
Claude Code v2.1.209 to v2.1.210 Major Updates
This page has been translated by machine translation. View original
This is Ishikawa from the Cloud Business Division. Here is a summary of the Claude Code updates for v2.1.209 and v2.1.210 (both released on July 14, 2026).
Update Summary
This covers 2 versions (v2.1.209 / v2.1.210, released July 14, 2026) with 34 changes. Of these, 23 are bug fixes, and only 1 is a new feature addition. Many of the changes relate to fixes around background agents (claude agents) and changes to how sub-agent, sandbox, and permission handling works.
Notable Updates
- New Feature: A live elapsed time counter has been added to collapsed tool summary lines (v2.1.210)
- Bug Fix: An issue was fixed where sub-agents with
isolation: 'worktree'could execute git-modifying commands against the main repository checkout instead of their own worktree (v2.1.210) - Security: The Agent tool has been hardened against indirect prompt injection via content read by sub-agents, and an issue where
.claude/*symlinks appearing later were not reflected in the sandbox write-deny list has also been fixed (v2.1.210)
Target Versions and Period
| Version | Release Date |
|---|---|
| v2.1.209 | 2026-07-14 |
| v2.1.210 | 2026-07-14 |
New Features
- A live elapsed time counter has been added to collapsed tool summary lines. This ensures that long-running tool calls no longer appear to be stuck, allowing you to confirm that time is progressing (v2.1.210)
Security
Here is a summary of changes related to sub-agent, sandbox, and permission handling.
- The Agent tool has been hardened against indirect prompt injection via content read by sub-agents (v2.1.210)
- An issue was fixed where
.claude/*symlinks appearing later were not reflected in the sandbox write-deny list (v2.1.210) - An issue was fixed where the
ultracodekeyword opt-in was being triggered by non-human input such as webhook payloads and relayed PR comments (v2.1.210) - An issue was fixed where rendered text fragments were being mixed into crash telemetry when UI components returned content outside of styled text elements (v2.1.210)
- As an improvement to auto mode, the permission classifier now uses Sonnet 5 as the default for external sessions. It is validated on the first request of a session and then fixed for the duration of the session. This is presented as an improvement related to permission determination rather than a vulnerability fix (v2.1.210)
Improvements
- The message for Bash/PowerShell tools when a command times out and is automatically moved to the background has been improved, allowing the model to distinguish between a hang and an explicit request for background execution (v2.1.210)
- Memory writes that would cause the MEMORY.md index to exceed the read limit now result in an explicit error instead of being silently truncated (v2.1.210)
- The agent footer hint now displays the number of background agents waiting for input. When the count changes, it is briefly highlighted in color (v2.1.210)
- In screen reader mode, permission mode changes when toggling with Shift+Tab are now announced (v2.1.210)
- In the agent view, the original session that was navigated to with ← is now kept explicitly indicated even after the selection is moved by mouse hover or arrow keys (v2.1.210)
- Chart color validation in the bundled dataviz skill has been improved to be based on perceptual OKLab color differences, with color vision diversity thresholds readjusted (v2.1.210)
Fixes (Major Items)
Here is a selection focusing on fixes related to stability and usability.
- Fixed sub-agent with worktree isolation modifying the main repository: Sub-agents with
isolation: 'worktree'could execute git-modifying commands against the main repository checkout instead of their own isolated worktree (v2.1.210) - Fixed
claude attachfailures during session transitions: Failures with "job not found" and "agent is still starting" could occur. Attach now waits for the daemon to settle, and terminal resizes during a slow attach are applied after completion (v2.1.210) - Fixed hook timeouts being misreported as user rejections: When a hook callback timed out, the model was told the user had rejected it, causing unattended sessions to stop and wait indefinitely (v2.1.210)
- Fixed plugin-provided MCP servers being discarded: This occurred when MCP servers were re-synced during a session (v2.1.210)
- Fixed plan approval overwriting plan files: Plan approval without edits was displaying "(edited by user)" and overwriting the plan file with an old snapshot (v2.1.210)
- Fixed
$1/$2disappearing in skills and commands: Unmatched positional placeholders were being silently removed. They are now preserved as-is (v2.1.210) - Fixed background worker crash loops: These occurred when a client reset its connection to the background service (v2.1.210)
- Fixed
git worktree lockresiduals: Force-killed background sessions were leaving locks permanently. A periodic sweep now releases locks whose owning process has disappeared (v2.1.210) - In addition, numerous minor bugs have been fixed, including dialog display issues for
/modeland similar inclaude agentsbackground sessions (v2.1.209), paste markers being mixed into external editors, "No matches found" display during Grep pagination, and--effort ultracodespecification being dropped, among others.
Note that while this is not a bug fix, Fable will be temporarily displayed as unavailable in the advisor picker as a temporary measure until a server-side issue causing Fable advisor failures is resolved (v2.1.210).
Deprecations
A startup warning has been added for permission rules written as Write(path), NotebookEdit(path), and Glob(path) (v2.1.210). You are advised to use Edit(path) or Read(path) instead.
The CHANGELOG only mentions the addition of the warning and this replacement guidance, and does not state that existing configurations will stop working. However, if you are using these rules in settings.json or elsewhere, a warning will appear at startup, so you may want to consider updating them.
Closing
v2.1.209 and v2.1.210 were released on the same day. With only 1 new feature addition, this is a release centered on changes related to the reliability of background agents and the safety of sub-agent and sandbox handling. If you are running sub-agents in parallel using isolation: 'worktree' or operating unattended sessions with hooks, relevant fixes are included.
If you have Write(path) / NotebookEdit(path) / Glob(path) written in your permission rules, warnings will now appear at startup. If any of the changes are of interest, try updating and checking them out.
References
