Introducing Agent Safe Governance for the AI Era

Read the Blog

5.2 Secure Release Notes

Released on June 9, 2026

Liquibase Secure 5.2 expands enterprise database change management with major advancements in changelog generation, dependency ordering, policy enforcement, database inspection, NoSQL support, platform coverage, and large-scale operational performance. This release introduces new capabilities across relational and non-relational platforms while improving reliability, governance, observability, and developer workflows for enterprise teams managing complex database estates.

What's new

Changelog Generation

Liquibase Secure 5.2 release introduces dependency-aware changelog generation across Oracle, PostgreSQL, MS SQL, MySQL, MariaDB, Snowflake, Databricks, BigQuery, Db2, MongoDB, and Teradata. Generated changelogs now produce changesets in deployable order and preserve drift fidelity for renamed columns, schema-qualified definitions, partial indexes, sequence-backed defaults, composite array types, and other advanced database constructs. This helps teams eliminate manual changeset reordering, reduce drift loops during round-trip inspection, and adopt Liquibase Secure against existing enterprise databases with less manual intervention.

The release also adds a new --object-changelogs organization option for generated changelogs. Teams can now automatically separate generated output into folders by object type for easier navigation and management of large enterprise schemas. This improves changelog organization, simplifies schema reviews, and supports better long-term governance of generated database assets.

New performance optimizations for dependency graph processing improve handling of large Oracle schemas with circular dependencies. Dependency graph updates on enterprise-scale catalogs now complete significantly faster than previous releases. This reduces execution time from hours to seconds in certain environments and improves scalability for customers managing very large Oracle estates.

Additional drift and dependency handling updates address PostgreSQL partial indexes, Snowflake tags and file formats, MSSQL multi-schema views, BigQuery cross-dataset routines, MariaDB CHECK constraints, and Oracle synonyms, sequences, and view aliases. Generated changelogs and drift reports now round-trip more accurately across supported platforms. This improves deployment reliability and reduces manual troubleshooting for database teams operating heterogeneous environments.

Snapshot and Database Inspection

Liquibase Secure 5.2 release expands snapshot and database inspection reliability across Oracle, PostgreSQL, MSSQL, Azure SQL, MySQL, and Snowflake environments. Snapshot, drift, and inspection workflows now handle online, cloud, and offline workloads with greater consistency across both case-sensitive and case-insensitive database platforms. This improves operational stability for teams using state-based workflows, drift analysis, and schema governance practices at enterprise scale.

Additional workflow reliability updates improve handling of malformed offline URLs, MySQL databases with hyphenated names, and NoSQL warning messages. Database inspection operations now provide clearer guidance and more consistent handling of platform-specific edge cases. This reduces operational friction and improves troubleshooting for DBAs and DevOps teams working across diverse database platforms.

Policy Checks

Liquibase Secure 5.2 introduces new Policy Checks for identifying sensitive information patterns in database changelogs before deployment. Five new PII-focused checks now cover financial, personal, health, location, and computer-and-date identifiers across SQL changesets, and MongoDB-formatted changelogs. This helps teams identify sensitive data exposure earlier in the database change lifecycle, strengthen compliance readiness, and reduce the risk of accidental data exposure in production environments.

A new check-category taxonomy and updated check descriptions simplify how teams identify, organize, and deploy governance policies within deployment workflows. Teams can more easily surface relevant policies and standardize policy administration across environments. This improves governance usability and helps organizations operationalize compliance standards more consistently.

Additional reliability updates improve Policy Check execution across Snowflake, Databricks, stored procedure analysis, and standard DDL evaluation. Policy violations now report more accurate line numbers while reducing false positives during procedure analysis. This increases trust in governance automation, improves auditability, and helps teams confidently enforce database policies directly within deployment pipelines.

Six default packages are now created in a “checks-packages/" folder when init project is run.

Database Platforms

Liquibase Secure 5.2 release introduces targeted platform behavior improvements across Snowflake, Oracle, PostgreSQL, SQL Server, and BigQuery workflows. Drift detection, diff generation, deployment validation, and metadata handling now behave more consistently across supported database platforms. This improves operational reliability and reduces platform-specific troubleshooting for enterprise database teams.

Oracle SQLPlus deployments now treat PL/SQL compiler warnings and errors as deployment failures. Deployment workflows surface PL/SQL compilation problems directly during execution rather than allowing deployments to continue silently. This improves deployment safety and helps teams identify database issues earlier in release pipelines.

Additional platform updates correct PostgreSQL diff behavior for primary key backing indexes and improve support for BigQuery multi-region lock tables, SQL Server stored procedures and functions, Snowflake collation changes, and Oracle Wallet and LDAP connection workflows. These changes improve drift consistency and operational reliability across enterprise database estates.

NoSQL Databases

Liquibase Secure 5.2 release introduces modeled changelog generation support for MongoDB databases. Teams can now use generate-changelog and diff-changelog operations with MongoDB XML, JSON, and YAML modeled change types in the same way they manage relational database environments. This expands governance and automation workflows to modern NoSQL platforms while helping organizations standardize database change practices across mixed database estates.

Support for AWS DynamoDB now includes transactions within <partiql> and <partiqlFile> change types. DynamoDB changes can execute within native transactional boundaries to ensure operations either fully complete or are safely cancelled. This improves deployment consistency, strengthens operational safety, and extends transactional governance coverage to database tracking operations.

Teradata Native Executor

This release also introduces native executor support for Teradata environments. Teams can now adopt Liquibase management workflows while continuing to use existing Teradata scripts, output handling, and operational knowledge. This lowers adoption barriers for Teradata customers and enables organizations to standardize database governance practices without requiring immediate script rewrites.

