5.2.1 Secure Release Notes
Target release: July 8, 2026
Liquibase Secure 5.2.1 builds on the 5.2 release with deep reliability, performance, and platform-coverage improvements across enterprise-scale changelog generation, policy checks, drift detection, and NoSQL database support. This release improves diff-changelog and generate-changelog dependency handling on multi-million-object Oracle schemas, with new guidance on the memory limits for inspecting large schemas, and hardens checks run against multi-megabyte SQL changesets with new --check-timeout and --custom-check-timeout parameters to bound long-running checks. It also introduces MONGODB-AWS authentication for Amazon DocumentDB and MongoDB Atlas using IAM. SQLPlus deployments gain a SqlPlusSlashTerminatorCheck policy check and a --sqlplus-slash-terminator-validation flag that correct false-positive slash-terminator errors, and further regressions are corrected across PostgreSQL, BigQuery, Redshift, and SQLPlus deployment paths. Together, these changes improve operational reliability, governance accuracy, and developer productivity for teams managing complex relational, NoSQL, and cloud-native database estates.
What's new
Key highlights are covered here. For a full list of bugs and fixes addressed in this release, see the "Full list of changes" section below.
Changelog Generation & Dependency Ordering
Changelog generation and dependency ordering received improvements and fixes intended to refine the features delivered in Liquibase Secure 5.2.0, including large-schema performance handling, consistent folder naming for SQL changelogs, and new JVM heap sizing guidance to help you avoid out-of-memory failures.
Policy Checks
The Liquibase Secure 5.2.1 release introduces several refinements, improvements, and expanded documentation for policy checks:
Opt-in timeouts for checks: new
--check-timeoutand--custom-check-timeoutoptions for built-in and custom Python policy checks ensure that a slow or runaway check no longer blocks an entirechecks run. Both timeouts default to disabled, so existing behavior is preserved unless you opt in.Performance and reliability improvements: on multi-megabyte SQL changesets, these eliminate a silent out-of-memory failure on changelogs with more than 5 MB bulk
INSERTstatements.Line-number locator improvements: checks now return exact match line numbers above the 5 MB threshold, eliminating an additional
checks runout-of-memory error on policy checks that match largeCREATE PROCEDUREor DDL bodies.SQLPlus slash-terminator validation: the
--sqlplus-slash-terminator-validationflag catches missing/terminators in PL/SQL scripts before they cause silent SQLPlus deployment hangs, and supports three modes:FIX(default, auto-corrects in memory with a warning and never modifies the source file),LOG(warns and continues), andHALT(stops with an error).Console and HTML output:
--skip-bulk-datanow reports skipped checks at the default log level, and per changeset in the HTML report, so you no longer need to enable FINE logging to discover which SQL statements were skipped.Runtime skip-check syntax: the
--check-name='!CheckName'flag is a runtime-skip syntax that requires no edits to the checks settings file, with a focused console summary of only the skipped checks rather than every check that ran.
Database Platform Support Enhancements
Amazon DocumentDB and MongoDB Atlas on AWS
The Liquibase Secure 5.2.1 release introduces IAM-based authentication for MONGODB-AWS. You can connect using the standard AWS credential chain (environment variables, instance profiles, or shared credentials), or use IAM role assumption (STS AssumeRole) for cross-account access with auto-refreshing temporary credentials, eliminating the need for static database passwords in AWS-native deployments.
BigQuery
The Liquibase Secure 5.2.1 release introduces a new per-changeset output enhancement so DevOps teams can see at a glance whether each changeset succeeded, how long it took, and how many rows were affected.
Db2 for z/OS
Liquibase Secure 5.2.1 eliminates a situation where manually configuring tablespaces for the Liquibase tracking tables could result in an error due to duplicate naming. Liquibase Secure 5.2.1 now relies on Db2 for z/OS's implicit tablespace creation mechanism.
