v1.1.2

[laipz8200]

✨ What’s New in v1.1.2? ✨

Thanks for keeping up with Dify! This patch delivers some important fixes to boost the stability and security of your operations.

Important

This update includes a critical fix for an XSS vulnerability. Cloud users are not affected by this issue.

This version disables the SVG rendering in the message. If you are using our Community Edition and meet all of the following conditions, we recommend that you upgrade to the current version immediately:

1. Your service is exposed to the internet.
2. You provide external WebApps.
3. You have not configured SERVICE_API_URL and FILES_URL on different domains.

🛠️ Fixes & Improvements

• Security: Resolved an XSS vulnerability related to rendering SVGs, closing a security gap with help from @iamjoel in fix: xss in render svg #16433.

• Knowledge Base Cleanup: Fixed an issue where the OpenAPI interface couldn't delete metadata, thanks to @StrayDragon in fix: knowledge base openapi cannot delete metadata #16365. Now clearing out old or unnecessary metadata is straightforward.

• GitHub Plugin Installation: Resolved an import DSL issue that blocked the installation of the GitHub plugin, thanks to @junjiem in fix import DSL install Github plugin failed #16362. This patch ensures smoother plugin integrations.

• Metadata Migration Check: Added a check for built-in fields during old metadata migration to ensure completeness and accuracy, contributed by @JohnJyong in add built-in field check when doing old metadata migrate #16371. Your metadata migrations have stepped up in robustness.

• Literal Syntax Error Handling: Fixed errors related to literal_eval function usage, courtesy of @svcvit in fix error with literal_eval #16297. These changes help keep your code from breaking due to syntax evaluation.

This update is all about refining the edges and enhancing the user experience—an essential pit-stop on our road to new features and capabilities. Keep those contributions and feedback coming, and let's make Dify even better, together! 🚀

---

Upgrade Guide

Docker compose deployments

1. Back up your customized docker-compose YAML file (optional)

   cd docker
   cp docker-compose.yaml docker-compose.yaml.$(date +%s).bak

2. Get the latest code from the main branch

   git checkout main
   git pull origin main

3. Stop the service, Command, please execute in the docker directory

   docker compose down

4. Back up data

   tar -cvf volumes-$(date +%s).tgz volumes

5. Upgrade services

   docker compose up -d

Source Code deployments

1. Stop the API server, Worker, and Web frontend Server.

2. Get the latest code from the release branch:

   git checkout 1.1.2

3. Update Python dependencies:

   cd api
   poetry install

4. Then, let's run the migration script:

   poetry run flask db upgrade

5. Finally, run the API server, Worker, and Web frontend Server again.

---

What's Changed

• fix: knowledge base openapi cannot delete metadata by @StrayDragon in fix: knowledge base openapi cannot delete metadata #16365
• fix import DSL install Github plugin failed by @junjiem in fix import DSL install Github plugin failed #16362
• add built-in field check when doing old metadata migrate by @JohnJyong in add built-in field check when doing old metadata migrate #16371
• fix error with literal_eval by @svcvit in fix error with literal_eval #16297
• fix: typos by @kid1412621 in fix: typos #16385
• fix: xss in render svg by @iamjoel in fix: xss in render svg #16433
• Chore: frontend infrastructure upgrade by @iamjoel in Chore: frontend infrastructure upgrade #16420
• feat: replace file content type to avoid load script in svg. by @laipz8200 in feat: replace file content type to avoid load script in svg. #16454
• chore(api): enhance ruff rules to disallow dangerous functions and modules by @QuantumGhost in chore(api): enhance ruff rules to disallow dangerous functions and modules #16461

New Contributors

• @kid1412621 made their first contribution in fix: typos #16385

Full Changelog: 1.1.1...1.1.2

---

This discussion was created from the release v1.1.2.