New Database Coverage

Liquibase Secure 5.2 release adds support for ScyllaDB and Databricks Lakebase platforms. Organizations can now extend governance and automation workflows into additional distributed and cloud-native database technologies. This expands Liquibase’s ability to provide a unified operational model across relational, NoSQL, and modern data platform ecosystems.

Developer Experience and Integrations

Liquibase Secure 5.2 release introduces workflow improvements across Spring Boot, Maven, Flow, and CLI operations. Developers and DevOps teams can now manage configuration, deployment parameters, logging, and deployment visibility with fewer operational workarounds. This improves deployment consistency, simplifies automation workflows, and supports more efficient CI/CD operations.

Spring Boot users can now define the Liquibase license key directly within the primary liquibase.properties file alongside other configuration values. Teams can consolidate configuration management into a single location instead of maintaining separate configuration handling approaches. This simplifies operational setup and improves configuration management consistency across environments.

Flow variables now support changelog property placeholders, and Maven verbose logging behavior now aligns with CLI execution behavior. Structured logs also include userMetadata in final success messages, while status --verbose output now includes labels, contexts, rollback information, and runWith details for pending changesets. These changes improve deployment observability, simplify parameterized workflows, and provide developers with clearer deployment visibility before execution.

Reporting Infrastructure

Liquibase Secure 5.2 release introduces reporting and observability improvements for Command and Drift reports. HTML reports now display more cleanly in browsers, while JSON reports provide more reliable downstream parsing for CI/CD tooling and automation workflows. This improves operational visibility, simplifies audit workflows, and helps organizations integrate reporting into broader observability and compliance ecosystems.

New report scoping capabilities allow teams to focus reports on specific changesets and workflows. Operators can narrow operational visibility to the deployments and objects most relevant to their review processes. This improves audit efficiency and reduces noise during operational investigations and deployment reviews. Snowflake drift reports now include FileFormat objects in Detailed Object Differences views, and automatically alias standard object filters such as View, Table, and Column to Snowflake-specific subtypes. Teams can use more consistent inspection terminology across Snowflake workflows while receiving richer drift visibility into platform-native objects. Snowflake drift reports no longer duplicate table entries across extension-specific object types, providing cleaner, more accurate object comparisons. This simplifies database inspection workflows, improves drift analysis accuracy, and reduces confusion during drift investigation.

Performance and Stability

Liquibase Secure 5.2 release introduces deep scalability and memory optimization changes for Snapshot, Diff, GenerateChangelog, and drift workflows operating against enterprise-scale schemas. Large schema operations now consume less memory and handle high-object-count environments more efficiently through lightweight report modes, improved parsing methods, and configurable detail thresholds. This improves operational reliability for organizations managing very large enterprise catalogs and drift workflows.

New maxDetailedObjects controls and lightweight reporting modes help large drift reports avoid exhausting JVM heap space while still providing actionable reporting detail. Drift workflows involving schemas in the 150MB and 255K-object range now operate more reliably in constrained runtime environments. This improves system stability and allows teams to scale state-driven workflows across significantly larger environments.

JSON snapshot parsing and diff --format=json operations now use Jackson streaming techniques to reduce heap consumption during large snapshot processing. Snapshot files as large as 934MB and 1.58 million objects can now be processed with substantially lower memory requirements. This improves scalability and enables organizations to process enterprise-scale snapshots more reliably within existing infrastructure limits.

Metadata caching behavior for BigQuery and Databricks deployments using dbclhistory.enabled=true has also been optimized. Multi-changeset runs now avoid redundant JDBC metadata round-trips during execution. This improves deployment efficiency and reduces execution overhead for large automated deployment pipelines.

License Tracking Update (Public Preview)

Liquibase Secure 5.2 release introduces a new approach for identifying unique database targets across supported platforms. License usage tracking now consistently recognizes the same database regardless of JDBC URL variations, schema differences, or connection methods. This improves license consumption accuracy, reduces inaccurate target counting, and provides organizations with more reliable audit and billing visibility across enterprise environments. Liquibase License Tracking is currently available as a Public Preview, with additional enhancements and expanded capabilities planned for upcoming releases.

Resolved security vulnerability report

This release includes updates to internal platform components and third-party dependencies to address known security vulnerabilities and strengthen the overall platform security posture. These updates help organizations maintain more secure deployment environments while improving compliance alignment and reducing operational exposure associated with outdated dependencies.

CVE Summary

Updated tomcat-embed-core (11.0.21 → 11.0.22) and jackson-core (3.1.0 → 3.1.1) to resolve 7 vulnerabilities (3 critical, 4 high).

