Introducing Agent Safe Governance for the AI Era

5.2.1 Secure Release Notes

Target release: July 8, 2026

Liquibase Secure 5.2.1 builds on the 5.2 release with deep reliability, performance, and platform-coverage improvements across enterprise-scale changelog generation, policy checks, drift detection, and NoSQL database support. This release improves diff-changelog and generate-changelog dependency handling on multi-million-object Oracle schemas, with new guidance on the memory limits for inspecting large schemas, and hardens checks run against multi-megabyte SQL changesets with new --check-timeout and --custom-check-timeout parameters to bound long-running checks. It also introduces MONGODB-AWS authentication for Amazon DocumentDB and MongoDB Atlas using IAM. SQLPlus deployments gain a SqlPlusSlashTerminatorCheck policy check and a --sqlplus-slash-terminator-validation flag that correct false-positive slash-terminator errors, and further regressions are corrected across PostgreSQL, BigQuery, Redshift, and SQLPlus deployment paths. Together, these changes improve operational reliability, governance accuracy, and developer productivity for teams managing complex relational, NoSQL, and cloud-native database estates.

What's new

Key highlights are covered here. For a full list of bugs and fixes addressed in this release, see the "Full list of changes" section below.

Changelog Generation & Dependency Ordering

Changelog generation and dependency ordering received improvements and fixes intended to refine the features delivered in Liquibase Secure 5.2.0, including large-schema performance handling, consistent folder naming for SQL changelogs, and new JVM heap sizing guidance to help you avoid out-of-memory failures.

Policy Checks

The Liquibase Secure 5.2.1 release introduces several refinements, improvements, and expanded documentation for policy checks:

  • Opt-in timeouts for checks: new --check-timeout and --custom-check-timeout options for built-in and custom Python policy checks ensure that a slow or runaway check no longer blocks an entire checks run. Both timeouts default to disabled, so existing behavior is preserved unless you opt in.

  • Performance and reliability improvements: on multi-megabyte SQL changesets, these eliminate a silent out-of-memory failure on changelogs with more than 5 MB bulk INSERT statements.

  • Line-number locator improvements: checks now return exact match line numbers above the 5 MB threshold, eliminating an additional checks run out-of-memory error on policy checks that match large CREATE PROCEDURE or DDL bodies.

  • SQLPlus slash-terminator validation: the --sqlplus-slash-terminator-validation flag catches missing / terminators in PL/SQL scripts before they cause silent SQLPlus deployment hangs, and supports three modes: FIX (default, auto-corrects in memory with a warning and never modifies the source file), LOG (warns and continues), and HALT (stops with an error).

  • Console and HTML output: --skip-bulk-data now reports skipped checks at the default log level, and per changeset in the HTML report, so you no longer need to enable FINE logging to discover which SQL statements were skipped.

  • Runtime skip-check syntax: the --check-name='!CheckName' flag is a runtime-skip syntax that requires no edits to the checks settings file, with a focused console summary of only the skipped checks rather than every check that ran.

Database Platform Support Enhancements

Amazon DocumentDB and MongoDB Atlas on AWS

The Liquibase Secure 5.2.1 release introduces IAM-based authentication for MONGODB-AWS. You can connect using the standard AWS credential chain (environment variables, instance profiles, or shared credentials), or use IAM role assumption (STS AssumeRole) for cross-account access with auto-refreshing temporary credentials, eliminating the need for static database passwords in AWS-native deployments.

BigQuery

The Liquibase Secure 5.2.1 release introduces a new per-changeset output enhancement so DevOps teams can see at a glance whether each changeset succeeded, how long it took, and how many rows were affected.

Db2 for z/OS

Liquibase Secure 5.2.1 eliminates a situation where manually configuring tablespaces for the Liquibase tracking tables could result in an error due to duplicate naming. Liquibase Secure 5.2.1 now relies on Db2 for z/OS's implicit tablespace creation mechanism.

