Claude Code v2.1.38 – 5 Bug Fixes and Security Patch

Claude Code v2.1.38: 5 Bug Fixes and Enhanced Security

• Fixed scroll, tab key, and session duplication bugs in the VS Code extension
• Improved heredoc parsing to prevent command injection
• Enhanced sandbox security by blocking writes to the .claude/skills directory

What’s Fixed in This Patch

Anthropic has released Claude Code v2.1.38. This version is a patch that addresses several issues that arose in v2.1.37.^{[GitHub Release]}

The most noticeable fix is the VS Code terminal scrolling issue. In v2.1.37, there was a bug where the terminal would jump to the top when scrolling, which has now been resolved. The issue where the Tab key was queuing slash commands instead of autocompleting has also been fixed.

Security-Related Improvements

There are two security-related changes. Heredoc delimiter parsing has been improved to prevent command smuggling.^{[GitHub Release]} Additionally, writes to the .claude/skills directory have been blocked in sandbox mode.

This measure prevents malicious prompts from manipulating skill files. Security is becoming increasingly important for AI coding tools, so these proactive measures are meaningful.^{[Claude Code GitHub]}

Things VS Code Extension Users Should Know

This release is particularly important for VS Code extension users. The issue of duplicate sessions being created when resuming a session has also been fixed. A bug where text disappeared between tool calls when not using streaming has also been resolved.

The bash permission matching issue for commands using environment variable wrappers has also been fixed. Overall, this is a release focused on stability and security. While there are no major feature additions, it’s worth updating if you’re a developer who uses Claude Code on a daily basis.

Frequently Asked Questions (FAQ)

Q: How do I update to Claude Code v2.1.38?

A: It will automatically update from the VS Code extension marketplace, or you can manually update by searching for Claude Code in the Extensions tab. CLI users can install the latest version via npm. You can easily handle it with the npm update command in the terminal.

Q: Can I upgrade directly from v2.1.37 to v2.1.38?

A: Yes. v2.1.38 is a patch release that fixes regression bugs in v2.1.37. If you’re a v2.1.37 user, it’s actually a good idea to update quickly. The scrolling bug and tab key issues are resolved, improving the user experience.

Q: What is heredoc command smuggling?

A: A heredoc is a way to pass multi-line text in a shell script. If delimiter parsing is incomplete, an attacker can inject unintended commands. This patch strengthens delimiter parsing to block this attack path.

If you found this helpful, please subscribe to AI Digester.

References

• Claude Code v2.1.38 Release – GitHub (2025-02-10)
• Claude Code Repository – GitHub (2025-02-10)
• Claude Code Documentation – Anthropic (2025-02-10)