Skip to content

feat: add block-no-verify PreToolUse hook to prevent agents from bypassing git hooks #7677

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tupe12334 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add block-no-verify PreToolUse hook to prevent agents from bypassing git hooks #7677

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions .claude/settings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,15 @@
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "npx block-no-verify@1.1.2"
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For current npm/npx versions, when running npx @and the package is not installed locally, does npx prompt for confirmation by default? Is--yes the recommended way to make it non-interactive in automation/hooks?

💡 Result:

Yes, by default, when running npx <package>@<version> and the package is not installed locally (i.e., no matching version in local project dependencies or npx cache), npx prompts for confirmation before installing it from the registry to a cache folder. This behavior was introduced in npm 7+ for security reasons to prevent accidental execution of mistyped package names. --yes (or -y) is the recommended and officially documented way to suppress the prompt and automatically proceed with installation, making it suitable for non-interactive use in automation or hooks. Use npx --yes <package>@<version>. Alternatively, npm_config_yes=true npx ... works for backward compatibility with older npm versions.

Citations:

Add --yes flag to prevent interactive prompts in hook execution

The npx command prompts for install confirmation by default when a package isn't cached (npm 7+ security feature). In a PreToolUse hook running in a non-interactive environment—like CI/CD pipelines or automated tool execution—this prompt will hang or fail the hook entirely. Add the --yes flag to suppress the prompt and ensure reliable, non-blocking execution.

Suggested change 
-            "command": "npx block-no-verify@1.1.2"
+            "command": "npx --yes block-no-verify@1.1.2"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"command": "npx block-no-verify@1.1.2"
"command": "npx --yes block-no-verify@1.1.2"
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.claude/settings.json at line 9, Update the PreToolUse hook command string
"npx block-no-verify@1.1.2" to include the non-interactive flag so it won't
prompt during execution; specifically modify the "command" value to add "--yes"
(i.e., "npx block-no-verify@1.1.2 --yes") to ensure the hook runs unattended in
CI/non-interactive environments.

}
]
}
]
}
}