Sign up to save your podcasts
Or
Share Claude Code v2.1.113 — Native binary, sandbox hardening, and a UI-spoofing fix
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Claude Code v2.1.113 — Native binary, sandbox hardening, and a UI-spoofing fix
What's new in Claude Code v2.1.113
A structural change under the hood (native binary CLI) combined with five genuine security hardenings — deny-rule wrapper matching, find flag scoping, macOS /private path protection, the dangerouslyDisableSandbox permission prompt, and a real Bash UI-spoofing fix. Plus sandbox network deny-lists, faster /ultrareview, Remote Control parity for /extra-usage and @-file autocomplete, and a subagent stall timeout.
Native Claude Code binary
Why: The bundled-JavaScript CLI paid a Node startup cost on every invocation and pulled a full runtime into every install.
What: The CLI now spawns a native Claude Code binary via per-platform optional dependencies. No JS runtime needed at launch — faster starts, smaller footprint.
How: Automatic on upgrade. claude picks the right platform binary; no configuration required.
sandbox.network.deniedDomains
Why: A broad allowedDomains wildcard couldn't carve out a hostile subdomain you still wanted blocked.
What: New sandbox.network.deniedDomains setting blocks specific domains even when a broader wildcard would otherwise permit them. Deny wins.
How: Add "deniedDomains": ["evil.example.com"] under sandbox.network in settings.json.
/loop improvements
Why: Queued /loop wakeups couldn't be cancelled cleanly, and generic "Claude woke up" labels confused users.
What: Esc now cancels pending /loop wakeups; wakeups display as "Claude resuming /loop wakeup" for clarity.
How: Hit Esc during a wakeup wait to cancel.
/extra-usage on Remote Control
Why: Mobile/web Remote Control clients couldn't check plan usage without jumping back to the terminal.
What: /extra-usage now works from Remote Control sessions.
How: Type /extra-usage in any Remote Control session.
Remote Control @-file autocomplete
Why: Typing file paths blind on mobile was painful — no discovery, no completion.
What: Remote Control clients can now query @-file autocomplete suggestions, matching the local CLI.
How: Type @ in a Remote Control session.
Faster /ultrareview launch
Why: Sequential cold-launch checks and no progress signal made /ultrareview feel slow before any feedback.
What: Parallelized launch checks, a diffstat in the launch dialog, and an animated launching state.
How: /ultrareview or /ultrareview .
Subagent stall timeout
Why: A subagent that stalled mid-stream left the parent session waiting silently with no signal.
What: Stalls now fail with a clear error after 10 minutes instead of hanging indefinitely.
How: Automatic.
Bash multi-line comment fix (UI-spoofing)
Why: A multi-line Bash command whose first line was a comment only showed the comment in the transcript — a UI-spoofing vector for prompt injection.
What: The Bash tool now shows the full multi-line command in the transcript regardless of whether the first line is a comment.
How: No action. Upgrade to v2.1.113 and transcripts render full command bodies.
cd no-op + git no prompt
Why: cd && git status redundantly prompted because the compound-command rule treated the no-op cd as a separate step.
What: cd && git … no longer prompts when the cd is a no-op. Real directory changes still prompt.
How: Automatic.
macOS /private paths dangerous under Bash(rm:*)
Why: macOS maps /private/{etc,var,tmp,home} to /etc, /var, etc. An rm -rf /private/etc under Bash(rm:*) wouldn't trigger dangerous-path protection.
What: Both /etc and /private/etc spellings now treated as dangerous removal targets.
How: Automatic whenever Bash(rm:*) is allowed.
Exec-wrapper deny-rule matching
Why: Deny rules missed sudo rm, env FOO=1 rm, watch rm, and similar wrapped invocations — a bypass path for attackers or confused agents.
What: Bash deny rules now match commands wrapped in env, sudo, watch, ionice, setsid, and similar wrappers. Symmetric with allow-side stripping.
How: No action. Existing deny rules automatically cover wrapped variants.
find -exec / -delete no auto-approve
Why: Bash(find:*) allow rules auto-approved find . -exec rm -rf {} \; and find . -delete — destructive flags weren't inspected.
What: Bash(find:*) no longer auto-approves find -exec or -delete; those fall back to the prompt.
How: Approve explicitly when legitimately needed, or add a narrower allow rule.
dangerouslyDisableSandbox permission fix
Why: Commands using dangerouslyDisableSandbox could execute outside the sandbox without a permission prompt — a silent security-contract break.
What: Every dangerouslyDisableSandbox invocation now triggers the standard permission prompt.
How: Automatic. Lock the escape hatch entirely with "sandbox": { "allowUnsandboxedCommands": false }.
Session recap composing-text fix
Why: Session recap auto-fired while you had unsent text in the prompt, interrupting mid-thought.
What: Session recap now waits until the prompt buffer is empty or submitted.
How: Automatic. Force one manually with /recap.
Hosts: Alex Chen & Sarah Kim · Generated from the official Claude Code CHANGELOG.
