From bd4ede2237c97b3a71569a0301a0be9db226c7e9 Mon Sep 17 00:00:00 2001 From: "Dr.Lt.Data" Date: Mon, 15 Jun 2026 02:41:52 +0900 Subject: [PATCH] bump version --- CHANGELOG.md | 23 +++++++++++++++++++++++ pyproject.toml | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fabf8ab5..5226f425 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/ ## [Unreleased] +## [4.2.2] - 2026-06-15 + ### Security - **Dedicated install flags decouple git-URL / pip installs from `security_level`**: 
@@ -30,6 +32,26 @@ and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/ `[default]` section of `config.ini`. The flags are NOT auto-seeded from your `security_level` — explicit opt-in is intentional. +### Fixed + +- **pygit2 fallback hardening (Desktop 2.0)**: under `CM_USE_PYGIT2=1` the + pygit2 backend ran `clone_repository` / `remote.fetch` honoring the user's + global git config, so an `insteadOf` rewrite (https→ssh) or credential + helper forced authentication and failed with *"authentication required but + no callback set"*. The system/global/XDG config search path is now blanked + at import time (hermetic libgit2 operations) and SSH-form GitHub URLs are + normalized to anonymous HTTPS on clone and when opening a repo. System + `git` is preferred when available. +- **pygit2 fallback follow-ups**: `list_remotes()` fetches now route through + `_fetch_remote` so the proxy and SSH→HTTPS rewrite apply to every fetch + entry point, with `pull` provided on the proxies via a shared + `_pull_remote` helper. `_to_https_url` now handles `ssh://git@host:port/...` + URLs (drops the custom SSH port instead of mangling it) and collapses + leading slashes; non-scp-form and port-only/IPv6 `ssh://` URLs are returned + unchanged. `clone_repo` omits the `proxy=` kwarg when no proxy is + configured (proxy-less installs keep working on pygit2 < 1.18), and pygit2 + is now pinned to `>= 1.18`. + ## [4.2.1] - 2026-04-22 Security-hardening release. Contains breaking-ish API changes for @@ -151,4 +173,5 @@ programmatic clients. perform the change from a trusted entry point. Read access via `GET` is unaffected. +[4.2.2]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.2.1...v4.2.2 [4.2.1]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.1b6...v4.2.1 diff --git a/pyproject.toml b/pyproject.toml index bf2035c7..ed8e5f72 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "comfyui-manager"
 license = { text = "GPL-3.0-only" }
-version = "4.2.1"
+version = "4.2.2"
 requires-python = ">= 3.9"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
 readme = "README.md"