Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 5 no-body POST handlers (snapshot/save,
manager/queue/{reset,start,update_comfyui}, manager/reboot) to block
<form method=POST> CSRF that bypasses method-only gating. Convert 10 pure
state-changing endpoints (fetch_updates, queue/{update_all,reset,start,
update_comfyui}, snapshot/{remove,restore,save}, comfyui_switch_version,
reboot) from GET to POST and split 5 config endpoints
(db_mode/preview_method/channel_url_list/policy/{component,update}) into
GET(read) + POST(write, JSON body). Emit the in_progress + done event pair
from the /manager/queue/install sync-enable fast-path so client UI
finalizes (previously only queue/start's empty worker done fired, leaving
item.restart unset and the Enable button visible after a successful enable).
Harden js/custom-nodes-manager.js completion path: await onQueueCompleted
with try/catch (surfaces silent turbogrid stale-item throws), replace the
{}.length == 0 no-op empty guard, set install_context before queue/install
to avoid a sync-completion race, wrap classList/updateCell in try/catch.
Resynchronize openapi.yaml with the converted routes (method → post, query
params → requestBody JSON schema, sibling post on 5 split endpoints).
Update 31 JS fetchApi call sites across 7 files; add
tests/test_csrf_content_type_helper.py covering 5 Content-Type cases via
aiohttp TestClient.
Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
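The Content-Type layer described above, as an added example that is not the project's own code: a framework-neutral guard for a no-body POST handler that first rejects non-POST methods and then rejects the three CORS-safelisted form media types, so a cross-origin `<form method=POST>` cannot reach the action even though GET is already gated. Function names, the 405/415 status choices and the sample requests are this example's assumptions; the real project wires an equivalent check into aiohttp handlers.

```python
# Added example (not ComfyUI-Manager's own code): Content-Type based CSRF
# defense-in-depth for POST endpoints that take no request body.

# The only media types a browser will send cross-origin from a plain HTML
# form, i.e. without a CORS preflight. Anything else needs fetch()/XHR, which
# same-origin policy and CORS already constrain.
FORM_SAFELISTED_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def media_type(content_type):
    """Lowercase media type of a Content-Type value, parameters dropped.

    'multipart/form-data; boundary=xyz' -> 'multipart/form-data'
    'TEXT/PLAIN;charset=utf-8'          -> 'text/plain'
    None or blank                        -> None
    """
    if content_type is None:
        return None
    mt = content_type.split(";", 1)[0].strip().lower()
    return mt or None


def is_form_safelisted(content_type):
    """True if this Content-Type could have come from an HTML form post."""
    return media_type(content_type) in FORM_SAFELISTED_TYPES


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict (assumed shape)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def guard_no_body_post(method, headers):
    """Decision for a body-less action endpoint (reboot, queue/start, ...).

    Returns (status, reason). Status codes are this example's choice:
      405 - not POST: the GET->POST conversion alone blocks <img>/<a> CSRF
      415 - POST carrying a form media type: blocks <form method=POST> CSRF
      200 - POST with any other (or no) Content-Type
    A POST with no Content-Type passes: a browser form always sets one.
    """
    if method.upper() != "POST":
        return 405, "method not allowed"
    ct = _header(headers, "Content-Type")
    if is_form_safelisted(ct):
        return 415, "form content type %r rejected" % media_type(ct)
    return 200, "ok"


# Constructed sample requests mirroring the five Content-Type cases named in
# the commit message (values are illustrative, not captured traffic).
CONSTRUCTED_CASES = {
    "urlencoded": ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    "multipart":  ("POST", {"content-type": "multipart/form-data; boundary=----abc"}),
    "text_plain": ("POST", {"Content-Type": "text/plain;charset=UTF-8"}),
    "json":       ("POST", {"Content-Type": "application/json"}),
    "absent":     ("POST", {}),
    "get_json":   ("GET",  {"Content-Type": "application/json"}),
}


def run_cases(cases=CONSTRUCTED_CASES):
    """Evaluate every sample request; returns {name: status}."""
    return {name: guard_no_body_post(m, h)[0] for name, (m, h) in cases.items()}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{name:11s} -> {status}")
```

Parameters such as `boundary=` and `charset=` are stripped before the comparison, so a multipart request is still recognised as a form post. The guard deliberately rejects on the three form types rather than allow-listing `application/json`, which is what lets the no-body endpoints keep accepting requests that carry no Content-Type at all.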
handleFile signature is updated in ComfyUI frontend [handleFile (file: File, openSource?: WorkflowOpenSource, options?: { deferWarnings?: boolean } )]. Using rest parameters to fix and future-proof.
- Add detection for ComfyUI PR #11261 (per-queue preview override)
- Return DISABLED status when native feature is detected
- Improve UI loading state and prevent flash of enabled state
- Add accessibility attributes and visual feedback for disabled state
- Show user notification when feature transitions to native
- Version bump to 3.39
* Started changing UI to match the rest of ComfyUI
Completed Main Container
* - Added layout formatting to components of the Manager dialog box
- Pulled name from select and put it into a label (e.g. "DB: Channel" now has a label of DB and a dropdown with channel, etc.)
- Fixed incorrect z-index
* Removed this.close() I added before finding z-index issue.
* Matched buttons and drop-downs to the style of the ComfyUI interface while keeping the colours the same as OG ComfyUI Manager
* - Took gui building out and put into its own .js
- Applied theme to Nodes Manager
- Made theme respect user theme colors
* - Themed model manager and snapshot manager
- fixed incorrect id in gui builder
* Fix syntax error in color property
---------
Co-authored-by: Dr.Lt.Data <128333288+ltdrdata@users.noreply.github.com>
- Migrate Manager data path: default/ComfyUI-Manager → __manager
- Force security_level=strong on outdated ComfyUI (block installations)
- Auto-migrate config.ini only; backup legacy files for manual verification
- Raise weak/normal- to normal during migration
- Add /manager/startup_alerts API for UI warnings
- Differentiate 403 responses: comfyui_outdated vs security_level
- Block startup scripts execution on old ComfyUI
Requires ComfyUI v0.3.76+ for full functionality.
Backward compatible with older versions (uses legacy path).
* retain initial node_versions on serialize
* give precedence to workflow version
* set version info on node
* move patch to setup hook
* switch to nodeCreated
fixed: Update all - Properly display the results of the ComfyUI update.
fixed: Update all - An issue where the action results of the custom nodes manager were reflected in the main dialog.
https://github.com/ltdrdata/ComfyUI-Manager/issues/1548
* Add commands for manager keybindings
* use more consistent isVisible condition check
* remove hide method in favor of super class's close method
* fix formatting
* fix tabs formatting
* IMPROVED: Instead of updating the entire CNR cache at once, the process now divides it into 30-page queries.
* IMPROVED: Clicking on the titles of nodes that exist only in CNR now opens the GitHub repository link instead of the CNR link, where possible.
* ADDED: Added information about `extra_model_paths.yaml` to the README.md file.
https://github.com/ltdrdata/ComfyUI-Manager/issues/1457