Security and other standards for publishing to the Registry
Below are standards that must be met to publish custom nodes to the registry.
Custom nodes must provide valuable functionality to the ComfyUI community
Avoid:
Do not interfere with other custom nodes’ operations (installation, updates, removal)
Must comply with all applicable laws and regulations
Nodes must be fully functional, well documented, and actively maintained.
Forked nodes must:
Custom nodes should be secure. We will begin working with custom nodes that violate these standards to have them rewritten. If there is some major functionality that should be exposed by core, please request it in the rfcs repo.
The use of the eval and exec functions is prohibited in custom nodes due to security concerns.
These functions can enable arbitrary code execution, creating potential Remote Code Execution (RCE) vulnerabilities when processing user inputs. Workflows containing nodes that pass user inputs into eval or exec could be exploited for various cyberattacks, including:
Runtime package installation through subprocess calls is not permitted.
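The two rules above (no eval/exec, no runtime package installation through subprocess) can be checked mechanically before a node is submitted. The following pre-publish scanner is an added example, not part of the registry documentation or of ComfyUI's own tooling: it parses a node file with Python's ast module and reports calls to eval/exec (direct or via builtins) and subprocess or os.system calls whose arguments look like a pip install. The sample node source and the token heuristic for spotting an install command are constructed for this illustration.

```python
"""Pre-publish check for a ComfyUI custom node source file (added example).

Walks the AST of the given source and flags the two patterns the registry
standards forbid:
  * eval-exec        : calls to eval()/exec() or builtins.eval()/builtins.exec()
  * runtime-install  : subprocess.* / os.system calls whose string arguments
                       contain both "pip" and "install" (constructed heuristic)
"""
import ast

FORBIDDEN_BUILTINS = {"eval", "exec", "builtins.eval", "builtins.exec"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
INSTALL_TOKENS = {"pip", "install"}  # heuristic: both must appear in the call's strings


def _callee_name(call: ast.Call):
    """Return the dotted callee name, e.g. 'subprocess.run', or None if dynamic."""
    func, parts = call.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # callee is a call result, subscript, lambda, etc.


def _string_tokens(call: ast.Call):
    """Collect whitespace-split tokens from every string literal inside the call."""
    tokens = set()
    for sub in ast.walk(call):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            tokens.update(sub.value.split())
    return tokens


def scan_source(source: str, filename: str = "<node>"):
    """Return a list of (lineno, rule, callee) findings for one source file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name is None:
            continue
        short = name.rsplit(".", 1)[-1]
        if name in FORBIDDEN_BUILTINS:
            findings.append((node.lineno, "eval-exec", name))
        elif (name.startswith("subprocess.") and short in SUBPROCESS_FUNCS) \
                or name in SUBPROCESS_FUNCS or name == "os.system":
            # Only report process spawning that looks like a package install.
            if INSTALL_TOKENS <= _string_tokens(node):
                findings.append((node.lineno, "runtime-install", name))
    return findings


# Constructed sample of a node file that breaks both rules.
SAMPLE_NODE = '''
import subprocess, sys
from pathlib import Path

class ExpressionNode:
    def run(self, expr):
        return eval(expr)  # user-controlled string reaches eval: RCE

def ensure_deps():
    subprocess.check_call([sys.executable, "-m", "pip", "install", "somepkg"])

def load(path):
    return Path(path).read_text()
'''

# Constructed sample that is clean: literal_eval only parses Python literals.
CLEAN_NODE = '''
import ast

class ListNode:
    def run(self, text):
        return ast.literal_eval(text)
'''

if __name__ == "__main__":
    for lineno, rule, callee in scan_source(SAMPLE_NODE, "sample_node.py"):
        print(f"sample_node.py:{lineno}: {rule} ({callee})")
    print("clean findings:", scan_source(CLEAN_NODE, "clean_node.py"))
```

The scanner is deliberately conservative: it only recognises callees that are written as plain names or attribute chains, so a node that builds the callee dynamically is exactly the kind of obfuscation the next rule forbids and should be treated as a finding on its own.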
Code obfuscation is prohibited in custom nodes.
Obfuscated code: