v2.1.51
Claude CodeSummary
This release introduces new capabilities for external builds with the `claude remote-control` subcommand and enhances plugin management by adding support for custom npm registries and version pinning. Several critical security issues related to hook execution and environment variable interpolation have been resolved, alongside performance improvements for BashTool and better context management for long conversations.
New Features
- Added `claude remote-control` subcommand for external builds, enabling local environment serving for all users.
- Added support for custom npm registries and specific version pinning when installing plugins from npm sources
- Added `CLAUDE_CODE_ACCOUNT_UUID`, `CLAUDE_CODE_USER_EMAIL`, and `CLAUDE_CODE_ORGANIZATION_UUID` environment variables for SDK callers to provide account info synchronously.
Bug Fixes
- Fixed a security issue where `statusLine` and `fileSuggestion` hook commands could execute without workspace trust acceptance in interactive mode.
- Fixed a security issue where HTTP hooks could interpolate arbitrary environment variables from header values; env var interpolation now requires an explicit `allowedEnvVars` list.
- Fixed a bug where duplicate `control_response` messages (e.g. from WebSocket reconnects) could cause API 400 errors by pushing duplicate assistant messages into the conversation.
- Fixed slash command autocomplete crashing when a plugin's SKILL.md description is a YAML array or other non-string type
Improvements
- Updated plugin marketplace default git timeout from 30s to 120s and added `CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS` to configure.
- BashTool now skips login shell (`-l` flag) by default when a shell snapshot is available, improving command execution performance.
- Tool results larger than 50K characters are now persisted to disk (previously 100K), reducing context window usage and improving conversation longevity.
- HTTP hooks are now routed through the sandbox network proxy when sandboxing is enabled, enforcing the domain allowlist.
- The `/model` picker now shows human-readable labels (e.g., "Sonnet 4.5") instead of raw model IDs for pinned model versions, with an upgrade hint when a newer version is available.