/
Allow-list breaking changes in Jira 10.5.0 +

Allow-list breaking changes in Jira 10.5.0 +

Created by Finn Gale
May 19, 2025

JEMH 5.1.0 is now compatible with Jira 10.5.0 and above. Jira 10.5.0 enforces an Allow-list for Velocity which requires all methods within a Velocity Template to be pre-declared. This includes both within the User Interface, and Custom Notification Templates.

The impact of this is existing Custom Email Templates may now be broken. Crucially, the new Atlassian allow-list (Jira Software 10.0.x release notes | Atlassian Support | Atlassian Documentation ) only allows an App to list its own methods. Existing Templates which relied on Non-JEMH methods may now fail to render.

How to identify impact

Assessing impact in both the User Interface and Outbound Notifications. has been described here:

Outbound Notifications

Outbound Notifications will not render Velocity syntax if they are using a Custom Template which uses non-allow-listed methods. An extreme example can be seen here:

97d67984-0d48-4d9f-a27a-653f74a4b5ce.png

Atlassian Jira Log

When a Non-Allow-listed method is used, a log message is added added to the atlassian-jira.log which looks like the following:

image-20250513-154001.png
[velocity] Invocation blocked as method is not allowlisted: com.javahollic.jira.emh.service.cache.JEMHCachedTemplate#getName()

What to do if this is seen within our plugins

If this is seen within our app, please contact our support with a screenshot of the issue, or the atlassian-jira.log. You can contact support by either emailing support@thepluginpeople.com or using our support Portal: https://thepluginpeople.atlassian.net/servicedesk/customer/portal/1

Where possible we will add methods we might have missed to our allow-list, or add Velocity Safe implementations of the methods you would like to use (within reason).

Template Velocity Context Issues

Within the JEMH Velocity Context for Templates, there are a lot of context that Atlassian provided. Since the introduction of the Velocity allow-list it has meant that some of the contexts/methods are no longer usable within JEMH Templates, as Atlassian has either removed them or not allow-listed them.

Below is a table of Broken Contexts/Methods and an alternative to use if one has been found.

Broken Context/Method

Alternative Context/Method

Broken Context/Method

Alternative Context/Method

1

$issue.getCustomFieldValue($aCustomField)

$customFieldUtils.getCustomFieldValue($issue, $aCustomField)

Ā