fix(plugins): keep npm bridge updates scanned (#76765)

Keep externalized bundled npm bridge updates on the normal plugin security scanner path instead of granting source-linked official trust without artifact provenance. Thanks @Lucenx9.
2026-05-06 05:40:44 +00:00 · 2026-05-03 18:50:31 +02:00
parent 4e82cacc84
commit c5b559d4ee
3 changed files with 9 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -201,6 +201,7 @@ Docs: https://docs.openclaw.ai
 - Agents/fallback: suppress duplicate current-turn user-message transcript writes after embedded fallback retries while still sending the retry prompt to the model. (#63696) Thanks @dashhuang.
 - Channels/Telegram: force a fresh final message when a visible non-preview bubble (tool/block/error) was delivered after the active answer preview, so multi-step assistant replies no longer end up with the final answer above intermediate output. Fixes #76529. Thanks @jack-stormentswe.
 - Channels/Telegram: require an observed Telegram send, edit, or fallback before treating a forum-topic final as delivered, so final replies generated in transcript no longer disappear from Telegram topics. Fixes #76554. (#76764) Thanks @bubucilo and @obviyus.
+- Plugins/update: keep externalized bundled npm bridge updates on the normal plugin security scanner path instead of granting source-linked official trust without artifact provenance. (#76765) Thanks @Lucenx9.

 ## 2026.5.2

--- a/src/plugins/update.test.ts
+++ b/src/plugins/update.test.ts
@@ -2004,6 +2004,10 @@ describe("syncPluginsForUpdateChannel", () => {
        spec: "@openclaw/legacy-chat",
        mode: "update",
        expectedPluginId: "legacy-chat",
+      }),
+    );
+    expect(installPluginFromNpmSpecMock).not.toHaveBeenCalledWith(
+      expect.objectContaining({
        trustedSourceLinkedOfficialInstall: true,
      }),
    );
@@ -2150,6 +2154,10 @@ describe("syncPluginsForUpdateChannel", () => {
        spec: "@openclaw/legacy-chat",
        mode: "update",
        expectedPluginId: "legacy-chat",
+      }),
+    );
+    expect(installPluginFromNpmSpecMock).not.toHaveBeenCalledWith(
+      expect.objectContaining({
        trustedSourceLinkedOfficialInstall: true,
      }),
    );
--- a/src/plugins/update.ts
+++ b/src/plugins/update.ts
@@ -1435,7 +1435,6 @@ export async function syncPluginsForUpdateChannel(params: {
            spec: npmSpec,
            mode: "update",
            expectedPluginId: targetPluginId,
-            trustedSourceLinkedOfficialInstall: true,
            logger,
          });
        }
@@ -1444,7 +1443,6 @@ export async function syncPluginsForUpdateChannel(params: {
          spec: npmSpec,
          mode: "update",
          expectedPluginId: targetPluginId,
-          trustedSourceLinkedOfficialInstall: true,
          logger,
        });
      }