SillyTavern 1.18.0

Important news

Read the maintainers statement regarding a recent security incident involving the "Bot Browser" third-party extension and learn how to stay safe: https://github.com/SillyTavern/SillyTavern/discussions/5592

Backends

• Added Cloudflare Workers AI and MiniMax as Chat Completion sources.
• KoboldCpp: Grammar state will be preserved when using a "Continue" option.
• KoboldCpp: Added forwarding of reasoning effort when running as a Custom Chat Completion source.
• Tool Calling: Added a configurable tool calling recursion limit; enabled interleaved thinking for Custom sources.
• Text Completion: Impersonation requests use a "Last User Message" prefix at the end of the prompt (if configured).
• Text Generation WebUI: Added Adaptive-P controls.
• NanoGPT: Added provider selection and model sorting.
• Added ability to view remaining balance for OpenRouter and NanoGPT.
• Enhanced support for new models: DeepSeek v4, GPT 5.4 and 5.5, Gemma 4, GLM-5V-Turbo, Claude Opus 4.7.

Server & Security

• Removed post-install script, config migration is now handled by the app or a dedicated npm run init command.
• Added npm configuration to prevent execution of package scripts during installation.
• Moved HTTP error pages and user.css file from /public to /data to support immutable setups.
• Disabled HTTP keep-alive by default to restore old Node 18 behavior, can be enabled with config.
• Added rate limiting to the basic authentication flow to mitigate brute-force attacks.
• Added configuration options to choose which headers can be used for forwarded IP detection to prevent spoofing.
• Added a private address whitelist to prevent SSRF attacks. See the documentation on how to enable and configure: Private Address Whitelist.
• Added an IP whitelist for SSO trusted proxies to prevent authentication bypass.
• Added invalidation of session cookies on password change to prevent session hijacking.
• Increased the length of password reset code to 6 characters to guard against brute-force attacks.
• Implemented PKCE challenge in OpenRouter OAuth flow for more secure key exchange.

UI/UX

• Improved swipe picker: mobile requires a long press on swipe counter to open; added buttons to expand or copy the swipe text.
• "Click to Edit" mode now also applied to reasoning blocks.
• Welcome Screen: Number of recent chats can be configured.
• Streamed requests now can show an error message in the console if the request fails.

STscript

• Added commands for persona management: /persona-create, /persona-update, /persona-delete, /persona-duplicate, and /persona-get.
• Added a command to force update the Prompt Manager's prompt list: /pm-render.
• Added a command to get the state of the regex script: /regex-state.
• Added a command to set fallback expression: /expression-fallback.
• Added a command to generate a streamed response with a connection profile: /profile-genstream.

Extensions

• Assets list now groups extensions by "Official" or "Community" categories.
• Added an additional confirmation prompt when installing third-party extensions (can be disabled).
• Supported extensions can use a secret-id from connection profiles when making an LLM request.
• Extensions list now shows the extension's author name resolved from the git remote URL.
• Vector Storage: Added Workers AI source; added a toggle to keep vectors for hidden messages; added retry logic to summary generation.
• Image Generation: Added Workers AI source; generation can now be cancelled by pressing a button in the status toast.
• Image Captioning: Added support for macros in the caption prompt.
• TTS: "Skip code blocks" no longer ignores lines that start with 4 spaces (legacy code block syntax); "disabled" voice now shows a toast only once per character.

Bug Fixes

• Fixed text edit flow in Firefox on mobile.
• Fixed welcome screen chat pins not updating on chat renaming.
• Fixed character list filters being stuck on app initialization.
• Fixed application of instruct formatting to /genraw requests.
• Fixed model routing to sd.cpp API in Image Generation logic.
• Fixed validation of image URLs generated with Z.AI API.
• Fixed vectors deletion for KoboldCpp when a message is deleted.
• Fixed "Show More Messages" button triggering edit in "Click to Edit" mode.
• Fixed max height of select-multiple elements in mobile layout.
• Fixed server crash on empty messages when applying cache control parameters.

