Infra: require explicit opt-in for prerelease npm installs (#38117)

* Infra: tighten npm registry spec parsing * Infra: block implicit prerelease npm installs * Plugins: cover prerelease install policy * Infra: add npm registry spec tests * Hooks: cover prerelease install policy * Docs: clarify plugin guide version policy * Docs: clarify plugin install version policy * Docs: clarify hooks install version policy * Docs: clarify hook pack version policy
2026-04-30 20:00:21 +00:00 · 2026-03-06 11:13:30 -05:00
parent a274ef929f
commit f392b81e95
9 changed files with 337 additions and 25 deletions
--- a/docs/cli/hooks.md
+++ b/docs/cli/hooks.md
@@ -193,8 +193,13 @@ openclaw hooks install <npm-spec> --pin

 Install a hook pack from a local folder/archive or npm.

-Npm specs are **registry-only** (package name + optional version/tag). Git/URL/file
-specs are rejected. Dependency installs run with `--ignore-scripts` for safety.
+Npm specs are **registry-only** (package name + optional **exact version** or
+**dist-tag**). Git/URL/file specs and semver ranges are rejected. Dependency
+installs run with `--ignore-scripts` for safety.
+
+Bare specs and `@latest` stay on the stable track. If npm resolves either of
+those to a prerelease, OpenClaw stops and asks you to opt in explicitly with a
+prerelease tag such as `@beta`/`@rc` or an exact prerelease version.

 **What it does:**