langgenius/dify 1.14.1 on GitHub

🚀 What's New in v1.14.1?

v1.14.1 is a patch release focused on security hardening, workflow and knowledge-base stability, deployment cleanup, and continued UI platform migration after v1.14.0.

🔐 Security

Self-hosted SECRET_KEY hardening — Docker deployments no longer rely on a public default key. When SECRET_KEY is left empty, the API generates and persists a runtime key through the configured storage backend, while explicitly configured keys continue to work as before. Thanks @laipz8200 in #36049.
Internal metrics endpoint protection — /threads and /db-pool-stat are hardened to avoid unauthenticated exposure of internal runtime and database-pool details. Thanks @orbisai0security in #35665.
Account and tool isolation — fixed an IDOR issue in GET /account/avatar and scoped builtin-tool default-credential cleanup to the current tenant. Thanks @NeatGuyCoding and @GareArc in #35771 and #35887.
Dependency security — upgraded LiteLLM for CVE-2026-42208 and refreshed several backend dependencies, including urllib3, gunicorn, gitpython, mako, Google SDK packages, storage libraries, and OpenTelemetry exporter packages. Thanks @crazywoola in #35953, #35779, #35791, #35863, #35864, #35958, #36011, #36012, #36013, #36017, and #36050.

🧩 Workflow, HITL, and app runtime

Workflow stability — restored workflow-version loading through the backend API, fixed online-user polling for large app lists, prevented preview resize observer loops, and avoided schema model collisions in trial workflows. Thanks @hjlarry and @lyzno1 in #35817, #35786, #35936, and #36061.
Workflow authoring polish — fixed variable reference picker behavior for sub-variables, workflow node title overflow, condition operator popovers, workflow checklist semantics, and KB metadata filter field selection. Thanks @iamjoel, @hjlarry, @lyzno1, and @shawny011717 in #35732, #35740, #35828, #36006, and #34149.
Workflow execution correctness — preserved single-run input variable types, fixed structured_output_enabled validation, fixed file-preview URL handling in node output display, and unblocked plugin model selector tools on v1.14.0 workflows. Thanks @Jingyi-Dify, @fatelei, @shawny011717, and @sawyer-shi in #35710, #35747, #34150, and #35794.
Human input — exposed selected action values for Human-in-the-loop flows. Thanks @Blackoutta in #35451.
Question Classifier — added editable class labels. Thanks @Blackoutta in #35430.

📚 Data, RAG, and knowledge

Knowledge-base image rendering — fixed image rendering failures in the knowledge base. Thanks @FFXN in #35914.
Document indexing — skip empty documents before vector embedding and validate missing text indexing techniques. Thanks @princepal9120 and @juyua9 in #35763 and #35941.
RAG deduplication — use doc_id as the deduplication key across providers, not only Dify-hosted providers. Thanks @ki3nd in #35759.
Dataset metadata filters — preserve dataset metadata filters in API paths and fix KB metadata filter field selection. Thanks @princepal9120 and @shawny011717 in #35700 and #34149.
Upload filename handling — clean upload filenames parsed from URLs and avoid doubled dots when standardizing datasource file extensions. Thanks @jonathanchang31 and @Beandon13 in #35706 and #35808.

🎨 Web UI and design system

Dify UI migration — continued migration from legacy overlays, tooltips, drawers, selects, tags, and searchable pickers to @langgenius/dify-ui primitives, including new Drawer, Tabs, ToggleGroup, Autocomplete, and Combobox support. Thanks @lyzno1 and @CodingOnStar in #35675, #35715, #35720, #35721, #35774, #35785, #35787, #35792, #35825, #35868, #35881, #35892, #35896, #35917, #35961, #35962, #35963, #35965, #35976, #35982, and #36066.
Accessibility and semantics — improved web accessibility, removed unnecessary data-testid usage, normalized select value handling, improved help glyph semantics, and refined premium badge button semantics. Thanks @lyzno1 in #35999, #36007, #36008, and #36026.
Overlay and navigation reliability — restored app navigation create submenu interaction, fixed transfer workspace dropdown display, normalized overlay control, aligned Tailwind v4 CSS migration, forwarded CSP nonce to the theme script, and aligned tag filter dropdown icons. Thanks @hjlarry, @iamjoel, and @lyzno1 in #35681, #35876, #35832, #35829, #35960, and #36041.
Publisher and launch flows — improved publisher confirmation dialog handling and fixed mismatched copy in prefilled WebApp launch descriptions. Thanks @CodingOnStar and @iamjoel in #35701 and #35964.
Audio and transcript behavior — explicitly resume AudioContext and play audio on first TTS load, and pass end_user.external_user_id correctly to transcript ASR. Thanks @ki3nd in #35901 and #35898.

