hcl
d193d15f17
fix(plugins): explain source-only package diagnostics (#77835) (#77842)
2026-05-05 17:43:13 -07:00
Vincent Koc
54300e5270
fix(plugins): quiet official npm install scan warnings
2026-05-04 02:40:55 -07:00
Vincent Koc
a9282f3571
fix(plugins): reject blank runtime entries
2026-05-04 01:41:20 -07:00
Peter Steinberger
59c523c6b5
fix: reject source-only plugin package installs
2026-05-03 16:48:46 +01:00
Peter Steinberger
23ac9ccfd5
test: add codex npm plugin Docker live proof
2026-05-02 20:08:48 +01:00
Peter Steinberger
5ac0ff1812
fix: install ClawHub package dependencies
2026-05-02 06:57:04 +01:00
Peter Steinberger
355680f1f2
fix: trust official ClawHub archive installs
2026-05-02 06:07:22 +01:00
Peter Steinberger
87f43ca88c
fix: trust official source-linked ClawHub plugins
2026-05-02 05:16:10 +01:00
Peter Steinberger
23fd8a90f9
refactor: simplify plugin module loading
2026-05-02 01:41:09 +01:00
Peter Steinberger
d2ae2a3fb0
fix(plugins): require declared runtime setup entries
2026-05-01 22:36:18 +01:00
Peter Steinberger
257a3c068d
refactor: simplify plugin dependency loading
2026-05-01 21:56:40 +01:00
Peter Steinberger
ed8f50f240
refactor: simplify plugin dependency handling
...
Simplify plugin installation and runtime loading around package-manager-owned dependencies, with Jiti reserved for local/TS fallback paths.
Also scans npm plugin install roots so hoisted transitive dependencies are covered by dependency denylist and node_modules symlink checks.
2026-05-01 21:32:22 +01:00
Vincent Koc
412434a450
test(plugins): extend external install contract coverage
2026-04-29 02:48:58 -07:00
Peter Steinberger
d69eeeb2a8
fix: skip test-only plugin install scan findings
2026-04-27 15:00:55 +01:00
Peter Steinberger
c3b3da41fe
fix: allow trusted openclaw peer symlinks
2026-04-27 14:40:02 +01:00
Peter Steinberger
f337c9019c
refactor: share plugin package entry resolution
2026-04-26 11:11:58 +01:00
Peter Steinberger
f33a812c07
fix: validate plugin package extension entries
2026-04-26 11:01:10 +01:00
Peter Steinberger
ee2ab9a644
fix(plugins): install optional plugin dependencies
2026-04-26 07:00:16 +01:00
Shakker
f5f4477bae
fix: reject manifestless plugin archives
2026-04-26 04:16:33 +01:00
Peter Steinberger
e93b3f60fa
fix: harden openclaw peer dependency installs (#70462)
2026-04-23 20:28:02 +01:00
Anish Kataria
44820f859e
fix(plugin-sdk): scan dependency tree before materialising openclaw symlink
...
The dependency-tree security scan rejects node_modules symlinks whose
targets resolve outside the install root. Our trusted host-to-plugin
symlink violates that rule by design, so running the scan AFTER
linkOpenClawPeerDependencies would fail every install with
SECURITY_SCAN_FAILED.
Reorder afterInstall so the scan runs first (walking only the plugin's
own staged source, catching any pre-existing malicious openclaw-named
symlink a source might smuggle in), then the trusted link is
materialised on the now-safe tree.
Also use braces on guard clauses in the new unit tests to satisfy the
oxlint no-unreachable-single-statement-if rule.
2026-04-23 20:28:02 +01:00
Anish Kataria
56dd249a07
test(plugin-sdk): add unit tests for linkOpenClawPeerDependencies
...
Tests three cases via installPluginFromDir:
- symlink created when peerDependencies declares openclaw
- no symlink when peer list is empty
- idempotent re-install replaces existing symlink
- warns and skips when host root cannot be resolved
Also removes the single-element Set in favour of a direct name
comparison (peerName === "openclaw"), and adds Closes #54428 to
address the same root cause in the weixin connector.
Closes #54428
2026-04-23 20:28:02 +01:00
Vincent Koc
bb4498cef7
test(plugins): align unreadable manifest traversal failure code
2026-04-15 12:10:24 +01:00
Mason Huang
edfa074e0f
Tests: align pnpm test expectations with main (#67001)
...
Merged via squash.
Prepared head SHA: 29c8068053
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>
Reviewed-by: @hxy91819
2026-04-15 18:31:23 +08:00
Gustavo Madeira Santana
82a2db71e8
refactor(qa): split Matrix QA into optional plugin (#66723)
...
Merged via squash.
Prepared head SHA: 27241bd089
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-04-14 16:28:57 -04:00
Peter Steinberger
c9067b6520
fix: preserve scoped plugin symlink installs
2026-04-10 21:22:16 +01:00
Peter Steinberger
a6edccad3d
test: align plugin install denylist expectations
2026-04-10 19:42:38 +01:00
Peter Steinberger
56468cdb06
fix: align plugin install denylist scan tests
2026-04-10 18:57:52 +01:00
Michael Appel
9f97ad857a
fix(security): pin axios to 1.15.0 and add dependency denylist for plugin installs [AI-assisted] (#63891)
...
* fix: address issue
* fix: address review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* fix: address PR review feedback
* Plugins: fix install security CI regressions
* Plugins: make manifest traversal linear
* Plugins: bound manifest security traversal
* Plugins: block denied node_modules package dirs
* Plugins: match node_modules case-insensitively
* Plugins: block denied package symlink paths
* Tests: normalize blocked symlink assertion
* Plugins: fail closed on unreadable denied paths
* Plugins: block denied node_modules file aliases
* Plugins: inspect node_modules symlink targets
* Plugins: preserve symlink target package paths
* fix: address PR review feedback
* chore(changelog): add axios pin and dependency denylist entry
---------
Co-authored-by: Devin Robison <drobison@nvidia.com>
2026-04-10 11:20:05 -06:00
Vincent Koc
c9bc0dbe05
test(plugins): reuse suite temp root helper in install fixture tests
2026-04-06 05:54:29 +01:00
Gustavo Madeira Santana
9004ef65df
Plugins: add install --force overwrite flag (#60544)
...
Merged via squash.
Prepared head SHA: 28ae50b615
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-04-03 18:09:14 -04:00
Shakker
5b176c8cc5
test: split plugin install source coverage
2026-04-04 01:07:28 +09:00
joshavant
c22233d96c
Revert "refactor(plugins): remove before_install hook"
2026-04-01 19:57:07 -05:00
ryanlee-gemini
fbe3ca4d7d
fix(plugins): pass dangerouslyForceUnsafeInstall through archive and … (#58879)
...
Merged via squash.
Prepared head SHA: 87eb27d902
Co-authored-by: ryanlee-gemini <181323138+ryanlee-gemini@users.noreply.github.com>
Co-authored-by: odysseus0 <8635094+odysseus0@users.noreply.github.com>
Reviewed-by: @odysseus0
2026-04-01 02:52:01 -07:00
Vincent Koc
fcb802e826
refactor(plugins): remove before_install hook
2026-04-01 02:28:06 +09:00
Peter Steinberger
44b9936136
feat(plugins): add dangerous unsafe install override
2026-03-31 23:16:11 +09:00
Gustavo Madeira Santana
bbd495ed63
plugins: quiet scoped manifest id warnings
2026-03-30 19:35:09 -04:00
Jacob Tomlinson
7a953a5227
Plugins: block install when source scan fails (#57729)
...
* Plugins: block unsafe install scan fallthrough
* Tests: normalize install scanner formatting
* Plugins: avoid duplicate scan failure messaging
* Plugins: preserve hook install block codes
2026-03-30 15:36:08 +01:00
George Zhang
2607191d04
refactor(plugins): centralize before_install context shaping
2026-03-29 12:35:01 -07:00
George Zhang
b5d48d311c
test(plugins): cover before_install policy metadata
2026-03-29 12:35:01 -07:00
George Zhang
ac3951d731
test(plugins): cover before_install install flows
2026-03-29 12:35:01 -07:00
Peter Steinberger
587e18cd3f
chore: prepare 2026.3.28-beta.1 release
2026-03-28 22:24:51 +00:00
Peter Steinberger
8a24cbf450
chore: bump version to 2026.3.28
2026-03-28 22:05:21 +00:00
Peter Steinberger
de173f0e3e
test: dedupe plugin utility install suites
2026-03-28 03:30:25 +00:00
Peter Steinberger
969294f8c5
test: dedupe plugin install and packaging suites
2026-03-28 03:00:51 +00:00
Peter Steinberger
72ba2b3653
chore: bump version metadata to 2026.3.27
2026-03-28 02:00:22 +00:00
Peter Steinberger
c8c669537f
test: dedupe plugin contract and loader suites
2026-03-28 01:17:57 +00:00
Peter Steinberger
0b94382930
fix(plugins): prefer runtime version for host compatibility
2026-03-27 02:29:32 +00:00
Peter Steinberger
412a3eb1ac
build: bump version to 2026.3.22
2026-03-22 11:58:33 -07:00
Peter Steinberger
04b283ffc2
fix: restore clawhub archive installs and gateway params
2026-03-22 18:31:52 +00:00