Reporting and Observability

The Liquibase Secure 5.2.1 release improves drift report fidelity by consistently excluding filtered objects from all sections. Objects suppressed by --exclude-objects no longer reappear in the Detailed Object Differences section or inflate the Summary of Detected Differences count, and the same fix applies to the JSON diff output, so HTML, TXT, and JSON formats now behave identically.

This release also resolves a runOnChange correctness bug, originally reported against 4.33, where two overlapping update jobs could re-run runOnChange changesets after a v8 to v9 checksum upgrade. If you hit this in 4.33, you can clear the affected rows by running liquibase clearCheckSums after upgrading.

Performance and Stability

The Liquibase Secure 5.2.1 release introduces streaming-mode sqlFile deployment, so changelogs that load millions of statements from a single SQL file no longer run out of memory on modest heap settings.

Formatted-SQL changelog parsing is also more memory-efficient. A new FINE-level advisory log warns when a changeset body exceeds 16 MB so you can recognize and act on the condition before an out-of-memory error occurs. Heap sizing guidance for variable-substituted changeset bodies is also documented, so you don't develop false confidence that all large bodies are safe to deploy. See Memory and heap sizing for large changeset bodies.

Security vulnerability report

This release includes updates to internal platform components and third-party dependencies to address known security vulnerabilities and strengthen the overall platform security posture of Liquibase Secure. These updates help organizations maintain secure deployment environments, improve compliance readiness, and reduce operational risk associated with outdated software components.

CVE Summary

  • Updated jackson-core from 3.1.0 to 3.1.1, resolving remaining known vulnerabilities. Liquibase Secure also includes VEX (Vulnerability Exploitability eXchange) files with every release to communicate Liquibase's official assessment of reported CVEs. Refer to the VEX file included with the 5.2.1 release (files ending in .vex.json) for the complete list of vulnerability assessments and exploitability status. For more information about VEX files and how to interpret their status values, see the VEX documentation.