Community updates

• Fix npm audit in /tests by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5370
• CI: Update node to 24, run ci without scripts by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5376
• Backmerge release into staging by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5377
• feat(secrets): update readSecret function to accept optional secret ID by @dylenyedc in https://github.com/SillyTavern/SillyTavern/pull/5356
• fix: return Error objects from invokeFunctionTool and create error invocations by @xz-dev in https://github.com/SillyTavern/SillyTavern/pull/5351
• Add opt-in toggle to keep hidden messages in chat vector index by @Copilot in https://github.com/SillyTavern/SillyTavern/pull/5378
• feat: swipe picker expand/collapse, copy button, and left-align text by @Copilot in https://github.com/SillyTavern/SillyTavern/pull/5380
• Fix /genraw user instruct format not applied and unwanted system newline by @Claude in https://github.com/SillyTavern/SillyTavern/pull/5372
• fix: require long press to open swipe picker on phones by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5382
• Save chat before emitting event for user message by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5389
• Use custom init script instead of postinstall by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5384
• glm-5v-turbo by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5393
• Add VSCode settings for TypeScript SDK configuration by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5394
• Add Gemma 4 instruct, context, and reasoning presets by @LumiWasTaken in https://github.com/SillyTavern/SillyTavern/pull/5403
• Immutable public and global content management by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5390
• Skip TTS for voices explicitly set to disabled (fixes #4970) by @tgies in https://github.com/SillyTavern/SillyTavern/pull/5367
• Add unit tests for prompt-converters.js by @tgies in https://github.com/SillyTavern/SillyTavern/pull/5364
• Add unit tests for TavernCardValidator by @tgies in https://github.com/SillyTavern/SillyTavern/pull/5366
• Add tests for Cache, MemoryLimitedMap, and other util.js coverage gaps by @tgies in https://github.com/SillyTavern/SillyTavern/pull/5365
• Add IP whitelist for SSO authentication headers by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5404
• fix: improve streaming error propagation and forwarded response logging by @dz114879 in https://github.com/SillyTavern/SillyTavern/pull/5317
• feat: add Cloudflare Workers AI provider by @tgies in https://github.com/SillyTavern/SillyTavern/pull/5385
• fix npm audit in src/electron by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5405
• Add Entry Preview to World Info Deletion Confirmation Dialog by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5423
• refactor(tts): remove redundant 4-space codeblock filter by @bumprat in https://github.com/SillyTavern/SillyTavern/pull/5406
• feat: add Workers AI text embeddings and multimodal captioning by @tgies in https://github.com/SillyTavern/SillyTavern/pull/5414
• Fix: Remove COMFY_RUNPOD from secrets input map — invalid element reference by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5432
• Fix: Suppress false "Unsupported language" console warnings for English locale variants by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5431
• Fix: Skip Pseudo-Elements When Generating Dynamic Focus Styles by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5430
• Add Arguments Logging to Deprecated MacrosParser Method Warnings for Better Debugging Context by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5429
• Fix stable-diffusion.cpp model routing and URL path handling by @V13Axel in https://github.com/SillyTavern/SillyTavern/pull/5427
• Add /regex-state slash command to check regex script status by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5428
• Migrate built-in extensions to use manifest-based activate hooks by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5435
• Refactor repetitive vectorization model loading into a generic data-driven function by @Copilot in https://github.com/SillyTavern/SillyTavern/pull/5425
• Add configurable welcome screen recent chats, fix pin loss on rename, and add popup number input validation by @Copilot in https://github.com/SillyTavern/SillyTavern/pull/5436
• Gemma 4 reasoning: drop newline there by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5433
• Chore: Add persona lifecycle events (PERSONA_CREATED, PERSONA_UPDATED, PERSONA_RENAMED, PERSONA_DELETED) by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5443
• chore: Add getExtensionManifest() to the extension context API by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5442
• Add disabled property support to all popup custom input types by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5441
