If you’ve been using MCP servers with OAuth authentication lately, you might have hit this one: Claude Code randomly loses the connection, and you have to log in again. Version 2.1.136 fixes that for good.
The OAuth Problem
This bug was particularly annoying because it didn’t show up right away. When multiple MCP servers were running concurrently and tried to refresh their OAuth tokens, a race condition kicked in — one server’s token refresh would overwrite another’s. The result: authentication suddenly gone, Claude Code asking you to log in again.
There was a second OAuth bug too: the login flow could get stuck in an infinite loop. Both are fixed in 2.1.136.
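The lost update behind the first bug, as an added illustration that is not Claude Code's own code: it assumes, hypothetically, that all servers' tokens sit in one shared document that each refresh reads, modifies and writes back whole. The store, the lock and every name below are constructed for this example.

```javascript
// Constructed model: all servers' tokens live in one shared JSON document.
// The store layout and all names here are assumptions for illustration.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

function makeStore(initial) {
  let doc = JSON.stringify(initial);
  return {
    read: async () => { await sleep(5); return JSON.parse(doc); },
    write: async (next) => { await sleep(5); doc = JSON.stringify(next); },
    snapshot: () => JSON.parse(doc),
  };
}

// Read-modify-write of the whole document, with no coordination of its own.
async function refreshToken(store, server, newToken) {
  const all = await store.read();          // copy of every server's entry
  await sleep(10);                         // simulated token endpoint round trip
  all[server] = { accessToken: newToken };
  await store.write(all);                  // also writes back the other entries as read
}

// Mutex built from a promise chain: each task starts after the previous one settles.
function makeLock() {
  let tail = Promise.resolve();
  return (task) => {
    const run = tail.then(task);
    tail = run.catch(() => {});            // a failed refresh must not block the queue
    return run;
  };
}

// Two servers refresh at the same time, with or without the lock.
async function runScenario(useLock) {
  const store = makeStore({ a: { accessToken: "a-old" }, b: { accessToken: "b-old" } });
  const withLock = makeLock();
  const refresh = (server, token) =>
    useLock ? withLock(() => refreshToken(store, server, token))
            : refreshToken(store, server, token);
  await Promise.all([refresh("a", "a-new"), refresh("b", "b-new")]);
  return store.snapshot();
}

runScenario(false).then((r) => console.log("unlocked:", JSON.stringify(r)));
runScenario(true).then((r) => console.log("locked:  ", JSON.stringify(r)));
```

Without the lock, both refreshes read the same snapshot and the later write restores the other server's old token; with the lock, both new tokens survive.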
New Security Feature: hard_deny
More interesting for day-to-day use is the new settings.autoMode.hard_deny setting. Previously, you could define rules for which tools Claude shouldn’t run automatically in auto mode. But Claude could still ask for confirmation and execute the action with your approval.
With hard_deny, that changes: tools on this list are completely blocked — no prompt, no exception. If you want to make absolutely sure Claude never runs rm -rf on its own, you now have a hard boundary for that.
Windows Fix for VSCode
One day later, version 2.1.137 brought a fix specifically for Windows users: the VSCode extension was failing to activate on Windows. A short but important update — especially since the VSCode integration is the primary way many people use Claude Code.
Also Fixed
A smaller but annoying bug was also resolved: MCP servers would disappear from the session after running the /clear command. If you regularly clean up your context, you had to reconnect the servers afterward. That no longer happens.