From c5b559d4ee32ef1d995f767ab7e435ff0b7df18d Mon Sep 17 00:00:00 2001
From: Simone
Date: Sun, 3 May 2026 18:50:31 +0200
Subject: [PATCH] fix(plugins): keep npm bridge updates scanned (#76765)
Keep externalized bundled npm bridge updates on the normal plugin security scanner path instead of granting source-linked official trust without artifact provenance. Thanks @Lucenx9.
---
 CHANGELOG.md | 1 +
 src/plugins/update.test.ts | 8 ++++++++
 src/plugins/update.ts | 2 --
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 725aa48dd9e..fbbd683b44b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -201,6 +201,7 @@ Docs: https://docs.openclaw.ai
 - Agents/fallback: suppress duplicate current-turn user-message transcript writes after embedded fallback retries while still sending the retry prompt to the model. (#63696) Thanks @dashhuang.
 - Channels/Telegram: force a fresh final message when a visible non-preview bubble (tool/block/error) was delivered after the active answer preview, so multi-step assistant replies no longer end up with the final answer above intermediate output. Fixes #76529. Thanks @jack-stormentswe.
 - Channels/Telegram: require an observed Telegram send, edit, or fallback before treating a forum-topic final as delivered, so final replies generated in transcript no longer disappear from Telegram topics. Fixes #76554. (#76764) Thanks @bubucilo and @obviyus.
+- Plugins/update: keep externalized bundled npm bridge updates on the normal plugin security scanner path instead of granting source-linked official trust without artifact provenance. (#76765) Thanks @Lucenx9.
 ## 2026.5.2
diff --git a/src/plugins/update.test.ts b/src/plugins/update.test.ts
index 5cf68248ef4..0edabb9fbf6 100644
--- a/src/plugins/update.test.ts
+++ b/src/plugins/update.test.ts
@@ -2004,6 +2004,10 @@ describe("syncPluginsForUpdateChannel", () => {
 spec: "@openclaw/legacy-chat",
 mode: "update",
 expectedPluginId: "legacy-chat",
+ }),
+ );
+ expect(installPluginFromNpmSpecMock).not.toHaveBeenCalledWith(
+ expect.objectContaining({
 trustedSourceLinkedOfficialInstall: true,
 }),
 );
@@ -2150,6 +2154,10 @@ describe("syncPluginsForUpdateChannel", () => {
 spec: "@openclaw/legacy-chat",
 mode: "update",
 expectedPluginId: "legacy-chat",
+ }),
+ );
+ expect(installPluginFromNpmSpecMock).not.toHaveBeenCalledWith(
+ expect.objectContaining({
 trustedSourceLinkedOfficialInstall: true,
 }),
 );
diff --git a/src/plugins/update.ts b/src/plugins/update.ts
index d8e3e3e2256..bc715192e55 100644
--- a/src/plugins/update.ts
+++ b/src/plugins/update.ts
@@ -1435,7 +1435,6 @@ export async function syncPluginsForUpdateChannel(params: {
 spec: npmSpec,
 mode: "update",
 expectedPluginId: targetPluginId,
- trustedSourceLinkedOfficialInstall: true,
 logger,
 });
 }
@@ -1444,7 +1443,6 @@ export async function syncPluginsForUpdateChannel(params: {
 spec: npmSpec,
 mode: "update",
 expectedPluginId: targetPluginId,
- trustedSourceLinkedOfficialInstall: true,
 logger,
 });
 }
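Review bot: The new `not.toHaveBeenCalledWith(expect.objectContaining({ trustedSourceLinkedOfficialInstall: true }))` assertion in both `syncPluginsForUpdateChannel` tests (this hunk and the one at 2150) shows only that the mocked installer was not handed the trust flag. Because `installPluginFromNpmSpecMock` stands in for the real install, neither test shows that the update actually goes through the plugin security scanner. I would state the intent above the assertion so the flag is not re-added later as a convenience, e.g. `// npm bridge updates carry no artifact provenance: they must not be marked trusted and bypass the plugin security scan`. The four added lines are identical in both tests and could live in one local helper so the two cases cannot drift apart. Both test bodies start and end outside the hunks.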