claude-code

v2.1.147 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 13d

Workflow tool enables deterministic multi-agent orchestration; REPL and Workflow sandboxes hardened against escape attacks. Breaking: /simplify renamed /code-review, cleanup-and-fix behavior removed.

Why it matters: Sandbox hardening reduces escape attack risk. /simplify→/code-review is a breaking change requiring script updates. Test Workflow tool for deterministic multi-agent orchestration.

Summary

AI summary

Renamed /simplify to /code-review with effort‑level control, hardened sandboxes, and fixed enterprise login enforcement.

Changes in this release

Security Medium

Hardens REPL and Workflow sandboxes against escape attacks.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes enterprise login restrictions not enforced against third-party sessions.

Source: llm_adapter@2026-05-21

Confidence: low

Breaking Medium

Renames /simplify to /code-review; removes cleanup-and-fix behavior.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Adds Workflow tool for deterministic multi-agent orchestration.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Pinned background sessions stay alive when idle, restart in place for updates, and are shed only after non-pinned sessions under memory pressure.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Feature Medium

Auto-updater retries transient network failures, reports specific error categories and OS error codes on failure, and shows current version when update fails.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Feature Medium

Pinned background sessions persist when idle, restart for updates.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Auto-updater retries network failures, reports specific error codes.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

/code-review reports correctness bugs at chosen effort level and can post inline GitHub PR comments via --comment flag.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Performance Medium

Improves diff rendering performance for large file edits.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Prompt history no longer records consecutive duplicate entries.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixes PowerShell tool dropping output for default formatter commands.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixes & character escaping to &amp; breaking copy-paste.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes /help rendering with broken tab header on small terminals.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes shell snapshot dropping underscore-prefixed user functions.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes hook if conditions with pattern matching not working.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes Windows PowerShell permission rules not matching on subsequent runs.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes PowerShell tool failure on Windows with winget-installed pwsh.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes Windows worktree removal incorrectly following NTFS junctions.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes /background refusing sessions with skill or custom command input.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes auto mode suppressing AskUserQuestion relied on by user.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes /theme dialogs not responding to Esc key.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes doubled plugin component counts with overlapping paths.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes backgrounded sessions re-prompting for already-granted permissions.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Unknown slash commands now show error instead of failing silently.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes plugin agents dropping all but last Agent type declared.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes /effort opening with slider at wrong level.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes MCP pagination dropping resources, templates past page 1.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes full-screen strobing in Windows Terminal background sessions.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes uncaught exception at end of Agent SDK streaming sessions.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes rare hang when waiting for scroll to settle on Windows.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes stale and doubled rows in agent view list with CJK.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes pasted text delivered as placeholder instead of content.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

On Windows, "Yes, and don't ask again" for PowerShell scripts now writes a matching rule for subsequent runs.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Bugfix Low

Corrects & character escaping to &amp; which broke copy‑pasting URLs from command output.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

Shell snapshot no longer drops user functions whose names start with a single underscore.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

Plugin agents now retain all declared Agent(...) types in tools: frontmatter instead of dropping all but the last.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

Hook if conditions like PowerShell(git push*) now match correctly; previously only PowerShell(*) worked.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

PowerShell tool no longer fails with exit code 1 when pwsh is installed via winget or the Microsoft Store on Windows.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

On Windows, removing a background‑job worktree no longer follows NTFS junctions into the main repository.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

/background now accepts sessions whose only typed input was a skill or custom slash command.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

/theme "New custom theme" and color editor dialogs respond to the Esc key.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

Eliminates stale and doubled rows in agent view list caused by wide (CJK) characters in background session results.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

Plugin component counts in `claude plugin details` and `/plugin` are no longer doubled when manifest paths overlap default directories.

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Bugfix Low

Fixes /help tab header breakage and limited command display on small terminals when not fullscreen.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Bugfix Low

Auto mode no longer suppresses AskUserQuestion when explicitly relied upon; classifier now treats user answers as intent signal.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Bugfix Low

/help tab header no longer broken and shows more than one command per page on small terminals when not fullscreen.

