🐛 [Bug] Gateway crashing on plugin initialization due to empty dependencies in isolated package.json (npm v11 / Node v25)

[fnfscv]

🐛 [Bug] Gateway crashing on plugin initialization due to empty dependencies in isolated package.json (npm v11 / Node v25)

📌 Description

When initializing plugins, OpenClaw creates an isolated package.json for staging bundled runtime dependencies. However, it currently creates a package.json without a dependencies field:

{
  "name": "openclaw-runtime-deps-install",
  "private": true
}

When running with the latest Node v25.6.1 and npm v11, npm's arborist dedupe algorithm fails when parsing dependency trees without explicit versions, throwing a TypeError: Invalid Version: error.
This causes all plugins (telegram, browser, anthropic, etc.) to fail their dependency installation, resulting in a continuous gateway crash/restart loop.

🛠️ Root Cause

In /dist/bundled-runtime-deps-BdEAdjwi.js (or the corresponding source file), the package.json is hardcoded to omit dependencies, and the specs are passed directly via npm CLI arguments. In newer npm versions, building the ideal-tree in an empty package root with CLI specs causes version parsing to crash during deduping.

✅ Proposed Solution (Code Snippet)

Instead of an empty package, parse params.missingSpecs and populate the dependencies field in the generated package.json.

Before:

if (isolatedExecutionRoot) {
  fs.writeFileSync(path.join(installExecutionRoot, "package.json"),
    `${JSON.stringify({name:"openclaw-runtime-deps-install",private:true},null,2)}\n`, "utf8");
}

After:

if (isolatedExecutionRoot) {
  const __deps = {};
  for (const __s of params.missingSpecs) {
    const __i = __s.startsWith("@") ? __s.lastIndexOf("@") : __s.indexOf("@");
    if (__i > 0) __deps[__s.slice(0, __i)] = __s.slice(__i+1);
  }
  fs.writeFileSync(path.join(installExecutionRoot, "package.json"),
    `${JSON.stringify({name:"openclaw-runtime-deps-install",private:true,dependencies:__deps},null,2)}\n`,
    "utf8");
}

💻 Environment

• OS: macOS (Apple Silicon)
• Node: v25.6.1
• npm: v11.x
• OpenClaw version: 2026.4.24

By injecting the specs into the package.json, npm resolves the ideal-tree cleanly without raising the Invalid Version exception. I've tested this patch locally and it completely resolves the crash loop.

[Charpup]

Same bug also affects Node v22 / npm v10 — different symptom (destructive prune loop, not crash)

Confirming this bug also reproduces on Node v22.22.0 + npm v10, but with a different failure mode: instead of crashing, npm silently treats every package outside params.missingSpecs as extraneous and prunes it. Combined with concurrent lazy-stage triggers across multiple plugins, this creates a destructive perpetual loop — every 5–6 minutes a fresh cycle prunes the 87+ packages that the previous cycle just installed.

Environment

• OS: OpenCloudOS 9 (Linux 6.6.117-45.1)
• Node: v22.22.0
• npm: v10.x
• OpenClaw version: 2026.4.24

Symptom (no crash, but worse for production)

• Every 5–6 min, lazy-stage runs npm install --no-save <39 specs> against package.json with dependencies: {}
• npm dedupe parses fine on this older version, but classifies all other packages (from previously-staged plugins) as extraneous → prunes them
• Multi-plugin race: concurrent lazy-stage cycles mutually prune each other's deps (acpx / discord / feishu / kimi / memory-core / openai / qqbot / telegram all hit at once)
• spawnSync(npm) blocks event loop ~24–60s per cycle
• All channels (Discord, Feishu, etc.) HTTP/WS time out during the block
• Discord WebSocket session permanently degrades: close=1000 + resume=true loops, eventually invalid-session, resume=false

Forensic evidence

Direct command on a stuck deployment (before any mitigation):

$ cd /root/.openclaw && npm install --no-save chokidar@^5.0.0
added 2 packages, removed 87 packages

The removed 87 packages line is the smoking gun. Across cycles, packages like @anthropic-ai/sdk, @aws-sdk/client-bedrock, @google/genai, @mariozechner/pi-ai, @modelcontextprotocol/sdk, chokidar all get pruned and re-downloaded repeatedly.

Cache amplification effect

Because each cycle re-downloads from the registry, the npm cache balloons:

• /root/.npm/_cacache: ~10 GB (system npm cache)
• /root/.openclaw/plugin-runtime-deps/openclaw-2026.4.24-*/.openclaw-npm-cache: ~31 GB (plugin-side cache)
• Healthy baseline (single clean install): ~6–9 GB
• Cache bloat from this bug alone: ~25–35 GB on a 120 GB disk

Validation of the proposed fix

Manually applying the equivalent of the proposed patch on Node v22 / npm v10:

1. Read the authoritative manifest at /root/.openclaw/plugin-runtime-deps/openclaw-<version>-<hash>/.openclaw-runtime-deps.json (this file already contains the 39 version-locked specs)
2. Patch /root/.openclaw/package.json to declare those 39 entries in dependencies
3. Run npm install --legacy-peer-deps --no-package-lock --omit=dev

Result on this deployment:

• 383 packages added, 0 removed, 0 errors (the 0 removed confirms destructive prune is no longer triggered)
• Discord went from running, disconnected → running, connected and stayed up for hours

So the fix proposed in this issue (populate dependencies from params.missingSpecs) is the right one — it just also needs to land for the older Node/npm path because the destructive-prune symptom is far worse for production stability than the crash on Node 25.