🔎 Observability and tracing

Phoenix tracing — improved Phoenix workflow tracing. Thanks @Blackoutta in #35605.
LangSmith tracing — fixed trace_id mismatch in chatflow workflow traces. Thanks @ki3nd in #35979.

⚙️ Deployment and operations

Docker env layout — split Docker Compose environment variables into organized docker/envs/** files and updated generation, cleanup, and middleware setup flows. Thanks @macatizm and @laipz8200 in #31586 and #35938.
Middleware setup — updated local setup and cleanup flows for the new middleware env template location. Thanks @laipz8200 in #35946.
Database pool behavior — added SQLALCHEMY_POOL_RESET_ON_RETURN configuration support. Thanks @fatelei in #31156.
WebSocket service — separated the WebSocket service for cleaner deployment boundaries. Thanks @hjlarry in #35981.
Explore categories — Explore recommended apps now support multiple configurable categories and adjustable category order. Thanks @hjlarry in #35723.
TiDB endpoint updates — fixed endpoint updates when TiDB status changes. Thanks @zyssyz123 in #35854.

Upgrade Guide

Important notes

This release includes a new database migration for configurable Explore app categories. Run database migrations as part of the upgrade.
Docker Compose environment variables are now split into categorized files under docker/envs/**. If you maintain a customized docker-compose.yaml or .env, review the new layout and re-apply local customizations carefully.
For self-hosted deployments, explicitly configured SECRET_KEY values continue to be respected. If SECRET_KEY is empty, Dify now generates and persists a runtime key automatically.

Docker Compose Deployments

Back up your customized docker-compose YAML and env files.

cd docker
cp docker-compose.yaml docker-compose.yaml.$(date +%s).bak
cp .env .env.$(date +%s).bak 2>/dev/null || true

Get the latest code from the release branch or tag.
```
git fetch --tags
git checkout 1.14.1
```
Stop the service. Please execute in the docker directory.
```
docker compose down
```

Back up data.

tar -cvf volumes-$(date +%s).tgz volumes

Review the new docker/envs/** env file layout and re-apply any local customizations.
Upgrade services.
```
docker compose up -d
```

Source Code Deployments

Stop the API server, Worker, and Web frontend Server.
Get the latest code from the release tag.
```
git fetch --tags
git checkout 1.14.1
```
Update Python dependencies.
```
cd api
uv sync
```
Run the migration script.
```
uv run flask db upgrade
```
Restart the API server, Worker, and Web frontend Server.

