vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 05:50:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(update): trust externalized npm bridges

Browse Source
This commit is contained in:
Vincent Koc
2026-05-03 03:02:16 -07:00
parent 0393ec5b53
commit 423b5d6981
3 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -22,6 +22,7 @@ Docs: https://docs.openclaw.ai
- Plugins/externalization: pin beta-only official launch packages for ACPX, Google Chat, and LINE to explicit npm beta specs so catalog-driven installs do not trip the prerelease safety guard while npm `latest` still points at beta. Thanks @vincentkoc.
- CLI/doctor: keep missing-plugin repair from overriding official catalog metadata with runtime fallbacks, so ACPX repairs preserve the beta npm spec during the externalization rollout. Thanks @vincentkoc.
- Plugins/catalog: preserve ClawHub install specs when generating the packaged channel catalog so future storepack-first channel plugins keep their remote source instead of becoming npm-only. Thanks @vincentkoc.
- Plugins/update: treat OpenClaw-authored externalized-bundled npm bridges as trusted official installs so launch-code plugins can migrate out of the bundled tree without scanner false positives. Thanks @vincentkoc.
- Control UI/Talk: fix Talk (OpenAI Realtime WebRTC) CORS failure by stripping server-side-only attribution headers (`originator`, `version`, `User-Agent`) from browser offer headers; `api.openai.com/v1/realtime/calls` only allows `authorization` and `content-type` in its CORS preflight, so forwarding these headers caused the browser SDP exchange to fail. Fixes #76435. Thanks @hclsys.
- CLI/logs: auto-reconnect `openclaw logs --follow` on transient gateway disconnects (WebSocket close, timeout, connection drop) with bounded exponential backoff (up to 8 retries, capped at 30 s) and stderr retry warnings, while still exiting immediately on non-recoverable auth or configuration errors. Fixes #74782. (#75059) Thanks @shashank-poola.
- Plugins/onboarding: trust optional official plugin and web-search installs selected from the official catalog so npm security scanning treats them like other source-linked official install paths. Thanks @vincentkoc.

2
src/plugins/update.test.ts
View File

@@ -1930,6 +1930,7 @@ describe("syncPluginsForUpdateChannel", () => {
spec: "@openclaw/legacy-chat",
mode: "update",
expectedPluginId: "legacy-chat",
trustedSourceLinkedOfficialInstall: true,
}),
);
expect(result.changed).toBe(true);
@@ -2075,6 +2076,7 @@ describe("syncPluginsForUpdateChannel", () => {
spec: "@openclaw/legacy-chat",
mode: "update",
expectedPluginId: "legacy-chat",
trustedSourceLinkedOfficialInstall: true,
}),
);
expect(result.changed).toBe(true);

2
src/plugins/update.ts
View File

@@ -1391,6 +1391,7 @@ export async function syncPluginsForUpdateChannel(params: {
spec: npmSpec,
mode: "update",
expectedPluginId: targetPluginId,
trustedSourceLinkedOfficialInstall: true,
logger,
});
}
@@ -1399,6 +1400,7 @@ export async function syncPluginsForUpdateChannel(params: {
spec: npmSpec,
mode: "update",
expectedPluginId: targetPluginId,
trustedSourceLinkedOfficialInstall: true,
logger,
});
}