If flush callbacks persistently fail (e.g., network issues), logs would
accumulate indefinitely in _logs_since_flush, potentially causing OOM
on long-running servers.
Added MAX_PENDING_LOGS (10000) limit - when exceeded, oldest logs are
dropped. This is similar to how the global logs deque uses maxlen.
Move log clearing to after all callbacks succeed, not before. This
ensures that if any callback raises an exception, the logs remain
available for retry on the next flush call instead of being lost.
The previous approach cleared logs before iterating callbacks,
which meant logs were permanently lost if any callback failed.
Clear _logs_since_flush before iterating callbacks by capturing logs
into a local variable first. This prevents duplicate logs if a
callback raises an exception, since the instance variable is already
cleared before any callback runs.
Add test to verify logs are cleared even when callbacks raise.
Move _logs_since_flush reset outside the callback loop so all
registered callbacks receive the same log data instead of only
the first callback getting logs while subsequent ones get an empty list.
Add test to verify multiple callbacks all receive the same logs.
When running ComfyUI in API mode on Windows, print() statements from
custom nodes can crash with "OSError: [Errno 22] Invalid argument"
during flush. This occurs because piped/redirected stdout streams on
Windows may fail to flush even after successful writes.
This fix catches OSError with errno 22 (EINVAL) specifically in
LogInterceptor.flush(), allowing the flush callbacks to still execute.
The error is safe to ignore since write() already succeeded.
Fixes#11367
* feat(security): add System User protection with `__` prefix
Add protected namespace for custom nodes to store sensitive data
(API keys, licenses) that cannot be accessed via HTTP endpoints.
Key changes:
- New API: get_system_user_directory() for internal access
- New API: get_public_user_directory() with structural blocking
- 3-layer defense: header validation, path blocking, creation prevention
- 54 tests covering security, edge cases, and backward compatibility
System Users use `__` prefix (e.g., __system, __cache) following
Python's private member convention. They exist in user_directory/
but are completely blocked from /userdata HTTP endpoints.
* style: remove unused imports
* Add get_subgraphs_dir to ComfyExtension and PUBLISHED_SUBGRAPH_DIRS to nodes.py
* Created initial endpoints, although the returned paths are a bit off currently
* Fix path and actually return real data
* Sanitize returned /api/global_subgraphs entries
* Remove leftover function from early prototyping
* Remove added whitespace
* Add None check for sanitize_entry
Adds installed and required workflow templates version information to the
/system_stats endpoint, allowing the frontend to detect and notify users
when their templates package is outdated.
- Add get_installed_templates_version() and get_required_templates_version()
methods to FrontendManager
- Include templates version info in system_stats response
- Add comprehensive unit tests for the new functionality
- Update comfyui-frontend-package from 1.25.9 to 1.25.10
- Revert forced legacy navigation mode from PR #9518
- Frontend v1.25.10 includes proper navigation mode fixes and improved display text
* Added the parameter required_frontend_version in the /system_stats api response
* Update server.py
* Created a function get_required_frontend_version and wrote tests for it
* Refactored the function to return currently installed frontend pacakage version
* Moved required_frontend to a new function and imported that in server.py
* Corrected test cases using mocking techniques
* Corrected files to comply with ruff formatting
* Add '@prerelease' to use latest test frontend
Allows download of pre-release versions.
Will always get the latest pre-release version - even if it's older than the latest stable release.
* nit
* install templates as pip package
* Update requirements.txt
* bump templates version to include hidream
---------
Co-authored-by: Chenlei Hu <hcl@comfy.org>
* Ensuring a 401 error is returned when user data is not found in multi-user context.
* Returning a 401 error when provided comfy-user does not exists on server side.
* improved: better installation guide
- change `pip` to `{sys.executable} -m pip`
modified: To prevent the guide message from being obscured by a complex error message, apply `exit` instead of `raise`.
* ruff fix
* nit
* Add option to log non-error output to stdout
- No change to default behaviour
- Adds CLI argument: --log-stdout
- With this arg present, any logging of a level below logging.ERROR will be sent to stdout instead of stderr
