Skip to content

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 6, 2025

Bumps org.liquibase:liquibase-core from 4.31.1 to 5.0.1.

Release notes

Sourced from org.liquibase:liquibase-core's releases.

Liquibase v5.0.1

Liquibase Community 5.0.1 is a minor patch release

See the Liquibase Community 5.0.1 Release Notes for the complete set of release information.

License corrections for Maven

The license block for Maven users has been corrected to use the Functional Source License (FSL).

Changelog

-[(#7350) Update licensing and documentation for OSS distribution](liquibase/liquibase#7350) by @​filipelautert

Full Changelog: v5.0.0...v5.0.1

Liquibase v5.0.0

Liquibase Community 5.0 is a major release

See the Liquibase Community 5.0 Release Notes for the complete set of release information.

⚠️ MAJOR CHANGES IN COMMUNITY AND COMMERCIAL DISTRIBUTIONS

Liquibase is evolving to better serve both open-source contributors and enterprise customers by introducing a clearer separation between its open source Community and the commercial Secure offering. This change is designed to ensure that each distribution is optimized for its respective users: providing open-source Community users with flexibility and control, while delivering scalability, reliability, and governance for Secure enterprise teams. The changes provide Liquibase Secure customers:

  • Developer Productivity. Enable developers with autonomy and guardrails built directly into their daily workflow.
  • Secure Automation. Embed governance, security, and compliance into every change automatically.
  • Change Insights. Deliver audit-ready visibility so every change is trusted, explainable, and observable.

The new structure enables Liquibase to more effectively support developers at all stages—from experimentation and community collaboration to mission-critical deployments. Therefore, starting with this Liquibase 5.0 release, only the open source Community distribution is available at the traditional Github, Docker, and Maven access channels.

If you need the Secure commercial offering, please visit Liquibase.com

Liquibase Community Licensing Change

Additionally, Liquibase Community is now licensed under the Functional Source License (FSL). See LICENSE file at the root of the distribution for details. Starting with Liquibase 5.0, contributors will be asked to sign a one-time Contributor License Agreement (CLA). This is handled automatically by CLA Assistant when you open your first pull request.

Liquibase 5.0 Community Release Notable Changes

Liquibase Package Manager (LPM) integrated to enable users to install, update, and manage their dependencies

  • The open source Liquibase Community 5.0 ships without extensions, drivers, and many other packages and dependencies. This change provides a much lighter, modular, and customizable Liquibase experience for Community users. Importantly, this flexibility both allows and requires users to manage their Liquibase dependencies for their specific needs.
  • Liquibase Package Manager is now integrated and available for use directly from within the Community CLI experience with a new liquibase lpm command as the preferred method for managing dependencies.
  • Learn more at the LPM README

Liquibase Community 5.0+ ships with the Functional Source License (FSL)

  • "The Functional Source License (FSL) is a Fair Source license that converts to Apache 2.0 or MIT after two years. It is designed for SaaS companies that value both user freedom and developer sustainability. FSL provides everything a developer needs to use and learn from your software without harmful free-riding."
  • Learn more at https://fsl.software/

SnowFlake JDBC Driver CVE Fix

  • Liquibase 5.0 patches a vulnerability found in Snowflake JDBC driver (CVE-2025-24789) and resolves issue with logicalfilepath reported in 4.31.0. Note: Neither open source Community nor the commercial Secure products were affected by this CVE.

... (truncated)

Changelog

Sourced from org.liquibase:liquibase-core's changelog.

Liquibase Core Changelog

Changes in version 4.33.0 (2025.07.09)

Liquibase 4.33.0 is a major release

Liquibase 4.33.0 delivers important updates across Policy Checks, Change Automation, and other areas of platform enhancement, along with critical bug fixes and improvements to MongoDB, PostgreSQL, and DB2 on Z/OS support. See the Liquibase 4.33.0 Release Notes for the complete set of release information.

