feat: add read-only comfy outdated verb (core + node pack versions vs latest) (BE-3396)#561
feat: add read-only comfy outdated verb (core + node pack versions vs latest) (BE-3396)#561mattmillerai wants to merge 2 commits into
comfy outdated verb (core + node pack versions vs latest) (BE-3396)#561Conversation
…vs latest) (BE-3396)
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 44 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Comment |
There was a problem hiding this comment.
🔍 Cursor Review — Consolidated panel
Triggered by @mattmillerai.
Found 10 finding(s).
| Severity | Count |
|---|---|
| 🔴 Critical | 1 |
| 🟠 High | 3 |
| 🟡 Medium | 3 |
| 🟢 Low | 3 |
Panel: 6/8 reviewers contributed findings.
Reviewers that did not contribute: kimi-k2.5:adversarial (empty), kimi-k2.5:edge-case (empty)
Root-cause the CI build failure and address the cursor-review panel on comfy_cli/command/outdated.py: - test fixture: pin the git-pack bare repo to `-b main` so `ls-remote HEAD` resolves on runners whose `init.defaultBranch` is `master` (the 2 test_outdated failures). - git-pack RCE hardening: restrict transports (drop ext::/git://), pin GIT_SSH_COMMAND, clear credential.helper/core.fsmonitor, and add `--` before the origin URL in ls-remote (option-injection). Applied to every git call since cwd sits in an untrusted pack. - redirect get_latest_release stdout to stderr so a network error can't corrupt the single-line JSON envelope. - RegistryAPI.install_node: add a request timeout so a stalled registry can't hang `comfy outdated`. - escape pack names/versions/warnings through rich markup (MarkupError). - fall back to the git HEAD comparison when a pyproject pack isn't in the registry, instead of reporting it permanently unknown. - warn on a missing origin remote; catch UnicodeDecodeError on a corrupt cache. Adds tests for the fallback, missing-origin warning, and ext:: rejection. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ELI-5
Your ComfyUI install can quietly fall behind — an old core or an old node pack
can silently degrade agents (BE-3352). This adds a new read-only command,
comfy outdated, that tells you, at a glance, whether your ComfyUI core andeach custom node pack is up to date with the latest release. It never
changes anything — it just reads git metadata /
pyproject.tomland asks theGitHub + Comfy registry APIs what "latest" is.
comfy outdated --jsonemits the standard envelope for agents. Latest-versionlookups are cached for 1h under
~/.cache/comfy-cli/outdated.json;--refreshbypasses the cache.
What & how
comfy outdated(comfy_cli/cmdline.py, besideupdate) —read-only, resolves the workspace via
workspace_manager.workspace_path(sameas
update), renders via the existingget_renderer().emit(pretty table /JSON envelope).
git describe --tags --always+ short HEAD for a git checkout,falling back to
comfyui_version.py's__version__thenpyproject.toml.Latest = GitHub
releases/latest, reusinginstall.get_latest_release(rate-limit-aware, honors
GITHUB_TOKEN).<workspace>/custom_nodes/*; a pack whosepyproject.tomlcarries a registry id+version is a registry pack (latest via the
comfy_cli.registryclient); a bare git clone is a git pack (git ls-remote HEADvs local HEAD).{core:{installed,commit,latest,outdated}, packs:[{name,source,installed,latest,outdated}], checked_at}.Registered a JSON schema (
comfy_cli/schemas/outdated.json) and wired it intodiscovery.COMMAND_SCHEMAS(the schema-registration ratchet test enforces this).--refreshbypasses. Any network failure degrades tolatest: null+ a warning and exit 0 — a report that can't reach thenetwork is still useful.
Tests
tests/comfy_cli/command/test_outdated.pybuilds a real fixture workspace(git-checkout core + one registry pack + one git pack, the git pack cloned from
a local bare remote so it's fully offline) with mocked GitHub/registry HTTP.
Covers: stale-install verdicts, up-to-date, network-failure →
latest: null+exit 0, the 1h warm cache (serves latest even when the network is down),
--refreshbypass, the JSON envelope contract (single clean line on stdout),and schema validation. Ran
ruff check+ruff format(clean on new files)and the full
tests/comfy_cli/command+tests/comfy_cli/outputsuites green.Judgment calls / deviations from the ticket
install.get_latest_releasefor core latest instead of hand-rollinga GitHub call. Its timeout is 5s (ticket suggested 10s) — reusing the
rate-limit-aware fetcher is worth the smaller budget, and warm-cache calls are
~0.8s regardless. Acceptance (<5s warm cache) is met.
RegistryAPI.install_node(id)(the client'slatest-version accessor, hits
/nodes/{id}/install) rather than a raw/nodes/{id}call — honors "reuse the registry client rather than hand-rolling."commit(short HEAD) and each pack'ssource(registry/git/unknown).git describe --alwaysto a bare SHA. Comparing a SHA to a version tag isincomparable, so
_is_outdatedreturns False there (rather than a false"outdated") while still treating SHA-vs-SHA differences (git packs) as behind.
Regression-tested.
extract_node_configuration(e.g. a packwith no license) are routed to stderr so they never corrupt the single JSON
envelope on stdout.
Not a capability-denial change (no dead-end / "not supported" path) — it's a
purely additive read-only report, so the negative-claim falsification gate
doesn't apply.