Reporting and Observability
The Liquibase Secure 5.2.1 release improves drift report fidelity by consistently excluding filtered objects from all sections. Objects suppressed by --exclude-objects no longer reappear in the Detailed Object Differences section or inflate the Summary of Detected Differences count, and the same fix applies to the JSON diff output, so HTML, TXT, and JSON formats now behave identically.
This release also resolves a runOnChange correctness bug, originally reported against 4.33, where two overlapping update jobs could re-run runOnChange changesets after a v8 to v9 checksum upgrade. If you hit this in 4.33, you can clear the affected rows by running liquibase clearCheckSums after upgrading.
Performance and Stability
The Liquibase Secure 5.2.1 release introduces streaming-mode sqlFile deployment, so changelogs that load millions of statements from a single SQL file no longer run out of memory on modest heap settings.
Formatted-SQL changelog parsing is also more memory-efficient. A new FINE-level advisory log warns when a changeset body exceeds 16 MB so you can recognize and act on the condition before an out-of-memory error occurs. Heap sizing guidance for variable-substituted changeset bodies is also documented, so you don't develop false confidence that all large bodies are safe to deploy. See Memory and heap sizing for large changeset bodies.
Security vulnerability report
This release includes updates to internal platform components and third-party dependencies to address known security vulnerabilities and strengthen the overall platform security posture of Liquibase Secure. These updates help organizations maintain secure deployment environments, improve compliance readiness, and reduce operational risk associated with outdated software components.
CVE Summary
Updated jackson-core from 3.1.0 to 3.1.1, resolving remaining known vulnerabilities. Liquibase Secure also includes VEX (Vulnerability Exploitability eXchange) files with every release to communicate Liquibase's official assessment of reported CVEs. Refer to the VEX file included with the 5.2.1 release (files ending in
.vex.json) for the complete list of vulnerability assessments and exploitability status. For more information about VEX files and how to interpret their status values, see the VEX documentation.
Full list of changes
- Changelog Generation & Dependency Ordering(SECURE-345) Restored the ability to run
generate-changelogon very large schemas using formatted SQL so the command completes in minutes with a usable.oracle.sqlfile and progress logs instead of stalling silently. - Changelog Generation & Dependency Ordering(INT-2170) Documented concrete JVM heap and RAM sizing guidance for
generate-changelog,diff, anddiffChangeLogso customers running these commands against large schemas can right-size-Xmxbefore hittingOutOfMemoryErrorfailures. - Changelog Generation & Dependency Ordering(INT-2071) Liquibase now generates an
objects/folder when using--object-changelogswith SQL changelogs, instead of a timestamped folder name likeobjects-1780005205286that changed on every run. Re-running into the same directory now errors to prevent overwriting existing files, consistent with XML, YAML, and JSON behavior. - Changelog Generation & Dependency Ordering(SECURE-307) Fixed an issue on PostgreSQL where
diff-changelogdid not generate drop and re-add steps for foreign keys that referenced a primary key being modified, causingupdateto fail with a dependency error. If you previously added manualdropForeignKeyConstraintandaddForeignKeyConstraintchangesets as a workaround, those are no longer needed in new migrations. - Changelog Generation & Dependency Ordering(SECURE-407) Restored deployable
diff-changelogoutput on PostgreSQL when a primary key swap and a new foreign key referencing the new PK column occur in the same diff cycle, ordering operations correctly and eliminating duplicate constraint drops. - Changelog Generation & Dependency Ordering(INT-2083) Liquibase now automatically skips the object types Amazon Redshift doesn't support when you run
generate-changeloganddiff-changelog, and tells you which ones it skipped, so these commands complete successfully without you having to list every supported type by hand to avoid an error. - Changelog Generation & Dependency Ordering(INT-2085) Restored
generate-changeloganddiff-changelogon Amazon Redshift when the default--diff-typesset includescompositetype, which previously crashed withrelation "pg_collation" does not existand made the commands unusable without manually omitting composite types. - Changelog Generation & Dependency Ordering(SECURE-341) Liquibase now correctly snapshots stored procedures and functions in MySQL databases whose names contain hyphens, so you no longer hit a SQL syntax error when running
snapshot,diff, orgenerate-changelogagainst those databases. - Changelog Generation & Dependency Ordering(INT-2072) Fixed the misleading
--object-changelogs=typeadvertisement ingenerate-changelog --helpthat suggested Liquibase could capture user-defined SQL Server types but silently produced notype/folder orCREATE TYPEchangesets, and updated the reference docs to match while leaving PostgreSQL composite-type support intact. - Snapshot & Database Inspection(SECURE-205, SECURE-299) Liquibase no longer reports stored procedures, packages, functions, and triggers as drift on Oracle when only the engine-driven compilation status changed, so you won't see recurring false drift that can't be resolved with a changelog.
