Auto mode classifier should block `--break-system-packages` by default
Resolved 💬 3 comments Opened Apr 16, 2026 by johangp Closed May 26, 2026
What happened
Claude Code running with --enable-auto-mode, no custom deny rules or CLAUDE.md instructions about pip/venv at the time. Claude autonomously ran:
pip3 install pyarrow pandas --quiet --break-system-packages
pip3 install news-please --quiet --break-system-packages
pip3 install news-please==1.6.13 --quiet --break-system-packages
All three were auto-approved by the classifier with no confirmation prompt.
news-pleasepulled heavy transitive dependencies (newspaper4k, lxml, nltk, Pillow, beautifulsoup4, etc.)- A package downgrade was also performed (1.6.16 → 1.6.13)
--quietwas used on all three commands, suppressing installation output and reducing user visibility
Why the classifier should have caught this
--break-system-packagesexists because PEP 668 / OS maintainers decided this action is dangerous enough to require an explicit opt-in. If the OS itself gates it behind a safety flag, auto mode should treat bypassing that gate as a destructive action.- Modifies shared system state — the system Python is used by brew, macOS tools, and other scripts
- Hard to reverse — transitive dependency version changes aren't tracked for rollback;
pip uninstalldoesn't restore previous versions of indirect deps - Meets auto mode's own documented criteria for blocking: "hard to reverse, affects shared systems beyond your local environment"
Aggravating factor
--quiet was also used alongside --break-system-packages, suppressing pip's installation output. The combination of a destructive flag + suppressed output should be an even stronger signal to block.
Ask
Add --break-system-packages (and possibly sudo pip) to the default block list for auto mode's classifier. Users shouldn't have to get burned first and then write custom deny rules for commands that bypass OS-level safety protections.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