Claude Code can run `npm publish` during a refactoring session, pushing half-finished code to the public npm registry. In Auto Mode, there's no confirmation prompt.
The `npm-publish-guard` hook (included by default in cc-safe-setup) blocks all publish commands:
```bash
# Blocks: npm publish, npm publish --tag, yarn publish, pnpm publish
npx cc-safe-setup
```
Also blocks: `cargo publish`, `gem push`, `twine upload`, `pip publish`. Each has a dedicated guard hook.
The hook allows `npm publish --dry-run`, so you can test without actually publishing.
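A sketch of the decision such a guard has to make, added here as an illustration and not the code cc-safe-setup ships. It assumes Claude Code's PreToolUse hook interface (the tool call arrives as JSON on stdin, exit code 2 blocks it); `check_command` and `PUBLISH_TOOLS` are hypothetical names.

```python
import json
import os
import re
import shlex
import sys

# Tools the page lists for npm-publish-guard (names here are illustrative).
PUBLISH_TOOLS = {"npm", "yarn", "pnpm"}


def check_command(command):
    """Return a reason string if the shell command would publish, else None."""
    # Inspect every segment of a chain such as `npm test && npm publish`.
    for segment in re.split(r"&&|\|\||[;|\n]", command):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = segment.split()
        for i, tok in enumerate(tokens):
            if os.path.basename(tok) not in PUBLISH_TOOLS:
                continue
            rest = tokens[i + 1:]
            # Fail closed: any bare `publish` token after the tool counts,
            # and only an exact `--dry-run` flag exempts it.
            if "publish" in rest and "--dry-run" not in rest:
                return "blocked: " + " ".join(tokens[i:])
    return None


def main():
    event = json.load(sys.stdin)  # hook payload from Claude Code
    if event.get("tool_name") != "Bash":
        return 0
    reason = check_command(event.get("tool_input", {}).get("command", ""))
    if reason:
        print(reason + " (use --dry-run to test)", file=sys.stderr)
        return 2  # exit code 2 blocks the tool call
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Commands wrapped in another interpreter (for example a string passed to `bash -c`) are not unpacked by this sketch, so a production guard needs to cover that case as well.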
| Ecosystem | Hook | Blocks |
|---|---|---|
| npm/yarn/pnpm | npm-publish-guard | npm publish |
| Rust | cargo-publish-guard | cargo publish |
| Python | pip-publish-guard | twine upload |
| Ruby | gem-push-guard | gem push |
| PHP | composer-guard | composer global require |
```bash
npx cc-safe-setup
```
npm-publish-guard included by default. 667 hooks total.