Due to the vulnerabilities CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) , how can this upgrade be performed smoothly and safely

[libosheng123]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:)
• Please do not modify this template :) and fill in all the required fields.

Content

Due to the vulnerabilities CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), it is necessary to upgrade Dify from version 1.5.0 to version 1.10.1-fix.1. Given the significant version gap, how can this upgrade be performed smoothly and safely?

[dosubot[bot]]

Hi @libosheng123! I'm Dosu and I’m helping the dify team.

To upgrade Dify from 1.5.0 to 1.10.1-fix.1 and address the React and Next.js vulnerabilities, follow these steps for a smooth and safe process:

1. Stop all running Dify services and back up your database, Redis, and any persistent storage volumes.
2. Review and update your .env file to match the latest .env.example from the new release. This is required for compatibility and configuration persistence across deployments (docker/README.md).
3. Update your Docker Compose setup to use the new images (langgenius/dify-api:1.10.1-fix.1 and langgenius/dify-web:1.10.1-fix.1). Make sure all services and environment variables are correctly set (docker-compose.yaml).
4. Run all database migrations to bring your schema up to date. Dify uses Alembic for migrations, and skipping this step can result in missing tables, columns, or functionality (migration scripts).
5. Inside your Docker environment, run these commands to restore plugin and model data:

   uv run flask extract-plugins --workers=20
   uv run flask install-plugins --workers=2
   uv run flask migrate-data-for-plugin
   

   Skipping these can result in missing backend records for plugins and models, even if the UI looks normal (upgrade procedure).
6. Test the upgrade in a staging environment before deploying to production. Validate all workflows, plugins, and integrations.
7. Monitor logs and application health after the upgrade. If you encounter issues, Alembic migration scripts support rollback.

For a detailed migration guide, see the community reference.

If you have customizations or use a non-standard database backend, review compatibility and transfer any changes as needed. Always back up before starting, and ensure you run all migration steps to avoid data loss or missing features.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[libosheng123]

thank you very much