npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

block-no-verify

v1.3.0

Published

CLI tool to block --no-verify flag in git commands. Prevents AI agents from bypassing git hooks.

Readme

block-no-verify

A security tool that blocks ways AI agents can bypass local git hooks. It flags the --no-verify flag, core.hooksPath overrides, and GitHub MCP tool calls that write through the GitHub API.

Powered by @polyhook/sdk — write the hook once, run it everywhere.

Why?

When using AI coding assistants like Claude Code, Cursor, Windsurf, Cline, or Amp, you might have git hooks (pre-commit, pre-push) that enforce code quality, run tests, or perform security checks. Agents can side-step those hooks in three common ways:

  • passing --no-verify to a git command,
  • overriding core.hooksPath (e.g. git -c core.hooksPath=/dev/null ...),
  • calling GitHub MCP tools such as mcp__github__push_files that commit or merge directly through the GitHub API, skipping the local hook chain entirely.

This package provides a CLI that blocks all three, working with any AI tool that supports command / tool-use hooks.

Used By

Supported Agents

See polyhook's supported tools list.

Installation

Add as a dev dependency to ensure a consistent, pinned version:

pnpm add -D block-no-verify
# or
npm install --save-dev block-no-verify

Then use it with pnpm exec block-no-verify or npm exec block-no-verify.

Platform Integration

Claude Code

Add to your .claude/settings.json. The first matcher handles shell commands (--no-verify, core.hooksPath); the second matches any GitHub MCP tool so direct-to-API writes are also blocked:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "pnpm exec block-no-verify"
          }
        ]
      },
      {
        "matcher": "mcp__github__.*",
        "hooks": [
          {
            "type": "command",
            "command": "pnpm exec block-no-verify"
          }
        ]
      }
    ]
  }
}

Cursor

Cursor 1.7+ supports hooks via .cursor/hooks.json. The beforeShellExecution hook runs before any shell command.

Create .cursor/hooks.json in your project root:

{
  "version": 1,
  "hooks": {
    "beforeShellExecution": [
      {
        "command": "pnpm exec block-no-verify"
      }
    ]
  }
}

Note: Cursor hooks are in beta. See Cursor Hooks Documentation for the latest information.

Windsurf

Add to your .windsurf/settings.json:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": ".*",
        "hooks": [
          {
            "type": "command",
            "command": "pnpm exec block-no-verify"
          }
        ]
      }
    ]
  }
}

Gemini CLI

Add to your .gemini/settings.json:

{
  "hooks": {
    "BeforeTool": [
      {
        "matcher": "run_shell_command",
        "hooks": [
          {
            "name": "block-no-verify",
            "type": "command",
            "command": "pnpm exec block-no-verify",
            "timeout": 5000
          }
        ]
      }
    ]
  }
}

Note: Hooks are disabled by default in Gemini CLI. See Gemini CLI Hooks Documentation for details.

Supported Git Commands

The following git commands are monitored for --no-verify:

  • git commit
  • git push
  • git merge
  • git cherry-pick
  • git rebase
  • git am

Blocked GitHub MCP Tools

The following GitHub MCP tools are blocked because they write through the GitHub API and therefore skip local git hooks:

  • mcp__github__create_or_update_file
  • mcp__github__delete_file
  • mcp__github__push_files
  • mcp__github__merge_pull_request
  • mcp__github__update_pull_request_branch

Read-only GitHub MCP tools (e.g. mcp__github__get_file_contents, mcp__github__list_pull_requests) are not blocked.

Behavior

| Command | Blocked? | Notes | | ------------------------ | -------- | --------------------------------------------- | | git commit --no-verify | Yes | | | git commit -n | Yes | -n is shorthand for --no-verify in commit | | git push --no-verify | Yes | | | git push -n | No | -n means --dry-run in push | | git merge --no-verify | Yes | | | git merge -n | No | -n means --no-commit in merge | | git commit -m "msg" | No | No --no-verify flag |

Contributing

See CONTRIBUTING.md for development setup and guidelines.

License

MIT

References