fix(install): mirror node-domexception override for npm (#69819)

* fix(install): mirror node-domexception override for npm

* docs(changelog): credit npm install override fix

* fix(install): pin domexception override exactly

* docs(changelog): drop leftover npm fix merge markers

* Update CHANGELOG.md
Vincent Koc
2026-04-21 14:45:05 -07:00
committed by GitHub
parent d1e3789e15
commit b5c4aaf2a7
4 changed files with 30 additions and 3 deletions


@@ -23,6 +23,7 @@ Docs: https://docs.openclaw.ai
- Agents/ACP: skip the `sessions_send` A2A ping-pong flow when a parent sends to its own background oneshot ACP child, preventing parent/child echo loops while preserving normal A2A delivery for non-parent senders. (#69817) Thanks @scotthuang.
- Agents/subagents: stop terminal failed subagent runs from freezing or announcing captured reply text, so failover-exhausted runs report a clean failure instead of replaying stale assistant/tool output.
- Security/external content: strip common self-hosted LLM chat-template special-token literals, including Qwen/ChatML, Llama, Gemma, Mistral, Phi, and GPT-OSS markers, from wrapped external content and metadata, preventing tokenizer-layer role-boundary spoofing against OpenAI-compatible backends that preserve special tokens in user text.
- npm/install: mirror the `node-domexception` alias into root `package.json` `overrides`, so npm installs stop surfacing the deprecated `google-auth-library -> gaxios -> node-fetch -> fetch-blob -> node-domexception` chain pulled through Pi/Google runtime deps. Thanks @vincentkoc.
- Auth/commands: require owner identity (an owner-candidate match or internal `operator.admin`) for owner-enforced commands instead of treating wildcard channel `allowFrom` or empty owner-candidate lists as sufficient, so non-owner senders can no longer reach owner-only commands through a permissive fallback when `enforceOwnerForCommands=true` and `commands.ownerAllowFrom` is unset. (#69774) Thanks @drobison00.
- Control UI/CSP: tighten `img-src` to `'self' data:` only, and make Control UI avatar helpers drop remote `http(s)` and protocol-relative URLs so the UI falls back to the built-in logo/badge instead of issuing arbitrary remote image fetches. Same-origin avatar routes (relative paths) and `data:image/...` avatars still render. (#69773)
- CLI/channels: keep `status`, `health`, `channels list`, and `channels status` on read-only channel metadata when Telegram, Slack, Discord, or third-party channel plugins are configured, avoiding full bundled plugin runtime imports on those cold paths. Fixes #69042. (#69479) Thanks @gumadeiras.


@@ -1606,7 +1606,8 @@
},
"overrides": {
"axios": "1.15.0",
"follow-redirects": "1.16.0"
"follow-redirects": "1.16.0",
"node-domexception": "npm:@nolyfill/domexception@1.0.28"
},
"engines": {
"node": ">=22.14.0"
@@ -1629,7 +1630,7 @@
"minimatch": "10.2.4",
"path-to-regexp": "8.4.0",
"qs": "6.14.2",
"node-domexception": "npm:@nolyfill/domexception@^1.0.28",
"node-domexception": "npm:@nolyfill/domexception@1.0.28",
"@sinclair/typebox": "0.34.49",
"tar": "7.5.13",
"tough-cookie": "4.1.3",
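Review bot: The new root `overrides` entry only takes effect when this `package.json` is the install root, because npm ignores `overrides` declared by installed dependencies. If the deprecation warning is meant to disappear for people installing the published package, that is worth verifying against a packed tarball rather than an in-repo `npm install`. The alias also swaps a transitive dependency for a package from a different publisher, and JSON leaves no room to say why, so the rationale lives only in the changelog entry. Pinning `1.0.28` exactly in both maps is the right call for an aliased package; only `pnpm-lock.yaml` changes in this commit, so on the npm path the exact version string appears to be the only thing fixing what gets resolved. Both hunks start and end mid-object.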

2
pnpm-lock.yaml generated

@@ -20,7 +20,7 @@ overrides:
minimatch: 10.2.4
path-to-regexp: 8.4.0
qs: 6.14.2
node-domexception: npm:@nolyfill/domexception@^1.0.28
node-domexception: npm:@nolyfill/domexception@1.0.28
'@sinclair/typebox': 0.34.49
tar: 7.5.13
tough-cookie: 4.1.3


@@ -0,0 +1,25 @@
import fs from "node:fs";
import path from "node:path";
import { describe, expect, it } from "vitest";
type RootPackageManifest = {
overrides?: Record<string, string>;
pnpm?: {
overrides?: Record<string, string>;
};
};
function readRootManifest(): RootPackageManifest {
const manifestPath = path.resolve(process.cwd(), "package.json");
return JSON.parse(fs.readFileSync(manifestPath, "utf8")) as RootPackageManifest;
}
describe("root package override guardrails", () => {
it("pins the node-domexception alias exactly in npm and pnpm overrides", () => {
const manifest = readRootManifest();
const pnpmOverride = manifest.pnpm?.overrides?.["node-domexception"];
expect(pnpmOverride).toBe("npm:@nolyfill/domexception@1.0.28");
expect(manifest.overrides?.["node-domexception"]).toBe(pnpmOverride);
});
});
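Review bot: The guard in `it(...)` compares only the `node-domexception` key, so drift between `overrides` and `pnpm.overrides` for the other pinned entries visible in package.json (`axios`, `follow-redirects`) would go unnoticed. If every npm override is meant to be mirrored, which the page does not show, a loop such as `for (const [name, spec] of Object.entries(manifest.overrides ?? {})) expect(manifest.pnpm?.overrides?.[name]).toBe(spec);` would cover them all. `readRootManifest` also resolves `package.json` from `process.cwd()`, so the test checks whichever manifest sits in the working directory; a one-line comment saying it must run from the repository root would make that assumption explicit.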