@dependabot dependabot bot commented on behalf of github Oct 1, 2025

Bumps org.liquibase:liquibase-core from 4.33.0 to 5.0.0.

Release notes

Sourced from org.liquibase:liquibase-core's releases.

Liquibase v5.0.0

Liquibase Community 5.0 is a major release

See the Liquibase Community 5.0 Release Notes for the complete set of release information.

⚠️ MAJOR CHANGES IN COMMUNITY AND COMMERCIAL DISTRIBUTIONS

Liquibase is evolving to better serve both open-source contributors and enterprise customers by introducing a clearer separation between its open source Community and the commercial Secure offering. This change is designed to ensure that each distribution is optimized for its respective users: providing open-source Community users with flexibility and control, while delivering scalability, reliability, and governance for Secure enterprise teams. The changes provide Liquibase Secure customers:

  • Developer Productivity. Enable developers with autonomy and guardrails built directly into their daily workflow.
  • Secure Automation. Embed governance, security, and compliance into every change automatically.
  • Change Insights. Deliver audit-ready visibility so every change is trusted, explainable, and observable.

The new structure enables Liquibase to more effectively support developers at all stages—from experimentation and community collaboration to mission-critical deployments. Therefore, starting with this Liquibase 5.0 release, only the open source Community distribution is available at the traditional GitHub, Docker, and Maven access channels.

If you need the Secure commercial offering, please visit Liquibase.com

Liquibase Community Licensing Change

Additionally, Liquibase Community is now licensed under the Functional Source License (FSL). See LICENSE file at the root of the distribution for details. Starting with Liquibase 5.0, contributors will be asked to sign a one-time Contributor License Agreement (CLA). This is handled automatically by CLA Assistant when you open your first pull request.

Liquibase 5.0 Community Release Notable Changes

Liquibase Package Manager (LPM) integrated to enable users to install, update, and manage their dependencies

  • The open source Liquibase Community 5.0 ships without extensions, drivers, and many other packages and dependencies. This change provides a much lighter, modular, and customizable Liquibase experience for Community users. Importantly, this flexibility both allows and requires users to manage their Liquibase dependencies for their specific needs.
  • Liquibase Package Manager is now integrated and available for use directly from within the Community CLI experience with a new liquibase lpm command as the preferred method for managing dependencies.
  • Learn more at the LPM README

Liquibase Community 5.0+ ships with the Functional Source License (FSL)

  • "The Functional Source License (FSL) is a Fair Source license that converts to Apache 2.0 or MIT after two years. It is designed for SaaS companies that value both user freedom and developer sustainability. FSL provides everything a developer needs to use and learn from your software without harmful free-riding."
  • Learn more at https://fsl.software/

SnowFlake JDBC Driver CVE Fix

  • Liquibase 5.0 patches a vulnerability found in the Snowflake JDBC driver (CVE-2025-24789) and resolves an issue with logicalfilepath reported in 4.31.0. Note: Neither open source Community nor the commercial Secure products were affected by this CVE.

Dropped support for Java 8 and Java 11

  • The minimal Java dependency for Liquibase 5.0+ is Java 17. This update enables Liquibase to build, test, and ship with modern and more secure dependencies.

ValueDate Checksum bug fix

  • In the last release, an issue was introduced by a change in how valueDate was calculated and incorporated into the checksum calculations. This issue has been fixed by ensuring that rawDateValue is excluded from checksum calculations.
  • (#7101) fix: prevent rawDateValue from being used for checksum calculations @filipelautert

Changelog of Community PRs

🚀 New Features

... (truncated)

Changelog

Sourced from org.liquibase:liquibase-core's changelog.

Liquibase Core Changelog

Changes in version 4.33.0 (2025.07.09)

Commits
  • d6e2ccb Update readme with license information (#7308)
  • 4e96db3 Renamed GETTING_STARTED.TXT to GETTING_STARTED.txt (#7306)
  • 27044f5 DAT-20859 Secure: README.txt "What Was Installed" section does not match actu...
  • 5e0ff0e Merge remote-tracking branch 'origin/master' into release
  • bcb4425 feat: add dbchangelog-5.0.xsd schema definition (#7304)
  • 8646a29 Updated the links (#7303)
  • 50560c3 Updated changelog.txt (#7300)
  • d4bad5e chore(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 in t...
  • 5bdfec6 chore(deps-dev): bump the build-tools group with 2 updates (#7302)
  • 80fb87f Update messaging for Pro commands in the Liquibase OSS distribution (#7298)
  • Additional commits viewable in compare view


Bumps [org.liquibase:liquibase-core](https://github.com/liquibase/liquibase) from 4.33.0 to 5.0.0.
- [Release notes](https://github.com/liquibase/liquibase/releases)
- [Changelog](https://github.com/liquibase/liquibase/blob/master/changelog.txt)
- [Commits](liquibase/liquibase@v4.33.0...v5.0.0)

---
updated-dependencies:
- dependency-name: org.liquibase:liquibase-core
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Oct 1, 2025
@kinow kinow merged commit f7863b3 into main Oct 1, 2025
5 checks passed
@kinow kinow deleted the dependabot/maven/org.liquibase-liquibase-core-5.0.0 branch October 1, 2025 05:46