Fix npm global install deprecation warnings

[vincentkoc]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: npm install -g openclaw@latest on Node 22 + npm 10 emits multiple deprecation warnings from transitive dependencies.
• Why it matters: install noise looks like unresolved security/runtime debt and causes confusion in first-run setup.
• What changed:
  • moved @discordjs/opus from optionalDependencies to optional peer dependency (still supported at runtime, but no longer auto-installed)
  • bumped node-llama-cpp peer from 3.15.1 to 3.16.2 (removes old cmake-js/npmlog/tar@6 chain)
  • pinned Google auth stack versions to warning-free releases via direct deps + pnpm overrides (google-auth-library@10.5.0, gaxios@7.1.2, alias node-domexception -> @nolyfill/domexception)
• What did NOT change (scope boundary): no changes to runtime command behavior or channel logic; this PR only adjusts dependency resolution/install footprint.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Deprecated npm dependencies warnings on install (v2026.2.24) #26816
• Related Fix deprecated npm install warnings (#26816) #26853

User-visible / Behavior Changes

• Fresh global installs (npm install -g openclaw@latest) no longer emit the previously observed deprecation warnings in the tested Node 22 + npm 10 setup.
• Discord native opus decoder is no longer auto-installed; OpenClaw keeps @discordjs/opus support when present and falls back to opusscript otherwise (existing runtime fallback path).

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS (repro command emulates package install behavior used on Windows report)
• Runtime/container: Node 22.20.0, npm 10.9.4 (via npx -y npm@10)
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): isolated temp npm_config_prefix + npm_config_cache

Steps

1. npm pack --ignore-scripts from this branch
2. npx -y npm@10 install -g ./openclaw-2026.2.26.tgz --loglevel=warn in isolated temp prefix/cache
3. Check install log for npm warn deprecated

Expected

• No deprecation warnings.

Actual

• No deprecation warnings observed after this change set.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Before (current main package tarball):

tar@6.2.1, rimraf@3.0.2, npmlog@6.0.2, npmlog@5.0.1, node-domexception@1.0.0,
inflight@1.0.6, glob@7.2.3, glob@10.5.0, gauge@4.0.4, gauge@3.0.2,
are-we-there-yet@3.0.1, are-we-there-yet@2.0.0

After (this branch package tarball):

NO_DEPRECATED_WARNINGS

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • repeated clean npm@10 global installs from packed artifact with isolated prefix/cache
  • warning set after each commit to confirm staged reduction
• Edge cases checked:
  • ensured src/memory/embeddings.test.ts still passes after node-llama-cpp peer bump
• What you did not verify:
  • end-to-end runtime tests for every provider/channel
  • Windows-native shell run (install semantics validated via npm 10 CLI flow)

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly:
  • revert this PR, then republish next patch release
• Files/config to restore:
  • package.json
  • pnpm-lock.yaml
• Known bad symptoms reviewers should watch for:
  • unexpected provider auth regressions from google-auth-library pin
  • environments relying on auto-installed @discordjs/opus

Risks and Mitigations

• Risk: pinning google-auth-library / gaxios below latest could miss upstream bugfixes.
  • Mitigation: pinned within semver-compatible range for @google/genai, kept change narrow, and validated install behavior + targeted unit tests.
• Risk: moving @discordjs/opus to optional peer changes install defaults.
  • Mitigation: runtime already has explicit opusscript fallback path; native package remains supported when users install it.

[greptile-apps]

Greptile Summary

Eliminates npm install deprecation warnings by pinning Google auth dependencies to warning-free versions, bumping node-llama-cpp peer dependency, and converting @discordjs/opus to an optional peer dependency.

Key changes:

• Pinned google-auth-library@10.5.0 and gaxios@7.1.2 via direct dependencies and pnpm overrides
• Aliased node-domexception to @nolyfill/domexception to avoid deprecated package
• Bumped node-llama-cpp peer from 3.15.1 to 3.16.2 (removes old cmake-js/npmlog/tar@6 chain)
• Moved @discordjs/opus from optionalDependencies to optional peer dependency (runtime fallback to opusscript already exists in src/discord/voice/manager.ts:157-184)

Verification needed:

• Google Chat extension requires google-auth-library@^10.6.1 but will be forced to use 10.5.0 via pnpm override - verify no regressions

Confidence Score: 4/5

• Safe to merge after verifying Google Chat functionality with downgraded google-auth-library version
• Changes are well-structured and tested for install warnings. The @discordjs/opus move is safe (verified fallback exists), node-llama-cpp bump was tested. Minor concern: google-auth-library downgrade from 10.6.1 to 10.5.0 via override needs runtime verification for Google Chat extension
• Verify Google Chat extension still works with google-auth-library@10.5.0 (extension expects ^10.6.1)

_{Last reviewed commit: 130fef7}

[greptile-apps]

_{2 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

extensions/googlechat/package.json
verify Google Chat still works - pnpm override forces google-auth-library down to 10.5.0 but this extension specifies ^10.6.1

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/googlechat/package.json
Line: 8

Comment:
verify Google Chat still works - pnpm override forces `google-auth-library` down to `10.5.0` but this extension specifies `^10.6.1`

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e627ee4178

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[vincentkoc]

Addressed the review point about google-auth-library override scope in 9ace237b6:

• Removed global pnpm.overrides entries for google-auth-library and gaxios.
• Kept root direct deps pinned (google-auth-library@10.5.0, gaxios@7.1.2) so global install deprecation warnings stay fixed.
• Verified lockfile now resolves extensions/googlechat at its declared google-auth-library@10.6.1 (no workspace version skew).

Also pushed 031ad8725 to finish Dependabot tuning:

• interval: daily across update ecosystems.
• cooldown.default-days: 2 preserved.
• registries.npm-npmjs retained with token auth.

Validated .github/dependabot.yml against the Dependabot v2 schema.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 031ad8725f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[vincentkoc]

Addressed in 11ad688ad:

• Moved @discordjs/opus back to optionalDependencies.
• Removed it from peerDependencies/peerDependenciesMeta.
• Regenerated lockfile so root importer uses optionalDependencies and @discordjs/opus snapshots are marked optional: true again.

This restores failure-tolerant pnpm install semantics for contributors/CI.

Note: this does reintroduce npm deprecation warnings from the @discordjs/node-pre-gyp chain during npm@10 install -g (inflight, npmlog, rimraf, are-we-there-yet, glob, gauge, tar). I can follow up with a separate approach if we want both optional install semantics and warning-free global installs.