fix(security): register extension.manager.supports_csrf_post feature flag (4.2.1)

Expose CSRF-POST backend capability as a semantic contract via ComfyUI core's
feature_flags mechanism, so frontends (ComfyUI_frontend, extensions) can detect
it without parsing version strings. Pre-4.2.1 Manager does not set the flag —
clients observe its absence and should treat the backend as "incompatible with
POST-only state-mutation endpoints" and prompt the user to upgrade.

Follow-up patch to 4.2 (PR #2818); no endpoint or security behavior change.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)

Author: ltdrdata

CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to **ComfyUI-Manager** are documented in this file.
 The format is based on [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html).
 
+## [4.2.1] - 2026-04-22
+
+### Added
+
+- Server-push feature flag `extension.manager.supports_csrf_post` registered at
+  startup, allowing ComfyUI-frontend (and other clients) to detect
+  CSRF-POST backend support as a semantic capability contract, without
+  relying on version string parsing. Pre-4.2.1 Manager does not set the
+  flag — clients should treat its absence as 'incompatible with NEW_UI'.
+
 ## [Unreleased]
 
 Security-hardening release on branch `fix/csrf-post-conversion`. Contains
@@ -120,4 +130,5 @@ below before upgrading programmatic clients.
   perform the change from a trusted entry point. Read access via `GET` is
   unaffected.
 
+[4.2.1]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.2...v4.2.1
 [Unreleased]: https://github.com/Comfy-Org/ComfyUI-Manager/compare/v4.1b6...HEAD

comfyui_manager/__init__.py

@@ -6,6 +6,25 @@
 from comfy.cli_args import args
 
 
+# Register server-push feature flag so frontends (ComfyUI_frontend) can
+# detect CSRF-POST backend capability as a semantic contract (vs version
+# string parsing). See PR #2818 for context; cmfront uses this flag to
+# decide whether to invoke POST state-mutation endpoints. Pre-4.2.1 Manager
+# does not set this flag — cmfront treats its absence as 'incompatible'.
+try:
+    from comfy_api import feature_flags as _core_feature_flags
+    _mgr_flags = (
+        _core_feature_flags.SERVER_FEATURE_FLAGS
+        .setdefault('extension', {})
+        .setdefault('manager', {})
+    )
+    _mgr_flags['supports_csrf_post'] = True
+except ImportError:
+    # Older ComfyUI core without comfy_api.feature_flags module.
+    # Manager functions but cmfront will not observe the flag.
+    pass
+
+
 def prestartup():
     from . import prestartup_script  # noqa: F401
     logging.info('[PRE] ComfyUI-Manager')

pyproject.toml

@@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "comfyui-manager"
 license = { text = "GPL-3.0-only" }
-version = "4.2"
+version = "4.2.1"
 requires-python = ">= 3.9"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
 readme = "README.md"