release: mirror bundled channel deps at root

[scoootscooob]

Summary

• Problem: bundled Slack, Telegram, Discord, and Feishu runtime packages were still imported from root dist/*.js chunks, but they were not mirrored in the root npm manifest.
• Why it matters: fresh installs and upgrades could ship a broken package that depended on best-effort postinstall recovery, which matched the missing-module failures in bug: npm install -g openclaw crashes - stageRuntimeDependencies not staging @buape/carbon and @larksuiteoapi/node-sdk #62749, postinstall-bundled-plugins fails silently without SSH client, leaving runtime deps missing #62952, [Bug]:install 4.8 failed: Cannot find module '@buape/carbon' #62994, and [Bug]: Openclaw 2026.4.8 Setup onboard Error (@slack/web-api @buape/carbon grammy) #63043.
• What changed: mirrored the root-resolved bundled channel deps into the root manifest, declared them through openclaw.releaseChecks.rootDependencyMirrorAllowlist, and hardened the npm postpublish verifier to check mirrored deps plus run the installed openclaw --version binary.
• What did NOT change (scope boundary): I did not change bundled plugin staging behavior for extension-local node_modules, nor the self-update flow from Web UI "Update" button corrupts installation — missing core files, gateway unable to start #62984.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes bug: npm install -g openclaw crashes - stageRuntimeDependencies not staging @buape/carbon and @larksuiteoapi/node-sdk #62749
• Related postinstall-bundled-plugins fails silently without SSH client, leaving runtime deps missing #62952
• Related [Bug]:install 4.8 failed: Cannot find module '@buape/carbon' #62994
• Related [Bug]: Openclaw 2026.4.8 Setup onboard Error (@slack/web-api @buape/carbon grammy) #63043
• This PR fixes a bug or regression

Root Cause (if applicable)

• Root cause: bundled channel/plugin code was code-split into root dist/*.js chunks that resolve packages from the package root, but the root npm manifest did not mirror those runtime dependencies.
• Missing detection / guardrail: the existing release checks only validated a small set of mirrored deps and the postpublish verify path did not exercise the installed openclaw binary or validate mirrored root deps from bundled extension manifests.
• Contributing context (if known): the package still relied on best-effort postinstall repair, so environments where that recovery path failed surfaced user-visible missing-module crashes.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: test/openclaw-npm-postpublish-verify.test.ts
• Scenario the test should lock in: bundled extensions that declare root-mirrored runtime deps must be satisfied by the installed package root manifest, and published install verification must reject drift.
• Why this is the smallest reliable guardrail: it validates the packaged manifest contract directly without needing a full publish cycle.
• Existing test that already covers this (if any): test/release-check.test.ts already covers the generic root-mirror allowlist rules.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

• npm installs now carry the bundled channel runtime deps that root dist/*.js chunks actually import, instead of relying on postinstall recovery to backfill them.
• Postpublish verification now fails if the installed package loses those mirrored deps or if the installed openclaw binary cannot report its version.

Diagram (if applicable)

Before:
[npm install openclaw] -> [root dist chunk imports bundled channel package] -> [package missing at root] -> [runtime crash unless postinstall recovers]

After:
[npm install openclaw] -> [root manifest already mirrors root-resolved bundled channel deps] -> [runtime import resolves] -> [binary smoke + postpublish verify catch drift]

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS 15.7.1 host
• Runtime/container: Node 25 host tooling, repo release scripts
• Model/provider: N/A
• Integration/channel (if any): Slack / Telegram / Discord / Feishu packaging surfaces
• Relevant config (redacted): N/A

Steps

1. Build the repo release artifact surfaces.
2. Run the packaging checks and postpublish verifier unit tests.
3. Confirm root dist/*.js imports are mirrored in the root manifest through extension allowlists.

Expected

• Release checks pass.
• The packaged manifest explicitly mirrors root-resolved bundled channel deps.
• Postpublish verification would fail if those mirrored deps drift again.

Actual

• pnpm release:check passed after pnpm build and pnpm ui:build.
• Targeted verifier tests passed.
• The four affected bundled extensions now declare the mirrored root deps they require.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: pnpm test test/openclaw-npm-postpublish-verify.test.ts, pnpm test test/release-check.test.ts, pnpm build, pnpm ui:build, pnpm release:check
• Edge cases checked: optional root mirror for @discordjs/opus; installed-package manifest drift detection for mirrored bundled deps
• What you did not verify: I did not fully re-test the separate Web UI self-update corruption path from Web UI "Update" button corrupts installation — missing core files, gateway unable to start #62984, and the local tarball global-install smoke was slower than the targeted release checks so I relied on the hardened verifier + release gate rather than waiting for that extra run.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Risks and Mitigations

• Risk: root dependency surface grows for the mirrored bundled channel packages.
  • Mitigation: each added mirror is now declared by the owning extension through rootDependencyMirrorAllowlist, checked by release-check, and validated again in postpublish verification.

