Skills
Claude Code v2.1.149 Fixes Git Worktree Sandbox Bypass: Write Allowlist Incorrectly Covered Entire Main Repository Root Instead of Only Shared .git Directory
Claude Code v2.1.149 (May 22) patched a security vulnerability where the sandbox write allowlist for git worktrees incorrectly covered the entire main repository root instead of only the shared .git directory. This means agents operating in worktrees could write to files in the main repo that should have been out of scope. A separate fix addressed PowerShell built-in cd functions (cd.., cd\, cd~, X:) that could change working directory undetected, bypassing permission checks. Both fixes are relevant for any team using worktree-based agent isolation.
↳ Follow the thread