Two different node packs are registered in custom-node-list.json whose Git URL
basenames differ only by letter case:
- https://github.com/Inzaniak/comfyui-ranbooru (the original Ranbooru node)
- https://github.com/liming123332/ComfyUI-Ranbooru (an unrelated third-party fork)
Because package identity and the install folder are both derived from the
URL basename, and that key is lowercased, these two entries normalize to the
same identity ("comfyui-ranbooru"). The practical effect is that requesting one
package can install, or be satisfied by, the other — they are indistinguishable
to the Manager.
What I observed
Installing the Inzaniak package through ComfyUI-Manager resulted in the
liming123332 fork being present instead. The two are easy to tell apart on disk:
- Inzaniak (expected): has ranbooru.conf, assets/, English readme.md,
nodes like PromptMix / PromptBackground / LockSeed
- liming123332 fork (got this): has install.py, scripts/ranbooru.py, a .trae/
folder, a Chinese README.md, single node RanbooruPrompt
(I have not reproduced this in a clean environment, so I'm reporting the observed
behavior plus the code path that appears to explain it — happy to test a fix.)
This is likely to have security issues, because it fetches the latter package, which could carry malicious payloads or be generally unsound. My repro is on the stable release, latest update.
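The collision described above, as an added example that is not part of the original report or of ComfyUI-Manager's own code: `basename_key` models the identity the report describes (lowercased URL basename), `repo_key` is one hardened alternative that keys on host, owner and repository, and `install_dir` sketches an install-folder name built from the same key. The registry entries are constructed from the two URLs in the report; the function names and the folder-name scheme are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample registry: the two URLs named in the report.
REGISTRY = [
    "https://github.com/Inzaniak/comfyui-ranbooru",
    "https://github.com/liming123332/ComfyUI-Ranbooru",
]


def _strip_git(name: str) -> str:
    return name[:-4] if name.endswith(".git") else name


def basename_key(url: str) -> str:
    """Identity as the report describes it (illustrative, not the Manager's code):
    the last path component of the URL, lowercased. Any two repositories that
    share a name, regardless of owner, collide on this key."""
    path = urlparse(url).path.rstrip("/")
    return _strip_git(path.rsplit("/", 1)[-1]).lower()


def repo_key(url: str) -> str:
    """Hardened identity (assumed scheme): host, owner and repository, all
    lowercased. Lowercasing is still appropriate because GitHub resolves owner
    and repo names case-insensitively; including the owner is what separates
    forks that reuse a repository name."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"expected /owner/repo in {url!r}")
    owner, repo = parts[0], _strip_git(parts[1])
    return f"{parsed.netloc.lower()}/{owner.lower()}/{repo.lower()}"


def install_dir(url: str) -> str:
    """Install-folder name derived from the hardened key so the two packages do
    not land in the same directory (assumed naming scheme: owner__repo)."""
    _, owner, repo = repo_key(url).split("/")
    return f"{owner}__{repo}"


def find_collisions(urls, key_fn):
    """Group URLs by key and return only the keys that map to more than one
    URL, i.e. the entries the Manager could not tell apart under key_fn."""
    groups = {}
    for url in urls:
        groups.setdefault(key_fn(url), []).append(url)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("basename collisions:", find_collisions(REGISTRY, basename_key))
    print("owner/repo collisions:", find_collisions(REGISTRY, repo_key))
    for u in REGISTRY:
        print(u, "->", install_dir(u))
```

Running `find_collisions` over the real custom-node-list.json with `basename_key` is a quick way to check whether the Ranbooru pair is the only such clash in the registry; any fix needs to change both the identity key and the install path, since the report notes both are derived from the basename.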