Soda Agent - Release notes

soda-agent 1.3.8

^{26 November 2025}

• Across Product:

  • Added support for dataset-level warehouse override for Snowflake data sources (v4 only). This enables using a bigger warehouse specifically for large datasets.

• Data Testing:

  • Added support to configure sampling for Test Contract functionality on Snowflake data sources.

  • Minor bug fixes.

• Observability:

  • Added support for separating compute and storage projects for BigQuery in v4. This was previously already supported for v3.

  • Changed custom SQL monitors to collect data even when the partition is empty. This enables use cases where the custom monitor looks at a different time partition than the regularly scheduled partition interval.

  • Fixed possible int overflow when profiling text columns for large tables.

• Security: known vulnerability in bundled fugue python package CVE-2025-62703

soda-agent 1.3.7

^{12 November 2025}

• Fixed issue when using regex format in missing check when verifying contract

• Orchestrator

  • Improved k8s retry logic

  • Bumped base image to 21-jre-alpine-3.22

• Security: there are some known vulnerabilities in stdlib in this release:

  • CVE-2025-58183

  • CVE-2025-58186

  • CVE-2025-58187

  • CVE-2025-58188

soda-agent 1.3.6

^{7 November 2025}

^{Soda Library version: 1.12.28}

• Fixed using a storage project_id for BigQuery data sources. This feature allows splitting the query execution from the project where the data is stored. It is currently only available for v3 data sources and will be added for v4 data sources in a future version.

  • This is a follow up to an earlier fix issued in version 1.3.4. Some flows were still incorrectly querying the compute project_id.

• Fixed an issue for custom SQL monitors with group-by. These monitors would previously stop working after the initial backfilling scan.

• Improved performance for the metric monitoring anomaly detection algorithm. Metric monitoring scans are now ~2.5x faster (depending on monitor configuration).

• Security: there are some known vulnerabilities in stdlib in this release:

  • CVE-2025-47912

  • CVE-2025-58183

  • CVE-2025-58186

  • CVE-2025-58187

  • CVE-2025-58188

  • CVE-2025-58189

  • CVE-2025-61723

  • CVE-2025-61724

soda-agent 1.3.5

^{29 October, 2025}

^{Soda Library version: 1.12.27}

• Added dataset_id and scan_id to Python API in ContractVerificationSessionResult .

• Fixed an issue with SparkDF schema checks.

• Security: [CVE-2025-59375] A known vulnerability exists in libexpat, a library for parsing XML files. It is included with the JRE environment used by soda-agent. The Soda agent application does not use any XML files. No impact and no action required.

soda-agent 1.3.4

^{24 October, 2025}

^{Soda Library version: 1.12.27}

• Introduced support for custom SQL monitor (preview).

  • Monitor any metric you want with Soda's anomaly detection.

  • Support for group-by and rolling aggregation.

• Improved scheduling when many scans are submitted simultaneously.

• Fixed an issue for metadata collection on Oracle when there is no recent data. This would previously cause metric monitoring scans to fail.

• Fixed an issue that would cause duplicate monitors to be created for v4 datasets in some cases.

• Fixed using a storage project_id for BigQuery data sources. This feature allows splitting the query execution from the project where the data is stored. It is currently only available for v3 data sources and will be added for v4 data sources in a future version.

• Added additional connection tests for some data sources and fixed an issue with Postgres file-based password authentication.

• Added hive_metastore support for Databricks data source.

• Security: [CVE-2025-59375] A known vulnerability exists in libexpat, a library for parsing XML files. It is included with the JRE environment used by soda-agent. The Soda agent application does not use any XML files. No impact and no action required.

soda-agent 1.3.3

^{8 October, 2025}

^{Soda Library version: 1.12.25}

• Introduced support for smart treatment of anomalies in metric monitoring (preview).

• Introduced support for Redshift external tables in metric monitoring.

• Changed dataset discovery on Redshift to exclude system tables (pg_ prefix).

• Improved performance of dataset discovery for large data sources.

• Fixed reporting number of failing groups for group-by check in data contracts.

• Security: [CVE-2025-59375] A known vulnerability exists in libexpat, a library for parsing XML files. It is included with the JRE environment used by soda-agent. The Soda agent application does not use any XML files. No impact and no action required.

soda-agent 1.3.2

^{2 October, 2025}

^{Soda Library version: 1.12.24}

• Bump contracts launcher to 0.1.13

• Introduced support for reconciliation checks in data contracts.

• Fixed an issue for profiling columns with special characters in the column name. This would previously fail with query errors on various data sources.

• Security: [CVE-2025-50817] A known vulnerability exists in python-future which is an indirect dependency of soda-agent. No patched version of python-future is available. It is exploitable only if attackers can write files on the server. Soda's cloud infrastructure is hardened against this attack. Users should ensure servers are hardened to prevent unauthorized file writes.

• Security: [CVE-2025-59375] A known vulnerability exists in libexpat, a library for parsing XML files. It is included with the JRE environment used by soda-agent. The Soda agent application does not use any XML files. No impact and no action required.

soda-agent 1.3.1

^{25 September, 2025}

• Introduced support for warning threshold in data contracts.

• Introduced support for group-by check in data contracts.

• Fixed an issue for the last modification time observability monitor on PostgreSQL.

• Security: [CVE-2025-50817] A known vulnerability exists in python-future which is an indirect dependency of soda-agent. No patched version of python-future is available. It is exploitable only if attackers can write files on the server. Soda's cloud infrastructure is hardened against this attack. Users should ensure servers are hardened to prevent unauthorized file writes.

• Security: [CVE-2025-59375] A known vulnerability exists in libexpat, a library for parsing XML files. It is included with the JRE environment used by soda-agent. The Soda agent application does not use any XML files. No impact and no action required.

v4 initial release - soda-agent 1.3.0

^{01 September, 2025}

• Introduced automatic partition column detection.

  • Based on warehouse metadata.

  • Based on data patterns.

• Introduced support for metric monitoring (both dataset- and column-level monitors).

  • Group column-level monitor by any column to get insights per segment.

  • Configurable threshold strategy, exclusion values and sensitivity.

  • Support for user feedback to flag anomalies & improve algorithm performance.

  • Support for configurable frequencies.

    • Supported frequencies: hourly, two-hourly, three-hourly, four-hourly, six-hourly, eight-hourly, 12-hourly, daily, weekly.

  • Available on supported data sources:

    • Athena, Bigquery, Databricks, Fabric, Postgres, Redshift, Snowflake, SQL Server, Synapse.

• Introduced sampling strategy for dataset profiling.

  • You can now choose between the top 1,000,000 rows or the last 30 days of data (based on partition column).

• Increased default resource limits to meet increased demand for metric monitoring features.

  • Requests

    • CPU: 250m (unchanged)

    • Memory: 250 MiB → 500 MiB

  • Limits

    • CPU: 250m → 500m

    • Memory: 250 MiB → 750 MiB

• SECURITY: [CVE-2025-50817] A known vulnerability exists in python-future which is an indirect dependency of soda-agent. No patched version of python-future is available. It is exploitable only if attackers can write files on the server. Soda's cloud infrastructure is hardened against this attack. Users should ensure servers are hardened to prevent unauthorized file writes.

• SECURITY: [CVE-2025-47907] Race condition in Go’s database/sql package. This item is listed for transparency because it was flagged by our automated scanning. The version of kubectl distributed by Kubernetes and included in soda-agent is built against a Go release that includes the affected code, but kubectl does not use the vulnerable functionality. No advisory has been issued by the Kubernetes project and no patched version of kubectl is currently available. No impact and no action required.