Advisory

Severity

Package

Fixed in

GHSA-5m62-pw8w-7w9f

Critical

tomcat-embed-core

11.0.22

GHSA-h6fc-48rj-7qqh

Critical

tomcat-embed-core

11.0.22

GHSA-r29c-68gh-xp6x

Critical

tomcat-embed-core

11.0.22

GHSA-5mp6-jrq3-r938

High

tomcat-embed-core

11.0.22

GHSA-fv25-8xcx-gqjc

High

tomcat-embed-core

11.0.22

GHSA-gx5v-xp9w-j4cg

High

tomcat-embed-core

11.0.22

GHSA-2m67-wjpj-xhg9

High

jackson-core

3.1.1

GHSA-5pvg-856g-cp85

High

io.netty:netty-resolver-dns

4.2.15.Final

4.1.135.Final

GHSA-676x-f7gg-47vc

High

io.netty:netty-resolver-dns

4.2.15.Final

4.1.135.Final

GHSA-x4gw-5cx5-pgmh

High

io.netty:netty-handler

4.2.15.Final

Full list of changes

  • Changelog Generation(DAT-22707, DAT-21201) Added the ability to write generated changelog objects into folders organized by type (tables, views, stored procedures, etc.) when using the --object-changelogs flag.
  • Changelog Generation(DAT-21851, DAT-21852, DAT-21853, DAT-21854, DAT-21855, DAT-21856, DAT-21857, DAT-21858, INT-1913) Added dependency-aware changelog generation for Oracle, PostgreSQL, MS SQL Server, MySQL, Snowflake, Databricks, BigQuery, and Db2, so generate-changelog and diff-changelog produce changesets in executable order without manual reordering.
  • Changelog Generation(DAT-22406, DAT-22410, DAT-22455, DAT-22459, DAT-22540, DAT-22769, DAT-22831, DAT-21272) Fixed multiple dependency ordering issues in generate-changelog and diff-changelog where changesets were placed before the objects they depend on, causing deployment failures on clean databases across Oracle, SQL Server, Snowflake, Databricks, PostgreSQL, BigQuery, MySQL, MariaDB, and Db2.
  • Changelog Generation(DAT-22339, DAT-22466) Fixed an issue where generate-changelog lost the disabled/not-valid status of foreign key constraints on PostgreSQL and SQL Server, which could cause unexpected long-running validations when deploying the generated changelog to large tables.
  • Changelog Generation(DAT-22770) Fixed an issue where generate-changelog incorrectly captured Liquibase’s internal tracking tables (DATABASECHANGELOG and DATABASECHANGELOGLOCK) from non-default schemas in multi-schema runs, causing deployment failures.
  • Changelog GenerationBigQuery(DAT-22834) Fixed a regression where diff-changelog on BigQuery hard-coded the source dataset name into generated function and procedure DDL, making the generated changelog non-portable and causing deployment to the target dataset to fail with BIGQUERY_API_ERR.
  • Changelog GenerationBigQuery(INT-2033) Fixed an issue where generate-changelog on BigQuery emitted invalid type syntax for parameterless column types such as JSON and BYTES, producing changelogs that failed to deploy with a BigQuery parser error.
  • Changelog GenerationDatabricks(DAT-22460) Fixed an issue where generate-changelog on Databricks silently omitted CHECK constraints from the generated changelog, causing tables to be recreated without their integrity rules on deployment.
  • Changelog GenerationDatabricks(INT-1815) Added configurable filtering of Databricks TBLPROPERTIES during diff, diff-changelog, and generate-changelog, so customers (driven by ERQ-226) no longer see false-positive drift when Databricks auto-updates properties (pipelines.*, spark.databricks.*, system.*) for security or system reasons.
  • Changelog GenerationMongoDB(DAT-21859) Improved changelog generation for MongoDB Family databases so that generate-changelog and diff-changelog produce changesets in correct dependency order, eliminating manual reordering and deployment failures.
  • Changelog GenerationMongoDBSECURE-187, 188, 189) Fixed an issue where generate-changelog would produce duplicate changesets causing deployments to fail when deployed to a clean database.
  • Changelog GenerationMySQL / MariaDB(DAT-17745) Fixed a bug where diff-changelog on MySQL/MariaDB generated an index with the reserved name PRIMARY, causing deployment failures when a primary key used descending column order.
  • Changelog GenerationMySQL / MariaDB(DAT-22498) Fixed an issue where generate-changelog on MySQL and MariaDB dropped the FULLTEXT type from indexes, causing deployments of the generated changelog to fail on text columns.
  • Changelog GenerationMySQL / MariaDB(DAT-22832) Fixed a regression where snapshot, diff, and generate-changelog completely failed on MariaDB 10., preventing Liquibase Secure customers on those versions from running any inspection command. As a workaround, users could upgrade to MariaDB to 10.4.3+
  • Changelog GenerationOracle(DAT-21801) Fixed an issue where adding a unique constraint via a modeled changeset caused an ORA-01735: invalid ALTER TABLE option error on Oracle 19.24, so modeled changesets targeting multiple database platforms now deploy successfully without manual intervention.
  • Changelog GenerationOracle(DAT-21847) Fixed an issue where generate-changelog hardcoded the source schema name in Oracle sequence DEFAULT values, causing ORA-00942: table or view does not exist errors when deploying to a different schema. The generated changelog now omits the schema qualifier from sequence references, making it deployable across Oracle schema environments without modification.
  • Changelog GenerationOracle(DAT-21848) Fixed an issue where generate-changelog on Oracle placed sequences after the tables that referenced them, causing ORA-02289: sequence does not exist errors on deployment to fresh databases. Sequences are now correctly ordered before their dependent tables in the generated changelog.
  • Changelog GenerationOracle(DAT-22403) Fixed generate-changelog emitting unquoted Oracle keywords (e.g., SUCCESSFUL) in CREATE VIEW column alias lists, which caused ORA-00904: invalid identifier errors on deployment.
  • Changelog GenerationOracle(DAT-22808) Fixed an issue where generate-changelog would run indefinitely on large Oracle schemas with circular package dependencies, reducing sort time from hours to under two minutes.
  • Changelog GenerationPostgreSQL(DAT-22798, SECURE-134) Fixed an issue where renaming a PostgreSQL view column caused diff-changelog to generate an undeployable changelog, so drift detection operations now accurately remediate detected view column changes.
  • Changelog GenerationPostgreSQL(DAT-21549, DAT-21860) Fixed two issues where generate-changelog on PostgreSQL produced undeployable changelogs for tables with TIME[] columns or custom domain type columns, causing syntax errors and type modifier errors on deployment.