Full list of changes

  • Changelog Generation & Dependency Ordering(SECURE-345) Restored the ability to run generate-changelog on very large schemas using formatted SQL so the command completes in minutes with a usable .oracle.sql file and progress logs instead of stalling silently.
  • Changelog Generation & Dependency Ordering(INT-2170) Documented concrete JVM heap and RAM sizing guidance for generate-changelog, diff, and diffChangeLog so customers running these commands against large schemas can right-size -Xmx before hitting OutOfMemoryError failures.
  • Changelog Generation & Dependency Ordering(INT-2071) Liquibase now generates an objects/ folder when using --object-changelogs with SQL changelogs, instead of a timestamped folder name like objects-1780005205286 that changed on every run. Re-running into the same directory now errors to prevent overwriting existing files, consistent with XML, YAML, and JSON behavior.
  • Changelog Generation & Dependency Ordering(SECURE-307) Fixed an issue on PostgreSQL where diff-changelog did not generate drop and re-add steps for foreign keys that referenced a primary key being modified, causing update to fail with a dependency error. If you previously added manual dropForeignKeyConstraint and addForeignKeyConstraint changesets as a workaround, those are no longer needed in new migrations.
  • Changelog Generation & Dependency Ordering(SECURE-407) Restored deployable diff-changelog output on PostgreSQL when a primary key swap and a new foreign key referencing the new PK column occur in the same diff cycle, ordering operations correctly and eliminating duplicate constraint drops.
  • Changelog Generation & Dependency Ordering(INT-2083) Liquibase now automatically skips the object types Amazon Redshift doesn't support when you run generate-changelog and diff-changelog, and tells you which ones it skipped, so these commands complete successfully without you having to list every supported type by hand to avoid an error.
  • Changelog Generation & Dependency Ordering(INT-2085) Restored generate-changelog and diff-changelog on Amazon Redshift when the default --diff-types set includes compositetype, which previously crashed with relation "pg_collation" does not exist and made the commands unusable without manually omitting composite types.
  • Changelog Generation & Dependency Ordering(SECURE-341) Liquibase now correctly snapshots stored procedures and functions in MySQL databases whose names contain hyphens, so you no longer hit a SQL syntax error when running snapshot, diff, or generate-changelog against those databases.
  • Changelog Generation & Dependency Ordering(INT-2072) Fixed the misleading --object-changelogs=type advertisement in generate-changelog --help that suggested Liquibase could capture user-defined SQL Server types but silently produced no type/ folder or CREATE TYPE changesets, and updated the reference docs to match while leaving PostgreSQL composite-type support intact.
  • Snapshot & Database Inspection(SECURE-205, SECURE-299) Liquibase no longer reports stored procedures, packages, functions, and triggers as drift on Oracle when only the engine-driven compilation status changed, so you won't see recurring false drift that can't be resolved with a changelog.
  • Snapshot & Database Inspection(INT-2063) Liquibase now ignores Oracle-managed changes to stored object status and column expressions during diff and drift, so the same non-structural changes no longer resurface after you approve them.
  • Policy Checks(SECURE-195, SECURE-196) Added timeout options for checks run so a slow or runaway check won't block your entire pipeline. Use --check-timeout for built-in checks and --custom-check-timeout for custom Python checks. Both are disabled by default.
  • Policy Checks(SECURE-294, SECURE-292) Liquibase now runs policy checks significantly faster on changelogs that contain large SQL changesets, so checks run operations that previously took minutes complete in seconds without any changes to your configuration.
  • Policy Checks(SECURE-366) Fixed an issue where checks run threw OutOfMemoryError when a policy check matched on a large changeset body (such as a large CREATE PROCEDURE or DDL statement), causing the command to fail at modest heap sizes.
  • Policy Checks(SECURE-85, SECURE-333, SECURE-335) Liquibase can now catch missing / terminators in PL/SQL scripts when using runWith=sqlplus. Use --sqlplus-slash-terminator-validation to control behavior: FIX (default) auto-corrects at runtime without changing your files, LOG warns and continues, or HALT stops and errors. GRANT statements that reference stored-object privileges (such as GRANT CREATE PROCEDURE TO user) no longer incorrectly trigger the check, and EDITIONABLE / NONEDITIONABLE stored objects are now correctly detected as needing a terminator.
  • Policy Checks(SECURE-421) Improved visibility of policy checks skipped by --skip-bulk-data so you can run liquibase checks run against large changesets and immediately see in the console and HTML report which changesets were skipped, instead of having to enable FINE logging.
  • Policy Checks(SECURE-216, SECURE-191) You can now skip individual quality checks at runtime by passing --check-name='!CheckName' without changing your checks settings file, and Liquibase shows you a focused summary of what was skipped rather than a list of everything else that ran.
