Add UnifiedDepResolver that batch-resolves all custom node pack
dependencies via uv pip compile, replacing per-node pip installs.
Core features:
- Collect, sanitize, and compile requirements from all node packs
- Input validation with regex-based sanitization and blacklist/override support
- Conflict detection with per-node-pack attribution output
- CollectedDeps.sources stores (pack_path, pkg_spec) tuples for attribution
- Startup integration via prestartup_script.py with fallback to legacy path
- --uv-compile flag on 8 CLI commands: uv-compile, install, reinstall,
update, fix, restore-snapshot, restore-dependencies, install-deps
Testing:
- 148 unit tests (mock-based) covering all resolver logic
- 12 E2E pytest tests using ltdrdata's dedicated conflict test packs
- E2E environment setup scripts (setup, start, stop)
- Supply-chain safety policy: only verified authors' packs in E2E
Documentation:
- PRD and DESIGN specs for the resolver
- EN/KO cm-cli user docs updated for all new commands
- Test documentation and environment setup guide
Bump version to 4.1b3.
- Add is_safe_path_target() and get_safe_file_path() utilities
- Validate history id and snapshot target parameters in API endpoints
- Sanitize config string values to prevent CRLF injection
- Add verbose config option to control CNR fetch logging
- Improve get_module_name with cnr_id/aux_id fallback via repo_cnr_map
- Fix is_valid_url misuse of try/finally that could cause runtime errors
- Move SSH_URL_PATTERN to module-level constant for performance
- Add aux_id format (author/repo) support in normalize_to_github_id()
- Fix get_module_name() to use URL normalization for unknown_active_nodes
- Use NormalizedKeyDict in reload() to maintain normalized key lookup
- Use --ff-only flag to detect non-fast-forward situations
- Create backup branch before resetting divergent local branch
- Reset to remote branch when fast-forward is not possible
- Add timestamp_utils.py for Mac datetime module compatibility
- Migrate all datetime usages to centralized utilities
- Bump version to 4.0.3b5
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Previously, only `uv` installed inside a venv was properly handled. Now `uv` installed outside the venv is also supported.
* Even if `use_uv=False`, `uv` is used as a fallback when `pip` is unavailable.
* Even if `use_uv=True`, `pip` is used as a fallback when `uv` is unavailable.
https://github.com/Comfy-Org/ComfyUI-Manager/issues/2125
- Mismatch issue between ltdrdata/ and Comfy-Org/
modified: /v2/customnode/installed – cnr_id was being returned in a normalized form
modified: /v2/customnode/installed – when both an enabled nodepack and a disabled nodepack existed, modified to report only the enabled nodepack
fixed: Removed unnecessary warning messages printed during nodepack installation
- Strengthened the default security policy
- Subdivided the risky levels high and middle into high+, high, middle+, and middle
- Added support for personal_cloud network mode
- Updated README.md
fixed: invalid security message
fixed: legacy - crash when security policy violation occurred
modified: default 'use_uv' is now True
