Liquibase Secure Developer Extension Release Notes 1.2.0

Overview

The 1.2.0 release focuses on bug fixes and minor quality improvements, and patches a CVE. It improves the user experience for file creation and flow commands and the handling of Defaults Files, enables the use of JAVA_OPTS to run commands, and includes multiple minor bug fixes.

Security Vulnerability Fix

A security vulnerability has been patched in Liquibase Secure Developer 1.2 to address CVE-2025-65945.

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

CVE ID: CVE-2025-65945

Security Score: CVSS 7.5 High

Library and Impact Assessment

Description: The auth0/node-jws library, a JSON Web Signature implementation for Node.js, has an improper signature verification vulnerability when using the HS256 algorithm. In versions 3.2.2 and earlier, and version 4.0.0, applications using the jws.createVerify() function for HMAC algorithms that also use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines may be vulnerable to signature verification bypass.

Attack Vector: Network

Impact: Integrity compromise - The vulnerability allows attackers to bypass signature verification, enabling them to forge JWTs that the application accepts as valid. This is classified as CWE-347 (Improper Verification of Cryptographic Signature).

Weakness: CWE-44 (Path Equivalence)

KEV Status: Yes (Known Exploited Vulnerability)

Exploitability: Network-based, no privileges required, no user interaction needed.

Applications are affected only if they meet ALL of the following conditions:

  • Use auth0/node-jws versions ≤3.2.2 or 4.0.0

  • Use the jws.createVerify() function for HMAC algorithms

  • Use user-provided data from the JWS Protected Header or Payload in HMAC secret lookup routines

Available Patched Versions: jws 3.2.3, jws 4.0.1

Required Action: Upgrade to Liquibase Secure Developer VS Code Extension version 1.2.0 or later to eliminate scanner alerts. No immediate security action is required.

Customer impact: NOT EXPLOITABLE

The Liquibase Secure Developer VS Code Extension is a local desktop plugin with no network-facing services. The CVE-2025-65945 attack vector requires network-based access to a JWT verification endpoint, which does not exist in this extension. The dependency has been upgraded as a precautionary measure to eliminate scanner alerts.
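
A dependency check for the affected versions listed above, as an added example that is not part of the Liquibase release notes or the extension's code: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and classifies every installed copy of `jws`, including nested ones. The sample lockfile and all package names in it other than `jws` are constructed.

```javascript
// Added example: classify installed jws copies against the versions listed above.
// Affected: <= 3.2.2, or exactly 4.0.0. Patched: 3.2.3 and 4.0.1.

// Parse a plain "x.y.z" version; anything else (tags, pre-releases) yields null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "patched", or "unknown" (unparseable version string).
function classifyJws(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  if (compareVersions(v, [3, 2, 2]) <= 0) return "affected";
  if (compareVersions(v, [4, 0, 0]) === 0) return "affected";
  return "patched";
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3); keys are
// install paths, so nested copies such as "node_modules/a/node_modules/jws" count.
function findJws(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === "node_modules/jws" || p.endsWith("/node_modules/jws"))
    .map(([p, meta]) => ({ path: p, version: meta.version, status: classifyJws(meta.version) }));
}

// Constructed sample lockfile; every package name except jws is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-extension", version: "0.0.0" },
    "node_modules/jws": { version: "3.2.3" },
    "node_modules/example-auth/node_modules/jws": { version: "4.0.0" },
    "node_modules/example-legacy/node_modules/jws": { version: "3.2.2" },
    "node_modules/not-jws": { version: "1.0.0" },
  },
};

for (const f of findJws(SAMPLE_LOCK)) console.log(`${f.status}\t${f.version}\t${f.path}`);
```

An "affected" result only means the installed version is in the vulnerable range; whether it matters still depends on the usage conditions listed above.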

Improvements

Liquibase Secure Developer 1.2 lets users set `JAVA_OPTS` properties and values for commands invoked from within the IDE extension. This release also improves the repeated creation of flow files and support files (such as liquibase.flowvariables.yaml, liquibase.advanced.flowfile.yaml, liquibase.endstage.flow) by consistently incrementing all related files generated from within the IDE. Finally, the ability to edit “unregistered” defaults files allows users to test one-off property file configurations before committing to using these files as the default properties file.

  • Add ability to set/use JAVA_OPTS to run commands from Secure Developer [#318] by @RomanDeveloperAcc

  • Flow file advanced: Support files do not follow the name pattern provided by the user. When run repeatedly, then the main flow file references correctly incremented support files. [#341] by @RomanDeveloperAcc

  • Improve "Edit existing Defaults File" with the ability to choose unregistered defaults file to edit [#344] by @RomanDeveloperAcc

Bug Fixes

Multiple minor bugs and quality of life improvements are included in this Liquibase Secure Developer 1.2 release:

  • Unchecking SAVE option does not remove SAVED settings [#361]

  • Init project format setting is not preselected in dropdown when liquibase.command.init.project.format is configured [#363]

  • -Rollback button name starts with the lower case in "I understand the risks" dialog [#356]

  • “Turn off/on specific checks” from the right-click menu fails [#349]

  • 'Get Help' commands don't start with 'Liquibase' [#333]

  • Update defaults tests like to fail for some reason. Increase timeouts [#343]

  • 'Rollback-one-update' requires deploymentID [#336]

  • rollback-to-date-sql auto fills with the current date, but should not [#326]

  • Diff-types selections aren't preserved [#314]

  • Generated changesets contain an empty "rollback" object [#311]

Dependency Bumps

  • Bump Liquibase Secure Developer version from 1.1.0 to 1.2.0 [#371]

  • Bump glob [#325]

  • chore(deps-dev): bump vscode-extension-tester from 8.17.0 to 8.19.0 [#274]

  • chore(deps-dev): bump vite from 5.4.20 to 5.4.21 in /webview-ui [#275]

  • chore(deps-dev): bump @types/node from 24.4.0 to 24.9.1 [#283]

  • Bump jws from 3.2.2 to 3.2.3 [#355]

Contributors

Special thanks to all contributors who made this release possible:  

  • @RomanDeveloperAcc  

  • @filipelautert

  • @TymofiiKritsak

Getting Started

To get started with the Liquibase VS Code Extension: Install and configure the Liquibase Secure Developer VS Code Extension

Full Changelog: https://github.com/liquibase/liquibase-vscode/compare/v1.1.0...v1.2.0