openclaw update silently downgrades and rewrites pinned direct-dependency versions

[Kaspre]

Problem

openclaw update --tag <version> overwrites a user-pinned version of @martian-engineering/lossless-claw in ~/.openclaw/npm/package.json and reinstalls the version Openclaw considers bundled with the target release. There is no warning, no --allow-downgrade style gate, and no way to opt out short of editing package.json again post-install.

When the bundled version is older than what the user had pinned, this is a silent downgrade — installed packages move backward across an openclaw update run, including past hotfix releases that were applied deliberately.

Reproduction

Starting state (verified):

• Openclaw 2026.5.19 installed
• ~/.openclaw/npm/package.json dependencies contains "@martian-engineering/lossless-claw": "0.11.2" (the current npm dist-tag latest, published 2026-05-20)
• node_modules/@martian-engineering/lossless-claw/package.json reports "version": "0.11.2"

Action:

openclaw update --tag 2026.5.20 --no-restart --yes

Observed (from update's own stdout):

Installing @martian-engineering/lossless-claw@0.10.0 into /home/captain/.openclaw/npm…

Post-update state:

• ~/.openclaw/npm/package.json dependencies now contains "@martian-engineering/lossless-claw": "0.10.0" (rewritten by openclaw update)
• node_modules/@martian-engineering/lossless-claw/package.json reports "version": "0.10.0" (downgraded from 0.11.2)

Versions 0.11.0, 0.11.1, and 0.11.2 — all published before the update was run — were silently skipped, and the previously-installed 0.11.2 was replaced by 0.10.0.

pnpm-lock.yaml still carries the 0.11.2 resolution entry, so the lockfile and package.json are inconsistent after the update.

LCM 0.11.2's peerDependency declares "openclaw": ">=2026.5.12", so the downgrade isn't required for 2026.5.20 compatibility — 0.11.2 is a valid choice.

Expected behavior

Two related expectations, the first stronger than the second:

1. openclaw update should never silently downgrade an installed dependency. If the bundled version is older than what is installed, the update should at minimum warn loudly and require a flag to proceed. Today the only signal is one line of stdout among hundreds, and the user discovers the regression after the fact when missing fixes resurface.

2. If a user has explicitly pinned a dependency in package.json, openclaw update should probably respect the pin rather than rewriting it, even when the pin is higher than the bundled version. The pin is an expression of intent. If respecting the pin would violate a peerDependency constraint of the target Openclaw release, that's a separate conversation worth surfacing (warning, prompt, dedicated flag) rather than silently overriding.

The downgrade-prevention case is the unambiguous half; the respect-the-pin case has more nuance and is open to design.

Impact

• LCM 0.11.2 contains hotfixes (Add Deepgram transcription support #712, [Bug]: Clawdbot control on web is very buggy on mobile #714, Agents: prevent silent message-tool drops #717) that were applied deliberately. An openclaw update to 2026.5.20 silently reverts to 0.10.0 and reintroduces the bugs those hotfixes addressed, with no message that a downgrade occurred.
• The same pattern would affect any other bundled-plugin dependency whose user-pinned version is newer than what the target Openclaw release considers bundled. LCM is the visible case today; the mechanism is general.
• After the update, package.json and pnpm-lock.yaml disagree about the resolved version, leaving the install in a state where a pnpm install --frozen-lockfile and a fresh pnpm install would produce different trees.

Notes

• PR fix: preserve managed plugin peer dependencies #81435 ("preserve managed plugin peer dependencies") and PR fix: plan managed npm peer pins with npm #81450 ("plan managed npm peer pins with npm") landed in the same area but target peer dependencies. @martian-engineering/lossless-claw appears as a direct entry in dependencies (not in managedPeerDependencies), so the recent fixes don't cover this path.
• The Openclaw tarball for 2026.5.20 does not list @martian-engineering/lossless-claw in either dependencies or peerDependencies, so the 0.10.0 version is being supplied from a bundled-plugin manifest internal to openclaw update. I haven't traced the exact source path; happy to dig if it's useful.

Environment: Linux 6.6.114.1-microsoft-standard-WSL2, Node v26.1.0, pnpm v10.33.4, openclaw 2026.5.20.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main and the latest shipped tag still let externalized bundled-plugin sync install the bridge npm spec and overwrite the managed npm root direct dependency, so a newer user pin can be replaced. The related peer-dependency PRs do not cover this direct dependency path.

Reproducibility: yes. The issue has a high-confidence source reproduction path: an enabled persisted bundled bridge with an older npm spec flows into installPluginFromNpmSpec, whose managed npm root writer overwrites the existing package dependency.