  • Changelog GenerationPostgreSQL(DAT-21649) Fixed an issue where diff-changelog did not generate changesets for renamed PostgreSQL indexes, so drift detection now correctly captures index renames as a drop and recreate.
  • Changelog GenerationPostgreSQL(DAT-21876) Fixed diff-changelog not capturing PostgreSQL ENUM types, causing enum-dependent columns and constraints to be missing or incorrect in generated changelogs.
  • Changelog GenerationPostgreSQL(DAT-22381) Fixed a crash where generate-changelog completely failed on EDB PostgreSQL instances running without Oracle compatibility mode, with the error "relation all_objects does not exist". Any EDB user not running Oracle-compat views was unable to use database inspection commands.
  • Changelog GenerationPostgreSQL(DAT-22385) Fixed an issue where diff-changelog generated false-positive create and drop changesets for PostgreSQL functions with composite type parameters when the two databases had different search_path configurations, even when the databases were otherwise identical
  • Changelog GenerationPostgreSQL(DAT-22402, DAT-22766, DAT-22338) Fixed two issues where generate-changelog and diff-changelog on PostgreSQL mishandled partial indexes, silently dropping co-located regular indexes and stripping the WHERE condition, causing missing or incorrectly scoped indexes in the generated changelog.
  • Changelog GenerationPostgreSQL(DAT-22574) Fixed an issue where diff-changelog generated invalid SQL for PostgreSQL composite types containing array attributes, causing a syntax error when the changelog was deployed.
  • Changelog GenerationPostgreSQL(DAT-22626) Fixed an issue where diff-changelog generated out-of-order changesets for PostgreSQL databases containing functions that reference composite types as array parameters, causing deployments to fail.
  • Changelog GenerationPostgreSQL(DAT-22705) Fixed a backward compatibility issue where generate-changelog and diff-changelog applied unnecessary object quoting to all PostgreSQL changelogs, causing re-deploy failures and false drift detection on databases with existing unquoted DDL.
  • Changelog GenerationPostgreSQL(DAT-22940) Fixed a regression on PostgreSQL where diff incorrectly reported changed catalog names as missing objects, generated false unique-constraint differences, and diff-changelog with an offline snapshot silently produced no output file.
  • Changelog GenerationPostgreSQL(DAT-22974) Fixed an issue where diff-changelog and generate-changelog stripped double-quotes from mixed-case column names inside PostgreSQL expression-based indexes, causing the generated changelog to fail on deployment with a column not found error.
  • Changelog GenerationPostgreSQL(SECURE-154) Fixed an issue where diff-changelog generated separate changesets for each column rename, followed by a createView changeset to restore the view body. Rollback executes in reverse order, so the view was dropped before the column rename rollbacks ran, causing an error. Liquibase now combines all column renames and the view body restore into a single changeset, so rollback completes atomically.
  • Changelog GenerationSnowflake(INT-1829) Fixed an issue where diff-changelog on Snowflake incorrectly included a CURRENT_TIMESTAMP() default value on columns that were absent from the comparison database, generating a changelog that Snowflake would refuse to deploy.
  • Changelog GenerationSnowflake(INT-1844) Fixed an issue where diff-changelog on Snowflake incorrectly detected drift in file format objects and generated invalid empty changesets that failed validation on deployment.
  • Changelog GenerationSQL Server(DAT-22964) Fixed a regression where generate-changelog stripped schema prefixes from view definitions in multi-schema SQL Server databases, causing views to deploy to the wrong schema on update.
  • Changelog GenerationSQL Server(DAT-22405) Fixed an issue where generate-changelog on SQL Server produced non-deterministic output for tables with primary keys, sometimes generating a separate addPrimaryKey changeset with incorrect clustering metadata that would silently alter index structure on deployment.
  • Changelog GenerationNT-1502): Liquibase Secure 5.2.0 improves drift detection accuracy for MSSQL by capturing additional object metadata for foreign key validate state, trigger base object type, time column precision, and check constraint aggregates. If you upgrade from Liquibase Secure 5.1.x and run `diff` against a snapshot taken with an earlier version, these objects will appear as differences. This does not represent real schema drift, it reflects metadata that 5.1.x did not capture. To restore accurate drift detection after upgrading, retake your baseline snapshot using `liquibase snapshot` with Liquibase Secure 5.2.0.
  • Snapshot and Database Inspection(DAT-15534) Fixed an issue where a malformed offline snapshot URL caused Liquibase to throw an unhelpful Java exception instead of a clear error, so users now see an actionable message explaining the correct offline URL format.
  • Snapshot and Database Inspection(DAT-22040) Fixed an issue where snapshot silently discarded all but one object when a case-sensitive database contained multiple objects with the same name but different casing (e.g., users, "USERS", "Users"), causing incomplete changelogs and false drift detection.
  • Snapshot and Database Inspection(DAT-22469) Fixed an issue where snapshot captured view columns even when column was excluded from --snapshot-filters, causing false drift to appear in diff operations when column-level differences were not intended for comparison.
  • Snapshot and Database Inspection(DAT-22968) Fixed a regression introduced in 5.1.1 where snapshot failed with an unresolved reference exception on Oracle and SQL Server databases with indexes containing descending columns, blocking customers from running snapshot commands even with the --ignore-missing-references flag set.
  • Snapshot and Database InspectionMySQL(DAT-21732) Fixed an issue where Liquibase commands (connect, update, snapshot, etc.) failed against MySQL databases with hyphenated names (e.g., running liquibase connect with the JDBC url set to url: jdbc:mysql://localhost:7458/test-user).
  • Snapshot and Database InspectionOracle(DAT-22369, SECURE-133) Fixed a regression introduced in 5.0.0 where Oracle snapshots silently lost the notNullConstraintName attribute on columns with user-named NOT NULL constraints, breaking behavior that worked correctly in 4.33.0 and earlier.
