Split diffs Shiki language pack

[RomneyDa]

Summary

• Split the diffs viewer Shiki runtime into a curated default bundle plus an optional diffs-language-pack plugin for extended languages.
• Keep common languages highlighted out of the box and degrade other language hints to plain text unless the language pack plugin and generated runtime asset are available.
• Add language-pack plugin source/package metadata, official install-catalog coverage, asset build scripts, docs, generated plugin inventory/reference docs, and targeted tests for language selection and asset serving.
• Warn without blocking when diffs-language-pack is installed but its required diffs plugin is not discoverable.
• Expand the default highlighted language set to cover Ruby, Swift, Kotlin, R, Dart, Lua, PowerShell, XML, and TOML while preserving a 55.45% gzip reduction for the default viewer runtime.

Default languages

The default diffs viewer highlights: javascript, typescript, tsx, jsx, json, markdown, yaml, css, html, sh, python, go, rust, java, c, cpp, csharp, php, sql, docker, ruby, swift, kotlin, r, dart, lua, powershell, xml, and toml.

Common aliases such as js, ts, bash, md, yml, c++, dockerfile, rb, kt, and ps1 normalize to those default languages. Other languages use diffs-language-pack when installed; otherwise they stay readable as plain text.

Bundle size metrics

Measured with node using raw byte length, zlib.gzipSync(..., { level: 9 }), and zlib.brotliCompressSync(..., { BROTLI_PARAM_QUALITY: 11 }) after rebuilding both viewer runtimes. The full language-pack runtime is generated ad hoc by extensions/diffs-language-pack/scripts/build-viewer.mjs; it is intentionally not committed.

Overall default viewer runtime

This compares the default shipped diffs viewer runtime on origin/main against the new default shipped runtime in this PR.

Runtime	Raw bytes	gzip bytes	brotli bytes
Before: original default extensions/diffs/assets/viewer-runtime.js	9,899,054	1,726,255	1,131,149
After: current extensions/diffs/assets/viewer-runtime.js	4,705,100	769,052	493,011
Reduction	5,193,954	957,203	638,138
Reduction percent	52.47%	55.45%	56.42%

Shiki language runtime split

This compares the generated full language-pack runtime against the curated default runtime that remains bundled with the diffs plugin.

Runtime	Raw bytes	gzip bytes	brotli bytes
Full language-pack runtime generated by extensions/diffs-language-pack/scripts/build-viewer.mjs	9,958,851	1,728,053	1,135,069
Curated default diffs runtime (extensions/diffs/assets/viewer-runtime.js)	4,705,100	769,052	493,011
Reduction	5,253,751	959,001	642,058
Reduction percent	52.75%	55.50%	56.57%

Verification

• pnpm --dir extensions/diffs build:viewer
• pnpm --dir extensions/diffs-language-pack build:viewer
• node scripts/run-vitest.mjs src/plugins/official-external-plugin-catalog.test.ts src/cli/plugin-install-plan.test.ts src/cli/plugins-cli.install.test.ts extensions/diffs/src/language-hints.test.ts extensions/diffs/src/render.test.ts extensions/diffs/src/config.test.ts extensions/diffs/src/store.test.ts extensions/diffs/src/browser.test.ts test/scripts/oxlint-config.test.ts (199 tests passed)
• node scripts/run-vitest.mjs test/scripts/bundled-plugin-assets.test.ts test/plugin-npm-release.test.ts test/plugin-npm-package-manifest.test.ts test/scripts/runtime-postbuild.test.ts (61 tests passed)
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json extensions/diffs/api.ts extensions/diffs/index.ts extensions/diffs/runtime-api.ts extensions/diffs/src extensions/diffs/scripts extensions/diffs-language-pack/api.ts extensions/diffs-language-pack/index.ts extensions/diffs-language-pack/src extensions/diffs-language-pack/scripts src/plugins/official-external-plugin-catalog.test.ts test/scripts/runtime-postbuild.test.ts
• node scripts/generate-plugin-inventory-doc.mjs --check
• git diff --check
• CI follow-up: node scripts/build-all.mjs ciArtifacts
• CI follow-up: node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental false
• CI follow-up: node scripts/run-tsgo.mjs -p tsconfig.extensions.json --incremental false
• CI follow-up: node scripts/run-vitest.mjs run --config test/vitest/vitest.contracts-plugin.config.ts src/plugins/contracts/extension-runtime-dependencies.contract.test.ts (374 tests passed)
• CI follow-up: node scripts/run-vitest.mjs run --config test/vitest/vitest.runtime-config.config.ts src/config/config.plugin-validation.test.ts src/config/io.best-effort.test.ts src/config/io.compat.test.ts (50 tests passed)
• CI follow-up: node scripts/run-vitest.mjs run --config test/vitest/vitest.wizard.config.ts src/wizard/setup.official-plugins.test.ts (6 tests passed)
• CI follow-up: node scripts/generate-npm-shrinkwrap.mjs --package-dir extensions/diffs --check and node scripts/generate-npm-shrinkwrap.mjs --package-dir extensions/diffs-language-pack --check
• CI follow-up: pnpm install --lockfile-only --frozen-lockfile
• CI follow-up: pnpm dlx knip --config config/knip.config.ts --production --no-progress --reporter compact --files --dependencies (no unused dependency findings remain; existing unrelated unused-file findings still reported)
• Required-plugin warning follow-up: node scripts/run-vitest.mjs run src/plugins/discovery.test.ts (70 tests passed)
• Required-plugin warning follow-up: node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental false
• Required-plugin warning follow-up: pnpm format:docs:check docs/plugins/manifest.md
• Required-plugin warning follow-up: git diff --check
• Default-language split follow-up: node scripts/build-diffs-viewer-runtime.mjs curated
• Default-language split follow-up: node scripts/build-diffs-viewer-runtime.mjs full (generated full runtime measured, not committed)
• Default-language split follow-up: node scripts/run-vitest.mjs run extensions/diffs/src/language-hints.test.ts extensions/diffs/src/render.test.ts extensions/diffs/src/config.test.ts (55 tests passed)
• Default-language split follow-up: node scripts/run-tsgo.mjs -p tsconfig.extensions.json --incremental false
• Default-language split follow-up: pnpm format:docs:check docs/tools/diffs.md docs/plugins/manifest.md
• Default-language split follow-up: git diff --check

ClawSweeper follow-up

• Added diffs-language-pack to scripts/lib/official-external-plugin-catalog.json so openclaw plugins install diffs-language-pack resolves to @openclaw/diffs-language-pack for released installs.
• Added catalog coverage in src/plugins/official-external-plugin-catalog.test.ts.
• Moved viewer asset builds to a Node-based root build helper so CI no longer requires Bun and the optional language-pack package does not carry generated runtime or build-tool dependencies.
• Updated runtime postbuild static-asset expectations for the optional language-pack runtime metadata.

Real behavior proof

Behavior addressed: default diffs viewer no longer ships the full Shiki language runtime; languages outside the default list use the optional diffs-language-pack runtime when that plugin and generated runtime asset are available.

Real environment tested: local Codex worktree on macOS with Node repo wrappers; CI follow-up fixes are pending a fresh GitHub run after the next push.

Exact steps or command run after this patch: see Verification.

Evidence after fix: targeted diffs language/render/asset tests, official catalog install-resolution tests, and plugin package/static asset contract tests passed; both viewer runtimes rebuilt and measured.

Observed result after fix: common source, config, and documentation languages stay in the default runtime, other language hints fall back to text without the generated language-pack runtime, the language-pack viewer asset is selected only when available, and the documented bare install command has official catalog coverage.

What was not tested: full release/package publishing was not run locally. test/tsconfig/tsconfig.extensions.test.json still has an unrelated existing type failure in extensions/memory-core/src/dreaming.test.ts.

[github-actions]

Dependency Changes Detected

This PR changes dependency-related files. Maintainers should confirm these changes are intentional.

Changed files:

• extensions/diffs-language-pack/npm-shrinkwrap.json
• extensions/diffs-language-pack/package.json
• extensions/diffs/npm-shrinkwrap.json
• extensions/diffs/package.json
• package.json
• pnpm-lock.yaml

Maintainer follow-up:

• Review whether the dependency changes are intentional.
• Inspect resolved package deltas when lockfile, shrinkwrap, or workspace dependency policy changes are present.
• Treat package-lock.json and npm-shrinkwrap.json diffs as security-review surfaces.
• Run pnpm deps:changes:report -- --base-ref origin/main --markdown /tmp/dependency-changes.md --json /tmp/dependency-changes.json locally for detailed release-style evidence.

[clawsweeper]

Codex review: needs changes before merge. Reviewed May 27, 2026, 1:08 PM ET / 17:08 UTC.

Summary
Splits the diffs viewer Shiki runtime into a curated bundled runtime plus an optional diffs-language-pack plugin, with manifest, catalog, docs, build, dependency, asset, and test updates.

PR surface: Source +577, Tests +227, Docs +42, Config +58, Other +156. Total +1060 across 44 files.

Reproducibility: not applicable. this is a feature and packaging split rather than a bug report. The relevant check is upgrade/package compatibility, not reproducing a current-main failure.

Review metrics: 2 noteworthy metrics.

• Plugin contract surfaces: 1 manifest field added, 1 official plugin catalog entry added. The new requiresPlugins metadata and install catalog entry define released-host behavior for plugin authors and users.
• Dependency/build surfaces: 6 dependency-related files changed. Root dependencies, plugin shrinkwrap, and lockfile changes are security and release-package review surfaces before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Align language-pack version, build, install, and compat metadata with the host release that ships this support.
• Resolve or explain the reported Blacksmith gateway-watch-regression failure on the current head.
• Complete maintainer dependency review for the lockfile and shrinkwrap changes.

Mantis proof suggestion
A visible browser proof would materially help confirm common-language diffs use the curated runtime and uncommon-language diffs use the optional language-pack runtime when installed. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: verify diffs viewer uses the curated runtime for a common language and the language-pack runtime for an uncommon language when the plugin is installed.

Risk before merge

• The language-pack package advertises compatibility with older hosts even though the manifest warning and diffs runtime selection support are added in this PR.
• Without the optional plugin, non-default languages intentionally degrade to plain text; maintainers should explicitly accept that user-visible compatibility tradeoff for existing diffs users.
• The latest included Blacksmith report still shows a gateway watch regression failure, so automation proof is not clean yet.
• The PR changes lockfile/shrinkwrap and build dependency surfaces, which need maintainer supply-chain review before merge.

Maintainer options:

1. Fix release metadata and rerun gates (recommended)
   Align the language-pack install, compat, build, and shrinkwrap version floors with the host release that ships this support, then refresh the failing CI lane.
2. Accept an older-host no-op window
   Maintainers may intentionally keep the lower floor only if they are comfortable publishing a plugin that can install on older hosts without providing the documented language-pack behavior.
3. Pause for packaging proof
   Pause the PR until package install/update proof demonstrates the external plugin resolves and serves its generated runtime across fresh install and upgrade paths.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Align `extensions/diffs-language-pack/package.json`, `extensions/diffs-language-pack/npm-shrinkwrap.json`, and the official catalog test data so `diffs-language-pack` cannot advertise support for hosts older than the release that contains this PR's manifest and diffs runtime support; do not change runtime behavior or unrelated dependency versions.

Next step before merge
A narrow automated repair can align the language-pack release metadata; maintainer review is still needed afterward for the compatibility, dependency, and CI tradeoffs.

Security
Needs attention: No malicious code is evident from the inspected diff, but the PR changes lockfile/shrinkwrap and new build-dependency surfaces that need maintainer supply-chain review.

Review findings

• [P2] Align the language-pack host floor — extensions/diffs-language-pack/package.json:25-28

Review details

Best possible solution:

Land only after the language-pack release metadata matches the first host release containing the manifest/runtime support, CI and dependency review are clean, and maintainers accept the intentional plain-text fallback for non-default languages.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a feature and packaging split rather than a bug report. The relevant check is upgrade/package compatibility, not reproducing a current-main failure.

Is this the best way to solve the issue?

No, not as-is: the runtime split is a reasonable direction, but the package release floor currently advertises compatibility before the host-side support exists. The narrower fix is to align the external plugin metadata and prove fresh-install plus upgrade behavior before merge.

Full review comments:

• [P2] Align the language-pack host floor — extensions/diffs-language-pack/package.json:25-28
  The new language-pack package still advertises minHostVersion >=2026.4.30 and pluginApi >=2026.5.26, but this PR relies on host changes that are introduced alongside it: requiresPlugins parsing/diagnostics and diffs runtime selection for the optional pack. Publishing this metadata can let older hosts install a plugin that does not provide the documented behavior, so please raise the install/compat/build metadata and shrinkwrap to the first host release that ships this support.
  Confidence: 0.89

Overall correctness: patch is incorrect
Overall confidence: 0.84

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 11dfef201f81.

Label changes

Label justifications:

• P2: This is a normal-priority feature/packaging improvement with a bounded compatibility blocker rather than an urgent production regression.
• merge-risk: 🚨 compatibility: The optional plugin can be installed on older advertised hosts even though the host-side behavior it needs is introduced by this PR.
• merge-risk: 🚨 automation: The PR changes generated viewer-runtime build flows and the latest included CI report still shows a gateway watch regression failure.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is member/maintainer-handled PR work, so the external contributor proof gate does not apply; the body provides local build/test evidence but not full package-publishing proof.

Evidence reviewed

PR surface:

Source +577, Tests +227, Docs +42, Config +58, Other +156. Total +1060 across 44 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	20	681	104	+577
Tests	8	229	2	+227
Docs	6	43	1	+42
Config	4	59	1	+58
Generated	0	0	0	0
Other	6	156	0	+156
Total	44	1168	108	+1060

Security concerns:

• [low] Review changed package-resolution inputs — package.json:1852
  The PR adds root Shiki/esbuild build dependencies and changes dependency-related lock/shrinkwrap files; repo policy treats lockfiles and shrinkwrap as security surfaces, so maintainers should inspect the dependency delta before merge.
  Confidence: 0.78

Acceptance criteria:

