Dify 1.15.0 Release Note
What's Changed
UX & UI Enhancements
- Redesigned landing / onboarding for an easier first-run experience (#37433, #37844, #37800)
- Faster navigation - improved "go to anything" palette and autofocused search inputs (#32130, #37175)
- Safer deletes - one-click confirmation before removing an app (#37263)
- Cleaner workflow editor with collapsible panels (#37276)
- Clearer notifications - consistent toasts that show long errors in full (#37382, #37581)
- More accessible - plugin permission hints, restored contact-us menu, skip-nav link, and keyboard focus polish (#37310, #37774, #37644)
New Features
difyctl - drive Dify from the command line
- difyctl is a command-line client for Dify: you can now run apps and workflows straight from your terminal, so personal agents, scripts, and CI pipelines can invoke Dify workflows without opening the web UI (#37036)
- Install it on any platform (macOS, Linux, Windows) with a single command and no access token - binaries are published as public releases with checksum verification (#37036, #37454)
- Pass scoped environment variables to CLI tool runs, and get clearer, consistent error messages (including friendly rate-limit handling) across both difyctl and the `/openapi/v1` API (#37324, #37285, #37313, #36896)
See CoT in Workflow & Chatflow & CLI
- Chat Flow / Workflow can now stream the model's reasoning into a dedicated live "thinking" panel while keeping the final answer clean and readable. The reasoning is preserved so it's still there after a page refresh, and the same reasoning is visible in CLI and workflow run previews (#37460, #37828)
Richer Human-in-the-Loop forms
- When a workflow pauses to ask a person for input, the form can now include dropdown selects and file / multi-file uploads - not just free text - so people can answer with structured choices and attachments (#36322)
Support for slow, long-running models
- Workflows can now use generation models that take a long time to respond (such as image or video generation) via a polling mechanism: the node patiently waits for the final result instead of timing out (#37462)
Knowledge from richer spreadsheets
- Images embedded inside Excel files are now extracted during knowledge import, so spreadsheet content that relies on pictures (diagrams, screenshots, charts) is no longer lost (#37104)
Deeper observability
- Set your own trace session id for Phoenix so traces line up with your application's sessions, and follow document-retrieval steps in traces to understand how RAG results were produced (#37056, #37283)
Workflow authoring polish
- A refreshed start node makes it clearer how a workflow begins, and a smarter output node gives you more control over what a workflow returns (#37348, #35511)
- Friendlier errors when an app or workspace ID is malformed, instead of confusing failures (#37212)
Faster plugin installs in certain regions
- The plugin daemon now auto-detects your region at startup and, where network connectivity to PyPI is poor, automatically picks a nearby package mirror - so installing plugins is faster and more reliable without any manual setup. You can still pin a specific mirror if you prefer (dify-plugin-daemon#750)
Security Updates
This release fixes a path traversal issue in plugin-daemon forwarding (CVE-2026-41948).
Bug Fixes
- Hardened outbound HTTP with bounded timeouts for Firecrawl, Jina, Watercrawl, Nacos, and Marketplace requests, and hardened default SSRF proxy egress (#37638, #37637, #37515, #37444, #37424, #36332)
- Fixed Lindorm vector store errors caused by the `opensearch-py` update (#37862) and Tongyi credential compatibility (#37942)
- Invalidated credential cache after OAuth refresh (#37630)
- Improved workflow execution error handling, eagerly validated conversations to prevent hanging, and prevented legacy stop from interrupting GraphEngine runs (#37919, #37224, #37129)
- Resolved `DetachedInstanceError` via session management refactoring (#37847) and stabilized deployment state hydration (#37818)
- Fixed conversation variable description length validation to prevent `varchar(255)` truncation (#33038) and stored Chinese as unicode so search works (#37446)
- Numerous web UI and accessibility/focus-ring polish fixes
Improvements
- Refactored session management across services to accept `db.session` explicitly via dependency injection for consistency (#37639, #37832, #37695, #37694, and related)
- Modernized typing (removed redundant `type: ignore`/`cast`, converted ABCs to `Protocol`, replaced `isinstance` chains with `match-case`)
- Reduced workflow startup latency for Chatflow (#36773) and lowered workflow termination latency so stopping a run takes effect faster (#37106, #37129)
- Upgraded dependencies for CVE fixes (Bleach, PyJWT, starlette, storage group) (#37860, #37008, #37076, #37861)
Environment Variable Changes
Added
- `DEVICE_FLOW_APPROVE_RATE_LIMIT_PER_HOUR` (`docker/envs/core-services/shared.env.example`)
- `DIFY_ENV_NACOS_CONNECT_TIMEOUT`, `DIFY_ENV_NACOS_REQUEST_TIMEOUT` (`api/.env.example`)
- `ENABLE_LEARN_APP` (`api/.env.example`)
- `ENABLE_OAUTH_BEARER` (`docker/envs/core-services/shared.env.example`)
- `MILVUS_SECURE`, `MILVUS_SERVER_NAME`, `MILVUS_SERVER_PEM_PATH` (`docker/envs/vectorstores/milvus.env.example`)
- `NEXT_PUBLIC_ENABLE_FEATURE_PREVIEW` (`docker/envs/core-services/web.env.example`)
- `OPENAPI_CORS_ALLOW_ORIGINS`, `OPENAPI_ENABLED`, `OPENAPI_KNOWN_CLIENT_IDS`, `OPENAPI_RATE_LIMIT_PER_TOKEN` (`docker/envs/core-services/shared.env.example`)
- `PLUGIN_MODEL_PROVIDERS_CACHE_TTL` (`api/.env.example`)
- `SERVER_CONSOLE_API_URL` (`docker/.env.example`)
- `SSRF_PROXY_ALLOW_PRIVATE_DOMAINS`, `SSRF_PROXY_ALLOW_PRIVATE_IPS`, `SSRF_SANDBOX_PROXY_HOST`, `SSRF_SANDBOX_PROXY_PORT` (`docker/envs/middleware.env.example`)
- `PIP_MIRROR_AUTO_DETECT` (plugin daemon; default `true`) - auto-select a nearby PyPI mirror at startup for regions with poor connectivity
- `PIP_MIRROR_URL` (plugin daemon; default empty) - manually pin the PyPI mirror; takes precedence over auto-detection
Removed
- `SSRF_REVERSE_PROXY_PORT`, `SSRF_SANDBOX_HOST` (`docker/envs/middleware.env.example`)
Modified
- `UV_CACHE_DIR`: `/tmp/.uv-cache` `/tmp/uv_cache`
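A quick way to check a customized middleware env file against the SSRF-related changes listed above. This is an added example, not part of the Dify release or its tooling; the function names, the sample file contents and the sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a middleware env file against the 1.15.0 variable lists.

# Removed in 1.15.0 (docker/envs/middleware.env.example).
REMOVED_VARS="SSRF_REVERSE_PROXY_PORT SSRF_SANDBOX_HOST"
# Added in 1.15.0 to the same example file.
ADDED_VARS="SSRF_PROXY_ALLOW_PRIVATE_DOMAINS SSRF_PROXY_ALLOW_PRIVATE_IPS SSRF_SANDBOX_PROXY_HOST SSRF_SANDBOX_PROXY_PORT"

# is_defined FILE NAME: true if NAME is assigned on an uncommented line.
is_defined() {
  grep -Eq "^[[:space:]]*(export[[:space:]]+)?$2[[:space:]]*=" "$1"
}

# audit_env FILE: print one finding per line.
#   STALE <name>  a removed variable is still assigned in FILE
#   UNSET <name>  an added variable is not assigned in FILE (review the
#                 shipped example file before relying on its value)
audit_env() {
  local file=$1 name
  for name in $REMOVED_VARS; do
    if is_defined "$file" "$name"; then echo "STALE $name"; fi
  done
  for name in $ADDED_VARS; do
    if ! is_defined "$file" "$name"; then echo "UNSET $name"; fi
  done
}

# Constructed sample: a pre-1.15.0 env file with local overrides.
# The values are placeholders, not Dify defaults.
sample_env() {
  cat <<'EOF'
# local overrides
SSRF_SANDBOX_HOST=sandbox
SSRF_REVERSE_PROXY_PORT=8194
#SSRF_SANDBOX_PROXY_HOST=sandbox
SSRF_PROXY_ALLOW_PRIVATE_IPS=false
EOF
}

# demo: run the audit over the constructed sample.
demo() {
  local tmp
  tmp=$(mktemp)
  sample_env > "$tmp"
  audit_env "$tmp"
  rm -f "$tmp"
}
demo
```

To audit a real deployment, replace the final `demo` call with `audit_env` followed by the path of your own middleware env file.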
Docker Compose Files
- `docker/docker-compose.yaml` (modified)
- `docker/docker-compose.middleware.yaml` (modified)
- `docker/docker-compose.pytest.ports.yaml` (added)
Database Migrations
This release includes new database migrations. Run `flask db upgrade` (or `uv run --project api flask db upgrade`) after updating the code. Notable schema additions:
- OAuth access tokens (`ENABLE_OAUTH_BEARER`)
- Credential visibility
- Human Input upload tables and conversation linkage
- Category-scoped plugin auto-upgrade strategy (`add_plugin_auto_upgrade_category`)
- App stars, learn-dify / cloud-only flags on recommended apps
- Normalized legacy end-user type
Upgrade Guide
[!IMPORTANT]
- This release includes new database migrations. Run them as part of the upgrade.
- Plugin auto-upgrade is now configured per plugin category. After running `flask db upgrade`, you MUST also run `flask backfill-plugin-auto-upgrade` to migrate existing tenants' auto-upgrade settings into the new category-scoped model. If you skip this step, plugin auto-upgrade settings users previously configured may stop taking effect.
- Environment variables changed (19 added, 2 removed, 1 modified). Review the Environment Variable Changes section and update your `.env` accordingly.
- Docker Compose configuration files changed. If you maintain a customized `docker-compose.yaml`, review the changes and re-apply local customizations carefully.
Docker Compose Deployments
1. Back up your customized docker-compose YAML and env files.
   ```bash
   cd docker
   cp docker-compose.yaml docker-compose.yaml.$(date +%s).bak
   cp .env .env.$(date +%s).bak 2>/dev/null || true
   ```
2. Get the latest code for the `1.15.0` release.
   ```bash
   git fetch --tags
   git checkout 1.15.0
   ```
3. Stop the services (run inside the `docker` directory).
   ```bash
   docker compose down
   ```
4. Back up data.
   ```bash
   tar -cvf volumes-$(date +%s).tgz volumes
   ```
5. Review any env file changes and re-apply local customizations.
6. Upgrade services.
   ```bash
   docker compose up -d
   ```
7. **Backfill category-scoped plugin auto-upgrade strategies** (required).
   ```bash
   docker compose exec api flask backfill-plugin-auto-upgrade
   ```
Source Code Deployments
1. Stop the API server, Worker, and Web frontend server.
2. Get the latest code for the `1.15.0` release.
   ```bash
   git fetch --tags
   git checkout 1.15.0
   ```
3. Update Python dependencies.
   ```bash
   cd api
   uv sync
   ```
4. Run database migrations.
   ```bash
   uv run flask db upgrade
   ```
5. **Backfill category-scoped plugin auto-upgrade strategies** (required).
   ```bash
   uv run flask backfill-plugin-auto-upgrade
   ```
6. Restart the API server, Worker, and Web frontend server.
Full Change List
- feat(dify-ui): add shared form primitives by @lyzno1 in https://github.com/langgenius/dify/pull/36334
- refactor(web): migrate annotation selection to checkbox group by @lyzno1 in https://github.com/langgenius/dify/pull/36370
- feat(dev-proxy): isolate local auth cookies by target by @lyzno1 in https://github.com/langgenius/dify/pull/36371
- chore(api): annotate simple contract responses by @hyoban in https://github.com/langgenius/dify/pull/36331
- fix(agenton): use AsyncGenerator return annotation for asynccontextmanager by @algojogacor in https://github.com/langgenius/dify/pull/36361
- test(api): manage backend pytest services natively by @laipz8200 in https://github.com/langgenius/dify/pull/36235
- refactor(web): migrate multi-checkbox lists to CheckboxGroup by @lyzno1 in https://github.com/langgenius/dify/pull/36381
- chore: hide model provider setting in default model setting by @iamjoel in https://github.com/langgenius/dify/pull/36383
- feat(dev-proxy): reload env file changes by @lyzno1 in https://github.com/langgenius/dify/pull/36384
- fix: prevent agent tool info popover from jumping on close by @iamjoel in https://github.com/langgenius/dify/pull/36389
- test: stabilize trigger subscription name uniqueness setup by @escape0707 in https://github.com/langgenius/dify/pull/36353
- fix(api): add Phoenix wrapper spans and error tracing by @Blackoutta in https://github.com/langgenius/dify/pull/36388
- feat: add new agent by @zyssyz123 in https://github.com/langgenius/dify/pull/36284
- chore(codeowners): update plugin ownership by @laipz8200 in https://github.com/langgenius/dify/pull/36394
- fix: workflow node selection state not sync caused problem by @iamjoel in https://github.com/langgenius/dify/pull/36390
- chore(web): remove generic tailwind skill by @lyzno1 in https://github.com/langgenius/dify/pull/36402
- fix: fix add uv_cache_dir env by @fatelei in https://github.com/langgenius/dify/pull/36398
- chore: update deps by @hyoban in https://github.com/langgenius/dify/pull/36413
- refactor: convert isinstance chains to match/case pattern by @xxiaoxiong in https://github.com/langgenius/dify/pull/36364
- fix(web): prevent local cloud analytics script errors by @lyzno1 in https://github.com/langgenius/dify/pull/36420
- refactor: migrate to tailwind v4 style by @hyoban in https://github.com/langgenius/dify/pull/36417
- chore(deps): bump the storage group across 1 directory with 4 updates by @dependabot[bot] in https://github.com/langgenius/dify/pull/36393
- build: fix api docker build by @hyoban in https://github.com/langgenius/dify/pull/36423
- chore: bump versions for litellm and langsmith by @wylswz in https://github.com/langgenius/dify/pull/36385
- fix: prevent recursion error when SharePoint folder is empty by @EvanYao826 in https://github.com/langgenius/dify/pull/36372
- fix(web): resolve model provider console warnings by @lyzno1 in https://github.com/langgenius/dify/pull/36422
- chore: Check more files by @asukaminato0721 in https://github.com/langgenius/dify/pull/36407
- fix(api): fix invalid token error while changing email by @QuantumGhost in https://github.com/langgenius/dify/pull/36412
- chore: example for [Refactor/Chore] add missing-override-decorator #36406 by @asukaminato0721 in https://github.com/langgenius/dify/pull/36425
- chore(codeowners): assign trigger scheduler ownership by @laipz8200 in https://github.com/langgenius/dify/pull/36430
- fix(web): debounce email check when change email by @JzoNgKVO in https://github.com/langgenius/dify/pull/36421
- chore: move API readiness reporting to terminal output by @hyoban in https://github.com/langgenius/dify/pull/36433
- chore(api): cap non-dev dependency major versions by @laipz8200 in https://github.com/langgenius/dify/pull/36429
- refactor(web): use dropdown data attributes by @lyzno1 in https://github.com/langgenius/dify/pull/36431
- fix(auth): use validity-returned token in ChangePasswordForm reset submit by @GareArc in https://github.com/langgenius/dify/pull/36415
- ci: show web test shard failures by @lyzno1 in https://github.com/langgenius/dify/pull/36436
- chore: update to only SaaS can view template by @iamjoel in https://github.com/langgenius/dify/pull/36440
- fix: allow config pubsub join timeout for lower post-run latency by @wylswz in https://github.com/langgenius/dify/pull/36438
- chore: remove unused pyrefly ignore comments in dataset.py by @xxiaoxiong in https://github.com/langgenius/dify/pull/36443
- chore: upgrade base ui to 1.5.0 by @lyzno1 in https://github.com/langgenius/dify/pull/36442
- feat(ui): migrate radio to Base UI and update web callsites by @lyzno1 in https://github.com/langgenius/dify/pull/36451
- chore: compatiable conversation is not exists by @fatelei in https://github.com/langgenius/dify/pull/33274
- feat: wire workflow agent node runtime by @zyssyz123 in https://github.com/langgenius/dify/pull/36437
- fix: suggested questions API crash on legacy conversation override configs by @leslie2046 in https://github.com/langgenius/dify/pull/36459