- Snapshot & Database Inspection(INT-2063) Liquibase now ignores Oracle-managed changes to stored object status and column expressions during diff and drift, so the same non-structural changes no longer resurface after you approve them.
- Policy Checks(SECURE-195, SECURE-196) Added timeout options for
checks runso a slow or runaway check won't block your entire pipeline. Use--check-timeoutfor built-in checks and--custom-check-timeoutfor custom Python checks. Both are disabled by default. - Policy Checks(SECURE-294, SECURE-292) Liquibase now runs policy checks significantly faster on changelogs that contain large SQL changesets, so
checks runoperations that previously took minutes complete in seconds without any changes to your configuration. - Policy Checks(SECURE-366) Fixed an issue where
checks runthrewOutOfMemoryErrorwhen a policy check matched on a large changeset body (such as a large CREATE PROCEDURE or DDL statement), causing the command to fail at modest heap sizes. - Policy Checks(SECURE-85, SECURE-333, SECURE-335) Liquibase can now catch missing
/terminators in PL/SQL scripts when usingrunWith=sqlplus. Use--sqlplus-slash-terminator-validationto control behavior:FIX(default) auto-corrects at runtime without changing your files,LOGwarns and continues, orHALTstops and errors.GRANTstatements that reference stored-object privileges (such asGRANT CREATE PROCEDURE TOuser) no longer incorrectly trigger the check, andEDITIONABLE/NONEDITIONABLEstored objects are now correctly detected as needing a terminator. - Policy Checks(SECURE-421) Improved visibility of policy checks skipped by
--skip-bulk-dataso you can runliquibase checks runagainst large changesets and immediately see in the console and HTML report which changesets were skipped, instead of having to enable FINE logging. - Policy Checks(SECURE-216, SECURE-191) You can now skip individual quality checks at runtime by passing
--check-name='!CheckName'without changing your checks settings file, and Liquibase shows you a focused summary of what was skipped rather than a list of everything else that ran. - Policy Checks(SECURE-334) Liquibase now correctly applies your
SPLIT_STATEMENTS=truesetting when running pattern-based policy checks against large SQL changesets, so you won't miss per-statement violations in large files. - Policy Checks(SECURE-346) Improved
SqlUserDefinedPatternCheckfindings on large changesets so that the matched text and line number are now included in the output on Windows, consistent with findings on smaller changesets and with Linux behavior. - Policy Checks(SECURE-380) Added a SQLGlot-based Python custom policy check that flags
GRANTstatements lackingGRANT EXECUTE. Performs well on deployments containing 860,000+ SQL inserts, where typical regex-based checks become too slow to be usable. - Database Platform Fixes & Improvements(INT-2052) Liquibase now shows you a per-changeset summary when deploying to BigQuery, so you can see at a glance whether each changeset succeeded, how long it took, and how many rows were affected. Example output:
ChangeSet changelog.xml::id::author: EXECUTED, rows affected: 5, elapsed: 42ms. - Database Platform Fixes & Improvements(INT-2125, INT-2086) Liquibase now correctly applies your default schema name when deploying unqualified SQL to Redshift, fixing a regression introduced in 5.2.0 where the setting was silently ignored and objects could be deployed to the wrong schema.