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Full changelog

What's changed

  • Added the Workflow tool for deterministic multi-agent orchestration. It is off by default — set CLAUDE_CODE_WORKFLOWS=1 to enable
  • Pinned background sessions (Ctrl+T in claude agents) now stay alive when idle, are restarted in place to apply Claude Code updates, and are shed under memory pressure only after non-pinned sessions
  • Renamed /simplify to /code-review. It now reports correctness bugs at a chosen effort level (e.g., /code-review high); pass --comment to post findings as inline GitHub PR comments. The old cleanup-and-fix behavior has been removed
  • Hardened REPL and Workflow tool sandboxes against prototype-pollution and thenable-based escapes
  • Improved auto-updater: retries transient network failures, reports specific error categories and OS error codes on failure, and shows the current version when an update fails
  • Improved diff rendering performance for large file edits
  • Prompt history no longer records consecutive duplicate entries — recalling a prompt with arrow-up and submitting it again won't add another copy
  • Fixed enterprise login restrictions (forceLoginOrgUUID and forceLoginMethod managed-settings) not being enforced against third-party-provider and API-key sessions
  • Fixed & in ! command output displaying as &amp;, which broke copy-pasting URLs from commands like gcloud auth login on headless machines
  • Fixed unknown slash commands silently doing nothing in headless/SDK mode — they now show an error message
  • Fixed /help rendering a broken tab header and showing only one command per page on small terminals when not in fullscreen mode
  • Fixed shell snapshot dropping user functions whose names start with a single underscore, which broke aliases referencing them
  • Fixed plugin agents that declare multiple Agent(...) types in tools: frontmatter dropping all but the last entry
  • Fixed hook if conditions like PowerShell(git push*) never matching — only PowerShell(*) worked
  • Fixed PowerShell tool dropping output for commands that rely on the default formatter
  • Fixed: on Windows, "Yes, and don't ask again" for a PowerShell script invocation now writes a rule that actually matches on subsequent runs
  • Fixed PowerShell tool failing on Windows with exit code 1 when pwsh is installed via winget or the Microsoft Store
  • Fixed /effort opening with the slider on the wrong level — it now starts at your current effort
  • Fixed paginating MCP servers dropping resources, templates, and prompts past page 1
  • Fixed full-screen strobing in attached background sessions on Windows Terminal while Claude is streaming
  • Fixed: on Windows, removing a background-job worktree no longer follows NTFS junctions into the main repo
  • Fixed /background refusing sessions whose only typed input was a skill or custom slash command
  • Fixed auto mode suppressing AskUserQuestion when the user or a skill explicitly relies on it; the auto-mode classifier now sees the user's answers as intent signal
  • Fixed /theme "New custom theme" and color editor dialogs not responding to Esc
  • Fixed an uncaught exception at the end of streaming sessions when running via the Agent SDK
  • Fixed a rare hang when waiting for scroll to settle on Windows
  • Fixed stale and doubled rows in the agent view list on Windows when background session results contain wide (CJK) characters
  • Fixed pasted text being delivered to agents as an unreadable [Pasted text #N] placeholder instead of the actual content
  • Fixed plugin component counts in claude plugin details and /plugin being doubled when a plugin's manifest listed paths overlapping its default directories
  • Fixed backgrounded sessions re-prompting for tool permissions you already granted with "don't ask again"
  • Fixed GNOME Terminal right-click and middle-click paste not inserting text
  • Fixed CLAUDE_CODE_SUBAGENT_MODEL not applying to teammate processes spawned by agent teams
  • Fixed slash commands followed by a tab or newline being treated as an unknown command
  • Fixed several spacing and layout glitches in the /plugin, /status, /mobile, /sandbox, and /permissions menus
  • Fixed stripped images prompting the model to repeatedly re-read media that was no longer present

Breaking Changes

  • Renamed `/simplify` to `/code-review`; old cleanup‑and‑fix behavior removed

Security Fixes

  • Hardened REPL and Workflow tool sandboxes against prototype‑pollution and thenable‑based escapes

Related context

Earlier breaking changes

  • v2.1.160 Renames dynamic‑workflow trigger keyword from `workflow` to `ultracode`; `workflow` no longer triggers a run
  • v2.1.160 Deprecates and removes the `CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE` environment variable; it is now a no‑op