OpenProject

PM
Velocity: 6.3

Open source web-based project management software supporting classical, agile and hybrid project management approaches.

OpenProject courts Jira refugees while clearing a heavy bug-bounty security backlog

Tags: jira-migration, agile-planning, backlogs, security-hardening, self-hosted, work-package-identifiers
Current state
OpenProject is a mature self-hosted project-management tool shipping on a fast cadence across several maintained release lines at once (17.2.x through 17.5.x). The 17.x cycle is converging two threads: a ground-up rework of agile planning with dedicated sprint objects and redesigned backlogs, and a Jira migration path aimed at teams leaving Atlassian. In parallel it is absorbing a large batch of externally reported security findings from the EU-sponsored YesWeHack bounty program.
Where it's heading
The clear direction is to become the default landing spot for organizations migrating off Jira Server and Data Center. The 17.5 project-based work package identifiers exist largely to preserve original Jira issue keys on migration, removing one of the biggest switching costs. Agile features are maturing from version-based workarounds into first-class Scrum entities, while the security posture remains reactive but is actively and broadly patched across release branches.
Prediction
Expect continued hardening of the Jira Migrator (more field types, custom fields) and a push to move project-based work package identifiers from Beta to general availability across the remaining UI surfaces that still show numerical IDs.

Recent moves

  1. 12d ago

    OpenProject 17.5.1

    A pure bug-fix point release closing import, direct-upload, and work-package-creation regressions introduced in 17.5.0 — routine cleanup after a feature-heavy minor.

  2. 17d ago

    OpenProject 17.5.0

    The sharpest expression yet of OpenProject's Jira-migration play: optional instance-wide project-based work package identifiers let teams preserve existing Jira issue keys, and the Jira Migrator now carries over due dates and estimates. This is where the agile rework and the migration thread converge.

  3. 19d ago

    OpenProject 17.3.4

    A one-line patch fixing broken Memcached serialization shipped in 17.3.3 — maintenance on the older 17.3 line with no user-facing change.

  4. 19d ago

    OpenProject 17.4.1

    A heavy security release on the 17.4 line resolving eight YesWeHack-reported issues, including a cache-poisoning remote code execution, a SQL-injection privilege escalation, stored XSS, and several IDORs. It reflects an active, externally audited security process rather than a change in product direction.

  5. 19d ago

    OpenProject 17.3.3

    The same batch of critical security fixes backported to the 17.3 line so self-hosters who have not yet moved to 17.4 are covered. It reinforces OpenProject's practice of patching across multiple maintained release branches simultaneously.

  6. 1mo ago

    OpenProject 17.4.0

    The Jira Migrator graduates from a feature-flagged preview to a directly usable (still Beta) feature and gains basic custom-field migration, bundled with nine more security fixes. This is the groundwork for the identifier-preservation capability that lands in 17.5.
