this sprint.
Windows PowerShell users. v2.1.147 and v2.1.149 together address the most regressions in this category. v2.1.146 alone is insufficient — it fixed the pwsh winget/Microsoft Store installation failure but does not include fixes for the cd bypass vectors or the auto-updater improvements that arrived in v2.1.147. Jump directly to v2.1.154 rather than staging through intermediate versions.
Skill and hook authors. v2.1.152 changes the behavior of /simplify (now a forwarding wrapper around /code-review) and introduces disallowed-tools frontmatter. Audit any skill YAML that references /simplify directly. Also review SessionStart hook logic — it can now trigger /reload-skills and set session titles, which may interact with existing hook behavior in ways that aren't immediately obvious.
macOS users on large repos. v2.1.149 is critical. The vnode exhaustion bug affects any workflow that exercises the find Bash tool on deep directory structures. The failure mode — system-wide file operation errors — is difficult to attribute to Claude Code without prior knowledge of the bug. Any macOS user on a version below v2.1.149 running against a large monorepo should treat this as the highest-priority upgrade in their queue.
Custom API gateway operators. v2.1.153 is security-critical for anyone routing Claude Code through an internal proxy or custom gateway. The OAuth credential leak means the user's Anthropic credential could have been forwarded to the gateway host. Rotate credentials if you were running any version between v2.1.147 and v2.1.152 inclusive with a custom API gateway configured, then upgrade to v2.1.154.
Frequently Asked Questions
Why was v2.1.151 skipped in the May 2026 sprint?
No public explanation was provided. Anthropic occasionally reserves a version number for internal builds or aborted releases. In this sprint, v2.1.150 was also a non-event — it shipped as an internal infrastructure update with no user-facing changes. Both gaps appear without explanation in the public Claude Code CHANGELOG.
How do I pin a background session in Claude Code?
Press Ctrl+T on the target session. This shortcut was added in v2.1.147 (May 21, 2026). Pinned sessions survive idle eviction and Claude Code in-place auto-updates — the session restarts in place when the tool updates, rather than being dropped. Under memory pressure, the runtime exhausts non-pinned sessions first; a pinned session is only released as a last resort. Open the agents view to confirm which sessions are currently pinned.
What is the difference between /code-review and /code-review --fix?
/code-review (renamed from /simplify in v2.1.146) outputs findings as a structured report — a list of suggestions to evaluate before deciding what to act on. /code-review --fix, added in v2.1.152, applies those findings directly to the working tree. Both accept an optional effort-level argument (e.g., high) that controls review depth and token consumption. The report-first workflow lets you inspect and gate which changes are applied; --fix is appropriate for mechanical, low-risk suggestions you want automated without manual application.
How do I prevent a skill from calling shell tools?
Declare disallowed-tools in the skill's YAML frontmatter. This feature has been available since v2.1.152. The restriction is enforced at the definition layer — no runtime permission prompt is required, and no per-session configuration is needed. Example: disallowed-tools: [Bash, Edit, Write] in the frontmatter block prevents those tools from being invoked regardless of session configuration. The constraint travels with the skill file, so it applies when the skill is shared with teammates or published to a plugin registry.
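A skill audit covering both this answer and the earlier advice to check skills for /simplify references. This is an added example, not code from the Claude Code project; it assumes skill files are Markdown with a `---`-delimited frontmatter block, and the sample file names and contents are constructed.

```python
import re

GUARDED = {"Bash", "Edit", "Write"}  # the tools named in the example above

def parse_frontmatter(text):
    """Parse a leading '---' block: scalars, inline lists and block lists only."""
    lines = text.splitlines()
    ends = [i for i, l in enumerate(lines) if i and l.strip() == "---"]
    if not lines or lines[0].strip() != "---" or not ends:
        return {}  # no frontmatter, or the block is never closed
    meta, key = {}, None
    for line in lines[1:ends[0]]:
        item = re.match(r"\s*-\s+(.+)$", line)
        if item and key and isinstance(meta[key], list):
            meta[key].append(item.group(1).strip("'\" "))
            continue
        m = re.match(r"([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("[") and value.endswith("]"):
            meta[key] = [v.strip("'\" ") for v in value[1:-1].split(",") if v.strip()]
        else:
            meta[key] = value or []  # empty value: a block list follows
    return meta

def audit_skill(text):
    """Findings for one skill, under the assumed policy that it must not run shell or edit files."""
    findings = []
    blocked = parse_frontmatter(text).get("disallowed-tools")
    if blocked is None:
        findings.append("no disallowed-tools declared")
    else:
        open_tools = sorted(GUARDED - set([blocked] if isinstance(blocked, str) else blocked))
        if open_tools:
            findings.append("not disallowed: " + ", ".join(open_tools))
    if re.search(r"(?<![\w/])/simplify\b", text):  # the command, not a path segment
        findings.append("references /simplify")
    return findings

# Constructed sample skill files (names and contents are illustrative).
SAMPLES = {
    "reviewer/SKILL.md": "---\nname: reviewer\ndisallowed-tools: [Bash, Edit, Write]\n---\nSummarise the diff.\n",
    "cleanup/SKILL.md": "---\nname: cleanup\ndisallowed-tools:\n  - Bash\n---\nRun /simplify on changed files.\n",
    "notes/SKILL.md": "Plain notes without frontmatter.\n",
}

for path, text in SAMPLES.items():  # demo run over the constructed samples
    print(path, audit_skill(text) or "ok")
```
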
Which users are most exposed by the v2.1.149 security fixes?
Windows PowerShell users running git worktree workflows are most directly exposed. The PowerShell cd built-in bypass and the worktree sandbox over-allowlisting both require PowerShell and a multi-worktree setup to trigger. However, the Bash env-var bypass patched in v2.1.145 and the prefix/wildcard native executable gap in v2.1.149 affect all platforms. Any user below v2.1.145 has the broadest exposure; users between v2.1.145 and v2.1.148 inclusive have the three PowerShell and worktree vectors unpatched.
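The version ranges in this answer, together with the macOS and custom-gateway notes earlier in the article, expressed as a fleet triage check. This is an added example, not Anthropic tooling; the inventory, host names and the platform, powershell_worktrees and custom_gateway fields are constructed for illustration.

```python
import re

def parse_version(s):
    """Turn 'v2.1.149' or '2.1.149' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    return tuple(map(int, m.groups()))

def triage(version, platform, powershell_worktrees=False, custom_gateway=False):
    """List what the article describes as outstanding for one host."""
    v, out = parse_version(version), []
    if v < (2, 1, 145):
        out.append("Bash env-var bypass (patched v2.1.145)")
    if v < (2, 1, 149):
        out.append("prefix/wildcard native executable gap (patched v2.1.149)")
        if platform == "windows" and powershell_worktrees:
            out.append("PowerShell cd bypass and worktree over-allowlisting (patched v2.1.149)")
        if platform == "macos":
            out.append("vnode exhaustion on large repos (fixed v2.1.149)")
    # Only the current version is checked; a host that ran these versions earlier
    # with a gateway configured needs the same rotation.
    if custom_gateway and (2, 1, 147) <= v <= (2, 1, 152):
        out.append("rotate OAuth credential (leak fixed v2.1.153)")
    if out:
        out.append("upgrade to v2.1.154")
    return out

# Constructed inventory: host names and attributes are illustrative.
INVENTORY = [
    {"host": "ci-linux-01", "version": "v2.1.144", "platform": "linux"},
    {"host": "dev-win-07", "version": "2.1.146", "platform": "windows", "powershell_worktrees": True},
    {"host": "dev-mac-03", "version": "v2.1.148", "platform": "macos", "custom_gateway": True},
    {"host": "dev-mac-09", "version": "v2.1.154", "platform": "macos", "custom_gateway": True},
]

def triage_fleet(inventory):
    """Map each exposed host to its findings; hosts with nothing outstanding are omitted."""
    report = {}
    for h in inventory:
        found = triage(h["version"], h["platform"],
                       h.get("powershell_worktrees", False), h.get("custom_gateway", False))
        if found:
            report[h["host"]] = found
    return report
```
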
What to Watch in the Next Sprint
v2.1.154's dynamic workflows primitive — where Claude spawns tens to hundreds of background agents for complex multi-step tasks, tracked via /workflows — is the most forward-looking addition in this sprint. The infrastructure built in the preceding nine days reads as deliberate groundwork for making that scale of orchestration manageable: OTEL agent_id spans make multi-level agent calls traceable, per-category /usage breakdowns make cost attribution actionable, and pinned sessions keep long-running orchestration alive through updates. The next sprint will test whether that infrastructure holds under the load dynamic workflows impose.
The security finding density also warrants continued attention. Four bypass vectors closed in nine days, followed by the OAuth credential leak fixed in v2.1.153, suggest active security review of the permission and sandbox model — appropriate given the expanding attack surface of autonomous agents with broad tool access. Teams running Claude Code in CI pipelines or automated workflows should establish a policy of staying within one or two versions of the latest release, rather than pinning to a specific version for extended periods.
For skill and hook authors, the v2.1.152 additions represent the most significant expansion of the skill authoring API in recent months. Community conventions around disallowed-tools, SessionStart hooks, and MessageDisplay hooks are still forming. This is a productive window to experiment with these primitives in production skill definitions before the ecosystem settles on patterns.
Last updated: 2026-05-29. Based on the official Claude Code CHANGELOG covering v2.1.144 through v2.1.154, cross-referenced with the GitHub Releases page.



