Require user consent before auto downloading update installers
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
When Claude Code detects a new version, it silently downloads the installer to the users downloads folder without any notification or consent prompt. I discovered a file called "Claude Setup.exe" had been downloaded to my pc without my knowledge. I had no idea it was there until I opened my browser. i thought it was some kind of malware and was ready to delete it. No software should write files to a users filesystem without explicit permission. This is a basic principle of user privacy and system autonomy. Yes the users agreed to use Claude Code but not to have files silently downloaded on their machines. Additionally, this behavior represents a real supply chain attack risk, if Anthropics update servers were ever compromised, malicious installers could be silently pushed to every Claude Code users pc's with no warning and no opportunity to intervene.
Proposed Solution
Show a notification i.e "A new version is available" and only proceed to download if the user clicks yes.
Alternative Solutions
There is no workaround. The download happens silently in the background with no way to prevent or disable it from within the app settings.
Priority
High - Significant impact on productivity
Feature Category
Configuration and settings
Use Case Example
_No response_
Additional Context
Reference: solarwinds and CCleaner supply chain attacks both exploited silent auto-update mechanisms. A consent based update prompt is standard practice in security conscious software i.e VS Code asks before updating. This is not just a UX issue its also a security architecture concern.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