Notable Changes

[PRO]

Change Automation

  • PostgreSQL Composite TYPE Support in Database Inspection. Liquibase Pro now includes support for inspecting PostgreSQL Composite TYPE objects during database inspection operations such as snapshot and diff. This enhancement ensures Composite TYPEs appear in inspection outputs, helping users manage and track changes to complex data structures more effectively. [INT-1249] [INT-135]
  • PostgreSQL Composite TYPE Support in generate-changelog and diff-changelog. Liquibase Pro now includes support for detecting PostgreSQL composite TYPE objects during generate-changelog and diff-changelog operations. This enhancement ensures that composite TYPE definitions—used to group multiple fields into a custom data structure—are captured and modeled alongside other schema elements, helping users manage and track changes more comprehensively. [INT-1251]
  • PostgreSQL Password Escaping Enhancement. Liquibase now escapes special characters in PostgreSQL passwords when using the psql native executor. Previously, if a password included characters requiring percent-encoding (such as @, %, or #), the executor would fail with a psql: error: invalid percent-encoded token message. [DAT-20254]
  • Db2 on Z/OS JCL Executor. Liquibase Pro now includes the ability to submit JCL jobs to the mainframe via Db2 DSNUTILU stored procedure. This enables users to automate more sophisticated procedures by integrating system level activities and database activities in a standard changelog format. This feature is enabled by a runwith:JCL decoration on applicable changesets containing properly formatted JCL.[INT-573, INT-1217]
  • Improved Persistent Spool File Behavior for SQLPlus Executor. The SQLPlus executor ensures that spool files are always retained when --sqlplus-create-spool=true, giving users consistent access to output files. Previously, spool file retention was tied to the --sqlplus-keep-temp setting; now, this setting applies only to temporary SQL files, not spool files. This decoupling improves clarity and gives users more control—if a spool file is created, it will remain unless users opt out by setting --sqlplus-create-spool=false. [DAT-18983]

Policy Checks

  • MongoChangetypeAttributes Policy Check. Introduced a new quality check named MongoChangetypeAttributes that allows users to enforce specific values or patterns for attributes within MongoDB-specific changetypes. Users can select a single Mongo changetype (e.g., createIndex, dropCollection) and specify expected values or patterns for its attributes. The check triggers if a specified attribute is present but does not match the defined value or regex—ensuring consistent standards across Mongo changesets. This supports validation across key changetypes attributes like adminCommand, createCollection, insertOne, and more, and enhances control and quality enforcement in MongoDB deployment pipelines. [DAT-18275]

[OSS]

Important dependency updates

  • Liquibase OSS 4.33+ has Java 24 core build support.
  • The liquibase-cdi and liquibase-cdi-jakarta modules are still supported, but have been removed from the OSS distribution to their own repositories.

️[PRO] and [OSS] Upcoming Change in Distributions

Liquibase is evolving to better serve both open-source contributors and enterprise customers by introducing a clearer separation between its Open Source (OSS) and PRO offerings. This change is designed to ensure that each distribution is optimized for its respective users—providing open-source users with flexibility and control, while delivering scalability, reliability, and governance for enterprise teams. The new structure enables Liquibase to more effectively support developers at all stages—from experimentation and community collaboration to mission-critical deployments. Liquibase 4.32.0 introduced the first general availability (GA) release of independently packaged Pro distributions, along with dedicated distribution channels and key-based access enforcement for Pro capabilities. This marks a significant step toward delivering a curated, enterprise-grade experience for Pro users. The OSS distribution and its delivery channels remain unchanged in this phase.

PRO PRs

New Features

... (truncated)

Commits
  • 06b9ef9 Update changelog for version 5.0.1 release
  • 3bb6b5a Update changelog for Liquibase Community 5.0.1 release and correct Maven lice...
  • 3247cb1 Update license names in POM files to reflect FSL-1.1-ALv2 using SPDIX format
  • 788da81 Update license information in README to reflect Functional Source License
  • 5ec0f6d Handle spaces in the Java version check
  • db577f4 DAT-20879 (#7351)
  • c5fbb43 Update licensing and documentation for OSS distribution (#7350)
  • bcd8e5b chore: update LICENSE to Functional Source License, Version 1.1
  • 4386ac1 DAT-20868 DevOps :: OSS: failure on javadocs and xsds (#7315)
  • d6e2ccb Update readme with license information (#7308)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.liquibase:liquibase-core](https://github.com/liquibase/liquibase) from 4.31.1 to 5.0.1.
- [Release notes](https://github.com/liquibase/liquibase/releases)
- [Changelog](https://github.com/liquibase/liquibase/blob/master/changelog.txt)
- [Commits](liquibase/liquibase@v4.31.1...v5.0.1)

---
updated-dependencies:
- dependency-name: org.liquibase:liquibase-core
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the kind/dependency-update Update one of dependencies label Oct 6, 2025
@dependabot dependabot bot requested a review from php-coder as a code owner October 6, 2025 01:08
@dependabot dependabot bot added the kind/dependency-update Update one of dependencies label Oct 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/dependency-update Update one of dependencies
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant