Release notes - ScrumPoker Estimates for Jira

2025-06-13 | 3.5.0 Release

Minor version update

2025-06-12 | 3.4.0 Release

Minor version update

2025-06-04 | 3.3.0 Release

Security Patch: Removal of Unused Dependencies and Critical Vulnerability Fixes

This release resolves several critical security vulnerabilities in older versions of Scrum Poker Estimates for Jira. Unused or outdated dependencies were removed, including hawk, babel-traverse, handlebars, and elliptic. No customer data was affected, and the app has been updated to meet Atlassian’s latest security standards.

More details:

Security Advisory: Vulnerability Disclosure for Scrum Poker Estimates for Jira

We are writing to inform you of several security vulnerabilities that were recently identified in the Scrum Poker Estimates for Jira app. These vulnerabilities affect versions prior to the upcoming patched release of the app.

The vulnerabilities relate to outdated or unused third-party dependencies in our application, which could theoretically expose attack vectors under certain configurations. Importantly, no customer data was compromised and no end-user impact occurred at any point. These vulnerabilities were present until June 2025 and have now been remediated in the latest release.

These issues have been rated as Critical (P1) by Atlassian, following the Common Vulnerability Scoring System (CVSS).

The vulnerabilities were identified through Atlassian’s internal scanning processes and were brought to our attention between late May and early June 2025. Upon notification, we promptly reviewed all flagged dependencies, removed unused components, and updated our build pipeline to eliminate the risk surface.

Resolved Issues

  • [AMS-37152] hawk
    Removed: This dependency was no longer used by any part of the codebase or transitive dependencies and has been fully removed.

  • [AMS-37146] babel-traverse
    Removed: An outdated parser-related dependency that was no longer required and has been removed from the project.

  • [AMS-37140] handlebars
    Removed: Previously used for templating, it was not required anymore since all communication is handled through structured JSON APIs.

  • [AMS-37135, AMS-37128, AMS-37125, AMS-37124, AMS-37121] elliptic
    Removed: This dependency was originally included via webpack and karma-typescript, both of which have now been replaced or removed. Webpack was replaced with Parcel, and testing infrastructure was modernized, eliminating the need for elliptic.

Impact

Based on our internal investigation, these vulnerabilities did not result in any known security breaches or data exposure. The affected packages were not actively used in runtime or production paths that would be exploitable by end users or external actors.

We are working with Atlassian to update the Marketplace listing to reflect the remediated version. No further action is required from you unless you are on a self-managed instance, in which case we recommend updating to the latest version as soon as it's available.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our dependency management and build processes to prevent recurrence and to better align with Atlassian's latest security standards.

If you have any questions, please feel free to raise a support request at support.atlassian.com referencing any of the issue numbers above.

Sincerely,
Catapult Labs team

2025-05-29 | 3.2.0 Release

Minor version update

2025-04-2 | 3.1.0 Release

Forge Compatibility

This release introduces Forge compatibility for our app while continuing to support existing Connect modules. With this update, the app now runs on a hybrid architecture, combining the flexibility of Connect with the scalability and enhanced security of Forge. No action is required from existing users—your current setup will continue to work as expected.