vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 21:20:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
36,942 Commits 1,843 Branches 149 Tags
d69eeeb2a82c6d7307bdcbde57b77ab9e25409ad
Commit Graph

83 Commits

Author SHA1 Message Date
Peter Steinberger
d69eeeb2a8 fix: skip test-only plugin install scan findings 2026-04-27 15:00:55 +01:00
Peter Steinberger
c3b3da41fe fix: allow trusted openclaw peer symlinks 2026-04-27 14:40:02 +01:00
Peter Steinberger
f337c9019c refactor: share plugin package entry resolution 2026-04-26 11:11:58 +01:00
Peter Steinberger
f33a812c07 fix: validate plugin package extension entries 2026-04-26 11:01:10 +01:00
Peter Steinberger
ee2ab9a644 fix(plugins): install optional plugin dependencies 2026-04-26 07:00:16 +01:00
Shakker
f5f4477bae fix: reject manifestless plugin archives 2026-04-26 04:16:33 +01:00
Peter Steinberger
e93b3f60fa fix: harden openclaw peer dependency installs (#70462) 2026-04-23 20:28:02 +01:00
Anish Kataria
44820f859e fix(plugin-sdk): scan dependency tree before materialising openclaw symlink 
The dependency-tree security scan rejects node_modules symlinks whose
targets resolve outside the install root. Our trusted host-to-plugin
symlink violates that rule by design, so running the scan AFTER
linkOpenClawPeerDependencies would fail every install with
SECURITY_SCAN_FAILED.

Reorder afterInstall so the scan runs first (walking only the plugin's
own staged source, catching any pre-existing malicious openclaw-named
symlink a source might smuggle in), then the trusted link is
materialised on the now-safe tree.

Also use braces on guard clauses in the new unit tests to satisfy the
oxlint no-unreachable-single-statement-if rule.
 2026-04-23 20:28:02 +01:00
Anish Kataria
56dd249a07 test(plugin-sdk): add unit tests for linkOpenClawPeerDependencies 
Tests three cases via installPluginFromDir:
- symlink created when peerDependencies declares openclaw
- no symlink when peer list is empty
- idempotent re-install replaces existing symlink
- warns and skips when host root cannot be resolved

Also removes the single-element Set in favour of a direct name
comparison (peerName === "openclaw"), and adds Closes #54428 to
address the same root cause in the weixin connector.

Closes #54428
 2026-04-23 20:28:02 +01:00
Vincent Koc
bb4498cef7 test(plugins): align unreadable manifest traversal failure code 2026-04-15 12:10:24 +01:00
Mason Huang
edfa074e0f Tests: align pnpm test expectations with main (#67001) 
Merged via squash.

Prepared head SHA: 29c8068053
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>
Reviewed-by: @hxy91819
 2026-04-15 18:31:23 +08:00
Gustavo Madeira Santana
82a2db71e8 refactor(qa): split Matrix QA into optional plugin (#66723) 
Merged via squash.

Prepared head SHA: 27241bd089
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-14 16:28:57 -04:00
Peter Steinberger
c9067b6520 fix: preserve scoped plugin symlink installs 2026-04-10 21:22:16 +01:00
Peter Steinberger
a6edccad3d test: align plugin install denylist expectations 2026-04-10 19:42:38 +01:00
Peter Steinberger
56468cdb06 fix: align plugin install denylist scan tests 2026-04-10 18:57:52 +01:00
Michael Appel
9f97ad857a fix(security): pin axios to 1.15.0 and add dependency denylist for plugin installs [AI-assisted] (#63891) 
* fix: address issue

* fix: address review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* Plugins: fix install security CI regressions

* Plugins: make manifest traversal linear

* Plugins: bound manifest security traversal

* Plugins: block denied node_modules package dirs

* Plugins: match node_modules case-insensitively

* Plugins: block denied package symlink paths

* Tests: normalize blocked symlink assertion

* Plugins: fail closed on unreadable denied paths

* Plugins: block denied node_modules file aliases

* Plugins: inspect node_modules symlink targets

* Plugins: preserve symlink target package paths

* fix: address PR review feedback

* chore(changelog): add axios pin and dependency denylist entry

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
 2026-04-10 11:20:05 -06:00
Vincent Koc
c9bc0dbe05 test(plugins): reuse suite temp root helper in install fixture tests 2026-04-06 05:54:29 +01:00
Gustavo Madeira Santana
9004ef65df Plugins: add install --force overwrite flag (#60544) 
Merged via squash.

Prepared head SHA: 28ae50b615
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
 2026-04-03 18:09:14 -04:00
Shakker
5b176c8cc5 test: split plugin install source coverage 2026-04-04 01:07:28 +09:00
joshavant
c22233d96c Revert "refactor(plugins): remove before_install hook" 2026-04-01 19:57:07 -05:00
ryanlee-gemini
fbe3ca4d7d fix(plugins): pass dangerouslyForceUnsafeInstall through archive and … (#58879) 
Merged via squash.

