What's in this release

Security

(#7689) by @abrackxInput sanitization for generate-changelog: Closes two reported vulnerabilities.

Thanks to @FORIMOC, @Yuremin, and @invoke1442 for the reports.

Notable improvements

(#7647) by @harsh-kaushal PostgreSQL: Sequence discovery is more accurate: The sequence metadata query now uses a LEFT JOIN instead of NOT IN, improving handling of SERIAL and IDENTITY columns in complex ownership scenarios. Note: columns decoupled from their sequence after creation may still appear as autoIncrement="true" in generated changelogs. A follow-up fix is tracked separately.

(#1944) by @MatrixDai MSSQL: systranschemas excluded from diff output: This system view was being flagged as a missing or unexpected table during diff. It's now correctly treated as a system object and filtered out.

(#7674) by @andrewcedgar perf: cache ranChangeSets lookup in SqlChangeLogParser.generateId: Performance improvements in SqlChangeLogParser by building the lookup once per Database as a Map<changeLog, interimId> and reuse it for every subsequent file. Total work becomes O(M+N) and the per-file cost returns to ~O(1).

(#7674) by @andrewcedgar Fixed a performance regression that caused SQL changelog parsing to slow significantly on large projects

SQL changelog parsing became significantly slower starting in 4.32.0. On projects with thousands of SQL changelog files and a large DATABASECHANGELOG history, parse time could increase from roughly 3 minutes to over 15 minutes compared to 4.31.1. This is a performance-only fix, your changelogs will parse and execute exactly as before, just faster.

Users with large SQL changelog sets should see parse times return to pre-4.32.0 levels after upgrading.

New parameter: --diff-column-default-value-constraint-name: Set to false to ignore auto-generated constraint names on column defaults during diff. Prevents false diffs in SQL Server environments where default value constraints are named differently across databases. Default: true.

Fixes

(#7660) by @sayaliM0412 Default branch is now main: Development snapshots are now published as main-SNAPSHOT; contributors should target main for new pull requests.

(#1964, #7680) by @MatrixDai and @wwillard7800 Improved handling of MSSQL view definitions across two fixes: false positive diffs from inconsistent SQL Server version formatting are resolved, and schema qualifiers are now correctly preserved in generated changelogs.

• (#1964) In Microsoft SQL Server, Liquibase incorrectly reported views as changed when comparing two databases, even when the view definitions were identical. This occurred because different SQL Server versions format view definitions differently (with or without schema prefixes and brackets). Liquibase now normalizes view definitions before comparing them, eliminating false positives in diff output.

• (#7680) Continued improvement from the initial #1964: generate-changelog now correctly preserves schema qualifiers in MSSQL view definitions. View definitions are now normalized only during comparison, so diffs remain accurate and generated changelogs retain the original [schema].[view] qualifier.

(#7603) by @filipelautert DATABASECHANGELOGLOCK hanging on multithreaded services: A failed cleanup left recycled threads in pooled environments in an incorrect locked state, causing unexpected errors during subsequent operations. Liquibase now correctly cleans up lock state after a command finishes, even if an error occurs during cleanup. This prevents unexpected lock errors on subsequent operations in environments that reuse threads, such as connection pools. 

(#7488) by @MalloD12 PostgreSQL with PgBouncer: fixed leaks in transaction pooling mode: When using Liquibase with PostgreSQL behind PgBouncer in transaction pooling mode, database schema settings applied by Liquibase could leak into other applications sharing the same connection pool, causing unexpected behavior. Liquibase now properly scopes these settings to individual transactions, preventing any interference with other services.

(#7659) by @filipelautert Oracle: Columns that begin with “int” caused errors in diff-changelog commands: Columns with names that start with “int”, like internalPhoneNumber and integration_type, were causing diff-changelog to report inaccurately. Fixed with exact matching on int and integer only.

(#7542) by @marchof Oracle: FLOAT column precision is back in snapshots: For Oracle databases, float column precision was incorrectly ignored during diff operations due to a regression introduced in a previous release. This could result in inaccurate diff output or generated changelogs missing float precision changes.

(#7646) by @filipelautert Improved logging support: When using Liquibase as an embedded library (such as in a Spring Boot application), some log messages generated during startup bypassed your application's configured logging framework and were handled by Java's built-in logging instead. This could result in missing log output or unexpected warnings, particularly for users on Log4j 2.25+. All Liquibase log output now routes through your configured logging framework from the start.

(#7500) by @MalloD12 diff-changelog uses the right constraint name in DROP statements: When databases have differently named constraints, generated DROP statements now use the target database's name rather than the reference database's, so changelogs actually apply cleanly. Covers foreign keys, indexes, primary keys, and unique constraints.

Security, driver and other updates