diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed27f6ac8c6..e8d60cc0ab6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,6 +62,7 @@ Docs: https://docs.openclaw.ai
 - Codex app-server: enable Codex native code-mode-only for harness threads so deferred OpenClaw dynamic tools run through Codex's own searchable code execution surface instead of a PI-style wrapper.
 - Dependencies: refresh workspace pins and patch targets, including ACPX `@agentclientprotocol/claude-agent-acp` `0.33.1`, Codex ACP `0.14.0`, Baileys `7.0.0-rc10`, Google GenAI `2.0.1`, OpenAI `6.37.0`, AWS SDK `3.1045.0`, Kysely `0.29.0`, Tlon skill `0.3.6`, Aimock `1.19.5`, and tsdown `0.22.0`.
 - Dependencies: refresh workspace pins for Anthropic SDK, Smithy shared ini loading, Playwright, YAML, Aimock, TypeScript native preview, Vitest, Oxlint/Oxfmt, Vite, and pnpm 11.1.0.
+- Dependencies: hard-pin non-peer direct dependency specs across bundled packages and add a changed-check guard so runtime installs resolve the exact versions tested by maintainers.
 - Dependencies: move embedded Pi packages to the `@earendil-works` namespace, refresh Twitch Twurple packages, and move `@openclaw/fs-safe` from the GitHub release pin to the published npm package.
 - Build: route Testbox changed-check delegation through Crabbox and remove the OpenClaw-specific Blacksmith Testbox helper scripts.
 - Agents/compaction: preserve scoped background exec/process session references across embedded compaction and after-turn runtime contexts without exposing sessions from unrelated scopes. Fixes #79284. (#79307) Thanks @TurboTheTurtle.
diff --git a/extensions/acpx/package.json b/extensions/acpx/package.json
index 3a0739cc0f8..c516752265a 100644
--- a/extensions/acpx/package.json
+++ b/extensions/acpx/package.json
@@ -11,7 +11,7 @@
 "@agentclientprotocol/claude-agent-acp": "0.33.1",
 "@zed-industries/codex-acp": "0.14.0",
 "acpx": "0.7.0",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/amazon-bedrock-mantle/package.json b/extensions/amazon-bedrock-mantle/package.json
index 5fd353a418f..0aecab94f37 100644
--- a/extensions/amazon-bedrock-mantle/package.json
+++ b/extensions/amazon-bedrock-mantle/package.json
@@ -6,7 +6,7 @@
 "type": "module",
 "dependencies": {
 "@anthropic-ai/sdk": "0.95.2",
- "@aws/bedrock-token-generator": "^1.1.0",
+ "@aws/bedrock-token-generator": "1.1.0",
 "@earendil-works/pi-ai": "0.74.0"
 },
 "devDependencies": {
diff --git a/extensions/anthropic-vertex/package.json b/extensions/anthropic-vertex/package.json
index db7d28c4047..93d012175b8 100644
--- a/extensions/anthropic-vertex/package.json
+++ b/extensions/anthropic-vertex/package.json
@@ -5,7 +5,7 @@
 "description": "OpenClaw Anthropic Vertex provider plugin",
 "type": "module",
 "dependencies": {
- "@anthropic-ai/vertex-sdk": "^0.16.0",
+ "@anthropic-ai/vertex-sdk": "0.16.0",
 "@earendil-works/pi-agent-core": "0.74.0",
 "@earendil-works/pi-ai": "0.74.0"
 },
diff --git a/extensions/bonjour/package.json b/extensions/bonjour/package.json
index d20912de4e1..3ad56bfd2bb 100644
--- a/extensions/bonjour/package.json
+++ b/extensions/bonjour/package.json
@@ -4,7 +4,7 @@
 "description": "OpenClaw Bonjour/mDNS gateway discovery",
 "type": "module",
 "dependencies": {
- "@homebridge/ciao": "^1.3.8"
+ "@homebridge/ciao": "1.3.8"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/browser/package.json b/extensions/browser/package.json
index 2b06f5d0de9..757307c8c8c 100644
--- a/extensions/browser/package.json
+++ b/extensions/browser/package.json
@@ -6,11 +6,11 @@
 "type": "module",
 "dependencies": {
 "@modelcontextprotocol/sdk": "1.29.0",
- "commander": "^14.0.3",
+ "commander": "14.0.3",
 "express": "5.2.1",
 "playwright-core": "1.60.0",
 "typebox": "1.1.38",
- "ws": "^8.20.0"
+ "ws": "8.20.0"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/canvas/package.json b/extensions/canvas/package.json
index 4cfe74bee8f..445a1c7f9ef 100644
--- a/extensions/canvas/package.json
+++ b/extensions/canvas/package.json
@@ -9,11 +9,11 @@
 },
 "dependencies": {
 "@a2ui/lit": "0.9.3",
- "@lit/context": "^1.1.6",
- "chokidar": "^5.0.0",
- "lit": "^3.3.2",
+ "@lit/context": "1.1.6",
+ "chokidar": "5.0.0",
+ "lit": "3.3.2",
 "typebox": "1.1.38",
- "ws": "^8.20.0"
+ "ws": "8.20.0"
 },
 "openclaw": {
 "extensions": [
diff --git a/extensions/clickclack/package.json b/extensions/clickclack/package.json
index 73ba1f0001d..1ab76402dbf 100644
--- a/extensions/clickclack/package.json
+++ b/extensions/clickclack/package.json
@@ -10,8 +10,8 @@
 "./runtime-api.js": "./runtime-api.ts"
 },
 "dependencies": {
- "ws": "^8.20.0",
- "zod": "^4.4.3"
+ "ws": "8.20.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/codex/package.json b/extensions/codex/package.json
index 12f95543c90..5bc4eccc9ae 100644
--- a/extensions/codex/package.json
+++ b/extensions/codex/package.json
@@ -10,9 +10,9 @@
 "dependencies": {
 "@earendil-works/pi-coding-agent": "0.74.0",
 "@openai/codex": "0.130.0",
- "ajv": "^8.20.0",
- "ws": "^8.20.0",
- "zod": "^4.4.3"
+ "ajv": "8.20.0",
+ "ws": "8.20.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/diagnostics-otel/package.json b/extensions/diagnostics-otel/package.json
index 07c9e2a8302..6ebef42e89b 100644
--- a/extensions/diagnostics-otel/package.json
+++ b/extensions/diagnostics-otel/package.json
@@ -8,17 +8,17 @@
 },
 "type": "module",
 "dependencies": {
- "@opentelemetry/api": "^1.9.1",
- "@opentelemetry/api-logs": "^0.217.0",
- "@opentelemetry/exporter-logs-otlp-proto": "^0.217.0",
- "@opentelemetry/exporter-metrics-otlp-proto": "^0.217.0",
- "@opentelemetry/exporter-trace-otlp-proto": "^0.217.0",
- "@opentelemetry/resources": "^2.7.1",
- "@opentelemetry/sdk-logs": "^0.217.0",
- "@opentelemetry/sdk-metrics": "^2.7.1",
- "@opentelemetry/sdk-node": "^0.217.0",
- "@opentelemetry/sdk-trace-base": "^2.7.1",
- "@opentelemetry/semantic-conventions": "^1.40.0"
+ "@opentelemetry/api": "1.9.1",
+ "@opentelemetry/api-logs": "0.217.0",
+ "@opentelemetry/exporter-logs-otlp-proto": "0.217.0",
+ "@opentelemetry/exporter-metrics-otlp-proto": "0.217.0",
+ "@opentelemetry/exporter-trace-otlp-proto": "0.217.0",
+ "@opentelemetry/resources": "2.7.1",
+ "@opentelemetry/sdk-logs": "0.217.0",
+ "@opentelemetry/sdk-metrics": "2.7.1",
+ "@opentelemetry/sdk-node": "0.217.0",
+ "@opentelemetry/sdk-trace-base": "2.7.1",
+ "@opentelemetry/semantic-conventions": "1.40.0"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/diffs/package.json b/extensions/diffs/package.json
index 39584de4d90..0837a4bc27a 100644
--- a/extensions/diffs/package.json
+++ b/extensions/diffs/package.json
@@ -15,7 +15,7 @@
 "@pierre/theme": "0.0.29",
 "playwright-core": "1.60.0",
 "typebox": "1.1.38",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/discord/package.json b/extensions/discord/package.json
index 476ac3ae687..fd55e4016fc 100644
--- a/extensions/discord/package.json
+++ b/extensions/discord/package.json
@@ -8,13 +8,13 @@
 },
 "type": "module",
 "dependencies": {
- "@discordjs/voice": "^0.19.2",
- "discord-api-types": "^0.38.47",
- "https-proxy-agent": "^9.0.0",
- "opusscript": "^0.1.1",
+ "@discordjs/voice": "0.19.2",
+ "discord-api-types": "0.38.47",
+ "https-proxy-agent": "9.0.0",
+ "opusscript": "0.1.1",
 "typebox": "1.1.38",
 "undici": "8.2.0",
- "ws": "^8.20.0"
+ "ws": "8.20.0"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/document-extract/package.json b/extensions/document-extract/package.json
index 9d5824c6bfc..030b237eaad 100644
--- a/extensions/document-extract/package.json
+++ b/extensions/document-extract/package.json
@@ -5,7 +5,7 @@
 "description": "OpenClaw local document extraction plugin",
 "type": "module",
 "dependencies": {
- "pdfjs-dist": "^5.7.284"
+ "pdfjs-dist": "5.7.284"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/feishu/package.json b/extensions/feishu/package.json
index 45d8fe299d6..409055934ec 100644
--- a/extensions/feishu/package.json
+++ b/extensions/feishu/package.json
@@ -8,9 +8,9 @@
 },
 "type": "module",
 "dependencies": {
- "@larksuiteoapi/node-sdk": "^1.63.1",
+ "@larksuiteoapi/node-sdk": "1.63.1",
 "typebox": "1.1.38",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/github-copilot/package.json b/extensions/github-copilot/package.json
index dffd6945886..e05691c51b1 100644
--- a/extensions/github-copilot/package.json
+++ b/extensions/github-copilot/package.json
@@ -5,7 +5,7 @@
 "description": "OpenClaw GitHub Copilot provider plugin",
 "type": "module",
 "dependencies": {
- "@clack/prompts": "^1.3.0"
+ "@clack/prompts": "1.3.0"
 },
 "devDependencies": {
 "@earendil-works/pi-ai": "0.74.0",
diff --git a/extensions/google-meet/package.json b/extensions/google-meet/package.json
index 17e2b2304a8..693c4907d1d 100644
--- a/extensions/google-meet/package.json
+++ b/extensions/google-meet/package.json
@@ -8,7 +8,7 @@
 },
 "type": "module",
 "dependencies": {
- "commander": "^14.0.3",
+ "commander": "14.0.3",
 "typebox": "1.1.38"
 },
 "devDependencies": {
diff --git a/extensions/google/package.json b/extensions/google/package.json
index c8d84f773fa..a6c52f84841 100644
--- a/extensions/google/package.json
+++ b/extensions/google/package.json
@@ -5,7 +5,7 @@
 "description": "OpenClaw Google plugin",
 "type": "module",
 "dependencies": {
- "@google/genai": "^2.0.1",
+ "@google/genai": "2.0.1",
 "@earendil-works/pi-ai": "0.74.0"
 },
 "devDependencies": {
diff --git a/extensions/googlechat/package.json b/extensions/googlechat/package.json
index f1cbc38c9d2..6b56f6cf859 100644
--- a/extensions/googlechat/package.json
+++ b/extensions/googlechat/package.json
@@ -10,7 +10,7 @@
 "dependencies": {
 "gaxios": "7.1.4",
 "google-auth-library": "10.6.2",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/irc/package.json b/extensions/irc/package.json
index e534307d005..ab94683d581 100644
--- a/extensions/irc/package.json
+++ b/extensions/irc/package.json
@@ -39,6 +39,6 @@
 }
 },
 "dependencies": {
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 }
 }
diff --git a/extensions/line/package.json b/extensions/line/package.json
index 8697d23ad8e..f61933fc863 100644
--- a/extensions/line/package.json
+++ b/extensions/line/package.json
@@ -8,8 +8,8 @@
 },
 "type": "module",
 "dependencies": {
- "@line/bot-sdk": "^11.0.0",
- "zod": "^4.4.3"
+ "@line/bot-sdk": "11.0.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/lobster/package.json b/extensions/lobster/package.json
index 407494bc875..19bfbe9973c 100644
--- a/extensions/lobster/package.json
+++ b/extensions/lobster/package.json
@@ -9,7 +9,7 @@
 "type": "module",
 "dependencies": {
 "@clawdbot/lobster": "2026.4.6",
- "ajv": "^8.20.0",
+ "ajv": "8.20.0",
 "typebox": "1.1.38"
 },
 "devDependencies": {
diff --git a/extensions/matrix/package.json b/extensions/matrix/package.json
index 73a2466f4df..fc42d811a6b 100644
--- a/extensions/matrix/package.json
+++ b/extensions/matrix/package.json
@@ -8,14 +8,14 @@
 },
 "type": "module",
 "dependencies": {
- "@matrix-org/matrix-sdk-crypto-nodejs": "^0.5.1",
+ "@matrix-org/matrix-sdk-crypto-nodejs": "0.5.1",
 "@matrix-org/matrix-sdk-crypto-wasm": "18.2.0",
- "fake-indexeddb": "^6.2.5",
+ "fake-indexeddb": "6.2.5",
 "markdown-it": "14.1.1",
 "matrix-js-sdk": "41.5.0-rc.0",
- "music-metadata": "^11.12.3",
+ "music-metadata": "11.12.3",
 "typebox": "1.1.38",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/mattermost/package.json b/extensions/mattermost/package.json
index 8eae5b2e5ac..9f5d0884d21 100644
--- a/extensions/mattermost/package.json
+++ b/extensions/mattermost/package.json
@@ -8,8 +8,8 @@
 },
 "type": "module",
 "dependencies": {
- "ws": "^8.20.0",
- "zod": "^4.4.3"
+ "ws": "8.20.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/media-understanding-core/package.json b/extensions/media-understanding-core/package.json
index 0b8edceb61f..706fa22cee5 100644
--- a/extensions/media-understanding-core/package.json
+++ b/extensions/media-understanding-core/package.json
@@ -5,7 +5,7 @@
 "description": "OpenClaw media understanding runtime package",
 "type": "module",
 "dependencies": {
- "sharp": "^0.34.5"
+ "sharp": "0.34.5"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/memory-core/package.json b/extensions/memory-core/package.json
index 320cd3bb8bc..7f6ce1e5bae 100644
--- a/extensions/memory-core/package.json
+++ b/extensions/memory-core/package.json
@@ -5,8 +5,8 @@
 "description": "OpenClaw core memory search plugin",
 "type": "module",
 "dependencies": {
- "chokidar": "^5.0.0",
- "json5": "^2.2.3",
+ "chokidar": "5.0.0",
+ "json5": "2.2.3",
 "typebox": "1.1.38"
 },
 "devDependencies": {
diff --git a/extensions/memory-lancedb/package.json b/extensions/memory-lancedb/package.json
index 81bc3c63e3a..63f0f1d07e9 100644
--- a/extensions/memory-lancedb/package.json
+++ b/extensions/memory-lancedb/package.json
@@ -8,9 +8,9 @@
 },
 "type": "module",
 "dependencies": {
- "@lancedb/lancedb": "^0.27.2",
+ "@lancedb/lancedb": "0.27.2",
 "apache-arrow": "18.1.0",
- "openai": "^6.37.0",
+ "openai": "6.37.0",
 "typebox": "1.1.38"
 },
 "devDependencies": {
diff --git a/extensions/memory-wiki/package.json b/extensions/memory-wiki/package.json
index 4aa1ffef2a7..d17769b59f9 100644
--- a/extensions/memory-wiki/package.json
+++ b/extensions/memory-wiki/package.json
@@ -6,8 +6,8 @@
 "type": "module",
 "dependencies": {
 "typebox": "1.1.38",
- "yaml": "^2.9.0",
- "zod": "^4.4.3"
+ "yaml": "2.9.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/microsoft/package.json b/extensions/microsoft/package.json
index 0ae85e53ab6..33df5b413f4 100644
--- a/extensions/microsoft/package.json
+++ b/extensions/microsoft/package.json
@@ -5,7 +5,7 @@
 "description": "OpenClaw Microsoft speech plugin",
 "type": "module",
 "dependencies": {
- "node-edge-tts": "^1.2.10"
+ "node-edge-tts": "1.2.10"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/migrate-hermes/package.json b/extensions/migrate-hermes/package.json
index e8b93d14f14..7976d0cee5a 100644
--- a/extensions/migrate-hermes/package.json
+++ b/extensions/migrate-hermes/package.json
@@ -5,7 +5,7 @@
 "description": "Hermes to OpenClaw migration provider",
 "type": "module",
 "dependencies": {
- "yaml": "^2.9.0"
+ "yaml": "2.9.0"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/msteams/package.json b/extensions/msteams/package.json
index d7262f47352..005a410dcc3 100644
--- a/extensions/msteams/package.json
+++ b/extensions/msteams/package.json
@@ -18,7 +18,7 @@
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
- "@types/jsonwebtoken": "^9.0.10",
+ "@types/jsonwebtoken": "9.0.10",
 "openclaw": "workspace:*"
 },
 "peerDependencies": {
diff --git a/extensions/nextcloud-talk/package.json b/extensions/nextcloud-talk/package.json
index d4e62f81e11..23ae362fe22 100644
--- a/extensions/nextcloud-talk/package.json
+++ b/extensions/nextcloud-talk/package.json
@@ -55,6 +55,6 @@
 }
 },
 "dependencies": {
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 }
 }
diff --git a/extensions/nostr/package.json b/extensions/nostr/package.json
index 95ce3e12aa4..3be2657ee39 100644
--- a/extensions/nostr/package.json
+++ b/extensions/nostr/package.json
@@ -8,8 +8,8 @@
 },
 "type": "module",
 "dependencies": {
- "nostr-tools": "^2.23.3",
- "zod": "^4.4.3"
+ "nostr-tools": "2.23.3",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/oc-path/package.json b/extensions/oc-path/package.json
index 735609baa8f..768e90f4312 100644
--- a/extensions/oc-path/package.json
+++ b/extensions/oc-path/package.json
@@ -5,8 +5,8 @@
 "description": "OpenClaw oc:// workspace path plugin",
 "type": "module",
 "dependencies": {
- "commander": "^14.0.3",
- "jsonc-parser": "^3.3.1",
+ "commander": "14.0.3",
+ "jsonc-parser": "3.3.1",
 "markdown-it": "14.1.1"
 },
 "devDependencies": {
diff --git a/extensions/openai/package.json b/extensions/openai/package.json
index 5c4dbbb51bd..1a1acf06087 100644
--- a/extensions/openai/package.json
+++ b/extensions/openai/package.json
@@ -6,7 +6,7 @@
 "type": "module",
 "dependencies": {
 "@earendil-works/pi-ai": "0.74.0",
- "ws": "^8.20.0"
+ "ws": "8.20.0"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/openshell/package.json b/extensions/openshell/package.json
index 94156f5611b..485af14ff26 100644
--- a/extensions/openshell/package.json
+++ b/extensions/openshell/package.json
@@ -6,7 +6,7 @@
 "type": "module",
 "dependencies": {
 "openshell": "0.1.0",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/qa-channel/package.json b/extensions/qa-channel/package.json
index 582e3e834bd..78d9bd8aed2 100644
--- a/extensions/qa-channel/package.json
+++ b/extensions/qa-channel/package.json
@@ -12,7 +12,7 @@
 },
 "dependencies": {
 "typebox": "1.1.38",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/qa-lab/package.json b/extensions/qa-lab/package.json
index 4de9b109051..6bb81fd592c 100644
--- a/extensions/qa-lab/package.json
+++ b/extensions/qa-lab/package.json
@@ -8,8 +8,8 @@
 "@copilotkit/aimock": "1.22.0",
 "@modelcontextprotocol/sdk": "1.29.0",
 "playwright-core": "1.60.0",
- "yaml": "^2.9.0",
- "zod": "^4.4.3"
+ "yaml": "2.9.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/discord": "workspace:*",
diff --git a/extensions/qqbot/package.json b/extensions/qqbot/package.json
index 10f03dc5107..be484fb8064 100644
--- a/extensions/qqbot/package.json
+++ b/extensions/qqbot/package.json
@@ -9,15 +9,15 @@
 },
 "type": "module",
 "dependencies": {
- "@tencent-connect/qqbot-connector": "^1.1.0",
- "mpg123-decoder": "^1.0.3",
- "silk-wasm": "^3.7.1",
- "ws": "^8.20.0",
- "zod": "^4.4.3"
+ "@tencent-connect/qqbot-connector": "1.1.0",
+ "mpg123-decoder": "1.0.3",
+ "silk-wasm": "3.7.1",
+ "ws": "8.20.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
- "@types/ws": "^8.18.1",
+ "@types/ws": "8.18.1",
 "openclaw": "workspace:*"
 },
 "peerDependencies": {
diff --git a/extensions/signal/package.json b/extensions/signal/package.json
index adc3e69e7d5..1f95f0e5f94 100644
--- a/extensions/signal/package.json
+++ b/extensions/signal/package.json
@@ -5,7 +5,7 @@
 "description": "OpenClaw Signal channel plugin",
 "type": "module",
 "dependencies": {
- "ws": "^8.20.0"
+ "ws": "8.20.0"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/slack/package.json b/extensions/slack/package.json
index d7d0bcfd5eb..7066c07842d 100644
--- a/extensions/slack/package.json
+++ b/extensions/slack/package.json
@@ -5,10 +5,10 @@
 "description": "OpenClaw Slack channel plugin",
 "type": "module",
 "dependencies": {
- "@slack/bolt": "^4.7.2",
- "@slack/types": "^2.21.1",
- "@slack/web-api": "^7.15.2",
- "https-proxy-agent": "^9.0.0",
+ "@slack/bolt": "4.7.2",
+ "@slack/types": "2.21.1",
+ "@slack/web-api": "7.15.2",
+ "https-proxy-agent": "9.0.0",
 "typebox": "1.1.38"
 },
 "devDependencies": {
diff --git a/extensions/synology-chat/package.json b/extensions/synology-chat/package.json
index 4873bcb0297..67d370e94d6 100644
--- a/extensions/synology-chat/package.json
+++ b/extensions/synology-chat/package.json
@@ -41,6 +41,6 @@
 }
 },
 "dependencies": {
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 }
 }
diff --git a/extensions/telegram/package.json b/extensions/telegram/package.json
index 0164c19fd9f..a2a2ad3d7eb 100644
--- a/extensions/telegram/package.json
+++ b/extensions/telegram/package.json
@@ -5,9 +5,9 @@
 "description": "OpenClaw Telegram channel plugin",
 "type": "module",
 "dependencies": {
- "@grammyjs/runner": "^2.0.3",
- "@grammyjs/transformer-throttler": "^1.2.1",
- "grammy": "^1.42.0",
+ "@grammyjs/runner": "2.0.3",
+ "@grammyjs/transformer-throttler": "1.2.1",
+ "grammy": "1.42.0",
 "typebox": "1.1.38",
 "undici": "8.2.0"
 },
diff --git a/extensions/tlon/package.json b/extensions/tlon/package.json
index 8fec003a495..895f7b09047 100644
--- a/extensions/tlon/package.json
+++ b/extensions/tlon/package.json
@@ -11,8 +11,8 @@
 "@aws-sdk/client-s3": "3.1045.0",
 "@aws-sdk/s3-request-presigner": "3.1045.0",
 "@tloncorp/tlon-skill": "0.3.6",
- "@urbit/aura": "^3.0.0",
- "zod": "^4.4.3"
+ "@urbit/aura": "3.0.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/twitch/package.json b/extensions/twitch/package.json
index 03abf2837d0..4fd9154a87e 100644
--- a/extensions/twitch/package.json
+++ b/extensions/twitch/package.json
@@ -8,10 +8,10 @@
 },
 "type": "module",
 "dependencies": {
- "@twurple/api": "^8.1.4",
- "@twurple/auth": "^8.1.4",
- "@twurple/chat": "^8.1.4",
- "zod": "^4.4.3"
+ "@twurple/api": "8.1.4",
+ "@twurple/auth": "8.1.4",
+ "@twurple/chat": "8.1.4",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/voice-call/package.json b/extensions/voice-call/package.json
index da8eaedec65..781c45ee060 100644
--- a/extensions/voice-call/package.json
+++ b/extensions/voice-call/package.json
@@ -8,10 +8,10 @@
 },
 "type": "module",
 "dependencies": {
- "commander": "^14.0.3",
+ "commander": "14.0.3",
 "typebox": "1.1.38",
- "ws": "^8.20.0",
- "zod": "^4.4.3"
+ "ws": "8.20.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/extensions/web-readability/package.json b/extensions/web-readability/package.json
index 092e4041eb2..3fdde5c7e97 100644
--- a/extensions/web-readability/package.json
+++ b/extensions/web-readability/package.json
@@ -5,8 +5,8 @@
 "description": "OpenClaw local Readability web extraction plugin",
 "type": "module",
 "dependencies": {
- "@mozilla/readability": "^0.6.0",
- "linkedom": "^0.18.12"
+ "@mozilla/readability": "0.6.0",
+ "linkedom": "0.18.12"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*"
diff --git a/extensions/webhooks/package.json b/extensions/webhooks/package.json
index c5d048a58c9..901f3024e09 100644
--- a/extensions/webhooks/package.json
+++ b/extensions/webhooks/package.json
@@ -13,6 +13,6 @@
 ]
 },
 "dependencies": {
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 }
 }
diff --git a/extensions/whatsapp/package.json b/extensions/whatsapp/package.json
index 9aac8a5049a..bb42060e4bf 100644
--- a/extensions/whatsapp/package.json
+++ b/extensions/whatsapp/package.json
@@ -9,8 +9,8 @@
 "type": "module",
 "dependencies": {
 "baileys": "7.0.0-rc10",
- "https-proxy-agent": "^9.0.0",
- "jimp": "^1.6.1",
+ "https-proxy-agent": "9.0.0",
+ "jimp": "1.6.1",
 "typebox": "1.1.38",
 "undici": "8.2.0"
 },
diff --git a/extensions/xai/package.json b/extensions/xai/package.json
index c1914314305..619576d12c0 100644
--- a/extensions/xai/package.json
+++ b/extensions/xai/package.json
@@ -10,7 +10,7 @@
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
- "ws": "^8.20.0"
+ "ws": "8.20.0"
 },
 "openclaw": {
 "extensions": [
diff --git a/extensions/zalo/package.json b/extensions/zalo/package.json
index 1a31c04955c..35e72a733b9 100644
--- a/extensions/zalo/package.json
+++ b/extensions/zalo/package.json
@@ -54,6 +54,6 @@
 }
 },
 "dependencies": {
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 }
 }
diff --git a/extensions/zalouser/package.json b/extensions/zalouser/package.json
index 7532c0c5d11..ca0cb571064 100644
--- a/extensions/zalouser/package.json
+++ b/extensions/zalouser/package.json
@@ -10,7 +10,7 @@
 "dependencies": {
 "typebox": "1.1.38",
 "zca-js": "2.1.2",
- "zod": "^4.4.3"
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@openclaw/plugin-sdk": "workspace:*",
diff --git a/package.json b/package.json
index b9b73081baf..45ca29d73c8 100644
--- a/package.json
+++ b/package.json
@@ -1389,6 +1389,7 @@
 "deadcode:unused-files": "node scripts/check-deadcode-unused-files.mjs",
 "deps:root-ownership": "node scripts/root-dependency-ownership-audit.mjs",
 "deps:root-ownership:check": "node scripts/root-dependency-ownership-audit.mjs --check",
+ "deps:pins:check": "node scripts/check-dependency-pins.mjs",
 "deps:sbom-risk": "node scripts/sbom-risk-report.mjs",
 "deps:sbom-risk:check": "node scripts/sbom-risk-report.mjs --check",
 "dev": "node scripts/run-node.mjs",
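Review bot: The added `deps:pins:check` entry only defines the command; nothing in this hunk adds it to an aggregate check or CI step, and a pin guard helps only if it fails every change that reintroduces a range. The CHANGELOG entry mentions a changed-check guard, so the wiring may sit in a file outside this view; please confirm it runs on the same path as `deps:root-ownership:check` and `deps:sbom-risk:check`. As a point of style, the sibling audits pair a report command with a `--check` variant while this one is check-only, so a header comment in `scripts/check-dependency-pins.mjs` naming the manifest fields it inspects and the specs it exempts (for example `workspace:*` and peer ranges) would make the contract clear. The scripts block continues outside the hunk.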
@@ -1715,92 +1716,92 @@
 "dependencies": {
 "@agentclientprotocol/sdk": "0.21.0",
 "@anthropic-ai/sdk": "0.95.2",
- "@anthropic-ai/vertex-sdk": "^0.16.0",
+ "@anthropic-ai/vertex-sdk": "0.16.0",
 "@aws-sdk/client-bedrock": "3.1045.0",
 "@aws-sdk/client-bedrock-runtime": "3.1045.0",
 "@aws-sdk/credential-provider-node": "3.972.39",
- "@aws/bedrock-token-generator": "^1.1.0",
- "@clack/core": "^1.3.0",
- "@clack/prompts": "^1.3.0",
+ "@aws/bedrock-token-generator": "1.1.0",
+ "@clack/core": "1.3.0",
+ "@clack/prompts": "1.3.0",
 "@earendil-works/pi-agent-core": "0.74.0",
 "@earendil-works/pi-ai": "0.74.0",
 "@earendil-works/pi-coding-agent": "0.74.0",
 "@earendil-works/pi-tui": "0.74.0",
- "@google/genai": "^2.0.1",
- "@grammyjs/runner": "^2.0.3",
- "@grammyjs/transformer-throttler": "^1.2.1",
- "@homebridge/ciao": "^1.3.8",
+ "@google/genai": "2.0.1",
+ "@grammyjs/runner": "2.0.3",
+ "@grammyjs/transformer-throttler": "1.2.1",
+ "@homebridge/ciao": "1.3.8",
 "@lydell/node-pty": "1.2.0-beta.12",
 "@modelcontextprotocol/sdk": "1.29.0",
- "@mozilla/readability": "^0.6.0",
- "@openclaw/fs-safe": "^0.2.2",
- "@slack/bolt": "^4.7.2",
- "@slack/types": "^2.21.1",
- "@slack/web-api": "^7.15.2",
- "ajv": "^8.20.0",
- "audio-decode": "^2.2.3",
- "chalk": "^5.6.2",
- "chokidar": "^5.0.0",
- "commander": "^14.0.3",
- "croner": "^10.0.1",
- "dotenv": "^17.4.2",
+ "@mozilla/readability": "0.6.0",
+ "@openclaw/fs-safe": "0.2.2",
+ "@slack/bolt": "4.7.2",
+ "@slack/types": "2.21.1",
+ "@slack/web-api": "7.15.2",
+ "ajv": "8.20.0",
+ "audio-decode": "2.2.3",
+ "chalk": "5.6.2",
+ "chokidar": "5.0.0",
+ "commander": "14.0.3",
+ "croner": "10.0.1",
+ "dotenv": "17.4.2",
 "express": "5.2.1",
 "file-type": "22.0.1",
- "global-agent": "^4.1.3",
- "grammy": "^1.42.0",
- "https-proxy-agent": "^9.0.0",
- "ipaddr.js": "^2.4.0",
- "jiti": "^2.7.0",
- "json5": "^2.2.3",
- "jszip": "^3.10.1",
+ "global-agent": "4.1.3",
+ "grammy": "1.42.0",
+ "https-proxy-agent": "9.0.0",
+ "ipaddr.js": "2.4.0",
+ "jiti": "2.7.0",
+ "json5": "2.2.3",
+ "jszip": "3.10.1",
 "kysely": "0.29.0",
- "linkedom": "^0.18.12",
+ "linkedom": "0.18.12",
 "markdown-it": "14.1.1",
 "minimatch": "10.2.5",
- "node-edge-tts": "^1.2.10",
- "openai": "^6.37.0",
+ "node-edge-tts": "1.2.10",
+ "openai": "6.37.0",
 "openshell": "0.1.0",
- "pdfjs-dist": "^5.7.284",
+ "pdfjs-dist": "5.7.284",
 "playwright-core": "1.60.0",
- "proxy-agent": "^8.0.1",
+ "proxy-agent": "8.0.1",
 "qrcode": "1.5.4",
 "tar": "7.5.15",
 "tokenjuice": "0.7.0",
- "tree-sitter-bash": "^0.25.1",
- "tslog": "^4.10.2",
+ "tree-sitter-bash": "0.25.1",
+ "tslog": "4.10.2",
 "typebox": "1.1.38",
 "undici": "8.2.0",
- "web-push": "^3.6.7",
- "web-tree-sitter": "^0.26.8",
- "ws": "^8.20.0",
- "yaml": "^2.9.0",
- "zod": "^4.4.3"
+ "web-push": "3.6.7",
+ "web-tree-sitter": "0.26.8",
+ "ws": "8.20.0",
+ "yaml": "2.9.0",
+ "zod": "4.4.3"
 },
 "devDependencies": {
 "@a2ui/lit": "0.9.3",
 "@copilotkit/aimock": "1.22.0",
- "@grammyjs/types": "^3.26.0",
- "@lit-labs/signals": "^0.2.0",
- "@lit/context": "^1.1.6",
- "@mdx-js/mdx": "^3.1.1",
- "@types/express": "^5.0.6",
- "@types/markdown-it": "^14.1.2",
+ "@grammyjs/types": "3.26.0",
+ "@lit-labs/signals": "0.2.0",
+ "@lit/context": "1.1.6",
+ "@mdx-js/mdx": "3.1.1",
+ "@types/express": "5.0.6",
+ "@types/markdown-it": "14.1.2",
 "@types/node": "25.7.0",
- "@types/ws": "^8.18.1",
+ "@types/ws": "8.18.1",
 "@typescript/native-preview": "7.0.0-dev.20260511.1",
- "@vitest/coverage-v8": "^4.1.6",
+ "@vitest/coverage-v8": "4.1.6",
 "jscpd": "4.1.0",
- "jsdom": "^29.1.1",
- "lit": "^3.3.2",
+ "jsdom": "29.1.1",
+ "lit": "3.3.2",
 "oxfmt": "0.49.0",
- "oxlint": "^1.64.0",
- "oxlint-tsgolint": "^0.22.1",
+ "oxlint": "1.64.0",
+ "oxlint-tsgolint": "0.22.1",
 "signal-utils": "0.21.1",
 "tsdown": "0.22.0",
- "tsx": "^4.21.0",
- "typescript": "^6.0.3",
+ "tsx": "4.21.0",
+ "typescript": "6.0.3",
 "unrun": "0.3.0",
- "vitest": "^4.1.6"
+ "vitest": "4.1.6"
 },
 "optionalDependencies": {
 "sqlite-vec": "0.1.9"
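Review bot: Exact specs in `dependencies` fix only the direct packages; the ranges those packages declare for their own dependencies still resolve at install time for anyone installing from the registry, where `pnpm-lock.yaml` is not consulted. If the CHANGELOG goal of runtime installs resolving the tested versions is meant to cover the whole tree, the release would also need a shipped lockfile such as `npm-shrinkwrap.json` or bundled dependencies. Exact pins also mean patch releases of network- and parser-facing packages changed here (`ws`, `jszip`, `pdfjs-dist`, `proxy-agent`) no longer arrive on their own, so security fixes now depend on someone bumping them; a scheduled update job would cover that. Separately, the lockfile hunk later in this diff shows specifier `0.95.1` in the slot just before `@anthropic-ai/vertex-sdk` while the context line here reads `"@anthropic-ai/sdk": "0.95.2"`; an override may explain it, but it is worth confirming that `pnpm install --frozen-lockfile` passes.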
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 862a0e3f4b1..f651ae2ff73 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -31,7 +31,7 @@ overrides: protobufjs: 7.5.5 uuid: 14.0.0 -packageExtensionsChecksum: sha256-dYQ0sWkVmDP3h45qaFTG+rd1lBoV5PWy5sLOMeDND7g= +packageExtensionsChecksum: sha256-oc/FAHkBR844HBfph1RZWyRMHHBpIFya25tyv5SGf6s= patchedDependencies: '@agentclientprotocol/claude-agent-acp@0.33.1': 3995624bb834cc60fea1461c7ef33f1fcdd8fb58b8f43f2f1490bc689f6e1be2 @@ -48,7 +48,7 @@ importers: specifier: 0.95.1 version: 0.95.1(zod@4.4.3) '@anthropic-ai/vertex-sdk': - specifier: ^0.16.0 + specifier: 0.16.0 version: 0.16.0(zod@4.4.3) '@aws-sdk/client-bedrock': specifier: 3.1045.0 @@ -60,13 +60,13 @@ importers: specifier: 3.972.39 version: 3.972.39 '@aws/bedrock-token-generator': - specifier: ^1.1.0 + specifier: 1.1.0 version: 1.1.0 '@clack/core': - specifier: ^1.3.0 + specifier: 1.3.0 version: 1.3.0 '@clack/prompts': - specifier: ^1.3.0 + specifier: 1.3.0 version: 1.3.0 '@earendil-works/pi-agent-core': specifier: 0.74.0 @@ -81,16 +81,16 @@ importers: specifier: 0.74.0 version: 0.74.0 '@google/genai': - specifier: ^2.0.1 + specifier: 2.0.1 version: 2.0.1(@modelcontextprotocol/sdk@1.29.0(zod@4.4.3)) '@grammyjs/runner': - specifier: ^2.0.3 + specifier: 2.0.3 version: 2.0.3(grammy@1.42.0) '@grammyjs/transformer-throttler': - specifier: ^1.2.1 + specifier: 1.2.1 version: 1.2.1(grammy@1.42.0) '@homebridge/ciao': - specifier: ^1.3.8 + specifier: 1.3.8 version: 1.3.8 '@lydell/node-pty': specifier: 1.2.0-beta.12 
@@ -99,40 +99,40 @@ importers: specifier: 1.29.0 version: 1.29.0(zod@4.4.3) '@mozilla/readability': - specifier: ^0.6.0 + specifier: 0.6.0 version: 0.6.0 '@openclaw/fs-safe': - specifier: ^0.2.2 + specifier: 0.2.2 version: 0.2.2 '@slack/bolt': - specifier: ^4.7.2 + specifier: 4.7.2 version: 4.7.2(@types/express@5.0.6) '@slack/types': - specifier: ^2.21.1 + specifier: 2.21.1 version: 2.21.1 '@slack/web-api': - specifier: ^7.15.2 + specifier: 7.15.2 version: 7.15.2 ajv: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 audio-decode: - specifier: ^2.2.3 + specifier: 2.2.3 version: 2.2.3 chalk: - specifier: ^5.6.2 + specifier: 5.6.2 version: 5.6.2 chokidar: - specifier: ^5.0.0 + specifier: 5.0.0 version: 5.0.0 commander: - specifier: ^14.0.3 + specifier: 14.0.3 version: 14.0.3 croner: - specifier: ^10.0.1 + specifier: 10.0.1 version: 10.0.1 dotenv: - specifier: ^17.4.2 + specifier: 17.4.2 version: 17.4.2 express: specifier: 5.2.1 @@ -141,31 +141,31 @@ importers: specifier: 22.0.1 version: 22.0.1 global-agent: - specifier: ^4.1.3 + specifier: 4.1.3 version: 4.1.3 grammy: - specifier: ^1.42.0 + specifier: 1.42.0 version: 1.42.0 https-proxy-agent: - specifier: ^9.0.0 + specifier: 9.0.0 version: 9.0.0 ipaddr.js: - specifier: ^2.4.0 + specifier: 2.4.0 version: 2.4.0 jiti: - specifier: ^2.7.0 + specifier: 2.7.0 version: 2.7.0 json5: - specifier: ^2.2.3 + specifier: 2.2.3 version: 2.2.3 jszip: - specifier: ^3.10.1 + specifier: 3.10.1 version: 3.10.1 kysely: specifier: 0.29.0 version: 0.29.0 linkedom: - specifier: ^0.18.12 + specifier: 0.18.12 version: 0.18.12 markdown-it: specifier: 14.1.1 
@@ -174,22 +174,22 @@ importers: specifier: 10.2.5 version: 10.2.5 node-edge-tts: - specifier: ^1.2.10 + specifier: 1.2.10 version: 1.2.10 openai: - specifier: ^6.37.0 + specifier: 6.37.0 version: 6.37.0(ws@8.20.0)(zod@4.4.3) openshell: specifier: 0.1.0 version: 0.1.0 pdfjs-dist: - specifier: ^5.7.284 + specifier: 5.7.284 version: 5.7.284 playwright-core: specifier: 1.60.0 version: 1.60.0 proxy-agent: - specifier: ^8.0.1 + specifier: 8.0.1 version: 8.0.1 qrcode: specifier: 1.5.4 @@ -201,10 +201,10 @@ importers: specifier: 0.7.0 version: 0.7.0 tree-sitter-bash: - specifier: ^0.25.1 + specifier: 0.25.1 version: 0.25.1 tslog: - specifier: ^4.10.2 + specifier: 4.10.2 version: 4.10.2 typebox: specifier: 1.1.38 @@ -213,19 +213,19 @@ importers: specifier: 8.2.0 version: 8.2.0 web-push: - specifier: ^3.6.7 + specifier: 3.6.7 version: 3.6.7 web-tree-sitter: - specifier: ^0.26.8 + specifier: 0.26.8 version: 0.26.8 ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 yaml: - specifier: ^2.9.0 + specifier: 2.9.0 version: 2.9.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@a2ui/lit': 
@@ -235,52 +235,52 @@ importers: specifier: 1.22.0 version: 1.22.0(vitest@4.1.6) '@grammyjs/types': - specifier: ^3.26.0 + specifier: 3.26.0 version: 3.26.0 '@lit-labs/signals': - specifier: ^0.2.0 + specifier: 0.2.0 version: 0.2.0 '@lit/context': - specifier: ^1.1.6 + specifier: 1.1.6 version: 1.1.6 '@mdx-js/mdx': - specifier: ^3.1.1 + specifier: 3.1.1 version: 3.1.1 '@types/express': - specifier: ^5.0.6 + specifier: 5.0.6 version: 5.0.6 '@types/markdown-it': - specifier: ^14.1.2 + specifier: 14.1.2 version: 14.1.2 '@types/node': specifier: 25.7.0 version: 25.7.0 '@types/ws': - specifier: ^8.18.1 + specifier: 8.18.1 version: 8.18.1 '@typescript/native-preview': specifier: 7.0.0-dev.20260511.1 version: 7.0.0-dev.20260511.1 '@vitest/coverage-v8': - specifier: ^4.1.6 + specifier: 4.1.6 version: 4.1.6(@vitest/browser@4.1.6)(vitest@4.1.6) jscpd: specifier: 4.1.0 version: 4.1.0 jsdom: - specifier: ^29.1.1 + specifier: 29.1.1 version: 29.1.1(@noble/hashes@2.0.1) lit: - specifier: ^3.3.2 + specifier: 3.3.2 version: 3.3.2 oxfmt: specifier: 0.49.0 version: 0.49.0 oxlint: - specifier: ^1.64.0 + specifier: 1.64.0 version: 1.64.0(oxlint-tsgolint@0.22.1) oxlint-tsgolint: - specifier: ^0.22.1 + specifier: 0.22.1 version: 0.22.1 signal-utils: specifier: 0.21.1 @@ -289,16 +289,16 @@ importers: specifier: 0.22.0 version: 0.22.0(@typescript/native-preview@7.0.0-dev.20260511.1)(tsx@4.21.0)(typescript@6.0.3)(unrun@0.3.0) tsx: - specifier: ^4.21.0 + specifier: 4.21.0 version: 4.21.0 typescript: - specifier: ^6.0.3 + specifier: 6.0.3 version: 6.0.3 unrun: specifier: 0.3.0 version: 0.3.0 vitest: - specifier: ^4.1.6 + specifier: 4.1.6 version: 4.1.6(@opentelemetry/api@1.9.1)(@types/node@25.7.0)(@vitest/browser-playwright@4.1.6)(@vitest/coverage-v8@4.1.6)(jsdom@29.1.1(@noble/hashes@2.0.1))(vite@8.0.12(@types/node@25.7.0)(esbuild@0.27.7)(jiti@2.7.0)(tsx@4.21.0)(yaml@2.9.0)) optionalDependencies: sqlite-vec: 
@@ -317,7 +317,7 @@ importers: specifier: 0.7.0 version: 0.7.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -358,7 +358,7 @@ importers: specifier: 0.95.1 version: 0.95.1(zod@4.4.3) '@aws/bedrock-token-generator': - specifier: ^1.1.0 + specifier: 1.1.0 version: 1.1.0 '@earendil-works/pi-ai': specifier: 0.74.0 @@ -381,7 +381,7 @@ importers: extensions/anthropic-vertex: dependencies: '@anthropic-ai/vertex-sdk': - specifier: ^0.16.0 + specifier: 0.16.0 version: 0.16.0(zod@4.4.3) '@earendil-works/pi-agent-core': specifier: 0.74.0 @@ -409,7 +409,7 @@ importers: extensions/bonjour: dependencies: '@homebridge/ciao': - specifier: ^1.3.8 + specifier: 1.3.8 version: 1.3.8 devDependencies: '@openclaw/plugin-sdk': @@ -428,7 +428,7 @@ importers: specifier: 1.29.0 version: 1.29.0(zod@4.4.3) commander: - specifier: ^14.0.3 + specifier: 14.0.3 version: 14.0.3 express: specifier: 5.2.1 @@ -440,7 +440,7 @@ importers: specifier: 1.1.38 version: 1.1.38 ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 devDependencies: '@openclaw/plugin-sdk': @@ -462,19 +462,19 @@ importers: specifier: 0.9.3 version: 0.9.3(signal-polyfill@0.2.2) '@lit/context': - specifier: ^1.1.6 + specifier: 1.1.6 version: 1.1.6 chokidar: - specifier: ^5.0.0 + specifier: 5.0.0 version: 5.0.0 lit: - specifier: ^3.3.2 + specifier: 3.3.2 version: 3.3.2 typebox: specifier: 1.1.38 version: 1.1.38 ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 devDependencies: '@openclaw/plugin-sdk': @@ -496,10 +496,10 @@ importers: extensions/clickclack: dependencies: ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': 
@@ -524,13 +524,13 @@ importers: specifier: 0.130.0 version: 0.130.0 ajv: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -570,37 +570,37 @@ importers: extensions/diagnostics-otel: dependencies: '@opentelemetry/api': - specifier: ^1.9.1 + specifier: 1.9.1 version: 1.9.1 '@opentelemetry/api-logs': - specifier: ^0.217.0 + specifier: 0.217.0 version: 0.217.0 '@opentelemetry/exporter-logs-otlp-proto': - specifier: ^0.217.0 + specifier: 0.217.0 version: 0.217.0(@opentelemetry/api@1.9.1) '@opentelemetry/exporter-metrics-otlp-proto': - specifier: ^0.217.0 + specifier: 0.217.0 version: 0.217.0(@opentelemetry/api@1.9.1) '@opentelemetry/exporter-trace-otlp-proto': - specifier: ^0.217.0 + specifier: 0.217.0 version: 0.217.0(@opentelemetry/api@1.9.1) '@opentelemetry/resources': - specifier: ^2.7.1 + specifier: 2.7.1 version: 2.7.1(@opentelemetry/api@1.9.1) '@opentelemetry/sdk-logs': - specifier: ^0.217.0 + specifier: 0.217.0 version: 0.217.0(@opentelemetry/api@1.9.1) '@opentelemetry/sdk-metrics': - specifier: ^2.7.1 + specifier: 2.7.1 version: 2.7.1(@opentelemetry/api@1.9.1) '@opentelemetry/sdk-node': - specifier: ^0.217.0 + specifier: 0.217.0 version: 0.217.0(@opentelemetry/api@1.9.1) '@opentelemetry/sdk-trace-base': - specifier: ^2.7.1 + specifier: 2.7.1 version: 2.7.1(@opentelemetry/api@1.9.1) '@opentelemetry/semantic-conventions': - specifier: ^1.40.0 + specifier: 1.40.0 version: 1.40.0 devDependencies: '@openclaw/plugin-sdk': @@ -628,7 +628,7 @@ importers: specifier: 1.1.38 version: 1.1.38 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': 
@@ -638,16 +638,16 @@ importers: extensions/discord: dependencies: '@discordjs/voice': - specifier: ^0.19.2 + specifier: 0.19.2 version: 0.19.2(@emnapi/core@1.10.0)(@emnapi/runtime@1.10.0)(opusscript@0.1.1) discord-api-types: - specifier: ^0.38.47 + specifier: 0.38.47 version: 0.38.47 https-proxy-agent: - specifier: ^9.0.0 + specifier: 9.0.0 version: 9.0.0 opusscript: - specifier: ^0.1.1 + specifier: 0.1.1 version: 0.1.1 typebox: specifier: 1.1.38 @@ -656,7 +656,7 @@ importers: specifier: 8.2.0 version: 8.2.0 ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 devDependencies: '@openclaw/plugin-sdk': @@ -672,7 +672,7 @@ importers: specifier: ^0.1.89 version: 0.1.99 pdfjs-dist: - specifier: ^5.7.284 + specifier: 5.7.284 version: 5.7.284 devDependencies: '@openclaw/plugin-sdk': @@ -706,13 +706,13 @@ importers: extensions/feishu: dependencies: '@larksuiteoapi/node-sdk': - specifier: ^1.63.1 + specifier: 1.63.1 version: 1.63.1 typebox: specifier: 1.1.38 version: 1.1.38 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -758,7 +758,7 @@ importers: extensions/github-copilot: dependencies: '@clack/prompts': - specifier: ^1.3.0 + specifier: 1.3.0 version: 1.3.0 devDependencies: '@earendil-works/pi-ai': @@ -774,7 +774,7 @@ importers: specifier: 0.74.0 version: 0.74.0(@modelcontextprotocol/sdk@1.29.0(zod@4.4.3))(ws@8.20.0)(zod@4.4.3) '@google/genai': - specifier: ^2.0.1 + specifier: 2.0.1 version: 2.0.1(@modelcontextprotocol/sdk@1.29.0(zod@4.4.3)) devDependencies: '@openclaw/plugin-sdk': @@ -784,7 +784,7 @@ importers: extensions/google-meet: dependencies: commander: - specifier: ^14.0.3 + specifier: 14.0.3 version: 14.0.3 typebox: specifier: 1.1.38 @@ -806,7 +806,7 @@ importers: specifier: 10.6.2 version: 10.6.2 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': 
@@ -855,7 +855,7 @@ importers: extensions/irc: dependencies: zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -881,10 +881,10 @@ importers: extensions/line: dependencies: '@line/bot-sdk': - specifier: ^11.0.0 + specifier: 11.0.0 version: 11.0.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -922,7 +922,7 @@ importers: specifier: 2026.4.6 version: 2026.4.6 ajv: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 typebox: specifier: 1.1.38 @@ -935,13 +935,13 @@ importers: extensions/matrix: dependencies: '@matrix-org/matrix-sdk-crypto-nodejs': - specifier: ^0.5.1 + specifier: 0.5.1 version: 0.5.1 '@matrix-org/matrix-sdk-crypto-wasm': specifier: 18.2.0 version: 18.2.0 fake-indexeddb: - specifier: ^6.2.5 + specifier: 6.2.5 version: 6.2.5 markdown-it: specifier: 14.1.1 @@ -950,13 +950,13 @@ importers: specifier: 41.5.0-rc.0 version: 41.5.0-rc.0 music-metadata: - specifier: ^11.12.3 + specifier: 11.12.3 version: 11.12.3 typebox: specifier: 1.1.38 version: 1.1.38 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -969,10 +969,10 @@ importers: extensions/mattermost: dependencies: ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -985,7 +985,7 @@ importers: extensions/media-understanding-core: dependencies: sharp: - specifier: ^0.34.5 + specifier: 0.34.5 version: 0.34.5 devDependencies: '@openclaw/plugin-sdk': @@ -995,10 +995,10 @@ importers: extensions/memory-core: dependencies: chokidar: - specifier: ^5.0.0 + specifier: 5.0.0 version: 5.0.0 json5: - specifier: ^2.2.3 + specifier: 2.2.3 version: 2.2.3 typebox: specifier: 1.1.38 
@@ -1014,13 +1014,13 @@ importers: extensions/memory-lancedb: dependencies: '@lancedb/lancedb': - specifier: ^0.27.2 + specifier: 0.27.2 version: 0.27.2(apache-arrow@18.1.0) apache-arrow: specifier: 18.1.0 version: 18.1.0 openai: - specifier: ^6.37.0 + specifier: 6.37.0 version: 6.37.0(ws@8.20.0)(zod@4.4.3) typebox: specifier: 1.1.38 @@ -1036,10 +1036,10 @@ importers: specifier: 1.1.38 version: 1.1.38 yaml: - specifier: ^2.9.0 + specifier: 2.9.0 version: 2.9.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1052,7 +1052,7 @@ importers: extensions/microsoft: dependencies: node-edge-tts: - specifier: ^1.2.10 + specifier: 1.2.10 version: 1.2.10 devDependencies: '@openclaw/plugin-sdk': @@ -1077,7 +1077,7 @@ importers: extensions/migrate-hermes: dependencies: yaml: - specifier: ^2.9.0 + specifier: 2.9.0 version: 2.9.0 devDependencies: '@openclaw/plugin-sdk': @@ -1133,7 +1133,7 @@ importers: specifier: workspace:* version: link:../../packages/plugin-sdk '@types/jsonwebtoken': - specifier: ^9.0.10 + specifier: 9.0.10 version: 9.0.10 openclaw: specifier: workspace:* @@ -1142,7 +1142,7 @@ importers: extensions/nextcloud-talk: dependencies: zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1155,10 +1155,10 @@ importers: extensions/nostr: dependencies: nostr-tools: - specifier: ^2.23.3 + specifier: 2.23.3 version: 2.23.3(typescript@6.0.3) zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1177,10 +1177,10 @@ importers: extensions/oc-path: dependencies: commander: - specifier: ^14.0.3 + specifier: 14.0.3 version: 14.0.3 jsonc-parser: - specifier: ^3.3.1 + specifier: 3.3.1 version: 3.3.1 markdown-it: specifier: 14.1.1 
@@ -1218,7 +1218,7 @@ importers: specifier: 0.74.0 version: 0.74.0(@modelcontextprotocol/sdk@1.29.0(zod@4.4.3))(ws@8.20.0)(zod@4.4.3) ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 devDependencies: '@openclaw/plugin-sdk': @@ -1249,7 +1249,7 @@ importers: specifier: 0.1.0 version: 0.1.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1268,7 +1268,7 @@ importers: specifier: 1.1.38 version: 1.1.38 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1290,10 +1290,10 @@ importers: specifier: 1.60.0 version: 1.60.0 yaml: - specifier: ^2.9.0 + specifier: 2.9.0 version: 2.9.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/discord': @@ -1337,26 +1337,26 @@ importers: extensions/qqbot: dependencies: '@tencent-connect/qqbot-connector': - specifier: ^1.1.0 + specifier: 1.1.0 version: 1.1.0 mpg123-decoder: - specifier: ^1.0.3 + specifier: 1.0.3 version: 1.0.3 silk-wasm: - specifier: ^3.7.1 + specifier: 3.7.1 version: 3.7.1 ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': specifier: workspace:* version: link:../../packages/plugin-sdk '@types/ws': - specifier: ^8.18.1 + specifier: 8.18.1 version: 8.18.1 openclaw: specifier: workspace:* @@ -1395,7 +1395,7 @@ importers: extensions/signal: dependencies: ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 devDependencies: '@openclaw/plugin-sdk': @@ -1415,16 +1415,16 @@ importers: extensions/slack: dependencies: '@slack/bolt': - specifier: ^4.7.2 + specifier: 4.7.2 version: 4.7.2(@types/express@5.0.6) '@slack/types': - specifier: ^2.21.1 + specifier: 2.21.1 version: 2.21.1 '@slack/web-api': - specifier: ^7.15.2 + specifier: 7.15.2 version: 7.15.2 https-proxy-agent: - specifier: ^9.0.0 + specifier: 9.0.0 version: 9.0.0 typebox: specifier: 1.1.38 
@@ -1449,7 +1449,7 @@ importers: extensions/synology-chat: dependencies: zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1475,13 +1475,13 @@ importers: extensions/telegram: dependencies: '@grammyjs/runner': - specifier: ^2.0.3 + specifier: 2.0.3 version: 2.0.3(grammy@1.42.0) '@grammyjs/transformer-throttler': - specifier: ^1.2.1 + specifier: 1.2.1 version: 1.2.1(grammy@1.42.0) grammy: - specifier: ^1.42.0 + specifier: 1.42.0 version: 1.42.0 typebox: specifier: 1.1.38 @@ -1512,10 +1512,10 @@ importers: specifier: 0.3.6 version: 0.3.6 '@urbit/aura': - specifier: ^3.0.0 + specifier: 3.0.0 version: 3.0.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1550,16 +1550,16 @@ importers: extensions/twitch: dependencies: '@twurple/api': - specifier: ^8.1.4 + specifier: 8.1.4 version: 8.1.4(@twurple/auth@8.1.4) '@twurple/auth': - specifier: ^8.1.4 + specifier: 8.1.4 version: 8.1.4 '@twurple/chat': - specifier: ^8.1.4 + specifier: 8.1.4 version: 8.1.4(@twurple/auth@8.1.4) zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1593,16 +1593,16 @@ importers: extensions/voice-call: dependencies: commander: - specifier: ^14.0.3 + specifier: 14.0.3 version: 14.0.3 typebox: specifier: 1.1.38 version: 1.1.38 ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1633,10 +1633,10 @@ importers: extensions/web-readability: dependencies: '@mozilla/readability': - specifier: ^0.6.0 + specifier: 0.6.0 version: 0.6.0 linkedom: - specifier: ^0.18.12 + specifier: 0.18.12 version: 0.18.12 devDependencies: '@openclaw/plugin-sdk': @@ -1646,7 +1646,7 @@ importers: extensions/webhooks: dependencies: zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': 
@@ -1659,10 +1659,10 @@ importers: specifier: 7.0.0-rc10 version: 7.0.0-rc10(patch_hash=a9aea1790d2c65b1ae543c77faca4119bbfb91ee3b6ca6c38d1cad4f5702ada2)(audio-decode@2.2.3)(jimp@1.6.1)(sharp@0.34.5) https-proxy-agent: - specifier: ^9.0.0 + specifier: 9.0.0 version: 9.0.0 jimp: - specifier: ^1.6.1 + specifier: 1.6.1 version: 1.6.1 typebox: specifier: 1.1.38 @@ -1691,7 +1691,7 @@ importers: specifier: workspace:* version: link:../../packages/plugin-sdk ws: - specifier: ^8.20.0 + specifier: 8.20.0 version: 8.20.0 extensions/xiaomi: @@ -1709,7 +1709,7 @@ importers: extensions/zalo: dependencies: zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1728,7 +1728,7 @@ importers: specifier: 2.1.2 version: 2.1.2 zod: - specifier: ^4.4.3 + specifier: 4.4.3 version: 4.4.3 devDependencies: '@openclaw/plugin-sdk': @@ -1749,41 +1749,41 @@ importers: ui: dependencies: '@create-markdown/preview': - specifier: ^2.0.3 + specifier: 2.0.3 version: 2.0.3(shiki@3.23.0) '@noble/ed25519': specifier: 3.1.0 version: 3.1.0 dompurify: - specifier: ^3.4.2 + specifier: 3.4.2 version: 3.4.2 json5: - specifier: ^2.2.3 + specifier: 2.2.3 version: 2.2.3 lit: - specifier: ^3.3.2 + specifier: 3.3.2 version: 3.3.2 markdown-it: - specifier: ^14.1.1 + specifier: 14.1.1 version: 14.1.1 markdown-it-task-lists: - specifier: ^2.1.1 + specifier: 2.1.1 version: 2.1.1 marked: - specifier: ^18.0.3 + specifier: 18.0.3 version: 18.0.3 devDependencies: '@types/markdown-it': - specifier: ^14.1.2 + specifier: 14.1.2 version: 14.1.2 '@vitest/browser-playwright': specifier: 4.1.6 version: 4.1.6(playwright@1.60.0)(vite@8.0.12(@types/node@25.7.0)(esbuild@0.27.7)(jiti@2.7.0)(tsx@4.21.0)(yaml@2.9.0))(vitest@4.1.6) jsdom: - specifier: ^29.1.1 + specifier: 29.1.1 version: 29.1.1(@noble/hashes@2.0.1) playwright: - specifier: ^1.60.0 + specifier: 1.60.0 version: 1.60.0 vite: specifier: 8.0.12 
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index e57c5eeffe4..352be284a70 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -84,7 +84,7 @@ allowBuilds: packageExtensions: "@earendil-works/pi-coding-agent": dependencies: - strip-ansi: ^7.2.0 + strip-ansi: 7.2.0 peerDependencyRules: allowedVersions: diff --git a/qa/convex-credential-broker/package.json b/qa/convex-credential-broker/package.json index 9431da4012f..3b93835d94f 100644 --- a/qa/convex-credential-broker/package.json +++ b/qa/convex-credential-broker/package.json @@ -10,6 +10,6 @@ "dev": "convex dev" }, "dependencies": { - "convex": "^1.35.1" + "convex": "1.35.1" } } diff --git a/scripts/check-changed.mjs b/scripts/check-changed.mjs index 947b34b826a..294b5a61d94 100644 --- a/scripts/check-changed.mjs +++ b/scripts/check-changed.mjs @@ -125,6 +125,7 @@ export function createChangedCheckPlan(result, options = {}) { add("guarded extension wildcard re-exports", ["lint:extensions:no-guarded-wildcard-reexports"]); add("plugin-sdk wildcard re-exports", ["lint:extensions:no-plugin-sdk-wildcard-reexports"]); add("duplicate scan target coverage", ["dup:check:coverage"]); + add("dependency pin guard", ["deps:pins:check"]); if (result.docsOnly) { return { diff --git a/scripts/check-dependency-pins.mjs b/scripts/check-dependency-pins.mjs new file mode 100644 index 00000000000..9fa1764fbc6 --- /dev/null +++ b/scripts/check-dependency-pins.mjs 
@@ -0,0 +1,115 @@
+#!/usr/bin/env node
+
+import { execFileSync } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import YAML from "yaml";
+
+const PACKAGE_DEPENDENCY_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];
+const WORKSPACE_DEPENDENCY_SECTIONS = ["overrides"];
+const EXACT_SEMVER_PATTERN = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/u;
+const EXACT_NPM_ALIAS_PATTERN =
+ /^npm:(?:@[^/\s]+\/)?[^@\s]+@\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/u;
+const PINNED_GIT_PATTERN = /(?:#|\/commit\/)[0-9a-f]{40}$/iu;
+
+function listTrackedPackageJsonFiles(cwd) {
+ return execFileSync("git", ["ls-files", "-z", "--", "*package.json"], {
+ cwd,
+ encoding: "utf8",
+ })
+ .split("\0")
+ .filter(Boolean)
+ .toSorted((left, right) => left.localeCompare(right));
+}
+
+function readJson(filePath) {
+ return JSON.parse(fs.readFileSync(filePath, "utf8"));
+}
+
+function isAllowedPinnedSpec(spec) {
+ if (typeof spec !== "string") {
+ return false;
+ }
+ if (EXACT_SEMVER_PATTERN.test(spec) || EXACT_NPM_ALIAS_PATTERN.test(spec)) {
+ return true;
+ }
+ if (spec === "workspace:*" || spec.startsWith("file:") || spec.startsWith("link:")) {
+ return true;
+ }
+ if (/^(?:git\+|github:|gitlab:|bitbucket:)/u.test(spec)) {
+ return PINNED_GIT_PATTERN.test(spec);
+ }
+ return false;
+}
+
+function collectPackageJsonViolations(cwd) {
+ const violations = [];
+ for (const relativePath of listTrackedPackageJsonFiles(cwd)) {
+ const packageJson = readJson(path.join(cwd, relativePath));
+ for (const section of PACKAGE_DEPENDENCY_SECTIONS) {
+ for (const [name, spec] of Object.entries(packageJson[section] ?? {})) {
+ if (!isAllowedPinnedSpec(spec)) {
+ violations.push({ file: relativePath, section, name, spec });
+ }
+ }
+ }
+ }
+ return violations;
+}
+
+function collectDependencyMapViolations(file, section, dependencyMap, violations) {
+ for (const [name, spec] of Object.entries(dependencyMap ?? {})) {
+ if (!isAllowedPinnedSpec(spec)) {
+ violations.push({ file, section, name, spec });
+ }
+ }
+}
+
+function collectWorkspaceViolations(cwd) {
+ const file = "pnpm-workspace.yaml";
+ const workspacePath = path.join(cwd, file);
+ if (!fs.existsSync(workspacePath)) {
+ return [];
+ }
+ const workspace = YAML.parse(fs.readFileSync(workspacePath, "utf8"));
+ const violations = [];
+ for (const section of WORKSPACE_DEPENDENCY_SECTIONS) {
+ collectDependencyMapViolations(file, section, workspace?.[section], violations);
+ }
+ for (const [packageName, extension] of Object.entries(workspace?.packageExtensions ?? {})) {
+ collectDependencyMapViolations(
+ file,
+ `packageExtensions.${packageName}.dependencies`,
+ extension?.dependencies,
+ violations,
+ );
+ }
+ return violations;
+}
+
+export function collectDependencyPinViolations(cwd = process.cwd()) {
+ return [...collectPackageJsonViolations(cwd), ...collectWorkspaceViolations(cwd)];
+}
+
+export async function main() {
+ const violations = collectDependencyPinViolations();
+ if (violations.length === 0) {
+ return;
+ }
+
+ console.error("Dependency specs must be pinned exactly outside peer dependency contracts:");
+ for (const violation of violations) {
+ console.error(
+ `- ${violation.file}:${violation.section}:${violation.name} -> ${JSON.stringify(violation.spec)}`,
+ );
+ }
+ process.exitCode = 1;
+}
+
+if (process.argv[1] && path.resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+ main().catch((error) => {
+ console.error(error);
+ process.exit(1);
+ });
+}
diff --git a/test/scripts/changed-lanes.test.ts b/test/scripts/changed-lanes.test.ts
index 7d07a676ff5..842d629624a 100644
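Review bot: The guard in scripts/check-dependency-pins.mjs covers fewer places than its error message suggests: `collectWorkspaceViolations` inspects only `extension?.dependencies` for each `packageExtensions` entry, so a range placed under `optionalDependencies` of a package extension in pnpm-workspace.yaml is never checked, and `collectPackageJsonViolations` reads only the three sections in `PACKAGE_DEPENDENCY_SECTIONS`, so an override-style map inside a package.json would also pass. I would call `collectDependencyMapViolations` once per extension section (`dependencies` and `optionalDependencies`) and add to the checked sections whichever package.json override fields the package manager in use still honours. `isAllowedPinnedSpec` accepts every `file:` and `link:` spec without looking at the target, which is presumably meant for in-repo paths; a one-line comment such as `// file:/link: are local paths, not registry content, so there is no version to pin` would record that decision. The function carries the whole pinning policy, yet no test for it is visible in this diff (the changed-lanes test only asserts that the new lane is listed), so a small table of accepted and rejected specs would be worth adding.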
--- a/test/scripts/changed-lanes.test.ts +++ b/test/scripts/changed-lanes.test.ts @@ -473,6 +473,7 @@ describe("scripts/changed-lanes", () => { "guarded extension wildcard re-exports", "plugin-sdk wildcard re-exports", "duplicate scan target coverage", + "dependency pin guard", "typecheck core tests", "lint core", "lint scripts", @@ -752,6 +753,7 @@ describe("scripts/changed-lanes", () => { "lint:extensions:no-guarded-wildcard-reexports", "lint:extensions:no-plugin-sdk-wildcard-reexports", "dup:check:coverage", + "deps:pins:check", "release-metadata:check", "ios:version:check", "config:schema:check", @@ -952,6 +954,7 @@ describe("scripts/changed-lanes", () => { args: ["lint:extensions:no-plugin-sdk-wildcard-reexports"], }, { name: "duplicate scan target coverage", args: ["dup:check:coverage"] }, + { name: "dependency pin guard", args: ["deps:pins:check"] }, ]); }); @@ -972,6 +975,7 @@ describe("scripts/changed-lanes", () => { args: ["lint:extensions:no-plugin-sdk-wildcard-reexports"], }, { name: "duplicate scan target coverage", args: ["dup:check:coverage"] }, + { name: "dependency pin guard", args: ["deps:pins:check"] }, ]); }); }); diff --git a/ui/package.json b/ui/package.json index 542884f3eff..71c55e36094 100644 --- a/ui/package.json +++ b/ui/package.json 
@@ -9,20 +9,20 @@ "test": "vitest run --config vitest.config.ts" }, "dependencies": { - "@create-markdown/preview": "^2.0.3", + "@create-markdown/preview": "2.0.3", "@noble/ed25519": "3.1.0", - "dompurify": "^3.4.2", - "json5": "^2.2.3", - "lit": "^3.3.2", - "markdown-it": "^14.1.1", - "markdown-it-task-lists": "^2.1.1", - "marked": "^18.0.3" + "dompurify": "3.4.2", + "json5": "2.2.3", + "lit": "3.3.2", + "markdown-it": "14.1.1", + "markdown-it-task-lists": "2.1.1", + "marked": "18.0.3" }, "devDependencies": { - "@types/markdown-it": "^14.1.2", + "@types/markdown-it": "14.1.2", "@vitest/browser-playwright": "4.1.6", - "jsdom": "^29.1.1", - "playwright": "^1.60.0", + "jsdom": "29.1.1", + "playwright": "1.60.0", "vite": "8.0.12", "vitest": "4.1.6" }