[greptile-apps]

Greptile Summary

This PR fixes a class of missing-module crashes on fresh npm installs by mirroring the root-resolved runtime deps of four bundled channel extensions (Discord, Slack, Telegram, Feishu) into the root package.json, and by wiring those mirrors through an owned openclaw.releaseChecks.rootDependencyMirrorAllowlist field that a new postpublish verifier checks. The postpublish verifier also now smoke-tests the installed openclaw binary. All version specs are consistent between the extension manifests and the root manifest.

Confidence Score: 5/5

Safe to merge — fixes a real install-time crash with a well-scoped, verified change.

All findings are P2: one suggestion to surface malformed extension package.json parse errors instead of silently skipping them, and one suggestion to add a test for the version-spec mismatch branch. Neither blocks correct behavior today. The core logic (allowlist wiring, exact-spec matching, binary smoke-test) is correct and all version specs are consistent between extension manifests and the root.

No files require special attention.

Vulnerabilities

No security concerns identified. The change adds package metadata fields and a postpublish verification script; no new network calls, token handling, or execution surface is introduced.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: scripts/openclaw-npm-postpublish-verify.ts
Line: 100-113

Comment:
**Silent skip on malformed extension `package.json`**

When `JSON.parse` throws (e.g., a packaging step produces a truncated file), the catch block returns `[]`, so that extension's `rootDependencyMirrorAllowlist` is silently ignored and the mirrored-dep check passes for it. A corrupted `package.json` is itself a packaging failure worth surfacing — pushing an error string into the caller's errors array would prevent drift from going undetected. As written, a bad JSON file in `dist/extensions/*/package.json` causes the entire allowlist check for that extension to be skipped without any diagnostic.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: test/openclaw-npm-postpublish-verify.test.ts
Line: 62-126

Comment:
**No test for the version-spec mismatch branch**

The `collectInstalledMirroredRootDependencyManifestErrors` suite covers "missing root dep" and "dep in optionalDependencies" but never exercises the `rootSpec !== extensionSpec` branch (lines 165–169 of the script). A case where root declares `"^7.16.0"` while the extension declares `"^7.15.0"` would be silently missed. Adding a third `it` block that writes mismatched specs and asserts the version-mismatch error string would lock in that path.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "release: mirror bundled channel deps at ..." | Re-trigger Greptile}

[greptile-apps]

Silent skip on malformed extension package.json

When JSON.parse throws (e.g., a packaging step produces a truncated file), the catch block returns [], so that extension's rootDependencyMirrorAllowlist is silently ignored and the mirrored-dep check passes for it. A corrupted package.json is itself a packaging failure worth surfacing — pushing an error string into the caller's errors array would prevent drift from going undetected. As written, a bad JSON file in dist/extensions/*/package.json causes the entire allowlist check for that extension to be skipped without any diagnostic.

Prompt To Fix With AI

This is a comment left during a code review.
Path: scripts/openclaw-npm-postpublish-verify.ts
Line: 100-113

Comment:
**Silent skip on malformed extension `package.json`**

When `JSON.parse` throws (e.g., a packaging step produces a truncated file), the catch block returns `[]`, so that extension's `rootDependencyMirrorAllowlist` is silently ignored and the mirrored-dep check passes for it. A corrupted `package.json` is itself a packaging failure worth surfacing — pushing an error string into the caller's errors array would prevent drift from going undetected. As written, a bad JSON file in `dist/extensions/*/package.json` causes the entire allowlist check for that extension to be skipped without any diagnostic.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

No test for the version-spec mismatch branch

The collectInstalledMirroredRootDependencyManifestErrors suite covers "missing root dep" and "dep in optionalDependencies" but never exercises the rootSpec !== extensionSpec branch (lines 165–169 of the script). A case where root declares "^7.16.0" while the extension declares "^7.15.0" would be silently missed. Adding a third it block that writes mismatched specs and asserts the version-mismatch error string would lock in that path.

Prompt To Fix With AI

This is a comment left during a code review.
Path: test/openclaw-npm-postpublish-verify.test.ts
Line: 62-126

Comment:
**No test for the version-spec mismatch branch**

The `collectInstalledMirroredRootDependencyManifestErrors` suite covers "missing root dep" and "dep in optionalDependencies" but never exercises the `rootSpec !== extensionSpec` branch (lines 165–169 of the script). A case where root declares `"^7.16.0"` while the extension declares `"^7.15.0"` would be silently missed. Adding a third `it` block that writes mismatched specs and asserts the version-mismatch error string would lock in that path.