Full changelog: github.com/anthropics/claude-code/CHANGELOG.md
Claude Code docs: code.claude.com/docs
- (00:00) - Native Claude Code binary
View all episodes
By AndreiWhat's new in Claude Code v2.1.113
A structural change under the hood (native binary CLI) combined with five genuine security hardenings — deny-rule wrapper matching, find flag scoping, macOS /private path protection, the dangerouslyDisableSandbox permission prompt, and a real Bash UI-spoofing fix. Plus sandbox network deny-lists, faster /ultrareview, Remote Control parity for /extra-usage and @-file autocomplete, and a subagent stall timeout.
Native Claude Code binary
Why: The bundled-JavaScript CLI paid a Node startup cost on every invocation and pulled a full runtime into every install.
What: The CLI now spawns a native Claude Code binary via per-platform optional dependencies. No JS runtime needed at launch — faster starts, smaller footprint.
How: Automatic on upgrade. claude picks the right platform binary; no configuration required.
sandbox.network.deniedDomains
Why: A broad allowedDomains wildcard couldn't carve out a hostile subdomain you still wanted blocked.
What: New sandbox.network.deniedDomains setting blocks specific domains even when a broader wildcard would otherwise permit them. Deny wins.
How: Add "deniedDomains": ["evil.example.com"] under sandbox.network in settings.json.
/loop improvements
Why: Queued /loop wakeups couldn't be cancelled cleanly, and generic "Claude woke up" labels confused users.
What: Esc now cancels pending /loop wakeups; wakeups display as "Claude resuming /loop wakeup" for clarity.
How: Hit Esc during a wakeup wait to cancel.
/extra-usage on Remote Control
Why: Mobile/web Remote Control clients couldn't check plan usage without jumping back to the terminal.
What: /extra-usage now works from Remote Control sessions.
How: Type /extra-usage in any Remote Control session.
Remote Control @-file autocomplete
Why: Typing file paths blind on mobile was painful — no discovery, no completion.
What: Remote Control clients can now query @-file autocomplete suggestions, matching the local CLI.
How: Type @ in a Remote Control session.
Faster /ultrareview launch
Why: Sequential cold-launch checks and no progress signal made /ultrareview feel slow before any feedback.
What: Parallelized launch checks, a diffstat in the launch dialog, and an animated launching state.
How: /ultrareview or /ultrareview .
Subagent stall timeout
Why: A subagent that stalled mid-stream left the parent session waiting silently with no signal.
What: Stalls now fail with a clear error after 10 minutes instead of hanging indefinitely.
How: Automatic.
Bash multi-line comment fix (UI-spoofing)
Why: A multi-line Bash command whose first line was a comment only showed the comment in the transcript — a UI-spoofing vector for prompt injection.
What: The Bash tool now shows the full multi-line command in the transcript regardless of whether the first line is a comment.
How: No action. Upgrade to v2.1.113 and transcripts render full command bodies.
cd no-op + git no prompt
Why: cd && git status redundantly prompted because the compound-command rule treated the no-op cd as a separate step.
What: cd && git … no longer prompts when the cd is a no-op. Real directory changes still prompt.
How: Automatic.
macOS /private paths dangerous under Bash(rm:*)
Why: macOS maps /private/{etc,var,tmp,home} to /etc, /var, etc. An rm -rf /private/etc under Bash(rm:*) wouldn't trigger dangerous-path protection.
What: Both /etc and /private/etc spellings now treated as dangerous removal targets.
How: Automatic whenever Bash(rm:*) is allowed.
Exec-wrapper deny-rule matching
Why: Deny rules missed sudo rm, env FOO=1 rm, watch rm, and similar wrapped invocations — a bypass path for attackers or confused agents.
What: Bash deny rules now match commands wrapped in env, sudo, watch, ionice, setsid, and similar wrappers. Symmetric with allow-side stripping.
How: No action. Existing deny rules automatically cover wrapped variants.
find -exec / -delete no auto-approve
Why: Bash(find:*) allow rules auto-approved find . -exec rm -rf {} \; and find . -delete — destructive flags weren't inspected.
What: Bash(find:*) no longer auto-approves find -exec or -delete; those fall back to the prompt.
How: Approve explicitly when legitimately needed, or add a narrower allow rule.
dangerouslyDisableSandbox permission fix
Why: Commands using dangerouslyDisableSandbox could execute outside the sandbox without a permission prompt — a silent security-contract break.
What: Every dangerouslyDisableSandbox invocation now triggers the standard permission prompt.
How: Automatic. Lock the escape hatch entirely with "sandbox": { "allowUnsandboxedCommands": false }.
Session recap composing-text fix
Why: Session recap auto-fired while you had unsent text in the prompt, interrupting mid-thought.
What: Session recap now waits until the prompt buffer is empty or submitted.
How: Automatic. Force one manually with /recap.
Hosts: Alex Chen & Sarah Kim · Generated from the official Claude Code CHANGELOG.
Full changelog: github.com/anthropics/claude-code/CHANGELOG.md
Claude Code docs: code.claude.com/docs
- (00:00) - Native Claude Code binary