Dify v1.14.2 ships as a patch release on top of v1.14.1. The changes are not flashy, but they close real gaps that affect production deployments: tenant isolation holes, broken workflow tracing, and fragile knowledge-base operations.
Security first. Two endpoints got tighter tenant scoping: app trace-config and FilePreview text extraction. Both could previously leak data across tenant boundaries. Separately, default built-in tool credential updates are now restricted to workspace admins and owners. If you run a multi-tenant Dify instance, this patch is not optional. There is also a cleanup step: reset-encrypt-key-pair now removes stale tenant tool credentials, which matters if you have rotated keys before.
Workflow and HITL fixes. Human-in-the-loop (HITL) workflows lost their trace context on resume. That is fixed. Workflow run callback tracking is also repaired, meaning your observability stack will see complete run data again. On the performance side, message-update database roundtrips are reduced. Two lower-profile bugs are also closed: memory fetches happening outside Flask context, and base64 file lookup sessions not closing properly. The last one is a quiet resource leak that compounds under load.
Model selection and UI polish. The workflow editor no longer breaks when no model is selected on load. Model presets are now filtered by supported parameters, so builders stop seeing irrelevant options in the picker. API extension dialog controls also received fixes.
Knowledge base and RAG. Hit-testing rendering is fixed, empty knowledge base creation works again, and null handling in recommended app detail retrieval is patched. On the RAG side, LLM nodes received processing improvements (the source notes this section was cut short, but the direction is toward more reliable document handling).
What to do today. If you operate a multi-tenant Dify deployment, update to v1.14.2 and run reset-encrypt-key-pair to flush stale credentials. If you use HITL workflows and rely on tracing for debugging or audit, this patch restores data you have been missing. Check your observability dashboards after upgrading: workflow run callbacks should now produce complete records where they were previously dropping data. If you build on the knowledge-base features, re-test hit-testing and empty-dataset creation flows before pushing to production.