Next step
This is a valid, bounded update-path bug with clear likely files and a focused regression-test shape.

Review details

Best possible solution:

Keep this open and land a narrow update-path fix that preserves or explicitly blocks newer compatible managed npm direct dependencies during externalized bundled-plugin sync, with regression coverage for the Lossless Claw shape.

Do we have a high-confidence way to reproduce the issue?

Yes. The issue has a high-confidence source reproduction path: an enabled persisted bundled bridge with an older npm spec flows into installPluginFromNpmSpec, whose managed npm root writer overwrites the existing package dependency.

Is this the best way to solve the issue?

Yes for the downgrade-prevention half: the best fix is a narrow guard in externalized bundled-plugin sync or managed npm root planning before writing the dependency. The broader respect-all-pins behavior should stay out of scope unless maintainers choose that policy explicitly.

Label changes:

• add P1: The latest update path can silently replace a deliberately pinned plugin hotfix with an older dependency version during a normal update.
• add impact:data-loss: The issue is about OpenClaw rewriting user-maintained dependency state in the managed npm root package manifest.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The latest update path can silently replace a deliberately pinned plugin hotfix with an older dependency version during a normal update.
• impact:data-loss: The issue is about OpenClaw rewriting user-maintained dependency state in the managed npm root package manifest.

Acceptance criteria:

• node scripts/run-vitest.mjs src/plugins/update.test.ts src/infra/npm-managed-root.test.ts
• node scripts/run-vitest.mjs src/cli/update-cli.test.ts
• git diff --check

What I checked:

• Current main derives the externalized plugin install spec from old bundled registry metadata: listPersistedBundledPluginLocationBridges builds a bridge only from enabled persisted bundled records, then uses the official catalog npm spec or the old record packageInstall.npm.spec as the install target. (src/cli/plugins-location-bridges.ts:26, b8e9ab9385c0)
• Current main installs that bridge npm spec during post-core update sync: syncPluginsForUpdateChannel calls installPluginFromNpmSpec({ spec: npmSpec, mode: "update" }) for externalized bundled plugin bridges; there is no check against a newer managed npm root dependency before this call. (src/plugins/update.ts:1961, b8e9ab9385c0)
• Managed npm root writes replace the dependency entry: upsertManagedNpmRootDependency preserves existing dependencies but then assigns [params.packageName]: params.dependencySpec, which overwrites a user's existing direct pin for the same package. (src/infra/npm-managed-root.ts:268, b8e9ab9385c0)
• Shipped release has the same update behavior: The latest release tag v2026.5.20 contains the same externalized bridge install path and the same dependency overwrite in managed npm root writes. (src/plugins/update.ts:1961, e510042870cf)
• Shipped docs already treat downgrades as confirmation-worthy: openclaw update docs say downgrades require confirmation because older versions can break configuration, which supports treating silent plugin dependency downgrade as a real update-path bug. Public docs: docs/cli/update.md. (docs/cli/update.md:60, e510042870cf)
• Dependency metadata supports the reporter's compatibility claim: npm reports @martian-engineering/lossless-claw latest as 0.11.2, and 0.11.2 declares peerDependencies.openclaw: >=2026.5.12; it is not inherently incompatible with OpenClaw 2026.5.20.

Likely related people:

• @steipete: git log -S syncPluginsForUpdateChannel shows Peter introduced channel-synced plugin updates in 99fc0fbac1eff73a52842f4bf7a8ac26da139b7c, and the related context shows him authored the managed npm peer planner PR. (role: feature-history owner; confidence: high; commits: 99fc0fbac1ef, d9ff8cfb012e; files: src/plugins/update.ts, src/infra/npm-managed-root.ts)
• martingarramon: Current-main blame for the externalized bridge sync, post-core update call, and managed npm root dependency upsert points to 7f4462e5c06d5b87c8eee4380dec1eff9fcbf691 in this checkout. (role: recent current-main contributor; confidence: medium; commits: 7f4462e5c06d; files: src/plugins/update.ts, src/infra/npm-managed-root.ts, src/cli/plugins-location-bridges.ts)
• @shakkernerd: The related peer-dependency preservation PR touched src/infra/npm-managed-root.ts, which is part of the same managed npm root write path implicated here. (role: adjacent recent contributor; confidence: medium; commits: 402b0df3b675; files: src/infra/npm-managed-root.ts)

Remaining risk / open question:

• I did not run a mutating openclaw update --tag against a real user install; the reproduction is source-backed plus npm metadata-backed.
• The broader request to respect every direct pin may need a separate policy choice, but preventing silent downgrades of newer compatible direct dependencies is narrow enough to fix.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b8e9ab9385c0.