Feature: version constraints for enabledPlugins in project settings
Feature Request
Support semver version constraints in enabledPlugins to allow project maintainers to control which plugin versions are loaded.
Proposed Syntax
{
"enabledPlugins": {
"my-plugin@my-marketplace": ["^2.0.0"]
}
}
The JSON schema already accepts an array of strings for enabledPlugins values and describes it as supporting "extended format with version constraints," but this is not currently implemented.
Why: Security
When a project's .claude/settings.json uses extraKnownMarketplaces + enabledPlugins to distribute plugins to a team, there is no way to guard against breaking or malicious changes in a plugin update. A compromised or buggy plugin version would immediately propagate to every developer on the team.
With version constraints, project maintainers can:
- Pin to a known-good major version (
^2.0.0) — prevents untested major bumps from reaching developers - Pin to an exact version (
=2.0.0) — maximum control for security-sensitive environments - Set a minimum version (
>=2.1.0) — ensure a security fix is picked up by all team members
This is especially important for large teams (100+ developers) where plugins include hooks that execute shell commands. A version constraint in the checked-in project settings acts as a gate, requiring a deliberate commit to upgrade.
Current Workaround
None. The only option is true/false, which always installs whatever version the marketplace provides.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