Bump org.liquibase:liquibase-core from 5.0.2 to 5.0.3

[dependabot]

Bumps org.liquibase:liquibase-core from 5.0.2 to 5.0.3.

Release notes

Sourced from org.liquibase:liquibase-core's releases.

Liquibase v5.0.3

Liquibase Community 5.0.3 Release Notes

Liquibase Community v5.0.3 is a focused release: two security fixes, a handful of database-specific bug fixes across Oracle, PostgreSQL, and MSSQL, and a thread safety improvement for teams running Liquibase in multitenant environments. Thanks to the ten community contributors who made it happen!

Latest release: v5.0.3, May 15, 2026: https://www.liquibase.com/download-community
Nightly builds: Updated automatically after each successful test run on main: https://github.com/liquibase/liquibase/releases/tag/nightly
Next planned release: August 20, 2026
Roadmap: Liquibase Community (view)

Thank you to every contributor who filed an issue, reviewed code, or submitted a fix. Your work makes each Liquibase Community release stronger than the last.

---

What's in this release

Security

(#7689) by @​abrackxInput sanitization for generate-changelog: Closes two reported vulnerabilities.

Thanks to @​FORIMOC, @​Yuremin, and @​invoke1442 for the reports.

Notable improvements

(#7647) by @​harsh-kaushal PostgreSQL: Sequence discovery is more accurate: The sequence metadata query now uses a LEFT JOIN instead of NOT IN, improving handling of SERIAL and IDENTITY columns in complex ownership scenarios. Note: columns decoupled from their sequence after creation may still appear as autoIncrement="true" in generated changelogs. A follow-up fix is tracked separately.

(#1944) by @​MatrixDai MSSQL: systranschemas excluded from diff output: This system view was being flagged as a missing or unexpected table during diff. It's now correctly treated as a system object and filtered out.

(#7674) by @​andrewcedgar perf: cache ranChangeSets lookup in SqlChangeLogParser.generateId: Performance improvements in SqlChangeLogParser by building the lookup once per Database as a Map<changeLog, interimId> and reuse it for every subsequent file. Total work becomes O(M+N) and the per-file cost returns to ~O(1).

(#7674) by @​andrewcedgar Fixed a performance regression that caused SQL changelog parsing to slow significantly on large projects

SQL changelog parsing became significantly slower starting in 4.32.0. On projects with thousands of SQL changelog files and a large DATABASECHANGELOG history, parse time could increase from roughly 3 minutes to over 15 minutes compared to 4.31.1. This is a performance-only fix, your changelogs will parse and execute exactly as before, just faster.

Users with large SQL changelog sets should see parse times return to pre-4.32.0 levels after upgrading.

New parameter: --diff-column-default-value-constraint-name: Set to false to ignore auto-generated constraint names on column defaults during diff. Prevents false diffs in SQL Server environments where default value constraints are named differently across databases. Default: true.

Fixes

(#7660) by @​sayaliM0412 Default branch is now main: Development snapshots are now published as main-SNAPSHOT; contributors should target main for new pull requests.

(#1964, #7680) by @​MatrixDai and @​wwillard7800 Improved handling of MSSQL view definitions across two fixes: false positive diffs from inconsistent SQL Server version formatting are resolved, and schema qualifiers are now correctly preserved in generated changelogs.

• (#1964) In Microsoft SQL Server, Liquibase incorrectly reported views as changed when comparing two databases, even when the view definitions were identical. This occurred because different SQL Server versions format view definitions differently (with or without schema prefixes and brackets). Liquibase now normalizes view definitions before comparing them, eliminating false positives in diff output.
• (#7680) Continued improvement from the initial #1964: generate-changelog now correctly preserves schema qualifiers in MSSQL view definitions. View definitions are now normalized only during comparison, so diffs remain accurate and generated changelogs retain the original [schema].[view] qualifier.

(#7603) by @​filipelautert DATABASECHANGELOGLOCK hanging on multithreaded services: A failed cleanup left recycled threads in pooled environments in an incorrect locked state, causing unexpected errors during subsequent operations. Liquibase now correctly cleans up lock state after a command finishes, even if an error occurs during cleanup. This prevents unexpected lock errors on subsequent operations in environments that reuse threads, such as connection pools.

(#7488) by @​MalloD12 PostgreSQL with PgBouncer: fixed leaks in transaction pooling mode:

... (truncated)

Changelog

Sourced from org.liquibase:liquibase-core's changelog.

Liquibase Community 5.0.3 is a minor patch release

See the Liquibase Community 5.0.3 Release Notes for the complete set of release information.