Suggestion

Consider expediting the merge — the npm v11 crash is the obvious tip; the npm v10 destructive prune is a silent, slow-burn failure mode that has been costing users tens of GB of disk and hours of channel downtime per week.

Happy to share the systemd journal logs from the 2026-04-29 incident if useful.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. The report is actionable, current main still has the narrow empty-manifest omission in the helper targeted by the linked fix, and open PR #74966 explicitly links this issue for closure, so this issue should remain open until maintainers review, land, or supersede that PR.

Required change / next step:

Do not queue a competing ClawSweeper repair while open PR #74966 already carries the narrow implementation candidate for this issue; maintainer PR review is the next action.

Security review:

Security review: This is a non-PR issue triage, so no patch security review applies here; the linked dependency-installation PR should receive a normal supply-chain-sensitive review before merge.

Review details

Best possible solution:

Review PR #74966 against the current split runtime-deps materialization/install code, add or keep a regression test for empty generated manifests, validate the npm v10 destructive-prune and npm v11 crash paths if feasible, then land that fix or explicitly supersede it with an equivalent current-main patch.

Do we have a high-confidence way to reproduce the issue?

Yes for the shipped/reported path: the issue gives concrete OpenClaw, Node, npm, OS, and plugin-staging failure details, and the follow-up comment includes direct npm output showing packages being pruned. For current main, reproduction is incomplete without a targeted npm v10/v11 staging run.

Is this the best way to solve the issue?

Unclear. A manifest-backed full install plan is the right maintainable direction, but the exact linked PR should be reviewed against current main because the install path no longer matches the original release path one-for-one.

What I checked:

• current-manifest-helper: createNpmInstallExecutionManifest builds a dependency map from installSpecs but still conditionally omits the dependencies key when the generated map is empty. (src/plugins/bundled-runtime-deps-materialization.ts:157, ad7fa6c38774)
• current-install-path: The install context writes the generated package manifest before resolving and spawning the package manager, so the manifest shape is on the reported bundled runtime-deps staging path. (src/plugins/bundled-runtime-deps-install.ts:163, ad7fa6c38774)
• current-install-args: Current main now runs package-manager-neutral install args from the generated manifest rather than appending dependency specs to npm argv, which means the linked PR needs maintainer comparison against the changed main behavior. (src/plugins/bundled-runtime-deps-package-manager.ts:43, ad7fa6c38774)
• test-coverage-gap: Current tests assert non-empty generated manifests for external and isolated runtime-deps installs, but a search found no current-main regression test requiring an empty dependencies object. (src/plugins/bundled-runtime-deps.test.ts:503, ad7fa6c38774)
• shipped-release-context: The latest release tag v2026.4.27 still contains the same conditional dependencies omission in the monolithic bundled-runtime-deps implementation, along with npm CLI spec install handling on the shipped path. (src/plugins/bundled-runtime-deps.ts:1895, cbc2ba093146)
• linked-open-fix-pr: Provided GitHub context shows open, unmerged PR fix(plugins): always include dependencies field in isolated package.json for npm v11 compatibility #74966 titled 'fix(plugins): always include dependencies field in isolated package.json for npm v11 compatibility', with changes in bundled runtime deps code/tests and body text linking this issue for closure. (2e238a7de8cd)

Likely related people:

• clawsweeper[bot]: Blame for the current split materialization/install helpers and nearby tests points to commit 6dbaa0a, which carried the current runtime-deps implementation into this checkout. (role: introduced current implementation history marker; confidence: high; commits: 6dbaa0a27837; files: src/plugins/bundled-runtime-deps-materialization.ts, src/plugins/bundled-runtime-deps-install.ts, src/plugins/bundled-runtime-deps.test.ts)
• steipete: The latest shipped tag v2026.4.27 is the release commit by Peter Steinberger and contains the prior monolithic runtime-deps path relevant to the reported 2026.4.24 behavior. (role: release maintainer / adjacent follow-up owner; confidence: medium; commits: cbc2ba093146; files: src/plugins/bundled-runtime-deps.ts, CHANGELOG.md)
• vincentkoc: The active changelog credits @vincentkoc on Gateway and packaged-plugin reliability work including runtime-dependency repair, and the issue timeline shows vincentkoc was mentioned/subscribed for this report. (role: adjacent maintainer; confidence: medium; files: CHANGELOG.md, src/plugins/bundled-runtime-deps.ts)

Remaining risk / open question:

• No live Node v25/npm v11 or Node v22/npm v10 staging run was executed in this read-only review, so current-main runtime behavior is not end-to-end reproduced.
• Current main has already moved toward manifest-backed npm/pnpm installs without appending specs to npm argv, so PR fix(plugins): always include dependencies field in isolated package.json for npm v11 compatibility #74966 may need rebasing or adjustment before it is the exact best patch.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ad7fa6c38774.

[steipete]

Fixed on main in 2a54427. This will ride the next 2026.4.29 release rather than a 2026.4.27 backport.

The generated runtime-deps install manifest now always includes a dependencies object, including the empty-plan case, so npm does not crash on a missing field or treat active staged packages as extraneous during repair/install.

Verified:

• pnpm test src/plugins/bundled-runtime-deps.test.ts
• pnpm check:changed
• npm temp smoke confirming a full generated manifest plan keeps staged packages installed instead of pruning them