  • Snapshot and Database InspectionOracle(DAT-21862) Fixed an issue where Oracle snapshots using the --schemas or --default-schema-name parameters silently omitted all sequences from the output, even when sequences were listed as an included type.
  • Snapshot and Database InspectionSnowflake(INT-1768) Fixed a backward compatibility issue where --snapshotFilters using standard type names (View, Table, Column) failed to capture Snowflake objects, requiring users to update their filters to Snowflake-specific type names, such as --snapshotFilters=SnowflakeView
  • Snapshot and Database InspectionSnowflake(INT-1806) Fixed an issue where diff reports on Snowflake omitted the schema prefix from primary key constraint definitions, causing inconsistent and incomplete constraint display compared to other database platforms.
  • Snapshot and Database InspectionSnowflake(INT-1827) Fixed an issue where diff-changelog on Snowflake reported missing primary key constraints redundantly in drift reports, inflating the Objects With Differences count and making it harder to identify actual schema drift.
  • Snapshot and Database InspectionSnowflake(INT-1838) Fixed an issue where snapshot and generate-changelog failed with "View does not exist or not authorized" on Snowflake schemas containing views with double-quoted names, preventing those schemas from being captured.
  • Snapshot and Database InspectionSnowflake(INT-1840) Fixed a silent data corruption issue where Snowflake snapshot replaced double-quote characters in file format option values (such as NULL_IF) with single quotes in the snapshot output, producing snapshots that did not accurately represent the source database
  • Snapshot and Database InspectionSnowflake(INT-1848) Fixed Snowflake diff-changelog generating ineffective dropPrimaryKey and addPrimaryKey changesets when schemas differ only in the rely constraint attribute, preventing infinite diff loops.
  • Policy Checks(DAT-21137) Ensured the default liquibase.check-settings.conf file generated by init project, checks show, and shipped in the examples directory is consistent and runs all default-enabled checks against default changelogs without errors, so new users can run policy checks immediately after setup.
  • Policy Checks(DAT-20998) Added a new checks describe command that outputs a JSON representation of all policy checks (or a specific check via --checkname), providing AI and MCP tools with a machine-readable catalog of check configurations, parameters, and metadata.
  • Policy Checks(DAT-21126, DAT-21128, DAT-21129, DAT-21130, DAT-21131) Added five new PII policy checks (PIIfinancial, PIIpersonal, PIIhealth, PIIlocation, and PIIcomputerAndDate) that detect personally identifiable information across financial, personal-identity, health, location, and computer/date categories in changelog SQL.
  • Policy Checks(DAT-21159, DAT-21173, DAT-22045) Added a new Category column to checks show output and updated descriptions for all built-in checks, making it easier to find the right checks for compliance, governance, and auditing needs and improving accuracy when using the MCP server or AI tools to configure checks.
  • Policy Checks(DAT-21181, DAT-21304) Fixed an issue where AI and MCP tools could not create named copies of configurable checks, preventing custom check names from being applied during AI-assisted policy check configuration.
  • Policy Checks(DAT-21345) Fixed an issue where the SensitiveInfoCheck DATE identifier flooded console output with ERROR-level stack traces when processing partial date patterns, making it difficult to identify real errors in checks output.
  • Policy Checks(DAT-21559, DAT-21567) Fixed two issues where the ObjectNameMustMatch policy check threw a NullPointerException and caused checks run to fail: one when evaluating CREATE TABLE statements with inline PRIMARY KEY constraints, and one when evaluating ALTER TABLE ADD CONSTRAINT statements (including FOREIGN KEY, CHECK, UNIQUE, and PRIMARY KEY).
  • Policy Checks(DAT-21702) Fixed an issue where policy checks were skipped for modeled changesets even when --check-rollbacks=true was set and the rollback section contained raw SQL, causing TRUNCATE, GRANT, and REVOKE statements in rollbacks to go unchecked.
  • Policy Checks(DAT-21897, DAT-21898) Fixed two issues where policy check violation output reported incorrect line numbers due to comment handling: --comment: directives in SQL changelogs and inline SQL comments on the same line as the <sql> tag in XML changelogs each caused reported line numbers to be off by one.
  • Policy Checks(DAT-22321) Fixed a regression introduced in 5.1 where custom regex policy checks produced false positives on scripts that correctly passed in 5.0.3 and earlier.
  • Policy Checks(DAT-22380) Fixed a regression introduced in 5.1.0 where three default-enabled policy checks (PrimaryKeyOnCreateTable, DetectChangeType, and MaxAffectedRowsAllowedUpdate) were skipped instead of evaluated when running against SQL-format CREATE TABLE changesets.
  • Policy Checks(DAT-22538) Added six themed policy check packages (auth-and-access, data-protection, database-compatibility, metadata-content, scripting-standards, and sensitive-data-pii) to init project output, replacing the previously broken placeholder package references with ready-to-use check configurations.
  • Policy Checks(DAT-22817) Fixed an issue where checks describe returned a static list of built-in checks instead of reading from the checks-settings file, causing cloned and custom checks to be silently excluded from the output and preventing AI and MCP tools from discovering and configuring new checks.
  • Policy Checks(DAT-23003) Fixed a regression introduced in 5.1.0 where checks run flooded console output with sqlglot parser warnings when processing database-specific SQL syntax (such as Oracle DDL), making output unreadable on large changelogs.
  • Policy ChecksSECURE-177) When Liquibase upgrades a Checks settings file, it now creates only one backup file per run, regardless of how many upgrade steps the file goes through. Previously, multiple backup files (for example, both .v1.1 and .backup.01) could be created in a single upgrade run, which could cause confusion in source control. 
