[BUG] DISABLE_AUTOUPDATER=1 does not prevent npm view calls to registry.npmjs.org on startup
What's Wrong?
Setting DISABLE_AUTOUPDATER=1 (and/or CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1) does not prevent Claude Code from running npm view @anthropic-ai/claude-code dist-tags --json --prefer-online multiple times for each claude instance. The env var only gates the install step, not the version check network call itself.
This causes an unwanted outbound connection to registry.npmjs.org, visible in firewalls like Little Snitch, with no way to suppress it.
What Should Happen?
When DISABLE_AUTOUPDATER=1 is set, no network calls to registry.npmjs.org should be made — not just the install, but the version check too.
Steps to Reproduce
- Set env vars before launching Claude Code:
````
export DISABLE_AUTOUPDATER=1
export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1
- Start
claude - Observe outbound connection to
registry.npmjs.org(e.g. via Little Snitch, tcpdump, or similar) - The
npm view @anthropic-ai/claude-codecall fires regardless of the env vars
Root Cause (from source analysis)
In cli.js, the version check is triggered unconditionally during React component initialization:
// Runs on startup with no guard
G = SY6().then(gUY)
gUY dispatches based on install type — for non-native (npm/pnpm) installs it calls KU4, which spawns npm view:
function gUY(A) {
return (A.installationType === "native" ? YU4 : KU4)().catch(FUY)
}
async function KU4() {
let A = await RA("npm", ["view", PACKAGE_URL, "dist-tags", "--json", "--prefer-online"], {
abortSignal: AbortSignal.timeout(5000), cwd: nd6()
});
// ...
}
The DISABLE_AUTOUPDATER check (CF() via hY6()) only runs after the npm view call:
M = await LY6(J) // npm view fires FIRST
D = CF() // THEN checks DISABLE_AUTOUPDATER
The fix should move the CF() check before the version fetch, or have gUY bail out early when the autoupdater is disabled.
Additional Issue: pnpm install shadowing
For users who installed via pnpm add -g, the autoupdater's npm-based install silently reinstalls Claude Code under npm's global prefix (/opt/homebrew/lib/node_modules), shadowing the pnpm installation. This happens even with DISABLE_AUTOUPDATER=1 set in settings.json (the env block loads too late to prevent it).
Is this a regression?
I don't know — the version check may have never respected the env var.
Environment
- Claude Code Version: 2.1.79
- Platform: Anthropic API
- OS: macOS (Apple Silicon)
- Terminal: iTerm2
- Installed via:
pnpm add -g @anthropic-ai/claude-code
Related
- #7030
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