What's Changed

fix: ensure generated password satisfies the password policy by @kurokobo in #35672
chore: update eslint suppressions codeowner by @lyzno1 in #35679
chore: update to pnpm 11 by @hyoban in #35673
refactor(web): migrate rich tooltip overlays by @lyzno1 in #35675
fix: restore app nav create submenu interaction by @hjlarry in #35681
fix(web): disable pnpm dependency checks during Docker build by @lyzno1 in #35686
chore: allow configurable Next.js dev origins by @hjlarry in #35683
fix(publisher): enhance confirm dialog handling and improve popup interactions by @CodingOnStar in #35701
refactor(auth): update OAuth button and settings modal for improved state management and UI consistency by @CodingOnStar in #35702
refactor: port WorkflowDraftVariableFile by @asukaminato0721 in #30923
refactor(web): migrate short tooltips to dify-ui by @lyzno1 in #35715
refactor(web): migrate subscription create modal to dialog by @lyzno1 in #35721
fix: ToolEntity data validation failed during workflow synchronization by @eldoradoel in #35696
refactor(web/select): base selects to dify-ui by @lyzno1 in #35720
fix(plugin): preserve multi-value HTTP response headers by @xr843 in #35726
fix: var reference picker can not choose sub vars by @iamjoel in #35732
chore: generate enterprise console API by @hyoban in #35735
fix: prevent workflow node titles from overflowing by @hjlarry in #35740
refactor(web): workflow hotkeys and history state by @lyzno1 in #35736
fix: fix structured_output_enabled miss in second validate by @fatelei in #35747
chore: generate contact from api by @hyoban in #35748
refactor: replace Any with [T] syntax by @aliworksx08 in #35750
fix(api): preserve dataset metadata filters by @princepal9120 in #35700
ci: Remove API contracts generation step from autofix workflow by @asukaminato0721 in #35768
fix: Clean upload filenames parsed from URLs by @jonathanchang31 in #35706
refactor(tests): use db_session_with_containers in test_storage_key_loader by @guangyang1206 in #35766
fix: IDOR on console GET /account/avatar by @NeatGuyCoding in #35771
chore(deps): bump the google group in /api with 2 updates by @dependabot[bot] in #35779
chore(deps): bump anthropics/claude-code-action from 1.0.110 to 1.0.111 in the github-actions-dependencies group by @dependabot[bot] in #35781
fix(web): secure external form help links by @aliworksx08 in #35751
refactor(web): convert ValidatedStatus enum to as-const in key-valida… by @guangyang1206 in #35749
fix: skip empty documents before vector embedding by @princepal9120 in #35763
refactor(web): migrate legacy tooltip to infotip by @lyzno1 in #35774
refactor(web): migrate workflow node actions menu by @lyzno1 in #35785
chore(deps-dev): bump the dev group in /api with 6 updates by @dependabot[bot] in #35782
fix: preserve single-run input variable types by @Jingyi-Dify in #35710
refactor(web): migrate workflow panel context menu primitive by @lyzno1 in #35787
fix(rag): use doc_id dedup key for any provider, not only dify by @ki3nd in #35759
refactor(web): migrate HITL overlays to base dialog by @lyzno1 in #35792
chore(deps): bump the storage group across 1 directory with 2 updates by @dependabot[bot] in #35791
fix: workflow online users polling for large app lists by @hjlarry in #35786
refactor: migrate workflow queries to contracts by @lyzno1 in #35799
fix: fix test_sharded_channel failed by @fatelei in #35814
fix: fix Working outside of application context by @fatelei in #35819
fix: restore workflow versions via backend API by @hjlarry in #35817
fix(file_factory): drop doubled dot when standardizing datasource file extension by @Beandon13 in #35808
chore(tailwind-css): migrate to css first by @lyzno1 in #35754
refactor(webapp): migrate partial overlays by @lyzno1 in #35825
fix: migrate condition operator popover by @hjlarry in #35828
fix(web): align Tailwind v4 CSS migration by @lyzno1 in #35829
fix(workflow): unblock plugin model selector tools on 1.14.0 by @sawyer-shi in #35794
fix(web): normalize dify-ui overlay control by @lyzno1 in #35832
chore(web): add enterprise dev proxy support by @hyoban in #35842
chore: improve the progress of education pay by @iamjoel in #35851