- Database Platform Fixes & Improvements(SECURE-365) Liquibase now executes your changeset's rollback block when a SQLPlus deployment fails with
rollback-on-error=trueandsqlplus-fail-options=all, so stored procedures and other objects are correctly restored rather than left in an invalid or dropped state. - Database Platform Fixes & Improvements(SECURE-206) Fixed an Oracle issue where function-based indexes could cause phantom drift on hidden virtual columns (such as
TRUNC("END_DATE")) that you never created. Liquibase was flagging these as untracked schema changes; this affected versions 5.0.1–5.2. As a workaround on older versions, you can use a regex to exclude computed columns fromdiff. - Database Platform Fixes & Improvements(SECURE-453) With –sqlplus-
fail-options=none, a PL/SQL compile error is logged but does not fail the changeset (procedure ends up INVALID, deployment continues).warnings / errors / allcontinue to fail as documented. - Database Platform Fixes & Improvements(SECURE-446) Liquibase now generates changelogs from large Oracle schemas quickly even when you connect without DBA privileges, fixing a regression introduced in 5.2.0 where
generate-changelogcould run for tens of minutes or fail after running out of temporary space. - Database Platform Fixes & Improvements(SECURE-301) You no longer need to manually configure tablespaces for Liquibase's tracking tables when deploying to Db2 for z/OS. Liquibase now relies on Db2 for z/OS's implicit tablespace creation mechanism.
- Database Platform Fixes & Improvements(INT-2165) Tracked a Databricks-side server regression that blocked
ALTER TABLE ... DROP CONSTRAINTfor primary keys on tables where Delta column mapping was enabled, a foreign key once referenced the PK, and any non-PK column had been dropped; awaiting upstream fix before re-enabling the affected test. - New Platform Support(INT-1979, INT-1980) Liquibase now supports MONGODB-AWS authentication for Amazon DocumentDB and MongoDB Atlas on AWS. You can connect using the standard AWS credential chain (environment variables, instance profiles, or shared credentials), or use IAM role assumption (STS AssumeRole) for cross-account access with auto-refreshing temporary credentials, eliminating the need for static database passwords in AWS-native deployments and works with both direct connections and
runWith="mongosh"changesets. - New Platform Support(INT-2049, INT-2131) Liquibase now correctly applies and checks tags against Cassandra databases, so
tagandtag-existswork as expected. - New Platform Support(INT-2050)
clear-checksumsnow works with Couchbase databases. - Integrations & Developer Experience(SECURE-303) Liquibase no longer re-executes
createProcedure runOnChange="true"changesets after you upgrade to a new major version, fixing a regression introduced in 5.0.0 where these changesets would run once even when the procedure body was unchanged. - Reporting & Observability(SECURE-300) Liquibase now consistently excludes filtered objects from all sections of drift reports, so objects you've excluded no longer reappear in the detailed differences section or inflate the summary count. Applies to HTML, TXT, and JSON output.
- Reporting & Observability(SECURE-288) Fixed a bug reported in 4.33 where your
runOnChangechangesets could unexpectedly re-run if two Liquibase update jobs overlapped during a checksum upgrade. If this happened to you, runningliquibase clearCheckSumsafter upgrading will clear it up. - Performance & Stability(SECURE-60) Liquibase now processes large SQL files a piece at a time when you deploy them with
splitStatements=true, so changelogs that load millions of statements from a single sqlFile no longer run out of memory, even on modest memory settings. - Performance & Stability(SECURE-367) Improved memory efficiency when parsing formatted-SQL changelogs with large changeset bodies to prevent out-of-memory errors. Changeset bodies that use variable substitutions (such as
${your_variable}) still require additional memory proportional to body size; Liquibase now logs a warning when a changeset body exceeds 16 MB to help you identify and adjust memory settings before an error occurs.