Prepared head SHA: 87eb27d902
Co-authored-by: ryanlee-gemini <181323138+ryanlee-gemini@users.noreply.github.com>
Co-authored-by: odysseus0 <8635094+odysseus0@users.noreply.github.com>
Reviewed-by: @odysseus0
 2026-04-01 02:52:01 -07:00
Vincent Koc
fcb802e826 refactor(plugins): remove before_install hook 2026-04-01 02:28:06 +09:00
Peter Steinberger
44b9936136 feat(plugins): add dangerous unsafe install override 2026-03-31 23:16:11 +09:00
Gustavo Madeira Santana
bbd495ed63 plugins: quiet scoped manifest id warnings 2026-03-30 19:35:09 -04:00
Jacob Tomlinson
7a953a5227 Plugins: block install when source scan fails (#57729) 
* Plugins: block unsafe install scan fallthrough

* Tests: normalize install scanner formatting

* Plugins: avoid duplicate scan failure messaging

* Plugins: preserve hook install block codes
 2026-03-30 15:36:08 +01:00
George Zhang
2607191d04 refactor(plugins): centralize before_install context shaping 2026-03-29 12:35:01 -07:00
George Zhang
b5d48d311c test(plugins): cover before_install policy metadata 2026-03-29 12:35:01 -07:00
George Zhang
ac3951d731 test(plugins): cover before_install install flows 2026-03-29 12:35:01 -07:00
Peter Steinberger
587e18cd3f chore: prepare 2026.3.28-beta.1 release 2026-03-28 22:24:51 +00:00
Peter Steinberger
8a24cbf450 chore: bump version to 2026.3.28 2026-03-28 22:05:21 +00:00
Peter Steinberger
de173f0e3e test: dedupe plugin utility install suites 2026-03-28 03:30:25 +00:00
Peter Steinberger
969294f8c5 test: dedupe plugin install and packaging suites 2026-03-28 03:00:51 +00:00
Peter Steinberger
72ba2b3653 chore: bump version metadata to 2026.3.27 2026-03-28 02:00:22 +00:00
Peter Steinberger
c8c669537f test: dedupe plugin contract and loader suites 2026-03-28 01:17:57 +00:00
Peter Steinberger
0b94382930 fix(plugins): prefer runtime version for host compatibility 2026-03-27 02:29:32 +00:00
Peter Steinberger
412a3eb1ac build: bump version to 2026.3.22 2026-03-22 11:58:33 -07:00
Peter Steinberger
04b283ffc2 fix: restore clawhub archive installs and gateway params 2026-03-22 18:31:52 +00:00
Peter Steinberger
ca986d05aa test: trim repeated archive install work 2026-03-22 18:05:44 +00:00
Peter Steinberger
1d2dff0c4e test: trim import-heavy startup paths 2026-03-22 16:34:09 +00:00
Vincent Koc
3ce5a8366a fix(plugins): enforce minimum host versions for installable plugins (#52094) 
* fix(plugins): enforce min host versions

* fix(plugins): tighten min host version validation

* chore(plugins): trim dead min host version code

* fix(plugins): handle malformed min host metadata

* fix(plugins): key manifest cache by host version
 2026-03-22 09:12:08 -07:00
Peter Steinberger
b70b7b0d94 test: trim more local test startup overhead 2026-03-22 09:35:36 +00:00
Peter Steinberger
94ec0d6aeb test: trim plugin-sdk import-heavy startup 2026-03-22 07:22:42 +00:00
Peter Steinberger
b2f9ab9a1f test: trim import-heavy startup paths 2026-03-22 05:59:46 +00:00
Peter Steinberger
d81772dbc7 test: trim import-heavy startup paths 2026-03-22 02:11:43 +00:00
Peter Steinberger
dd40741e18 feat(plugins): add compatible bundle support 2026-03-15 16:08:50 -07:00
Vincent Koc
8d44b16b7c Plugins: preserve scoped ids and reserve bundled duplicates (#47413) 
* Plugins: preserve scoped ids and reserve bundled duplicates

* Changelog: add plugin scoped id note

* Plugins: harden scoped install ids

* Plugins: reserve scoped install dirs

* Plugins: migrate legacy scoped update ids
 2026-03-15 09:07:10 -07:00
Vincent Koc
f392b81e95 Infra: require explicit opt-in for prerelease npm installs (#38117) 
* Infra: tighten npm registry spec parsing

* Infra: block implicit prerelease npm installs

* Plugins: cover prerelease install policy

* Infra: add npm registry spec tests

* Hooks: cover prerelease install policy

* Docs: clarify plugin guide version policy

* Docs: clarify plugin install version policy

* Docs: clarify hooks install version policy

* Docs: clarify hook pack version policy
 2026-03-06 11:13:30 -05:00
Peter Steinberger
90d8b40808 perf(test): simplify plugin install fixture archive loading 2026-03-03 01:09:07 +00:00
Peter Steinberger
4b3d9f4fb2 test(perf): trim fixture churn in install and cron suites 2026-03-03 00:20:46 +00:00
Peter Steinberger
6a42d09129 refactor: dedupe gateway config and infra flows 2026-03-03 00:15:14 +00:00