chore(i18n): sync translations with en-US by @github-actions[bot] in #35853
refactor: verticalize tag management and batch bindings by @lyzno1 in #35840
ci: bump tyck by @asukaminato0721 in #35862
fix: update endpoint when update tidb status by @zyssyz123 in #35854
chore(deps): bump mako from 1.3.11 to 1.3.12 in /api by @dependabot[bot] in #35863
chore(deps): bump gitpython from 3.1.47 to 3.1.49 in /api by @dependabot[bot] in #35864
fix(workflow): use correct field ID in KB metadata filter selection by @shawny011717 in #34149
feat(dev-proxy): init package by @hyoban in #35852
refactor: add type to test by @asukaminato0721 in #30873
feat: add dify-ui autocomplete and combobox by @lyzno1 in #35868
chore: easier and simpler deploy by @Stream29 in #35708
refactor: improve model selector search by @lyzno1 in #35875
fix: transfer workspace dropdown not show by @iamjoel in #35876
refactor(web): migrate tag controls to combobox by @lyzno1 in #35881
test: migrate plugin permission tests to testcontainers by @escape0707 in #35884
fix: delete redundant api/libs/typing.py by @escape0707 in #35890
refactor(web): portal to follow elem migration by @CodingOnStar in #35892
refactor(api): migrate console apikey responses to BaseModel by @ai-hpc in #35218
test: add type to test by @asukaminato0721 in #35871
chore: example of isinstance to match case by @asukaminato0721 in #35903
refactor: migrate app selector to combobox by @lyzno1 in #35896
chore: update deps by @hyoban in #35812
refactor(web): inline tag query defaults by @lyzno1 in #35883
chore: update deps by @hyoban in #35907
fix(web): explicitly resume AudioContext and play audio on first TTS load by @ki3nd in #35901
fix(web): pass end_user.external_user_id string to transcript_asr by @ki3nd in #35898
fix: replace SimpleNamespace with MagicMock(spec=App) in _app_stub (#34636) by @EvanYao826 in #35897
fix(i18n): update Turkish translations for new strings by @bakiburakogun in #35905
fix(tools): scope builtin tool default-credential clear to tenant by @GareArc in #35887
feat: support configurable explore app categories by @hjlarry in #35723
fix(workflow): handle file-preview URLs in node output display by @shawny011717 in #34150
feat(dify-ui): add drawer by @lyzno1 in #35917
chore: add query generator before lauch webapp by @iamjoel in #35416
refactor: convert isinstance chains to match/case (#35902) by @EvanYao826 in #35922
chore(i18n): sync translations with en-US by @github-actions[bot] in #35933
feat: support SQLALCHEMY_POOL_RESET_ON_RETURN config by @fatelei in #31156
chore(docker): clean up env examples by @laipz8200 in #35938
refactor: split docker-compose env config into separate files by @macatizm in #31586
chore: dep inject for session by @asukaminato0721 in #35934
fix: prevent workflow preview resize observer loop by @lyzno1 in #35936
fix: change write to db order by @fatelei in #35948
ci: auto gen api doc and download link by @asukaminato0721 in #35919
chore: bump LiteLLM for CVE-2026-42208 by @crazywoola in #35953
chore: add Type to test by @asukaminato0721 in #35942
chore(deps): bump gitpython from 3.1.49 to 3.1.50 in /api by @dependabot[bot] in #35958
fix(web): forward csp nonce to theme script by @lyzno1 in #35960
fix(swagger): add util to convert BaseModel to schema for query params by @cqjjjzr in #35959
refactor(web): migrate legacy tooltip callers by @lyzno1 in #35961
refactor(web): migrate headless-ui components to dify-ui by @lyzno1 in #35962
fix: mismatched button label in prefilled WebApp launch description by @iamjoel in #35964
chore(api): upgrade graphon to v0.3.0 by @laipz8200 in #35469
ci: update comment by @asukaminato0721 in #35968
fix(swagger): Apply the inline-nested-dicts patch to HTTP Swagger endpoints by @cqjjjzr in #35952
feat(dify-ui): add Tabs/ToggleGroup by @lyzno1 in #35965
refactor(api): migrate console.app.workflow etc. to BaseModel by @cqjjjzr in #35967
fix: Image rendering in the knowledge base failed. by @FFXN in #35914
refactor(web): drop headless-ui, migrate overlay to dify-ui by @CodingOnStar in #35963
refactor(web): converge overlay layering on dify-ui z-50 by @lyzno1 in #35976
