[BUG] Sandbox blocks writes to `.vscode/` and `.idea/` inside `node_modules/`, breaking `pnpm install`

Resolved 💬 5 comments Opened May 22, 2026 by floppey Closed Jun 21, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

The Bash tool sandbox denies all writes inside .vscode/ and .idea/ directories, regardless of where they appear in the filesystem. This is sensible at a project root, but it also blocks writes inside node_modules/, which breaks pnpm install for projects whose transitive dependencies ship those directories in their published tarballs.

sandbox.filesystem.allowWrite rules — even very specific ones like **/node_modules/**/.vscode/** — do not override the block. The protection appears to be hardcoded.

Reproduction

In any project where node_modules/ lives inside a sandboxed working directory:

touch node_modules/test/.vscode/settings.json
# touch: Operation not permitted

This also fails:

mkdir -p node_modules/test/.idea
touch node_modules/test/.idea/foo.xml
# touch: Operation not permitted

Real-world impact: pnpm install fails on packages like focus-visible@5.2.1 (ships .vscode/settings.json) and iconv-lite@0.6.3 (ships .idea/codeStyles/):

[ERR_PNPM_EPERM] [importPackage .../node_modules/.pnpm/focus-visible@5.2.1/...]
Operation not permitted (os error 1), reflink '...' ->
'.../node_modules/.pnpm/focus-visible@5.2.1/node_modules/focus-visible_tmp_XXXXX/.vscode/settings.json'

What I tried

Adding allowWrite rules to ~/.claude/settings.json:

{
  "sandbox": {
    "enabled": true,
    "filesystem": {
      "allowWrite": [
        "**/node_modules/**",
        "**/node_modules/**/.vscode/**",
        "**/node_modules/**/.idea/**"
      ]
    }
  }
}

After restart, the deny persists for .vscode/ and .idea/ paths under node_modules/. Other allow rules (e.g. for arbitrary filenames including settings.json not under .vscode/) do take effect, so the config is being read.

Why the current rule is too broad

The rule presumably exists because .vscode/tasks.json, .vscode/launch.json, and JetBrains .idea/runConfigurations/ can execute code when the IDE opens the workspace. That risk is real at the project root, where the IDE actually reads them.

Inside node_modules/<pkg>/.vscode/ or node_modules/<pkg>/.idea/, the IDE does not load those files — IDEs only read configs at the workspace root. The published-tarball case is purely sloppy packaging by the upstream library, not a code-execution vector.

Suggested fix

Any of these would unblock the use case:

  1. Scope the deny to project roots only. Block <workspaceFolder>/.vscode/** and <workspaceFolder>/.idea/**, but not **/node_modules/**/.vscode/** or **/node_modules/**/.idea/**.
  2. Let user allowWrite rules override the hardcoded deny. Document this as an opt-in escape hatch.
  3. Carve out node_modules/ by default. Treat **/node_modules/** as a sandbox-permitted zone, so package installs always work regardless of what packages happen to ship.

Option 3 matches what most build tooling already assumes — node_modules/ is regenerable and untrusted-by-default for editing.

Environment

  • Claude Code version: 2.1.148
  • OS: macOS 26.3.1
  • Shell: zsh
  • Package manager: pnpm 11.1.1

What Should Happen?

Claude should be able to run pnpm install even while in sandbox mode.

Error Messages/Logs

`pnpm install` fails on packages like `focus-visible@5.2.1` (ships `.vscode/settings.json`) and `iconv-lite@0.6.3` (ships `.idea/codeStyles/`):


[ERR_PNPM_EPERM] [importPackage .../node_modules/.pnpm/focus-visible@5.2.1/...]
Operation not permitted (os error 1), reflink '...' ->
'.../node_modules/.pnpm/focus-visible@5.2.1/node_modules/focus-visible_tmp_XXXXX/.vscode/settings.json'

Steps to Reproduce

In any project where node_modules/ lives inside a sandboxed working directory:

touch node_modules/test/.vscode/settings.json
# touch: Operation not permitted

This also fails:

mkdir -p node_modules/test/.idea
touch node_modules/test/.idea/foo.xml
# touch: Operation not permitted

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.148

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