Security:
- Add _INLINE_DANGEROUS_OPTIONS regex to catch pip options after package
names (--find-links, --constraint, --requirement, --editable, --trusted-host,
--global-option, --install-option and short forms)
- Stage index URLs in pending_urls, commit only after full line validation
to prevent URL injection from rejected lines
Tests:
- Add 50 new tests: inline sanitization, false-positive guards, parse
helpers (_parse_conflicts, _parse_install_output), exception paths
(91 → 141 total, all pass)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rewrite _split_index_url() to handle multiple --index-url /
--extra-index-url options on a single requirements.txt line using
regex-based parsing instead of single split.
- Cache installed_packages snapshot in collect_requirements() to avoid
repeated subprocess calls during downgrade blacklist checks.
- Add unit tests for multi-URL lines and bare --index-url edge case.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
read_config() in manager_core.py unconditionally re-read
use_unified_resolver from config.ini, undoing the False set by
prestartup_script.py on resolver fallback. This caused runtime
installs to still defer deps even after a startup batch failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When the unified resolver fails at startup (compile error, install
error, uv unavailable, or generic exception), the runtime flag was
not being reset to False. This caused subsequent runtime installs
to incorrectly defer pip dependencies instead of falling back to
per-node pip install.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Move cm_cli from comfyui_manager/cm_cli/ to top-level cm_cli/ package
- Convert relative imports to absolute imports
- Remove non-functional cli-only-mode command (flag was never checked)
- Update docs: python cm-cli.py → cm-cli entrypoint
- Update prestartup snapshot restore to use -m cm_cli
- Version bump to 4.1b1
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Add is_safe_path_target() and get_safe_file_path() utilities
- Validate history id and snapshot target parameters in API endpoints
- Sanitize config string values to prevent CRLF injection
- Add verbose config option to control CNR fetch logging
- Improve get_module_name with cnr_id/aux_id fallback via repo_cnr_map
- Fix is_valid_url misuse of try/finally that could cause runtime errors
- Move SSH_URL_PATTERN to module-level constant for performance
* Started changing UI to match the rest of ComfyUI
Completed Main Container
* - Added layout formatting to components of the Manager dialog box
- Pulled name from select and put it into a label (eg "DB: Channel" now has a label of DB and a dropdown with channel, etc)
- Fixed incorrect z-index
* Removed this.close() I added before finding z-index issue.
* Matched buttons and drop downs to match style of ComfyUI interface while keeping the colours the same as OG ComfyUI Manager
* - Took gui building out and put into its own .js
- Applied theme to Nodes Manager
- Made theme respect user theme colors
* - Themed model manager and snapshot manager
- fixed incorrect id in gui builder
* Fix syntax error in color property
---------
Co-authored-by: Dr.Lt.Data <128333288+ltdrdata@users.noreply.github.com>
- Add aux_id format (author/repo) support in normalize_to_github_id()
- Fix get_module_name() to use URL normalization for unknown_active_nodes
- Use NormalizedKeyDict in reload() to maintain normalized key lookup
* Improve comfyui version listing
* Fix ComfyUI semver selection and stable update
* Fix nightly current detection on default branch
* Fix: use tag_ref.name explicitly and cache get_remote_name result
- Use tag_ref.name instead of tag_ref object for checkout
- Cache get_remote_name() result to avoid duplicate calls
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Dr.Lt.Data <dr.lt.data@gmail.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Use --ff-only flag to detect non-fast-forward situations
- Create backup branch before resetting divergent local branch
- Reset to remote branch when fast-forward is not possible
- Add timestamp_utils.py for Mac datetime module compatibility
- Migrate all datetime usages to centralized utilities
- Bump version to 4.0.3b5
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add Keybinding Extra custom node
Added a new custom node for Keybinding Extra with relevant details.
* Enhance description for Keybinding Extra
Updated the description for the Keybinding Extra to provide more detail about its functionality.
* Update custom-node-list.json
---------
Co-authored-by: Dr.Lt.Data <128333288+ltdrdata@users.noreply.github.com>
Resolved merge conflict with PR #2297 by integrating:
- PDF Tools - Advanced PDF Processing & OCR (new entry)
- AAA Metadata System (updated with enhanced description and metadata)
- HYPIR Image Restoration (preserved from main branch)
All entries use consistent spacing and JSON formatting.