refactor(web): migrate drawer components to dify-ui and remove legacy drawer implementation by @CodingOnStar in #35982
chore: unify api && clean some type ignore by @asukaminato0721 in #35984
chore: api para type by @asukaminato0721 in #35985
chore(web): remove drawer overlay import restriction by @lyzno1 in #35990
feat: support editable class labels in question classifier by @Blackoutta in #35430
chore(i18n): sync translations with en-US by @github-actions[bot] in #35994
fix(api): "File validation failed" on Chatflow follow-up with custom file type + memory by @lin-snow in #35891
feat(human-input): expose selected action value by @Blackoutta in #35451
chore: separate websocket service by @hjlarry in #35981
fix(trace): LangSmith trace_id mismatch in chatflow workflow traces by @ki3nd in #35979
refactor: port DatasetProcessRule by @asukaminato0721 in #31004
feat(web): improve a11y and remove data-testid by @lyzno1 in #35999
chore(deps): bump the github-actions-dependencies group with 2 updates by @dependabot[bot] in #36009
chore(deps): bump opentelemetry-exporter-otlp-proto-grpc from 1.41.0 to 1.41.1 in /api in the opentelemetry group by @dependabot[bot] in #36013
chore(web): refresh agent skills by @hyoban in #36015
chore(deps): bump the storage group in /api with 2 updates by @dependabot[bot] in #36017
chore(deps): bump gunicorn from 25.3.0 to 26.0.0 in /api in the flask group by @dependabot[bot] in #36011
fix(web): remove unsafe select value casts by @lyzno1 in #36007
chore(i18n): sync translations with en-US by @github-actions[bot] in #36019
fix: improve workflow checklist semantics by @lyzno1 in #36006
fix: use infotip for help glyphs by @lyzno1 in #36008
chore(deps): bump the google group across 1 directory with 2 updates by @dependabot[bot] in #36012
fix(docker): update middleware env setup by @laipz8200 in #35946
chore(api): upgrade graphon to v0.3.1 by @QuantumGhost in #35987
refactor(web): split premium badge button semantics by @lyzno1 in #36026
refactor: replace dict params with BaseModel in AppService by @satishkc7 in #35904
refactor: enhance modal layouts and scrolling behavior across components by @CodingOnStar in #36033
refactor: port some if else to match by @asukaminato0721 in #31841
feat: improve phoenix workflow tracing by @Blackoutta in #35605
fix(web): align tag filter dropdown icon by @lyzno1 in #36041
chore: port WorkflowComment by @asukaminato0721 in #36039
refactor(apps): simplify query state and debounce URL writes by @lyzno1 in #36043
chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /api by @dependabot[bot] in #36050
fix: avoid trial workflow schema model collision by @hjlarry in #36061
fix: validate missing text indexing technique by @juyua9 in #35941
refactor(web): migrate searchable pickers to combobox by @lyzno1 in #36066
refactor: rewrite estimate_args_validate using Pydantic v2 models by @Deepam02 in #36036
fix(security): harden self-hosted SECRET_KEY bootstrap by @laipz8200 in #36049
fix: the /threads and /db-pool-stat endpoints in api... in... by @orbisai0security in #35665
chore(release): bump version to 1.14.1 by @laipz8200 in #36034
chore: DocumentSegment to Typebase by @asukaminato0721 in #35635

New Contributors

@eldoradoel made their first contribution in #35696
@princepal9120 made their first contribution in #35700
@guangyang1206 made their first contribution in #35766
@ki3nd made their first contribution in #35759
@Beandon13 made their first contribution in #35808
@sawyer-shi made their first contribution in #35794
@shawny011717 made their first contribution in #34149
@escape0707 made their first contribution in #35884
@EvanYao826 made their first contribution in #35897
@macatizm made their first contribution in #31586
@cqjjjzr made their first contribution in #35959
@satishkc7 made their first contribution in #35904
@juyua9 made their first contribution in #35941
@Deepam02 made their first contribution in #36036
@orbisai0security made their first contribution in #35665

Full Changelog: 1.14.0...1.14.1

langgenius/dify 1.14.1 v1.14.1 - Security hardening, workflow stability, and cleaner self-hosted deployments on GitHub