fix(plugins): keep npm bridge updates scanned (#76765)

Keep externalized bundled npm bridge updates on the normal plugin security scanner path instead of granting source-linked official trust without artifact provenance. Thanks @Lucenx9.
2026-05-09 05:50:43 +00:00 · 2026-05-03 18:50:31 +02:00
parent 4e82cacc84
commit c5b559d4ee
3 changed files with 9 additions and 2 deletions
--- a/src/plugins/update.test.ts
+++ b/src/plugins/update.test.ts
@@ -2004,6 +2004,10 @@ describe("syncPluginsForUpdateChannel", () => {
        spec: "@openclaw/legacy-chat",
        mode: "update",
        expectedPluginId: "legacy-chat",
+      }),
+    );
+    expect(installPluginFromNpmSpecMock).not.toHaveBeenCalledWith(
+      expect.objectContaining({
        trustedSourceLinkedOfficialInstall: true,
      }),
    );
@@ -2150,6 +2154,10 @@ describe("syncPluginsForUpdateChannel", () => {
        spec: "@openclaw/legacy-chat",
        mode: "update",
        expectedPluginId: "legacy-chat",
+      }),
+    );
+    expect(installPluginFromNpmSpecMock).not.toHaveBeenCalledWith(
+      expect.objectContaining({
        trustedSourceLinkedOfficialInstall: true,
      }),
    );
--- a/src/plugins/update.ts
+++ b/src/plugins/update.ts
@@ -1435,7 +1435,6 @@ export async function syncPluginsForUpdateChannel(params: {
            spec: npmSpec,
            mode: "update",
            expectedPluginId: targetPluginId,
-            trustedSourceLinkedOfficialInstall: true,
            logger,
          });
        }
@@ -1444,7 +1443,6 @@ export async function syncPluginsForUpdateChannel(params: {
          spec: npmSpec,
          mode: "update",
          expectedPluginId: targetPluginId,
-          trustedSourceLinkedOfficialInstall: true,
          logger,
        });
      }