Require user consent before auto downloading update installers

Resolved 💬 4 comments Opened Mar 26, 2026 by Z1000k Closed Apr 25, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

When Claude Code detects a new version, it silently downloads the installer to the users downloads folder without any notification or consent prompt. I discovered a file called "Claude Setup.exe" had been downloaded to my pc without my knowledge. I had no idea it was there until I opened my browser. i thought it was some kind of malware and was ready to delete it. No software should write files to a users filesystem without explicit permission. This is a basic principle of user privacy and system autonomy. Yes the users agreed to use Claude Code but not to have files silently downloaded on their machines. Additionally, this behavior represents a real supply chain attack risk, if Anthropics update servers were ever compromised, malicious installers could be silently pushed to every Claude Code users pc's with no warning and no opportunity to intervene.

Proposed Solution

Show a notification i.e "A new version is available" and only proceed to download if the user clicks yes.

Alternative Solutions

There is no workaround. The download happens silently in the background with no way to prevent or disable it from within the app settings.

Priority

High - Significant impact on productivity

Feature Category

Configuration and settings

Use Case Example

_No response_

Additional Context

Reference: solarwinds and CCleaner supply chain attacks both exploited silent auto-update mechanisms. A consent based update prompt is standard practice in security conscious software i.e VS Code asks before updating. This is not just a UX issue its also a security architecture concern.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