• node scripts/run-vitest.mjs src/plugins/official-external-plugin-catalog.test.ts test/plugin-npm-package-manifest.test.ts test/plugin-npm-release.test.ts test/scripts/runtime-postbuild.test.ts
• node scripts/generate-npm-shrinkwrap.mjs --package-dir extensions/diffs-language-pack --check
• git diff --check

What I checked:

• Repository policy read: Read the full root AGENTS.md and scoped guides for docs, extensions, scripts, and plugin discovery; the compatibility and dependency-review rules apply to this PR. (AGENTS.md:19, 11dfef201f81)
• New package metadata advertises an older host floor: The new language-pack package sets version/build metadata to 2026.5.26 and install minHostVersion to >=2026.4.30 even though the host support is introduced by this PR. (extensions/diffs-language-pack/package.json:25, ca00152ddf32)
• Current host version differs from the new package floor: Current main is already version 2026.5.27, which is the host line this PR builds against. (package.json:3, 11dfef201f81)
• Host-side manifest contract is new in this PR: The branch adds requiresPlugins to the parsed plugin manifest contract, so released-host compatibility must match the first host release that understands this metadata. (src/plugins/manifest.ts:291, ca00152ddf32)
• Runtime selection depends on same-PR diffs changes: The diffs plugin only marks the language pack available after checking sibling plugin files and generated runtime assets, which current releases do not contain as a coordinated split. (extensions/diffs/src/plugin.ts:79, ca00152ddf32)
• CI status in discussion: The latest included Blacksmith comment reports a gateway-watch-regression failure, so the automation-sensitive build/runtime split still needs a fresh green run or an unrelated-failure determination. (ca00152ddf32)

Likely related people:

• mbelinky: Current-main blame for the diffs plugin and plugin manifest files in this checkout points to Mariano's recent merged baseline commit, making them a useful routing candidate for diffs/plugin behavior context. (role: recent area contributor; confidence: medium; commits: f3fe48e8b791, c9d4f7e35c49; files: extensions/diffs/src/tool.ts, extensions/diffs/src/render.ts, src/plugins/manifest.ts)
• steipete: Peter has recent current-main release/package commits and also appears in this PR's branch history for preparing the language-pack package for external publishing. (role: release/package adjacent owner; confidence: high; commits: 7aaca4a8a6f7, 97a8c09b0ae9, 2ae30bffc1c0; files: package.json, extensions/diffs-language-pack/package.json, scripts/lib/official-external-plugin-catalog.json)
• vincentkoc: Path-limited history shows many recent commits by Vincent on scripts, package, and CI-adjacent surfaces that overlap the build and dependency risk in this PR. (role: automation and packaging adjacent contributor; confidence: medium; commits: 5c20ff93e07d, c285766d6232, 98a9a523e69a; files: scripts/, package.json, pnpm-lock.yaml)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[RomneyDa]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26492433504
• Updated: 2026-05-27T05:29:11.667Z

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​matrix-js-sdk@​41.6.0-rc.0
	npm/​silk-wasm@​3.7.1
	npm/​playwright-core@​1.60.0
	npm/​mpg123-decoder@​1.0.3
	npm/​fake-indexeddb@​6.2.5
	npm/​markdown-it@​14.1.1
	npm/​music-metadata@​11.12.3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: extensions/matrix/npm-shrinkwrap.json → npm/markdown-it@14.1.1 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: extensions/matrix/npm-shrinkwrap.json → npm/markdown-it@14.1.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm fast-wrap-ansi Location: Package overview From: extensions/acpx/npm-shrinkwrap.json → npm/acpx@0.10.0 → npm/fast-wrap-ansi@0.2.2 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-wrap-ansi@0.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm silk-wasm Location: Package overview From: extensions/qqbot/npm-shrinkwrap.json → npm/silk-wasm@3.7.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/silk-wasm@3.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[steipete]

Landed in d638611. Thanks @RomneyDa.

Verification before merge:

• node scripts/run-vitest.mjs extensions/diffs/src/language-hints.test.ts src/plugins/official-external-plugin-catalog.test.ts test/plugin-clawhub-release.test.ts test/plugin-npm-release.test.ts test/plugin-npm-package-manifest.test.ts
• pnpm plugins:inventory:check
• git diff --check
• pnpm build:ci-artifacts
• node scripts/check-gateway-watch-regression.mjs --skip-build --ready-timeout-ms 5000

CI on ca00152:

• CI: https://github.com/openclaw/openclaw/actions/runs/26526154205
• CodeQL: https://github.com/openclaw/openclaw/actions/runs/26526155432
• CodeQL Critical Quality: https://github.com/openclaw/openclaw/actions/runs/26526153887
• OpenGrep PR Diff: https://github.com/openclaw/openclaw/actions/runs/26526153995
• TUI PTY: https://github.com/openclaw/openclaw/actions/runs/26526155550