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6516538970

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Resolve installed binary from npm global bin path

The new binary smoke check hardcodes join(prefixDir, "bin", "openclaw"), but npm’s global bin location is platform-dependent ({prefix}/bin on Unix and {prefix} on Windows). On Windows this path will be wrong, so postpublish verification fails with ENOENT even when npm install -g --prefix ... succeeded. Resolve the bin path via npm’s global-bin logic (or branch on win32 and invoke openclaw.cmd).

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Fail verification when bundled manifest parsing fails

Bundled extension package.json parse failures are silently ignored (catch { return [] }), which means mirror checks are skipped for broken extensions instead of failing verification. If a published artifact contains a malformed dist/extensions/<id>/package.json, collectInstalledMirroredRootDependencyManifestErrors can incorrectly pass and miss dependency drift. This should report an explicit error for unreadable/invalid extension manifests.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9192a6e98f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Resolve installed CLI from npm global bin location

Fresh evidence in this commit: readInstalledBinaryVersion hardcodes execFileSync(join(prefixDir, "bin", "openclaw"), ...). npm’s global executable path is platform-specific, and on Windows the shim is created under the prefix root as openclaw.cmd rather than {prefix}/bin/openclaw, so this verifier reports ENOENT even after a successful npm install -g --prefix ...; that makes postpublish verification fail on Windows-only environments.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 86f293e643

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Fail when bundled extension manifest is absent

readBundledExtensionPackageJsons silently continues when dist/extensions/<id>/package.json is missing, so postpublish verification skips mirror checks for that extension entirely. In a packaging regression (or a dangling symlink that makes existsSync return false), this allows collectInstalledMirroredRootDependencyManifestErrors to pass even though the bundled extension artifact is incomplete and its required mirrored root dependencies were never validated.

Useful? React with 👍 / 👎.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Symlink-based path traversal when reading bundled extension manifests

1. 🟡 Symlink-based path traversal when reading bundled extension manifests

Property	Value
Severity	Medium
CWE	CWE-22
Location	scripts/openclaw-npm-postpublish-verify.ts:124-156

Description

The post-publish verification script walks dist/extensions/*/package.json and resolves real paths, but it does not ensure that the resolved extension directory stays within the package tree.

If an entry under dist/extensions is (or is treated as) a directory while actually being a symlink/junction to an arbitrary location, the script will:

• accept the entry (entry.isDirectory() may be true for symlinked dirs/junctions on some platforms/filesystems)
• compute packageJsonPath under that entry and existsSync / lstatSync it
• realpathSync(extensionDirPath) and realpathSync(packageJsonPath) will then resolve to the external target
• the relative check only verifies package.json is within the resolved extension directory, not that the extension directory is within dist/extensions

This allows reading and JSON.parse of files outside the installed package tree (information exposure) and can also cause denial of service (e.g., by pointing at special files or very large directories, though the manifest size check only applies after following the parent path).

Vulnerable code:

const extensionDirPath = join(extensionsDir, entry.name);
...
const realExtensionDirPath = realpathSync(extensionDirPath);
const realPackageJsonPath = realpathSync(packageJsonPath);

Recommendation

Harden the directory traversal logic by rejecting symlinked extension directories and ensuring the real path stays under the real dist/extensions root.

Suggested fix:

const realExtensionsDir = realpathSync(extensionsDir);

for (const entry of readdirSync(extensionsDir, { withFileTypes: true })) {
  const extensionDirPath = join(extensionsDir, entry.name);

  ​// Reject symlinks/junctions explicitly
  const extStat = lstatSync(extensionDirPath);
  if (!extStat.isDirectory() || extStat.isSymbolicLink()) continue;

  const realExtensionDirPath = realpathSync(extensionDirPath);
  if (!realExtensionDirPath.startsWith(realExtensionsDir + require("node:path").sep)) {
    errors.push(`bundled extension directory resolves outside extensions root: ${extensionDirPath}`);
    continue;
  }

  ​// then resolve/validate package.json as you already do
}

This prevents reading manifests from locations outside the package root even if symlinks/junctions are present.

---

Analyzed PR: #63065 at commit ac26799

_{Last updated on: 2026-04-08T11:04:17Z}

[scoootscooob]

Merged via squash.

• Prepared head SHA: ac26799a54088b811d3dae926f5c47b4dcf10f9a
• Merge commit: d52d5ad6ff9f6bc56cd1c88f347c78ed46e6e986

Thanks @scoootscooob!

[powerdot]

Thank you, @scoootscooob ✨

[tonydehnke]

Do we need to wait for a new version to be released to do a clean safe install?

[powerdot]

Do we need to wait for a new version to be released to do a clean safe install?

Yes, or you just can copy package.json content to your current version and run npm i