Infra: require explicit opt-in for prerelease npm installs (#38117)

* Infra: tighten npm registry spec parsing * Infra: block implicit prerelease npm installs * Plugins: cover prerelease install policy * Infra: add npm registry spec tests * Hooks: cover prerelease install policy * Docs: clarify plugin guide version policy * Docs: clarify plugin install version policy * Docs: clarify hooks install version policy * Docs: clarify hook pack version policy
2026-05-04 18:10:22 +00:00 · 2026-03-06 11:13:30 -05:00
parent a274ef929f
commit f392b81e95
9 changed files with 337 additions and 25 deletions
--- a/src/hooks/install.test.ts
+++ b/src/hooks/install.test.ts
@@ -409,6 +409,28 @@ describe("installHooksFromNpmSpec", () => {
      actualIntegrity: "sha512-new",
    });
  });
+
+  it("rejects bare npm specs that resolve to prerelease versions", async () => {
+    const run = vi.mocked(runCommandWithTimeout);
+    mockNpmPackMetadataResult(run, {
+      id: "@openclaw/test-hooks@0.0.2-beta.1",
+      name: "@openclaw/test-hooks",
+      version: "0.0.2-beta.1",
+      filename: "test-hooks-0.0.2-beta.1.tgz",
+      integrity: "sha512-beta",
+      shasum: "betashasum",
+    });
+
+    const result = await installHooksFromNpmSpec({
+      spec: "@openclaw/test-hooks",
+      logger: { info: () => {}, warn: () => {} },
+    });
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toContain("prerelease version 0.0.2-beta.1");
+      expect(result.error).toContain('"@openclaw/test-hooks@beta"');
+    }
+  });
 });

 describe("gmail watcher", () => {