Files in v2.5.0

  • README.md (modified 2025-07-20, 5.6 kB)
  • v2.5.0 - Major library updates source code.tar.gz (modified 2025-07-20, 3.0 MB)
  • v2.5.0 - Major library updates source code.zip (modified 2025-07-20, 4.5 MB)

Totals: 3 items, 7.5 MB, 0 downloads / week

Overview

This release updates dbatools to use the new dbatools.library v2025.7.19 and includes significant improvements to CI/CD workflows and assembly management, which will make quickly addressing library dependency vulnerabilities a whole lot easier.

This release should resolve a lot of the issues we have all run into with connecting to SQL Server 2022. Newer (but not too newer) .NET versions are now required. The dbatools.library will now be pretty big because I'm including complete packages (like dac) for each OS, without trimming it. The previous trims I did kept the library small but it also kept me from releasing library updates as regularly as I'd like because it made everything hard. So, we're now at about 250 MB for all the assemblies from Microsoft that we need to cover as many platforms as possible.

Thanks a hell of a lot to @niphlod who helped get this version update in motion.

Major Changes

📚 Library Update

  • Updated dbatools.library dependency to v2025.7.19-preview-freshold-20250719213145
  • Added centralized version management via .github/dbatools-library-version.json
  • Implemented dynamic library installation script for both stable and preview versions

🔒 Security Improvements

By updating to dbatools.library v2025.7.19, this PR addresses significant security vulnerabilities:

Critical Vulnerabilities Resolved

  • CVE-2017-0160 (CVSS 10.0): .NET Framework remote code execution
  • CVE-2018-8284 (CVSS 9.8): .NET Framework remote code execution
  • CVE-2019-0613: .NET Framework XML parsing remote code execution
  • CVE-2020-0646: .NET Framework input validation remote code execution
  • CVE-2024-35264: Kestrel HTTP/3 data corruption remote code execution
  • CVE-2024-30045: .NET Double Parse buffer overrun remote code execution

High Severity Vulnerabilities Resolved

  • CVE-2024-0056 (CVSS 8.7): SQL client information disclosure via AiTM attacks
  • CVE-2023-28260 (CVSS 7.8): .NET DLL hijacking vulnerability
  • CVE-2023-36049: .NET FTP command injection elevation of privilege
  • CVE-2024-38229: HTTP/3 use-after-free remote code execution
  • CVE-2023-44487: HTTP/2 "Rapid Reset" denial of service
  • CVE-2024-43485: System.Text.Json algorithmic complexity DoS

Medium Severity Vulnerabilities Resolved

  • CVE-2023-36013 (CVSS 6.5): PowerShell Web cmdlets information disclosure
  • CVE-2024-0057: X.509 certificate validation bypass
  • CVE-2023-36558: Blazor server form validation bypass
  • CVE-2024-21319: JWT authentication memory exhaustion
  • CVE-2024-21386: SignalR server denial of service
  • CVE-2024-38095: ASN.1 parsing excessive CPU consumption

Security Enhancements

  • Assembly loading improvements prevent DLL hijacking attacks
  • SQL connections now use encrypted connections by default (via DacFx)
  • Enhanced credential management with Azure token support
  • Improved certificate validation logic
  • Removed hardcoded paths that could be exploited

Security Impact: This update resolves 30+ CVEs across all dependencies, including 6 Critical, 12 High, and 12+ Medium severity vulnerabilities.
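
One way to check the assembly-loading claim above and the checklist item "Assembly loading diagnostics show correct versions", as an added example that is not part of these release notes or of dbatools: it lists the SQL-related assemblies loaded in the current session and flags any that did not come from the dbatools.library module directory. The function name Get-LoadedAssemblyOrigin and the assembly name pattern are assumptions made for this example.

```powershell
# Added example, not part of dbatools: show where SQL-related assemblies loaded from.
function Get-LoadedAssemblyOrigin {
    [CmdletBinding()]
    param(
        # Directory the assemblies are expected to load from.
        [Parameter(Mandatory)]
        [string]$TrustedRoot,
        # Assumption: name pattern covering the assemblies of interest.
        [string]$NamePattern = '^Microsoft\.(Data\.SqlClient|SqlServer\.)'
    )
    # $IsWindows does not exist on Windows PowerShell 5.1 (Desktop edition).
    $onWindows = ($PSVersionTable.PSEdition -eq 'Desktop') -or $IsWindows
    $cmp = [System.StringComparison]::Ordinal
    if ($onWindows) { $cmp = [System.StringComparison]::OrdinalIgnoreCase }
    $sep  = [System.IO.Path]::DirectorySeparatorChar
    $root = [System.IO.Path]::GetFullPath($TrustedRoot).TrimEnd($sep) + $sep

    foreach ($asm in [System.AppDomain]::CurrentDomain.GetAssemblies()) {
        $name = $asm.GetName()
        if ($asm.IsDynamic -or $name.Name -notmatch $NamePattern) { continue }
        $path   = $asm.Location   # empty when loaded from a byte array
        $inRoot = $false
        $sig    = 'n/a'
        if ($path) {
            $inRoot = [System.IO.Path]::GetFullPath($path).StartsWith($root, $cmp)
            # Get-AuthenticodeSignature is only available on Windows.
            if ($onWindows) {
                $sig = [string](Get-AuthenticodeSignature -FilePath $path).Status
            }
        }
        [pscustomobject]@{
            Name          = $name.Name
            Version       = $name.Version
            InTrustedRoot = $inRoot
            Signature     = $sig
            Location      = $path
        }
    }
}

Import-Module dbatools
$lib = Get-Module -Name dbatools.library | Select-Object -First 1
if (-not $lib) { throw 'dbatools.library is not loaded in this session.' }
# InTrustedRoot = False means the copy came from the GAC, another module or elsewhere.
Get-LoadedAssemblyOrigin -TrustedRoot $lib.ModuleBase |
    Sort-Object InTrustedRoot, Name |
    Format-Table -AutoSize
```

Run it in a fresh session on both Windows PowerShell 5.1 and PowerShell 7, since an assembly already loaded by another module or from the GAC wins over the copy shipped in dbatools.library.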

🔄 CI/CD Improvements

  • Centralized Library Version Management: All workflows now read from dbatools-library-version.json
  • Preview Version Support: CI can now handle preview versions of dbatools.library
  • Dynamic Installation: New install-dbatools-library.ps1 script handles version detection and installation
  • Improved Test Scripts: Moved test scripts to .github/scripts/ for better organization

🏗️ Assembly & Platform Updates

  • Updated sqlpackage paths to use new dac folder structure:
      • Windows: lib/dac/windows/sqlpackage.exe
      • Linux: lib/dac/linux/sqlpackage
      • macOS: lib/dac/mac/sqlpackage
  • Enhanced Get-DbaManagementObject to better handle:
      • Loaded assemblies detection
      • SNI module tracking
      • Cross-platform assembly resolution
  • Added support for SQL Server 2025 instance detection

🔧 Export-DbaDacPackage Improvements

  • Updated sqlpackage path resolution for new directory structure
  • Better cross-platform path handling
  • Distinction between Core and Desktop paths on Windows

📋 Version Management Documentation

Added comprehensive version management guide (.github/DBATOOLS_LIBRARY_VERSION_MANAGEMENT.md) covering:

  • Version update procedures
  • Testing requirements
  • Rollback procedures
  • CI/CD pipeline usage

🧪 Testing Enhancements

  • Added SQL Server engine installation to Windows tests (not just LocalDB)
  • Improved credential handling for SQL Server connections
  • Better error messages for assembly loading issues
  • Enhanced copyright compliance in web search functionality

Non-Breaking Changes

  • All changes maintain backwards compatibility
  • Existing scripts and modules will continue to work
  • Version management is transparent to end users

Testing Checklist

  • [ ] Verified module imports successfully on Windows PowerShell 5.1
  • [ ] Verified module imports successfully on PowerShell 7.4+
  • [ ] Integration tests pass on all platforms
  • [ ] Gallery installation tests pass
  • [ ] Replication tests pass (when fixed)
  • [ ] Assembly loading diagnostics show correct versions

Notes

  • Some replication tests are currently disabled pending fixes
  • The library version can be updated by modifying .github/dbatools-library-version.json
Source: README.md, updated 2025-07-20