• Fix: Missing signature and toolSignatures fields in ChatCompletionService streaming state by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5439
• Allow grammar to keep place during continue by @Reithan in https://github.com/SillyTavern/SillyTavern/pull/5444
• Add clean extension lifecycle hook for optional data cleanup by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5449
• Emit PERSONA_CREATED event on persona duplication by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5448
• fix: missing closing bracket in jQuery selector in setInContextMessages() by @Copilot in https://github.com/SillyTavern/SillyTavern/pull/5451
• Add Streaming Display Utility and New Generation Slash Commands (/genstream, /reasoning-format) by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5438
• Integrate Cloudflare Workers AI text-to-image into SD extension by @Copilot in https://github.com/SillyTavern/SillyTavern/pull/5434
• Use 'Last User Prefix' for Last Prompt Line When Sending TC Impersonation Requests by @CasualAutopsy in https://github.com/SillyTavern/SillyTavern/pull/5456
• Enable interleaved tool reasoning for custom OpenAI-compat endpoints by @Reithan in https://github.com/SillyTavern/SillyTavern/pull/5445
• Improve OpenRouter model lists in extensions by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5459
• Enhanced /persona-sync Command with Range, Name Filter, and Quiet Mode by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5460
• implemented emit events for itemized-prompts.js by @Enerccio in https://github.com/SillyTavern/SillyTavern/pull/5461
• Fix incorrect translation of "New" button in World Info module by @awaae001 in https://github.com/SillyTavern/SillyTavern/pull/5463
• Increase Top K max value from 200 to 500 for text generation WebU by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5474
• add claude-opus-4-7 by @ashishch432 in https://github.com/SillyTavern/SillyTavern/pull/5465
• Fix group chat reasoning "mind reading" — only include reasoning from the currently generating character by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5473
• fix: limit max-height of select[multiple] on mobile to prevent Chrome 145+ full-screen rendering by @octo-patch in https://github.com/SillyTavern/SillyTavern/pull/5467
• fix: correct typo in cacheScores debug log and add JSDoc to filterDataByState by @octo-patch in https://github.com/SillyTavern/SillyTavern/pull/5468
• Bulk extension field updates via merge-attributes with UNSET_VALUE sentinel by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5471
• Add 'pm-render' command to refresh prompt manager content by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5483
• fix: enhance URL validation for Z.AI image generation by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5482
• Refactor: Replace SD image generation indicator with ActionLoader system by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5472
• Fix: Prevent "Show More Messages" Button from Triggering Message Edit Mode by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5486
• Add Click-to-Edit Support for Reasoning Blocks by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5487
• Add Persona CRUD Slash Commands with Shared Avatar Utilities by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5466
• Enhance Vectorize All process with error handling, retries and minor improvements by @TanJeeSchuan in https://github.com/SillyTavern/SillyTavern/pull/5479
• Add Slug Parameter to Action Loader for Programmatic Identification by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5490
• feat: add Adaptive-P controls for oobabooga by @yuaiccc in https://github.com/SillyTavern/SillyTavern/pull/5502
• Sync OpenRouter providers list by @cloak1505 in https://github.com/SillyTavern/SillyTavern/pull/5503
• feat: add getWorldInfoNames() to getContext() for WorldInfo enumeration. by @Therosin in https://github.com/SillyTavern/SillyTavern/pull/5505
• Fix KoboldCpp vector hash deletion by @yuaiccc in https://github.com/SillyTavern/SillyTavern/pull/5508
• Display OpenRouter credit balance in UI by @Stagnating in https://github.com/SillyTavern/SillyTavern/pull/5513
• feat: add MiniMax as a chat completion provider by @octo-patch in https://github.com/SillyTavern/SillyTavern/pull/5452
• feat: add DeepSeek V4 model support with thinking mode and reasoning effort by @Dclef in https://github.com/SillyTavern/SillyTavern/pull/5522
• fix: add config toggle to disable HTTP keepAlive (Node 18 behavior) by @DeathStalker471 in https://github.com/SillyTavern/SillyTavern/pull/5519
• fix: Don't apply layout hack in Firefox Mobile while editing text by @Christoph-D in https://github.com/SillyTavern/SillyTavern/pull/5531
• add macro support for image caption extension prompt (multimodal) by @f-eg in https://github.com/SillyTavern/SillyTavern/pull/5527
