Copilot CLI v0.0.423: Security & MCP Improvements
Copilot CLI adds shell command safety checks, MCP out-of-band auth support, and selection confirmation UI. Windows diff rendering fixed.
TL;DR
- New prompts before potentially dangerous shell commands run, to prevent accidental exploitation
- MCP servers can now request out-of-band user interactions like OAuth flows
- Confirmation step added for enum and boolean selections in elicitation
- /share gist blocked for EMU and GHE Cloud users
New
- Shell command safety prompts — Users are now prompted when a command contains potentially dangerous expansion or substitution patterns, so a malicious command can be stopped before it executes.
- MCP out-of-band interactions — MCP servers can request users visit a URL for OAuth flows, API key entry, or other external authentication without blocking the CLI.
- Selection confirmation UI — Enum and boolean fields in elicitation now require Enter to confirm; ✓ marks confirmed values and ❯ marks the browsing cursor, which prevents accidental selections.
- Improved explore agent — Better context sharing for large repositories and more precise results in the explore agent.
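
A sketch of the kind of check the shell command safety prompts item describes, as an added example that is not Copilot CLI's own code. The token list, the function names and the quoting rules are assumptions modelled on POSIX sh and bash; the release notes do not say which patterns the CLI flags.

```javascript
// Added illustration, not Copilot CLI's implementation. The token list and the
// quoting rules below are assumptions modelled on POSIX sh / bash behaviour.
const TOKENS = [
  { token: "$((", kind: "arithmetic-expansion", inDoubleQuotes: true },
  { token: "$(", kind: "command-substitution", inDoubleQuotes: true },
  { token: "${", kind: "parameter-expansion", inDoubleQuotes: true },
  { token: "`", kind: "backtick-substitution", inDoubleQuotes: true },
  { token: "<(", kind: "process-substitution", inDoubleQuotes: false },
  { token: ">(", kind: "process-substitution", inDoubleQuotes: false },
];

// Heuristic scan (not a full shell parser): returns [{ kind, index }] for each
// expansion or substitution the shell would actually evaluate.
function findRiskyShellPatterns(command) {
  const findings = [];
  let quote = null; // null, "'" or '"'
  for (let i = 0; i < command.length; i++) {
    const ch = command[i];
    if (quote === "'") {
      if (ch === "'") quote = null; // nothing expands inside single quotes
      continue;
    }
    if (ch === "\\") { i++; continue; } // backslash makes the next char literal
    if (ch === '"') { quote = quote ? null : '"'; continue; }
    if (ch === "'" && quote === null) { quote = "'"; continue; }
    const hit = TOKENS.find(
      (t) => command.startsWith(t.token, i) && (quote === null || t.inDoubleQuotes)
    );
    if (!hit) continue;
    findings.push({ kind: hit.kind, index: i });
    if (hit.token === "`") {
      const close = command.indexOf("`", i + 1); // skip to the closing backtick
      i = close === -1 ? command.length : close;
    } else {
      i += hit.token.length - 1;
    }
  }
  return findings;
}

// A caller would ask the user to confirm before running a flagged command.
function needsConfirmation(command) {
  return findRiskyShellPatterns(command).length > 0;
}
```

Quoting context decides the result: the same `$(...)` text is inert inside single quotes but still evaluated inside double quotes, so a plain substring match would both over- and under-report.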
Fixed
- Windows CRLF handling — Diff mode now displays cleanly on Windows systems with CRLF line endings.
Breaking Changes
- /share gist blocked — EMU and GHE Cloud users can no longer use /share gist; clear error messaging explains the restriction.
Update with: npm install -g @github/copilot-cli@latest or check the release page for your platform.
Source: Copilot CLI