
Possible security issue with how the manager handles Node Version Statuses & security scans. #2632

@JasonHoku

Description


During my research of this issue, I also found that people were still able to download my flagged custom node if they used the latest or nightly versions. Also, if the security scan hadn't finished and the version was still marked as NodeVersionStatusPending, the version WOULD show up in ComfyUI Manager; it would only disappear after the security scan finished and marked it as flagged. It seems like this sort of defeats the purpose of using NodeVersionStatusActive and the security scans if people can still download them through the manager. Perhaps a shield icon 🛡 next to versions that have been scanned and passed or approved could inform people of this?

Image

The pic with 1.12.2 is from while the status was pending; the pic without it is from AFTER the security scan, when the version gets flagged as NodeVersionStatusFlagged and needing review.

Image

So if the security scan hasn't finished, people could be downloading malicious code while thinking it has been reviewed or scanned, or is safe.
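The listing behaviour the report describes, as an added illustration and not code from ComfyUI Manager or the registry: only versions whose scan has finished and passed (NodeVersionStatusActive) are offered, and "latest" resolves against that scanned set rather than the newest upload. The `NodeVersion` record, the function names and the sample version lists are assumptions constructed for this example; the three status strings are the ones quoted in the issue.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Status values as named in the issue text.
STATUS_ACTIVE = "NodeVersionStatusActive"
STATUS_PENDING = "NodeVersionStatusPending"
STATUS_FLAGGED = "NodeVersionStatusFlagged"

@dataclass(frozen=True)
class NodeVersion:
    """Hypothetical record shape for this example (not the manager's type)."""
    version: str
    status: str

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric sort key so that '1.12.2' sorts after '1.9.0'."""
    return tuple(int(p) for p in v.split("."))

def installable(versions: Iterable[NodeVersion]) -> List[NodeVersion]:
    """Keep only versions whose scan finished and passed.
    Pending versions are hidden too: an unfinished scan is not a pass."""
    return [v for v in versions if v.status == STATUS_ACTIVE]

def resolve(channel: str, versions: Iterable[NodeVersion]) -> Optional[NodeVersion]:
    """Resolve 'latest' or an explicit version against the scanned set only.
    'nightly' bypasses the registry entirely, so it is refused here (assumption)."""
    if channel == "nightly":
        return None
    ok = installable(versions)
    if channel == "latest":
        return max(ok, key=lambda v: version_key(v.version), default=None)
    return next((v for v in ok if v.version == channel), None)

def badge(v: NodeVersion) -> str:
    """Label shown next to a version so the scan state is visible to the user."""
    labels = {STATUS_ACTIVE: "🛡 scanned", STATUS_PENDING: "scan pending",
              STATUS_FLAGGED: "flagged"}
    return labels.get(v.status, "unknown")

# Constructed sample: 1.12.2 uploaded, scan still running.
SAMPLE_PENDING = [NodeVersion("1.12.1", STATUS_ACTIVE),
                  NodeVersion("1.12.2", STATUS_PENDING)]
# Constructed sample: the same node after the scan flagged 1.12.2.
SAMPLE_FLAGGED = [NodeVersion("1.12.1", STATUS_ACTIVE),
                  NodeVersion("1.12.2", STATUS_FLAGGED)]

if __name__ == "__main__":
    for v in SAMPLE_PENDING:
        print(v.version, badge(v))
    print("latest ->", resolve("latest", SAMPLE_PENDING))
```

With the pending sample, "latest" resolves to 1.12.1 and an explicit request for 1.12.2 yields nothing, which is the behaviour the report asks for.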