  • Policy ChecksDatabricks(DAT-22625) Fixed a regression introduced in 5.1.1 where database-scoped policy checks failed against Databricks with a "Connection closed" error, while changelog-scoped checks and other Databricks commands were unaffected.
  • Policy ChecksMongoDB(DAT-22310) Extended PII policy check support to MongoDB formatted changelogs, so PII checks now correctly evaluate all MongoDB insert operations (insertOne, insertMany, bulkWrite, and the legacy insert()) for personally identifiable information.
  • Policy ChecksOracle(DAT-21613) Fixed an issue where the TableColumnLimit check and other SQL-parsing checks could not evaluate Oracle CREATE TABLE statements using DEFAULT USER as a column default value, reporting a parse error instead of running the check.
  • Policy ChecksSnowflake(INT-1772) Fixed an issue where database-scoped policy checks on Snowflake silently excluded primary key and unique constraint objects from validation, so checks targeting those object types never triggered on Snowflake databases.
  • Policy ChecksSnowflake(INT-1945) Fixed a regression introduced in 5.1.0 where checks run against Snowflake failed with "Database-scoped checks cannot be completed" for roles without access to SNOWFLAKE.ACCOUNT_USAGE, even when only changelog-scoped checks were configured.
  • Policy ChecksSnowflake(DAT-21839) Fixed an issue where the MaxAffectedRowsAllowedInsert check incorrectly triggered on procedure changesets in SQL, YAML, and JSON changelog formats, producing unexpected check output that XML changelogs did not exhibit.
  • Database Platforms(INT-1867) Fixed an issue where sensitive CLI arguments passed with space-separated syntax (such as --password postgres) appeared in plain text in the troubleshooting bundle, while the same arguments using = syntax were correctly obfuscated, and added --username to the list of sensitive parameters that are redacted from bundle output.
  • Database PlatformsBigQuery(INT-1957) Fixed an issue where update silently deployed NOT NULL columns as NULLABLE on BigQuery, causing subsequent diff-changelog operations to repeatedly generate addNotNullConstraint changesets that could never resolve the drift.
  • Database PlatformsBigQuery(INT-1817) Fixed a crash caused by an empty Location= parameter in the BigQuery JDBC URL, and added an improved error message when the configured location does not match the dataset’s actual region, explaining the distinction between multi-region identifiers (such as US) and single-region names (such as us-central1) so users can correct their configuration without further investigation.
  • Database PlatformsOracle(DAT-21393) Added a --sqlplus-fail-options flag for Oracle SQLPlus deployments that lets users control whether compiler warnings, compiler errors, or both cause the deployment to fail, with a default of none so existing deployments are unaffected.
  • Database PlatformsPostgreSQL(DAT-22497) Changed the psql native executor on PostgreSQL so that liquibase.psql.logFile now writes a separate log file per changeset to a directory instead of appending all output to a single file, making it possible to identify which output came from which changeset. Existing configurations that set liquibase.psql.logFile to a file path must be updated to a directory path.
  • Database PlatformsSnowflake(INT-1839) Fixed an issue where createFileFormat and alterFileFormat changesets failed with a SQL compilation error when a formatTypeOptions value contained single or double quote characters, because those characters were not properly escaped in the generated SQL.
  • Database PlatformsSnowflake(INT-1842) Fixed an issue where diff-changelog on Snowflake generated an undeployable changeset when schemas differed only in column collation, because Snowflake does not support changing collation on an existing column, causing deployment to fail with an "incompatible collations" error.
  • Database PlatformsSnowflake(INT-1927) Fixed an issue where diff on Snowflake incorrectly reported columns from views that were entirely absent from the target schema as changed rather than missing, producing misleading drift output that obscured the actual scope of schema differences.
  • Database PlatformsSQL Server(DAT-21731) Fixed an issue where SQL Server database URLs in Liquibase reports were truncated before the database name could be displayed, making it impossible to distinguish databases with similar names (such as ET_PROD vs. ET_PROD_eph) from the report view or hover tooltip.
  • NoSQL DatabasesMongoDB(INT-1859, INT-1860, INT-1861, INT-1862, INT-1863, INT-1864, INT-1865, INT-1866, INT-1855) Added diff and diff-changelog support for MongoDB collections, indexes, validators, and views using modeled change types, so users can now detect and generate accurate changelogs for additions, removals, and modifications across all major MongoDB object types.
  • NoSQL DatabasesMongoDB(DAT-22794) Fixed an issue introduced in 5.1 where Liquibase failed to initialize when using Spring Boot auto-configuration with MongoDB, causing Spring Boot applications to fail at startup with a connection error.
  • NoSQL DatabasesNoSQL Databases MongoDB(INT-1996) Fixed an issue where rolling back a MongoDB changeset from a JSON changelog correctly executed the rollback operation but failed to remove the entry from DATABASECHANGELOG, causing Liquibase to treat the changeset as still deployed and skip it on the next update run.
  • NoSQL DatabasesDynamoDB(INT-1985) Fixed an issue where a DynamoDB changeset could run twice if the data write succeeded but the tracking write failed on the same run, leaving Liquibase unaware the changeset had already executed. Changesets with more than 99 DML items will now produce a clear error with instructions to split the changeset or use runInTransaction=false.
  • NoSQL DatabasesDynamoDB(INT-1904) Enforced DynamoDB transaction limits so users receive a clear error before exceeding the 100-item or 4 MB payload ceiling, rather than encountering a cryptic AWS rejection.
  • NoSQL DatabasesDynamoDB(INT-1905) Enabled idempotent retries for DynamoDB transactional writes, preventing duplicate side-effects when a transaction is re-attempted after a transient failure.
  • NoSQL DatabasesDynamoDB(INT-1906) Added meaningful error messages for DynamoDB transaction failures, so users can identify which statement in a batch caused the failure and take corrective action instead of seeing raw AWS SDK exceptions.
