The latest articles on DEV Community by DanyITnerd (@ksegit). https://dev.to/ksegit https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3901206%2F1bfecbc8-6d95-4251-9f55-05329ad1c09a.png https://dev.to/ksegit en DanyITnerd Mon, 27 Apr 2026 21:02:13 +0000 https://dev.to/ksegit/i-built-a-claude-code-plugin-that-blocks-hallucinated-package-versions-55mg https://dev.to/ksegit/i-built-a-claude-code-plugin-that-blocks-hallucinated-package-versions-55mg <h2> The Problem </h2> <p>If you use Claude Code (Anthropic's CLI coding agent), you've probably seen it do things like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>lodash@4.17.21 </code></pre> </div> <p>...when the latest version is actually different, or worse — install a version that doesn't even exist on the registry. Claude hallucinates package versions just like it hallucinates everything else.</p> <p>This is a supply-chain risk. You end up with outdated deps, missing security patches, or broken installs.</p> <h2> The Solution: Version Sentinel </h2> <p>I built <strong>Version Sentinel</strong> — a Claude Code plugin that uses the hook system to hard-block any dependency change until you've verified the version is real and current.</p> <h3> How it works </h3> <ol> <li> <strong>PreToolUse hooks</strong> intercept edits to manifest files (<code>package.json</code>, <code>requirements.txt</code>, <code>pyproject.toml</code>, <code>Cargo.toml</code>, <code>*.csproj</code>) and install commands (<code>npm install</code>, <code>pip install</code>, <code>cargo add</code>, <code>dotnet add</code>)</li> <li>If no fresh version check exists → <strong>action is blocked</strong> (exit code 2)</li> <li>You run WebSearch to verify the latest version, then <code>/vs-record</code> to log it</li> <li>Claude retries and the action goes through</li> <li> <strong>PostToolUse hooks</strong> auto-record successful installs so verified packages stay unblocked</li> </ol> <h3> Supported ecosystems </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Ecosystem</th> <th>Manifest</th> <th>Registry</th> </tr> </thead> <tbody> <tr> <td>npm</td> <td><code>package.json</code></td> <td>registry.npmjs.org</td> </tr> <tr> <td>pip</td> <td> <code>requirements*.txt</code>, <code>pyproject.toml</code> </td> <td>pypi.org</td> </tr> <tr> <td>Cargo</td> <td><code>Cargo.toml</code></td> <td>crates.io</td> </tr> <tr> <td>.NET</td> <td><code>*.csproj</code></td> <td>api.nuget.org</td> </tr> </tbody> </table></div> <h3> Bonus: <code>/check-versions</code> </h3> <p>Audits ALL dependencies in your project against upstream registries. Reports drift without blocking — shows you which deps are outdated and which are intentionally pinned.</p> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>claude plugin add KSEGIT/Version-Sentinel </code></pre> </div> <h2> Links </h2> <ul> <li> <strong>GitHub:</strong> <a href="https://github.com/KSEGIT/Version-Sentinel" rel="noopener noreferrer">KSEGIT/Version-Sentinel</a> </li> <li> <strong>License:</strong> MIT</li> <li> <strong>Prerequisites:</strong> bash, jq, curl, python3</li> </ul> <p>This is my first Claude Code plugin. Would love feedback — especially if you've run into the same version hallucination problem. What other guardrails would be useful?</p> claudecode ai