From 423b5d69817ad5aaee7a9d5c8b1a77bf9fb00e2c Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Sun, 3 May 2026 03:02:16 -0700 Subject: [PATCH] fix(update): trust externalized npm bridges --- CHANGELOG.md | 1 + src/plugins/update.test.ts | 2 ++ src/plugins/update.ts | 2 ++ 3 files changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d038c78616..20299c77e2f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,6 +22,7 @@ Docs: https://docs.openclaw.ai - Plugins/externalization: pin beta-only official launch packages for ACPX, Google Chat, and LINE to explicit npm beta specs so catalog-driven installs do not trip the prerelease safety guard while npm `latest` still points at beta. Thanks @vincentkoc. - CLI/doctor: keep missing-plugin repair from overriding official catalog metadata with runtime fallbacks, so ACPX repairs preserve the beta npm spec during the externalization rollout. Thanks @vincentkoc. - Plugins/catalog: preserve ClawHub install specs when generating the packaged channel catalog so future storepack-first channel plugins keep their remote source instead of becoming npm-only. Thanks @vincentkoc. +- Plugins/update: treat OpenClaw-authored externalized-bundled npm bridges as trusted official installs so launch-code plugins can migrate out of the bundled tree without scanner false positives. Thanks @vincentkoc. - Control UI/Talk: fix Talk (OpenAI Realtime WebRTC) CORS failure by stripping server-side-only attribution headers (`originator`, `version`, `User-Agent`) from browser offer headers; `api.openai.com/v1/realtime/calls` only allows `authorization` and `content-type` in its CORS preflight, so forwarding these headers caused the browser SDP exchange to fail. Fixes #76435. Thanks @hclsys. - CLI/logs: auto-reconnect `openclaw logs --follow` on transient gateway disconnects (WebSocket close, timeout, connection drop) with bounded exponential backoff (up to 8 retries, capped at 30 s) and stderr retry warnings, while still exiting immediately on non-recoverable auth or configuration errors. Fixes #74782. (#75059) Thanks @shashank-poola. - Plugins/onboarding: trust optional official plugin and web-search installs selected from the official catalog so npm security scanning treats them like other source-linked official install paths. Thanks @vincentkoc. 
diff --git a/src/plugins/update.test.ts b/src/plugins/update.test.ts index 446aa345fe2..c3446611716 100644 --- a/src/plugins/update.test.ts +++ b/src/plugins/update.test.ts @@ -1930,6 +1930,7 @@ describe("syncPluginsForUpdateChannel", () => { spec: "@openclaw/legacy-chat", mode: "update", expectedPluginId: "legacy-chat", + trustedSourceLinkedOfficialInstall: true, }), ); expect(result.changed).toBe(true); @@ -2075,6 +2076,7 @@ describe("syncPluginsForUpdateChannel", () => { spec: "@openclaw/legacy-chat", mode: "update", expectedPluginId: "legacy-chat", + trustedSourceLinkedOfficialInstall: true, }), ); expect(result.changed).toBe(true); diff --git a/src/plugins/update.ts b/src/plugins/update.ts index c20aca14198..e53c0b0afec 100644 --- a/src/plugins/update.ts +++ b/src/plugins/update.ts @@ -1391,6 +1391,7 @@ export async function syncPluginsForUpdateChannel(params: { spec: npmSpec, mode: "update", expectedPluginId: targetPluginId, + trustedSourceLinkedOfficialInstall: true, logger, }); } @@ -1399,6 +1400,7 @@ export async function syncPluginsForUpdateChannel(params: { spec: npmSpec, mode: "update", expectedPluginId: targetPluginId, + trustedSourceLinkedOfficialInstall: true, logger, }); }
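Review bot: in both `src/plugins/update.ts` hunks (the `@@ -1391` and `@@ -1399` call sites inside `syncPluginsForUpdateChannel`), `trustedSourceLinkedOfficialInstall: true` is passed unconditionally for whatever `npmSpec` resolves to, and the visible context does not show that `npmSpec` is restricted to OpenClaw-authored catalog entries at that point. Since the CHANGELOG entry says this flag makes npm security scanning treat the install as an official source-linked path, please either point to the upstream guard that guarantees `npmSpec` only ever comes from the official externalized-bundle mapping, or gate the flag on that check rather than hardcoding `true`, e.g. `trustedSourceLinkedOfficialInstall: isOfficialExternalizedBridge(npmSpec)` (hypothetical helper name). A one-line comment above each call site stating why the scanner is bypassed here would also help the next reader.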
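Review bot: the two `src/plugins/update.test.ts` hunks (`@@ -1930` and `@@ -2075`) only extend the existing positive assertions with `trustedSourceLinkedOfficialInstall: true` for `@openclaw/legacy-chat`; there is no negative case asserting that a spec outside the official externalized set is installed without the trusted flag. Consider adding one such test so a future change to the spec resolution cannot silently widen the scanner exemption.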