  • NoSQL DatabasesDynamoDB(INT-1946) Added a warning message when DynamoDB users use the generic sql change type instead of the DynamoDB-specific partiql change type, guiding users toward better compatibility and error handling.
  • Teradata Native Executor(INT-2008) Fixed a NullPointerException on Teradata that caused snapshot, diff, diff-changelog, db-doc, and dropAllForeignKeyConstraints to fail on any schema containing a foreign key constraint.
  • Teradata Native Executor(INT-1918) Fixed an issue where Teradata database inspection commands (snapshot, diff, diff-changelog) failed with "Database 'information_schema' does not exist" because Liquibase queried a schema that does not exist on Teradata.
  • Teradata Native Executor(INT-1695) Added a BTEQ native executor for Teradata, allowing Liquibase to run Teradata-specific SQL scripts through BTEQ when changesets use runWith: bteq, with support for TD2 and LDAP authentication, connection parameters from the JDBC URL, and execution control options.
  • Teradata Native Executor(INT-1732) Packaged the Teradata extension directly into Liquibase Secure so Teradata connectivity is available without a separate extension installation, matching the in-the-box experience of other supported platforms.
  • Teradata Native Executor(INT-1883) Added the .LOGDATA directive and liquibase.bteq.logdata configuration property to the Teradata BTEQ native executor, enabling LDAP deployments that use explicit credential tokens to authenticate without embedding passwords in the LOGON command.
  • Teradata Native Executor(INT-1917) Fixed an issue where addColumn with multiple columns on Teradata generated SQL with null table and column names, causing deployment failures whenever more than one column was added in a single changeset.
  • Teradata Native Executor(INT-1919) Fixed an issue where deploying createProcedure changesets on Teradata via JDBC failed when the procedure body used BEGIN...END blocks.
  • Teradata Native Executor(INT-1920) Fixed two issues where drop-all and the foreignKeyConstraintExists precondition each threw a NullPointerException on Teradata, blocking deployments that used either operation.
  • Teradata Native Executor(INT-1921) Fixed an issue where the uniqueConstraintExists precondition on Teradata generated SQL with a literal ? placeholder instead of the actual constraint name, causing every evaluation to throw a JDBC error.
  • Teradata Native Executor(INT-1922) Added support for setTableRemarks and setColumnRemarks change types on Teradata, which previously failed with an unsupported operation error.
  • Teradata Native Executor(INT-1923) Fixed an issue where loadData on Teradata failed with JDBC Error 857 when inserting into DECIMAL columns, because Liquibase sent values as strings instead of the numeric type the driver requires.
  • Teradata Native Executor(INT-1925) Fixed an issue where addLookupTable on Teradata generated invalid CREATE TABLE AS syntax that was missing the required parentheses around the SELECT and the WITH DATA clause, causing deployment to fail.
  • Teradata Native Executor(INT-1951) Fixed an issue where deploying createFunction changesets containing BEGIN...END blocks on Teradata via JDBC failed.
  • Teradata Native Executor(INT-1953) Fixed an issue where functions deployed using runWith: bteq on Teradata failed with BTEQ Error 7947.
  • Teradata Native Executor(INT-1983) Fixed an issue where the Teradata BTEQ executor marked changesets as failed even when .SET ERRORLEVEL or MAXERROR was configured to suppress specific Teradata error codes, making standard BTEQ error-suppression directives ineffective in Liquibase-managed deployments.
  • New Database Coverage(INT-1703) Validated Databricks Lakebase as a supported Postgres variant in Liquibase Secure.
  • New Database Coverage(INT-1671) Validated ScyllaDB compatibility with the Liquibase Cassandra extension, confirming that ScyllaDB functions as a drop-in replacement.
  • Developer Experience and Integrations(DAT-22802/ SECURE-117) Spring Boot users were required to add the Liquibase licence to the application.properties file using spring.liquibase.license-key. We have updated this so that you can add your license key to the liquibase.properties file using liquibase.licenseKey=ABwwGgQUqiKcl.. This makes it easier to configure Liquibase for your CLI or CI/CD pipelines.
  • Developer Experience and Integrations(DAT-19551) Fixed confusing NoSuchFieldException stack traces emitted at INFO level when using standard Liquibase parameters (such as liquibase.licenseKey, liquibase.logFile, liquibase.loglevel) in liquibase.properties with the Maven plugin, which made users believe their configuration was broken.
  • Developer Experience and Integrations(DAT-20821) Fixed an issue where context expressions using comma-separated values inside parentheses (such as context="(DEV,UAT,QA) AND wellness_rewards_accounts") threw a parse error, requiring users to rewrite their expressions using OR instead of commas.
  • Developer Experience and Integrations(DAT-21094) Added precondition support to modifyChangeSets, allowing users to apply database-type or other preconditions globally across all changesets in a changelog (including those pulled in by include and includeAll), so individual changesets are skipped rather than failing the entire deployment when a precondition is not met.
  • Developer Experience and Integrations(DAT-21149) Fixed an issue where Oracle SQLPlus deployments hung indefinitely without an error message when the working directory path contained an @ character (such as Jenkins concurrent build workspaces like Pipelines@2), because SQLPlus misinterpreted the @ in the path as a file include directive.
  • Developer Experience and Integrations(DAT-21629) Fixed an issue where changelog-sync did not update checksums for runOnChange changesets that had already been deployed and subsequently modified, causing those changesets to continue showing as pending on status runs and requiring users to manually delete and re-sync rows in the DATABASECHANGELOG table.
  • Developer Experience and Integrations(DAT-21975) Added support for Flow file variable substitution in changelogs, so variables declared in a Flow file (globally or per stage) are now automatically available for ${...}  property resolution in any changelog called within that Flow, with stage variables taking precedence over global variables when both define the same property.
