TL;DR

Dify has been significantly hardened against security vulnerabilities, including improvements to secret key management and access control, alongside numerous stability improvements to workflows and knowledge bases.

Breaking

• Self-hosted deployments: If you previously relied on the default SECRET_KEY, Dify now generates a runtime key automatically. Ensure your storage backend is configured for persistence.

New

• Enhanced Security: Strengthened tenant isolation for sensitive endpoints and restricted tool credential updates.
• Workflow Reliability: Improved tracing and callback tracking within workflows, reducing database load and memory issues.

Fixes Worth Knowing

• Fixed issues with loading workflows and model selection.
• Improved stability of knowledge base rendering and creation.
• Corrected file preview URL handling and variable type preservation in workflows.
• Resolved UI issues with app creation, annotation, and workflow authoring.

Before You Upgrade

• Verify your storage backend is properly configured if you are running a self-hosted deployment and have not explicitly set a SECRET_KEY.

TL;DR

Dify introduces a completely new Agent + Skill building experience, enabling more robust and reusable workflows with sandboxed execution and collaborative editing.

Breaking

• Docker Compose/Source Code Upgrades: Requires a checkout to the feat/support-agent-sandbox branch and a data backup before upgrading. (Follow detailed steps in "Before You Upgrade")

New

• Agent + Skill Editor: Build agents with a new sandboxed runtime and a dedicated Skill Editor for creating reusable components.
• Collaboration (Beta): Co-edit workflows with comments and real-time presence.
• Template Marketplace: Publish and share your workflows as templates for others to use.

Fixes Worth Knowing

• Fixed an issue where file uploads would fail during single runs.
• Resolved a bug causing silent failures during metadata batch edits.
• Corrected OAuth redirect behavior after login.

Before You Upgrade

1. Backup your data: tar -cvf volumes-$(date +%s).tgz volumes (Docker deployments)
2. Checkout the correct branch: git checkout feat/support-agent-sandbox (Docker/Source deployments)

TL;DR

Dify now includes critical security patches to prevent code injection and cross-site scripting (XSS) attacks, especially important if you expose the service to the internet and use external WebApps.

Breaking

• SVG Rendering Disabled: SVGs are no longer rendered in messages as a security precaution. (SVG: Scalable Vector Graphics - image format)

Fixes Worth Knowing

• XSS Vulnerability Resolved: Fixed a security flaw that could allow malicious scripts to run when viewing SVGs.

Before You Upgrade

If you use the Community Edition and expose Dify to the internet with external WebApps, upgrade immediately. Ensure SERVICE_API_URL and FILES_URL are on different domains for optimal security.

TL;DR

Dify now supports more LLMs (like Llama 3.2 and Qwen 2.5) and storage options (Baidu OBS), plus enhancements to the Prompt Editor and tools like podcast generation and Discord integration, improving overall flexibility and functionality.

Breaking

• Docker Compose Refactor: The docker-compose.yaml file has been updated; review and migrate any custom changes.
• Message Migration: A data migration updates a large volume of messages; review changes in GitHub pull request #9132 before upgrading.

New

• Expanded LLM Support: Added models including Llama 3.2 and Qwen 2.5 for OpenRouter.
• New Storage Option: Baidu OBS (cloud storage) is now supported.
• Prompt Editor Flexibility: The Prompt Editor now accepts arrays of strings and numbers.

Fixes Worth Knowing

• Chat History: Corrected an issue where chat history wasn’t loading correctly.
• Image Links: Fixed broken links to images generated by the QR code tool when using Huawei OBS.
• Model Information: Resolved missing model information in Langfuse LLM spans.

Before You Upgrade

TL;DR

Dify workflows are significantly improved: variable referencing is now simpler using / to select variables directly, but existing apps will need to be recreated.

Breaking

• Workflow Compatibility: Existing Dify apps are incompatible and must be recreated due to data structure changes.
• Database Migration: Requires manual database updates (SQL provided) when upgrading from 0.6.0-preview-workflow.1 to ensure data integrity.

New

• Simplified Variables: Variables in LLM (Large Language Model) and other nodes can now be selected using a / prefix, streamlining workflow creation.
• App Creation UX: Improved user experience when creating new Dify applications.

Fixes Worth Knowing

• Several unspecified issues were resolved, improving overall stability.

Before You Upgrade

• Run SQL Migration: If upgrading from 0.6.0-preview-workflow.1, execute the provided SQL command against your PostgreSQL database.
• Recreate Apps: All existing Dify applications must be recreated to take advantage of the new workflow features.