All notable changes to Atomio are documented below.

The format is based on Keep a Changelog, and Atomio adheres to Semantic Versioning.

• Added compression for responses to reduce bandwidth usage and improve performance for responses over 1KB. Compression is enabled by default and can be disabled by setting server.compression.enabled to false.

• Upgraded to Spring Boot 3.2.3 resolving CVEs
• Upgraded to PostgreSQL JDBC Driver 47.2.2 to resolve critical vulnerability CVE-2024-1597 - note the use prior Atomio versions make of this driver does not expose Atomio to this vulnerability

• Fixed a bug that denied access to aliases unnecessarily introduced in Spring Security upgrade

• Updated to Spring Boot 3.2.2 which addresses CVE-202422233 Spring Framework server Web DoS Vulnerability

• Defect introduced in 2.0.0 adopting Spring Boot 3 which broke Atomio's Swagger UI and OpenAPI documentation

• For those using H2, H2 has been upgraded and requires a database migration. See Atomio documentation for details of the provided migration Docker image.

• Updated to Spring Boot 3.2.1 which upgrades many dependencies including fixes for outstanding CVEs

• Support for 'validated' attribute for artefacts as specified at https://ontoserver.csiro.au/docs/6/syndication.html

• Fixed a recursive response requesting a Feed with Aliases from Atomio's JSON API

• Updated to Spring Boot 2.6.14

• Updated Spring Security Core and the base Docker image to address CVEs
• CVE-2022-43680
• CVE-2022-31692

• Updated Spring Boot to 2.6.13 and regenerated base image to address CVEs
• CVE-2022-42003
• CVE-2022-42004
• CVE-2022-31197
• CVE-2022-31679
• CVE-2022-25857
• CVE-2022-38749
• CVE-2022-38750
• CVE-2022-38751
• CVE-2022-38752
• CVE-2022-30065
• CVE-2022-2097
• CVE-2022-30065
• CVE-2022-37434

• Support for PostgreSQL as Atomio's database backend, configured by activating the postgres Spring profile and setting the appropriate datasource URL.
• /.well-known/smart-configuration and /.well-known/openid-configuration to support client autodiscovery of authorisation endpoints

• CORS support when atomio.security.enabled=false, previously only supported when atomio.security.enabled=true

• Updated Spring Boot to 2.6.8 to address CVEs
  • CVE-2022-22978
  • CVE-2022-22976
  • CVE-2022-22970
  • CVE-2022-22971

• Updated Spring Boot to 2.6.7 and moved to Jib default base image (eclipse-temurin) from gcr.io/distroless/java to address following CVEs
  • CVE-2022-22965
  • CVE-2020-36518
  • CVE-2021-33813
  • CVE-2022-0778
  • CVE-2018-25032
  • CVE-2022-21449
  • CVE-2022-0778
  • CVE-2022-27404
  • CVE-2021-45960
  • CVE-2022-22822
  • CVE-2021-3999
  • CVE-2021-33574

• Updated log4j2 to 2.17.0 to handle CVE-2021-45046 and CVE-2021-45105

• Issue preventing configuring atomio.security.issuerUri only with no jwks set

• Updated log4j2 to 2.15.0 to handle CVE-2021-44228

• Issue causing additional (past the first) artefact for an entry to cause errors deleting the entry
• Rights elements not displaying in the Atom XML version of entries in feeds

• Feed and entry clone changing file name extension by replacing . with _

• Changed to allow configuration of whether to include a Content-Disposition header or not - atomio.contentDispositionEnabled defaults to true
• Changed to allow configuration of the Content-Disposition type from hard coded to inline - can be changed with atomio.contentDispositionType defaults to more appropriate attachment

• Fixed Content-Type in artefact GET request responses which upgraded Spring Boot was defaulting
• Reinstated /actuator/info endpoint in default configuration which was lost in a Spring Boot upgrade

• Added ability to configure for CORS.

• Updated to new Spring Security which ignores Authorization headers on requests when security is disabled, previously they were rejected.
• Configuration for JWK set URI from Spring specific to atomio.security.jwkSetUri, legacy support for existing configuration maintained
• Configuration support added for auto-configuration from an OAuth 2.0 or OIDC issuer from atomio.security.issuerUri - this will also configure JWK signature validation and issuer validation

• Added atomio.security.allowedOrigins configuration option to allow for CORS support.

• Fixed arbitrary length limitations on entry rights and summary fields to small sizes to support changes in NCTS feed.

• Anonymous read mode may be enbled by configuration to allow unauthenticated users to list available feeds and feed content, with security still applied to all other operations.

• OpenAPI v3 documentation endpoint and Swagger UI.
• Ability to associate "aliases" with feeds which provide a movable label with a stable URL that is a proxy for a feed.
• Defaulting for artefact file name, making filename optional in entry creation requests.

• Handling of file uploads changed to asynchronous to better deal with long duration uploads.
• Enhanced information supplied with storage validation failure messages.

• Defect in storage validation affecting files referred to by more than one entry falsely reporting file length validation failures.

• Added download URL prefix whitelist configuration to prevent exposure of internal content through clone operations. By default no URL prefixes are whitelisted and Atomio will not download from any URL until prefixes are added to atomio.client.urlWhitelist as a comma separated list.

• Removed internal Spring requirement for communication only on plain HTTP which was causing redirect responses in certain reverse proxy configurations in front of Atomio.

• Support for FHIR Bundle interpretation batch/collection for entries.

• Validation of filenames which was permitting spaces.

• Support for Sentry.io configuration and connection for error monitoring.