← Back to all sparks
O

OpenProject

PM
Velocity6.3

Open source web-based project management software supporting classical, agile and hybrid project management approaches.

OpenProject grinds out steady releases while hardening against a bug-bounty backlog of CVEs.

project-managementopen-sourcesecurityjira-alternativeenterpriseintegrations
Current state
OpenProject is in a maintenance-heavy stretch: a run of 17.x point releases mixes small features with a steady stream of security patches surfaced by its EU-sponsored bug bounty. Feature work is incremental but pointed — project-based work package identifiers ease Jira migrations, and 17.6 adds an XWiki integration linking project management to enterprise knowledge. The cadence is high but a large share of releases are corrective.
Where it's heading
The product is consolidating as a credible open-source Jira alternative rather than chasing new categories. Recent features — Jira-friendly identifiers, XWiki knowledge links, Baselines refinements — target enterprise buyers weighing a migration. Security discipline, with multiple CVEs patched across back-ported 17.2 through 17.4 lines, signals a push for enterprise trust.
Prediction
Expect continued 17.x point releases pairing migration-friendly features with back-ported security fixes; the Jira-migration and enterprise-knowledge threads are the ones to watch build out.

Recent moves

  1. 1d ago

    OpenProject 17.6 adds XWiki integration for enterprise knowledge

    17.6 fits the enterprise-consolidation arc: a new XWiki integration ties OpenProject to enterprise knowledge management, alongside Baselines refinements and the usual bug fixes. Incremental, but aimed squarely at larger deployments.

    View source ↗
  2. 24d ago

    OpenProject 17.5.1 patches 17.5 regressions

    A pure bug-fix release patching import, scrolling, and work-package status regressions introduced in 17.5 — housekeeping between feature drops.

    View source ↗
  3. 29d ago

    OpenProject 17.5 adds project-based IDs to ease Jira migration

    ⚡ SPARK

    17.5 is the migration-focused release of this cycle: optional project-based work package identifiers make references clearer and, pointedly, smooth the path off Jira.

    View source ↗
  4. 1mo ago

    OpenProject 17.3.4 fixes broken Memcached serialization

    A single-fix patch release correcting broken Memcached serialization introduced in 17.3.3 — invisible to end users.

    View source ↗
  5. 1mo ago

    OpenProject 17.4.1 patches journal and work-package disclosure CVEs

    A security-driven release patching CVEs from OpenProject's EU-sponsored bug bounty, including a journal-diff visibility bypass and private work-package disclosure — the trust work underpinning enterprise adoption.

    View source ↗
  6. 1mo ago

    OpenProject 17.3.3 back-ports visibility and IDOR security fixes

    Another bounty-sourced security release, back-porting fixes for the same visibility-bypass and IDOR issues to the 17.3 line — evidence of disciplined multi-branch patching.

    View source ↗