js · @anthropic-ai/claude-codeHeads-up
@anthropic-ai/claude-code: Hugging Face hostname removed from WebFetch pre-approval list
The hostname huggingface.co is no longer pre-approved as a bare hostname for the WebFetch tool. Previously, any path on that domain was auto-approved without a
What changed
The hostname huggingface.co is no longer pre-approved as a bare hostname for the WebFetch tool. Previously, any path on that domain was auto-approved without a permission prompt or subject to --allowedTools restrictions, allowing potential data exfiltration via attacker-controlled repository files.
Who it affects
Users of @anthropic-ai/claude-code who have not yet received the auto-update fix, particularly those performing manual updates.
What to do today
Update to the latest version of @anthropic-ai/claude-code to apply the security fix.
The trail
Collected→
Audited→
Written→
Published