  • Policy Checks(SECURE-334) Liquibase now correctly applies your SPLIT_STATEMENTS=true setting when running pattern-based policy checks against large SQL changesets, so you won't miss per-statement violations in large files.
  • Policy Checks(SECURE-346) Improved SqlUserDefinedPatternCheck findings on large changesets so that the matched text and line number are now included in the output on Windows, consistent with findings on smaller changesets and with Linux behavior.
  • Policy Checks(SECURE-380) Added a SQLGlot-based Python custom policy check that flags GRANT statements lacking GRANT EXECUTE. Performs well on deployments containing 860,000+ SQL inserts, where typical regex-based checks become too slow to be usable.
  • Database Platform Fixes & Improvements(INT-2052) Liquibase now shows you a per-changeset summary when deploying to BigQuery, so you can see at a glance whether each changeset succeeded, how long it took, and how many rows were affected. Example output: ChangeSet changelog.xml::id::author: EXECUTED, rows affected: 5, elapsed: 42ms.
  • Database Platform Fixes & Improvements(INT-2125, INT-2086) Liquibase now correctly applies your default schema name when deploying unqualified SQL to Redshift, fixing a regression introduced in 5.2.0 where the setting was silently ignored and objects could be deployed to the wrong schema.
  • Database Platform Fixes & Improvements(SECURE-365) Liquibase now executes your changeset's rollback block when a SQLPlus deployment fails with rollback-on-error=true and sqlplus-fail-options=all, so stored procedures and other objects are correctly restored rather than left in an invalid or dropped state.
  • Database Platform Fixes & Improvements(SECURE-206) Fixed an Oracle issue where function-based indexes could cause phantom drift on hidden virtual columns (such as TRUNC("END_DATE")) that you never created. Liquibase was flagging these as untracked schema changes; this affected versions 5.0.1–5.2. As a workaround on older versions, you can use a regex to exclude computed columns from diff.
  • Database Platform Fixes & Improvements(SECURE-453) With –sqlplus-fail-options=none, a PL/SQL compile error is logged but does not fail the changeset (procedure ends up INVALID, deployment continues). warnings / errors / all continue to fail as documented.
  • Database Platform Fixes & Improvements(SECURE-446) Liquibase now generates changelogs from large Oracle schemas quickly even when you connect without DBA privileges, fixing a regression introduced in 5.2.0 where generate-changelog could run for tens of minutes or fail after running out of temporary space.
  • Database Platform Fixes & Improvements(SECURE-301) You no longer need to manually configure tablespaces for Liquibase's tracking tables when deploying to Db2 for z/OS. Liquibase now relies on Db2 for z/OS's implicit tablespace creation mechanism.
  • Database Platform Fixes & Improvements(INT-2165) Tracked a Databricks-side server regression that blocked ALTER TABLE ... DROP CONSTRAINT for primary keys on tables where Delta column mapping was enabled, a foreign key once referenced the PK, and any non-PK column had been dropped; awaiting upstream fix before re-enabling the affected test.
  • New Platform Support(INT-1979, INT-1980) Liquibase now supports MONGODB-AWS authentication for Amazon DocumentDB and MongoDB Atlas on AWS. You can connect using the standard AWS credential chain (environment variables, instance profiles, or shared credentials), or use IAM role assumption (STS AssumeRole) for cross-account access with auto-refreshing temporary credentials, eliminating the need for static database passwords in AWS-native deployments and works with both direct connections and runWith="mongosh" changesets.
  • New Platform Support(INT-2049, INT-2131) Liquibase now correctly applies and checks tags against Cassandra databases, so tag and tag-exists work as expected.
  • New Platform Support(INT-2050) clear-checksums now works with Couchbase databases.
  • Integrations & Developer Experience(SECURE-303) Liquibase no longer re-executes createProcedure runOnChange="true" changesets after you upgrade to a new major version, fixing a regression introduced in 5.0.0 where these changesets would run once even when the procedure body was unchanged.
  • Reporting & Observability(SECURE-300) Liquibase now consistently excludes filtered objects from all sections of drift reports, so objects you've excluded no longer reappear in the detailed differences section or inflate the summary count. Applies to HTML, TXT, and JSON output.
  • Reporting & Observability(SECURE-288) Fixed a bug reported in 4.33 where your runOnChange changesets could unexpectedly re-run if two Liquibase update jobs overlapped during a checksum upgrade. If this happened to you, running liquibase clearCheckSums after upgrading will clear it up.
  • Performance & Stability(SECURE-60) Liquibase now processes large SQL files a piece at a time when you deploy them with splitStatements=true, so changelogs that load millions of statements from a single sqlFile no longer run out of memory, even on modest memory settings.
  • Performance & Stability(SECURE-367) Improved memory efficiency when parsing formatted-SQL changelogs with large changeset bodies to prevent out-of-memory errors. Changeset bodies that use variable substitutions (such as ${your_variable}) still require additional memory proportional to body size; Liquibase now logs a warning when a changeset body exceeds 16 MB to help you identify and adjust memory settings before an error occurs.