New Features

• (#7674) perf: cache ranChangeSets lookup in SqlChangeLogParser.generateId @​andrewcedgar
• (#7660) [DAT-22091] Migrate default branch from master to main @​sayaliM0412
• (#1964) MSSQL exclude schema name when diff view definition @​MatrixDai
• (#7603) fix: make LockServiceCommandStep.isDBLocked thread-safe @​filipelautert
• (#1944) Exclude system table systranschemas for mssql diff @​MatrixDai
• (#7647) Use LEFT JOIN instead of NOT IN for PostgreSQL sequence dependency detection @​harsh-kaushal
• (#7639) DAT-22653: update GHA workflows and functionality @​sayaliM0412
• (#7618) DAT-22530: update GitHub Actions to use latest versions of actions @​sayaliM0412
• (#7610) chore(deps): upgrade testcontainers to 2.0.3 @​filipelautert

Bug Fixes

• (#7680) fix(mssql): preserve schema prefix in view definitions during generate-changelog @​wwillard7800
• (#7689) DAT-22984/DAT-29985: Sanitize table names when saving files. Escape column-name list when running generate changelog @​abrackx
• (#7488) SEARCH_PATH setup as LOCAL for Postgres @​MalloD12
• (#7659) fix: OracleDatabase.correctObjectName() no longer mangles column names starting with "int" @​filipelautert
• (#7642) fix: escape mentions and special chars in release notes @​filipelautert
• (#7646) Discover custom LogService before configuration init @​filipelautert
• (#7500) Issue-7461 :: diff-changelog dropps now the expected constraint @​MalloD12
• (#7542) fix: Capture float precision again on Oracle DBs @​marchof

Security, Driver and Other Updates

• (#7716) fix(ci): skip release-docker on dry-run @​jandroav
• (#7715) feat(docker-scan): persist main HEAD scan to scan-results branch [TECHOPS-408] @​jandroav
• (#7714) TECHOPS-432: add docker/.trivyignore to suppress SNAPSHOT-version false positive @​jandroav
• (#7712) TECHOPS-427: bump LPM_VERSION 0.3.3 -> 0.3.4 to clear 5 Go stdlib HIGH CVEs @​sayaliM0412
• (#7702) fix(TECHOPS-417): propagate packages: write to nested docker workflows @​sayaliM0412
• (#7596) Update README.md @​mnovotnyLB
• (#7591) DAT-22396: fix approvers and skip completed orchestrator jobs for v5.0.2 recovery @​jnewton03
• (#7590) DAT-22396: temp skip completed jobs for v5.0.2 recovery @​jnewton03
• (#7588) DAT-22397:fix: update approvers list for manual deployment approval @​sayaliM0412
• (#7699) chore(deps-dev): bump net.snowflake:snowflake-jdbc from 4.1.0 to 4.2.0 in the build-tools group @dependabot[bot]
• (#7695) chore(deps): bump the test-deps group with 2 updates @dependabot[bot]
• (#7688) chore(deps-dev): bump the production-deps group across 1 directory with 2 updates @dependabot[bot]
• (#7691) chore(deps-dev): bump org.xerial:sqlite-jdbc from 3.53.0.0 to 3.53.1.0 in the build-tools group across 1 directory @dependabot[bot]
• (#7692) fix(TECHOPS-365): pin docker base image to temurin:21-jre-noble @​sayaliM0412
• (#7662) chore(deps): bump targetMavenVersion from 3.9.14 to 3.9.15 @dependabot[bot]
• (#7664) chore(deps): bump the production-deps group across 1 directory with 6 updates @dependabot[bot]
• (#7670) chore(deps): bump org.testcontainers:testcontainers-bom from 2.0.4 to 2.0.5 @dependabot[bot]
• (#7671) chore(deps): bump org.projectlombok:lombok from 1.18.44 to 1.18.46 @dependabot[bot]
• (#7672) chore(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 @dependabot[bot]
• (#7677) chore(deps): bump eclipse-temurin from 21-jre-noble to 25-jre-noble in /docker @dependabot[bot]
• (#7678) chore(deps): bump the github-actions group across 1 directory with 5 updates @dependabot[bot]
• (#7681) chore(deps-dev): bump the build-tools group across 1 directory with 3 updates @dependabot[bot]
• (#7658) chore(deps): bump the production-deps group across 1 directory with 8 updates @dependabot[bot]
• (#7636) chore(deps): bump javax.servlet:javax.servlet-api from 3.1.0 to 4.0.1 @dependabot[bot]
• (#7652) chore(deps): bump jakarta.servlet:jakarta.servlet-api from 5.0.0 to 6.0.0 @dependabot[bot]

... (truncated)

Commits

• 4d815ea Guard SqlChangeLogParser.generateId against null DB connection (#7719)
• 8d0930a Update changelog.txt for 5.0.3 (#7720)
• 1873538 fix(ci): skip release-docker on dry-run (#7716)
• b15d1bc fix(docker-scan): wrap downloaded artifact in expected subdir [TECHOPS-408]
• ed1f6d7 feat(docker-scan): persist main HEAD scan to scan-results branch [TECHOPS-408...
• 4467344 TECHOPS-432: add docker/.trivyignore to suppress SNAPSHOT-version false posit...
• 99b99cf TECHOPS-431: add build-qa-docker.yml for community + alpine QA images (#7713)
• 02e9e1b TECHOPS-427: bump LPM_VERSION 0.3.3 → 0.3.4 to clear 5 Go stdlib HIGH CVEs (#...
• dda3db6 fix(DAT-22091): retarget docker-release.yml checkout from master to main (#7710)
• ff5c1e9 fix(TECHOPS-417): propagate contents: write to nested docker workflows (#7709)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)