• Add Tool Call Recurse Limit slider to Chat Completion settings by @Copilot in https://github.com/SillyTavern/SillyTavern/pull/5518
• OpenAI: Add gpt-5.5, gpt-5.4-mini/nano, gpt-image-2 by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5529
• feat: add gemma 4 for AI studio by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5493
• feat: pass koboldcpp reasoning effort by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5491
• fix: remove legacy filter state restoration by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5535
• Implement S256 challenge in OpenRouter OAuth flow by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5501
• Chat Completion: common model sorting and grouping settings, improved NanoGPT model list by @DeathStalker471 in https://github.com/SillyTavern/SillyTavern/pull/5536
• feat: Add NanoGPT credit stats UI by @DeathStalker471 in https://github.com/SillyTavern/SillyTavern/pull/5537
• Fix missing filename sanitization on V2 JSON character import + harden getPngName as safety nee by @Wolfsblvt in https://github.com/SillyTavern/SillyTavern/pull/5538
• Implement private IP range request host validator by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5497
• Fix: Prevent crash in cachingAtDepthForOpenRouterClaude on empty content from trailing tool calls by @crsp6447 in https://github.com/SillyTavern/SillyTavern/pull/5541
• Better SVG for Kobold/KoboldCpp by @bubfix in https://github.com/SillyTavern/SillyTavern/pull/5543
• fix: improve sanitation of toasts that bypass HTML escaping by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5540
• fix: update backup archive to ignore migration secrets files by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5548
• Backmerge release into staging by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5549
• Minor adjustments to the SVG icons. by @bubfix in https://github.com/SillyTavern/SillyTavern/pull/5546
• fix: (AI Studio) temperature -> maxTemperature by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5554
• Extension management improvements by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5552
• Fix json schema use for openAI compat CUSTOM endpoints in several use paths by @Reithan in https://github.com/SillyTavern/SillyTavern/pull/5561
• Feat - Add expression-set-fallback slash command by @leandrojofre in https://github.com/SillyTavern/SillyTavern/pull/5551
• feat: add nanogpt provider selection by @DeathStalker471 in https://github.com/SillyTavern/SillyTavern/pull/5544
• Add rate limit to basic auth middleware by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5504
• Update/Turn expression-set-fallback into expression-fallback by @leandrojofre in https://github.com/SillyTavern/SillyTavern/pull/5564
• Add account version tags to cookies by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5563
• Extension clone improvements (part 2) by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5571
• fix: npm audit package dependencies by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5572
• Add option to return malformed JSON string from extractJsonFromData by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5578
• Refactor extension management and assets download menu by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5583
• Tabby: Prevent unwanted BOS token being added to all tokenizations. by @Ph0rk0z in https://github.com/SillyTavern/SillyTavern/pull/5589
• Update release version number by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5590
• Staging by @Cohee1207 in https://github.com/SillyTavern/SillyTavern/pull/5591

New Contributors

• @dylenyedc made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5356
• @dz114879 made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5317
• @bumprat made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5406
• @V13Axel made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5427
• @Enerccio made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5461
• @ashishch432 made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5465
• @octo-patch made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5467
• @TanJeeSchuan made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5479
• @yuaiccc made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5502
• @Stagnating made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5513
• @Dclef made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5522
• @DeathStalker471 made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5519
• @f-eg made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5527
• @crsp6447 made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5541
• @bubfix made their first contribution in https://github.com/SillyTavern/SillyTavern/pull/5543

Full Changelog: https://github.com/SillyTavern/SillyTavern/compare/1.17.0...1.18.0