diff --git a/CHANGELOG.md b/CHANGELOG.md
index f494a3f29ab..3042ffd4df2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ Docs: https://docs.openclaw.ai
 - Agents/ACP: skip the `sessions_send` A2A ping-pong flow when a parent sends to its own background oneshot ACP child, preventing parent/child echo loops while preserving normal A2A delivery for non-parent senders. (#69817) Thanks @scotthuang.
 - Agents/subagents: stop terminal failed subagent runs from freezing or announcing captured reply text, so failover-exhausted runs report a clean failure instead of replaying stale assistant/tool output.
 - Security/external content: strip common self-hosted LLM chat-template special-token literals, including Qwen/ChatML, Llama, Gemma, Mistral, Phi, and GPT-OSS markers, from wrapped external content and metadata, preventing tokenizer-layer role-boundary spoofing against OpenAI-compatible backends that preserve special tokens in user text.
+- npm/install: mirror the `node-domexception` alias into root `package.json` `overrides`, so npm installs stop surfacing the deprecated `google-auth-library -> gaxios -> node-fetch -> fetch-blob -> node-domexception` chain pulled through Pi/Google runtime deps. Thanks @vincentkoc.
 - Auth/commands: require owner identity (an owner-candidate match or internal `operator.admin`) for owner-enforced commands instead of treating wildcard channel `allowFrom` or empty owner-candidate lists as sufficient, so non-owner senders can no longer reach owner-only commands through a permissive fallback when `enforceOwnerForCommands=true` and `commands.ownerAllowFrom` is unset. (#69774) Thanks @drobison00.
 - Control UI/CSP: tighten `img-src` to `'self' data:` only, and make Control UI avatar helpers drop remote `http(s)` and protocol-relative URLs so the UI falls back to the built-in logo/badge instead of issuing arbitrary remote image fetches. Same-origin avatar routes (relative paths) and `data:image/...` avatars still render. 
(#69773) - CLI/channels: keep `status`, `health`, `channels list`, and `channels status` on read-only channel metadata when Telegram, Slack, Discord, or third-party channel plugins are configured, avoiding full bundled plugin runtime imports on those cold paths. Fixes #69042. (#69479) Thanks @gumadeiras.
diff --git a/package.json b/package.json
index 07abc45de2c..c25467daa3c 100644
--- a/package.json
+++ b/package.json
@@ -1606,7 +1606,8 @@
 },
 "overrides": {
 "axios": "1.15.0",
- "follow-redirects": "1.16.0"
+ "follow-redirects": "1.16.0",
+ "node-domexception": "npm:@nolyfill/domexception@1.0.28"
 },
 "engines": {
 "node": ">=22.14.0"
@@ -1629,7 +1630,7 @@
 "minimatch": "10.2.4",
 "path-to-regexp": "8.4.0",
 "qs": "6.14.2",
- "node-domexception": "npm:@nolyfill/domexception@^1.0.28",
+ "node-domexception": "npm:@nolyfill/domexception@1.0.28",
 "@sinclair/typebox": "0.34.49",
 "tar": "7.5.13",
 "tough-cookie": "4.1.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 2d2d259a2b9..fcc7e27dd9a 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -20,7 +20,7 @@ overrides:
 minimatch: 10.2.4
 path-to-regexp: 8.4.0
 qs: 6.14.2
- node-domexception: npm:@nolyfill/domexception@^1.0.28
+ node-domexception: npm:@nolyfill/domexception@1.0.28
 '@sinclair/typebox': 0.34.49
 tar: 7.5.13
 tough-cookie: 4.1.3
diff --git a/test/scripts/root-package-overrides.test.ts b/test/scripts/root-package-overrides.test.ts
new file mode 100644
index 00000000000..86c0961ad2f
--- /dev/null
+++ b/test/scripts/root-package-overrides.test.ts
@@ -0,0 +1,25 @@
+import fs from "node:fs";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+
+type RootPackageManifest = {
+ overrides?: Record;
+ pnpm?: {
+ overrides?: Record;
+ };
+};
+
+function readRootManifest(): RootPackageManifest {
+ const manifestPath = path.resolve(process.cwd(), "package.json");
+ return JSON.parse(fs.readFileSync(manifestPath, "utf8")) as RootPackageManifest;
+}
+
+describe("root package override guardrails", () => {
+ it("pins the node-domexception alias exactly in npm and pnpm overrides", () => {
+ const manifest = readRootManifest();
+ const pnpmOverride = manifest.pnpm?.overrides?.["node-domexception"];
+
+ expect(pnpmOverride).toBe("npm:@nolyfill/domexception@1.0.28");
+ expect(manifest.overrides?.["node-domexception"]).toBe(pnpmOverride);
+ });
+});
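Review bot: `readRootManifest` resolves `package.json` from `process.cwd()`, so this guardrail reads a different manifest (or fails with ENOENT) whenever vitest is launched from a workspace subdirectory instead of the repo root; resolving from the test file's own location is cwd-independent, e.g. `import { fileURLToPath } from "node:url";` and `const manifestPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "../..", "package.json");`. The `as RootPackageManifest` cast also means a manifest whose `overrides` is not an object surfaces as an `undefined`-vs-string mismatch rather than a clear failure; a one-line `expect(manifest.overrides).toBeTypeOf("object");` before the alias assertions makes that failure mode explicit. Since the intent is keeping npm `overrides` and `pnpm.overrides` in sync, consider asserting equality for every key present in both maps rather than only `node-domexception`, so the next mirrored override cannot drift unnoticed. The `Record` types in `RootPackageManifest` appear here without type arguments, presumably an extraction artifact of `Record<string, string>`; if the committed file really lacks them it will not compile.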