Copilot commented on code in PR #38751:
URL: https://github.com/apache/superset/pull/38751#discussion_r2966974670


##########
.claude/settings.json:
##########
@@ -6,7 +6,11 @@
         "hooks": [
           {
             "type": "command",
-            "command": "jq -r '.tool_input.command // \"\"' | grep -qE '^git 
commit' && cd \"$CLAUDE_PROJECT_DIR\" && echo '🔍 Running pre-commit before 
commit...' && pre-commit run || true"
+            "command": "npx --yes [email protected]"
+          },
+          {
+            "type": "command",
+            "command": "jq -r '.tool_input.command // \"\"' | grep -qE '^git 
commit' && cd \"$CLAUDE_PROJECT_DIR\" && echo 'Running pre-commit before 
commit...' && pre-commit run || true"
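
Review bot: The added `npx --yes` command fetches the package from the npm registry whenever it is not already cached and runs it with no install prompt, so each run of this hook executes whatever the registry serves for that spec. Consider adding the package to devDependencies so the lockfile records its integrity hash and invoking the locally installed binary, or doing the check in shell/jq with no download at all. Separately, in the retained pre-commit command the trailing `|| true` makes the hook exit 0 even when `pre-commit run` fails, and `grep -qE '^git commit'` only matches a command string that begins with `git commit`; if the hook is meant to enforce rather than inform, drop `|| true` and match `git commit` anywhere a command can start.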

Review Comment:
   The new PreToolUse hook runs `npx --yes [email protected]` 
unconditionally for every `Bash` tool call. This creates a hard dependency on 
Node/npm (and potentially npm registry access) for *all* Bash commands; if 
`npx` is unavailable or the package can’t be fetched, it will block unrelated 
Bash tool usage. Consider gating this to git commands (by inspecting 
`.tool_input.command` like the pre-commit hook does) and/or implementing the 
`--no-verify` check in shell/jq to avoid runtime npm installs, depending on how 
strict you want the failure mode to be.
   ```suggestion
               "command": "cmd=$(jq -r '.tool_input.command // \"\"'); if printf '%s\n' \"$cmd\" | grep -qE '^git commit'; then if printf '%s\n' \"$cmd\" | grep -q -- '--no-verify'; then echo 'Error: use of --no-verify is blocked for git commit commands.' >&2; exit 1; fi; fi"
             },
             {
               "type": "command",
               "command": "jq -r '.tool_input.command // \"\"' | grep -qE '^git commit' && cd \"$CLAUDE_PROJECT_DIR\" && echo 'Running pre-commit before commit...' && pre-commit run || true"
   ```


