openclaw
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 4 additions & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/dependency-change-awareness.yml‎
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/dependency-change-awareness.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎.github/workflows/labeler.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/labeler.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 1 addition & 0 deletions b/‎AGENTS.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/gateway/security/index.md‎
Lines changed: 42 additions & 0 deletions b/‎docs/gateway/security/index.md‎
Lines changed: 42 additions & 0 deletions
@@ -13,6 +13,10 @@
 /.github/workflows/codeql-critical-quality.yml @openclaw/openclaw-secops
 /.github/workflows/dependency-change-awareness.yml @openclaw/openclaw-secops
 /test/scripts/dependency-change-awareness-workflow.test.ts @openclaw/openclaw-secops
+/package-lock.json @openclaw/openclaw-secops
+/npm-shrinkwrap.json @openclaw/openclaw-secops
+/pnpm-lock.yaml @openclaw/openclaw-secops
+/scripts/generate-npm-shrinkwrap.mjs @openclaw/openclaw-secops
 /src/security/ @openclaw/openclaw-secops
 /src/secrets/ @openclaw/openclaw-secops
 /src/config/*secret*.ts @openclaw/openclaw-secops
 
@@ -34,6 +34,8 @@ jobs:
 
             const isDependencyFile = (filename) =>
               filename === "package.json" ||
+              filename === "package-lock.json" ||
+              filename === "npm-shrinkwrap.json" ||
               filename === "pnpm-lock.yaml" ||
               filename === "pnpm-workspace.yaml" ||
               filename === "ui/package.json" ||
@@ -143,7 +145,8 @@ jobs:
               "",
               "Maintainer follow-up:",
               "- Review whether the dependency changes are intentional.",
-              "- Inspect resolved package deltas when lockfile or workspace dependency policy changes are present.",
+              "- Inspect resolved package deltas when lockfile, shrinkwrap, or workspace dependency policy changes are present.",
+              "- Treat `package-lock.json` and `npm-shrinkwrap.json` diffs as security-review surfaces.",
               "- Run `pnpm deps:changes:report -- --base-ref origin/main --markdown /tmp/dependency-changes.md --json /tmp/dependency-changes.json` locally for detailed release-style evidence.",
             ].join("\n");
 
 
@@ -89,7 +89,7 @@ jobs:
               per_page: 100,
             });
 
-            const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
+            const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "bun.lockb"]);
             const totalChangedLines = files.reduce((total, file) => {
               const path = file.filename ?? "";
               if (path.startsWith("docs/") || excludedLockfiles.has(path)) {
@@ -603,7 +603,7 @@ jobs:
                 per_page: 100,
               });
 
-              const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "yarn.lock", "bun.lockb"]);
+              const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "bun.lockb"]);
               const totalChangedLines = files.reduce((total, file) => {
                 const path = file.filename ?? "";
                 if (path.startsWith("docs/") || excludedLockfiles.has(path)) {
 
@@ -161,6 +161,7 @@ Skills own workflows; root owns hard policy and routing.
 - Never commit real phone numbers, videos, credentials, live config.
 - Secrets: channel/provider creds in `~/.openclaw/credentials/`; model auth profiles in `~/.openclaw/agents/<agentId>/agent/auth-profiles.json`.
 - Dependency patches/overrides/vendor changes need explicit approval. `pnpm-workspace.yaml` patched dependencies use exact versions only.
+- Lockfiles/shrinkwrap are security surface: review `pnpm-lock.yaml`, `npm-shrinkwrap.json`, `package-lock.json`; npm package ships shrinkwrap, not package-lock.
 - Carbon pins owner-only: do not change `@buape/carbon` unless Shadow (`@thewilloftheshadow`, verified by `gh`) asks.
 - Releases/publish/version bumps need explicit approval. Use `$openclaw-release-maintainer`.
 - GHSA/advisories: `$openclaw-ghsa-maintainer` / `$security-triage`. Secret scanning: `$openclaw-secret-scanning-maintainer`.
 
@@ -28,6 +28,7 @@ Docs: https://docs.openclaw.ai
 - QA-Lab: include an opt-in `update.run` package self-upgrade sentinel for destructive latest-package recovery checks.
 - QA-Lab: add Codex plugin lifecycle and auth-profile fixture coverage for missing installs, pinned-version drift, first-turn install ordering, and doctor migration safety. (#80323, refs #80174) Thanks @100yenadmin.
 - Models/perf: pre-warm the provider auth-state map at gateway startup so `/models` and every model-listing call short-circuits the per-provider plugin / external-CLI discovery on the hot path. Per-call cost drops from ~20 s to ~5 ms (~4,100×); the one-time startup warm resets and re-warms after hot reloads. (#84816) Thanks @sjf.
+- Release/security: ship the root npm package and OpenClaw-owned npm plugins with generated shrinkwrap and require review for lockfile/shrinkwrap changes so published installs use locked dependency graphs.
 - Tests/perf: isolate doctor core health check unit coverage from real skills/workspace discovery so `doctor-core-checks` no longer dominates unit perf while keeping one real skills-readiness smoke. (#84493) Thanks @frankekn.
 
 ### Fixes
 
@@ -53,6 +53,48 @@ OpenClaw is both a product and an experiment: you're wiring frontier-model behav
 
 Start with the smallest access that still works, then widen it as you gain confidence.
 
+### Published package dependency lock
+
+OpenClaw source checkouts use `pnpm-lock.yaml`. The published `openclaw` npm
+package also includes `npm-shrinkwrap.json`, npm's publishable dependency
+lockfile, so package installs use the reviewed transitive dependency graph
+from the release instead of resolving a fresh graph at install time.
+
+This is a supply-chain hardening measure:
+
+- release installs are more reproducible;
+- transitive dependency updates become visible review surfaces;
+- the package tarball contains the dependency graph that release validators
+  checked;
+- `package-lock.json` stays out of the published package, because npm does not
+  treat it as the publishable lock contract.
+
+Shrinkwrap is not a sandbox and does not make every dependency trustworthy. It
+does not replace `openclaw security audit`, host isolation, npm provenance,
+signature/audit checks, or `--ignore-scripts` install smoke tests when those are
+appropriate. Treat it as a release reproducibility and review-control boundary.
+
+Maintainers should update and verify the shrinkwrap whenever the root package's
+published dependency graph changes:
+
+```bash
+pnpm deps:shrinkwrap:generate
+pnpm deps:shrinkwrap:check
+```
+
+Review `pnpm-lock.yaml`, `npm-shrinkwrap.json`, and any `package-lock.json`
+diff as security-sensitive. The package validators require shrinkwrap in new
+tarballs and reject `package-lock.json`.
+
+To inspect a published package:
+
+```bash
+npm pack openclaw@<version> --json --pack-destination /tmp/openclaw-pack
+tar -tf /tmp/openclaw-pack/openclaw-<version>.tgz | grep '^package/npm-shrinkwrap.json$'
+```
+
+Background: [npm-shrinkwrap.json](https://docs.npmjs.com/cli/v11/configuring-npm/npm-shrinkwrap-json).
+
 ### Deployment and host trust
 
 OpenClaw assumes the host and config boundary are trusted: