chore(release): 4.2.1 — register extension.manager.supports_csrf_post feature flag

Lets clients detect CSRF-POST backend support via ComfyUI core's feature_flags instead of parsing version strings. Absence of the flag indicates a Manager version < 4.2.1 that is incompatible with POST-only state-mutation endpoints. Follow-up to #2818; no endpoint or security behavior change.
2026-05-10 00:52:32 +08:00 · 2026-04-22 22:01:37 +09:00 · 2026-04-22 22:01:37 +09:00 · 81935bd66e
commit 81935bd66e
parent 4410ebc6a6
3 changed files with 32 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,11 +5,11 @@ All notable changes to **ComfyUI-Manager** are documented in this file.
 The format is based on [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html).
-## [Unreleased]
+## [4.2.1] - 2026-04-22
-Security-hardening release on branch `fix/csrf-post-conversion`. Contains
+Security-hardening release. Contains breaking-ish API changes for
-breaking-ish API changes for state-mutating endpoints. See **Migration notes**
+state-mutating endpoints. See **Migration notes** below before upgrading
-below before upgrading programmatic clients.
+programmatic clients.
 ### Security
@ -65,6 +65,12 @@ below before upgrading programmatic clients.
 ### Added
 - **Server-push feature flag `extension.manager.supports_csrf_post`** registered
  at startup, allowing ComfyUI-frontend (and other clients) to detect
  CSRF-POST backend support as a semantic capability contract, without
  relying on version string parsing. Manager versions prior to 4.2.1 do not
  set the flag — clients should treat its absence as 'incompatible with
  POST-only state-mutation endpoints'.
 - **E2E test harness variants** for security-level and legacy-mode scenarios:
  `tests/e2e/scripts/start_comfyui_legacy.sh`,
  `tests/e2e/scripts/start_comfyui_permissive.sh`,
@ -120,4 +126,4 @@ below before upgrading programmatic clients.
  perform the change from a trusted entry point. Read access via `GET` is
  unaffected.
-[Unreleased]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.1b6...HEAD
+[4.2.1]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.1b6...v4.2.1
--- a/comfyui_manager/init.py
+++ b/comfyui_manager/init.py
@ -6,6 +6,26 @@ from .common import manager_security
 from comfy.cli_args import args
 # Register server-push feature flag so ComfyUI_frontend (and other clients)
 # can detect CSRF-POST backend capability as a semantic contract (vs version
 # string parsing). See PR #2818 for context; clients use this flag to decide
 # whether to invoke POST state-mutation endpoints. Manager versions prior to
 # 4.2.1 do not set this flag — clients should treat its absence as
 # 'incompatible with POST-only state-mutation endpoints'.
 try:
    from comfy_api import feature_flags as _core_feature_flags
    _mgr_flags = (
        _core_feature_flags.SERVER_FEATURE_FLAGS
        .setdefault('extension', {})
        .setdefault('manager', {})
    )
    _mgr_flags['supports_csrf_post'] = True
 except ImportError:
    # Older ComfyUI core without comfy_api.feature_flags module.
    # Manager functions but clients will not observe the flag.
    pass
 def prestartup():
    from . import prestartup_script  # noqa: F401
    logging.info('[PRE] ComfyUI-Manager')
--- a/pyproject.toml
+++ b/pyproject.toml
@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "comfyui-manager"
 license = { text = "GPL-3.0-only" }
-version = "4.2"
+version = "4.2.1"
 requires-python = ">= 3.9"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
 readme = "README.md"