  • Developer Experience and Integrations(DAT-21989) Enhanced status --verbose to display all changeset attributes (including labels, contexts, runWith, and rollback specifications) in alphabetical order for each pending changeset, making it easier to verify deployment targeting before running an update.
  • Developer Experience and Integrations(DAT-22286) Fixed a regression introduced in 5.1.0 where init project, init copy, and init project-clone failed when writing to an S3 path, creating project files locally but crashing before uploading them to S3, while other S3 operations such as reading changelogs from S3 were unaffected.
  • Developer Experience and Integrations(DAT-22314) Fixed an issue where userMetadata values from --custom-log-data-file were absent from the final success and failure log messages in structured logs, making it impossible to correlate Liquibase operations with other tools using span or trace IDs injected as custom log data.
  • Developer Experience and Integrations(DAT-22451) Fixed excessive WARNING log messages (approximately 15 per command) appearing when using the HashiCorp Vault extension with INFO-level logging, cluttering output and creating a false alarm for users whose vault address URL contained the word "hashicorp".
  • Developer Experience and Integrations(DAT-22782) Fixed an inconsistency where the Maven status command ignored -Dliquibase.verbose=false and always displayed the full verbose changeset list, unlike the CLI which correctly suppressed verbose output. This caused unnecessarily noisy output in Maven-based CI/CD pipelines.
  • Developer Experience and Integrations(SECURE-74) Spring Boot users can now add their Liquibase license key to liquibase.properties using liquibase.licenseKey=... instead of requiring it separately in application.properties as spring.liquibase.license-key, enabling a single defaults file to be shared across CLI, CI/CD, and Spring Boot deployments.
  • Reporting Infrastructure(INT-1805, INT-1986, INT-1845) Fixed Snowflake drift reports that listed each changed table, view, or FileFormat object three times, so each changed object now appears once with a human-readable label, matching the behavior on other database platforms.
  • Reporting Infrastructure(DAT-19471) Added --count and field filter parameters to the history and dbcl-history commands, so users can limit and filter output from the DATABASECHANGELOG and DATABASECHANGELOGHISTORY tables without reviewing all historical entries.
  • Reporting Infrastructure(DAT-22330) Fixed a NullPointerException that caused formatted diff reports to fail on large Oracle databases with complex schemas containing changed objects.
  • Reporting Infrastructure(DAT-21660) Fixed HTML Operation Reports uploaded to S3 being assigned application/octet-stream Content-Type, which forced browsers to download reports instead of rendering them inline, degrading the CI/CD review workflow.
  • Reporting InfrastructureBigQuery(INT-1798) Liquibase now correctly handles project ID differences when comparing BigQuery objects across catalogs, so your drift reports no longer flag pre-existing objects as changed when the only difference is the project ID embedded in their definitions.
  • Performance and Stability(DAT-22307) Improved snapshot performance by up to 3x for large schemas, reducing snapshot time from over 8 minutes to under 3 minutes for schemas with 150,000 or more database objects.
  • Performance and Stability(DAT-22894) Improved BigQuery update performance by up to 65%.
  • Performance and Stability(DAT-22949) Improved deployment performance on BigQuery and Databricks by up to 24%.
  • Performance and Stability(DAT-21344) Fixed a regression introduced in 5.0 where tableExists preconditions triggered a full database snapshot on each evaluation instead of using a cached result, causing deployment time to increase by tens of seconds per precondition on high-latency databases.
  • Performance and Stability(DAT-22284) Fixed an OutOfMemoryError that caused diff operations against large offline JSON snapshots to crash, regardless of available heap size.
  • Performance and Stability(DAT-22285) Fixed an OutOfMemoryError that caused drift report generation to crash on large schemas; drift reports now generate a summary when the number of changed objects exceeds the configurable liquibase.reports.drift.maxDetailedObjects threshold (default: 10,000) instead of attempting full detail and crashing.
  • Performance and Stability(DAT-22388) Fixed an OutOfMemoryError that occurred when deploying SQL scripts with large numbers of INSERT statements.
  • Performance and Stability(SECURE-144) Improved performance for Liquibase Pro users running policy checks or SQL-parsing-heavy operations, reducing CPU usage by approximately 45% on large SQL files.
  • License Tracking(DAT-22478, DAT-22479, DAT-22480, DAT-22481, DAT-22483, DAT-22484, DAT-22485, DAT-22486, DAT-22487, DAT-22488, DAT-22491, DAT-22492, DAT-22493, DAT-22482, DAT-21563) Updated unique target detection for all supported database platforms so License Tracking reports now accurately reflect the total number of unique targets for active licenses.
  • License Tracking(DAT-19800, DAT-19801, DAT-19802, DAT-19994) Fixed multiple issues where License Tracking reports showed incomplete or missing database identification for BigQuery, DB2 LUW, MongoDB, and Snowflake, so all databases are now accurately identified in the report.
  • License Tracking(DAT-20125) Fixed an issue where Snowflake connections without a database specified were counted as a licensed target, so connections that cannot be resolved to a specific database no longer consume a license slot.
  • License Tracking(DAT-22461) Fixed the LLT report.sh script writing all output files with a .txt extension regardless of selected format, so CSV reports now open in spreadsheet tools, HTML reports render in browsers, and JSON reports parse with downstream tooling — eliminating manual rename steps and silently broken CI/CD upload pipelines that filter by extension.
  • License Tracking(SECURE-38): Fixed an issue where the full license key was exposed in plain text in console and CI/CD log output at the default log level when License Tracking was enabled, so the key is now masked in all log output.
  • License Tracking(SECURE-129): Restored the error message when License Tracking is enabled and --license-tracking-url points to a server that returns a non-200 HTTP response.