Prevent Claude Code from Installing Random Dependencies

Claude Code can run npm install, pip install, and other package managers freely. When it encounters a missing module, its natural behavior is to install it — without asking. This creates supply chain risks and dependency bloat.

The Problem

Unauthorized npm install adds 300MB to node_modules

Claude encountered a missing module during refactoring and ran npm install lodash without permission. The lockfile changed, node_modules grew by 300MB, and the CI pipeline broke because the new dependency wasn't in the approved list.

Supply chain risk from unknown packages

AI models can be manipulated into installing malicious packages through typosquatting or hallucinated package names. A pip install of a non-existent package name could install a malicious lookalike.

What Gets Blocked

The dependency-install-guard hook intercepts package manager commands:

What's Allowed

Quick Fix

Option 1: Install the full safety suite (includes dependency guard):

npx cc-safe-setup

Option 2: Install just the dependency guard:

npx cc-safe-setup --install-example dependency-install-guard

Check your setup

npx cc-health-check

20-point diagnostic. Score 80+ means production-ready.


cc-safe-setup · 667 hooks · 9,200+ tests · GitHub
