Feature: version constraints for enabledPlugins in project settings

Resolved 💬 3 comments Opened Apr 12, 2026 by RoyTouw77 Closed May 24, 2026

Feature Request

Support semver version constraints in enabledPlugins to allow project maintainers to control which plugin versions are loaded.

Proposed Syntax

{
  "enabledPlugins": {
    "my-plugin@my-marketplace": ["^2.0.0"]
  }
}

The JSON schema already accepts an array of strings for enabledPlugins values and describes it as supporting "extended format with version constraints," but this is not currently implemented.

Why: Security

When a project's .claude/settings.json uses extraKnownMarketplaces + enabledPlugins to distribute plugins to a team, there is no way to guard against breaking or malicious changes in a plugin update. A compromised or buggy plugin version would immediately propagate to every developer on the team.

With version constraints, project maintainers can:

  • Pin to a known-good major version (^2.0.0) — prevents untested major bumps from reaching developers
  • Pin to an exact version (=2.0.0) — maximum control for security-sensitive environments
  • Set a minimum version (>=2.1.0) — ensure a security fix is picked up by all team members

This is especially important for large teams (100+ developers) where plugins include hooks that execute shell commands. A version constraint in the checked-in project settings acts as a gate, requiring a deliberate commit to upgrade.

Current Workaround

None. The only option is true/false, which always installs whatever version the marketplace provides.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