Skip to content

chore(deps): bump openclaw from 2026.3.11 to 2026.4.2#14

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.4.2
Closed

chore(deps): bump openclaw from 2026.3.11 to 2026.4.2#14
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.4.2

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Apr 4, 2026

Bumps openclaw from 2026.3.11 to 2026.4.2.

Release notes

Sourced from openclaw's releases.

openclaw 2026.4.2

Breaking

  • Plugins/xAI: move x_search settings from the legacy core tools.web.x_search.* path to the plugin-owned plugins.entries.xai.config.xSearch.* path, standardize x_search auth on plugins.entries.xai.config.webSearch.apiKey / XAI_API_KEY, and migrate legacy config with openclaw doctor --fix. (#59674) Thanks @​vincentkoc.
  • Plugins/web fetch: move Firecrawl web_fetch config from the legacy core tools.web.fetch.firecrawl.* path to the plugin-owned plugins.entries.firecrawl.config.webFetch.* path, route web_fetch fallback through the new fetch-provider boundary instead of a Firecrawl-only core branch, and migrate legacy config with openclaw doctor --fix. (#59465) Thanks @​vincentkoc.

Changes

  • Tasks/Task Flow: restore the core Task Flow substrate with managed-vs-mirrored sync modes, durable flow state/revision tracking, and openclaw flows inspection/recovery primitives so background orchestration can persist and be operated separately from plugin authoring layers. (#58930) Thanks @​mbelinky.
  • Tasks/Task Flow: add managed child task spawning plus sticky cancel intent, so external orchestrators can stop scheduling immediately and let parent Task Flows settle to cancelled once active child tasks finish. (#59610) Thanks @​mbelinky.
  • Plugins/Task Flow: add a bound api.runtime.taskFlow seam so plugins and trusted authoring layers can create and drive managed Task Flows from host-resolved OpenClaw context without passing owner identifiers on each call. (#59622) Thanks @​mbelinky.
  • Android/assistant: add assistant-role entrypoints plus Google Assistant App Actions metadata so Android can launch OpenClaw from the assistant trigger and hand prompts into the chat composer. (#59596) Thanks @​obviyus.
  • Exec defaults: make gateway/node host exec default to YOLO mode by requesting security=full with ask=off, and align host approval-file fallbacks plus docs/doctor reporting with that no-prompt default.
  • Providers/runtime: add provider-owned replay hook surfaces for transcript policy, replay cleanup, and reasoning-mode dispatch. (#59143) Thanks @​jalehman.
  • Plugins/hooks: add before_agent_reply so plugins can short-circuit the LLM with synthetic replies after inline actions. (#20067) Thanks @​JoshuaLelon.
  • Channels/session routing: move provider-specific session conversation grammar into plugin-owned session-key surfaces, preserving Telegram topic routing and Feishu scoped inheritance across bootstrap, model override, restart, and tool-policy paths.
  • Feishu/comments: add a dedicated Drive comment-event flow with comment-thread context resolution, in-thread replies, and feishu_drive comment actions for document collaboration workflows. (#58497) Thanks @​wittam-01.
  • Matrix/plugin: emit spec-compliant m.mentions metadata across text sends, media captions, edits, poll fallback text, and action-driven edits so Matrix mentions notify reliably in clients like Element. (#59323) Thanks @​gumadeiras.
  • Diffs: add plugin-owned viewerBaseUrl so viewer links can use a stable proxy/public origin without passing baseUrl on every tool call. (#59341) Related #59227. Thanks @​gumadeiras.
  • Agents/compaction: resolve agents.defaults.compaction.model consistently for manual /compact and other context-engine compaction paths, so engine-owned compaction uses the configured override model across runtime entrypoints. (#56710) Thanks @​oliviareid-svg.
  • Agents/compaction: add agents.defaults.compaction.notifyUser so the 🧹 Compacting context... start notice is opt-in instead of always being shown. (#54251) Thanks @​oguricap0327.
  • WhatsApp/reactions: add reactionLevel guidance for agent reactions. Thanks @​mcaxtr.
  • Exec approvals/channels: auto-enable DM-first native chat approvals when supported channels can infer approvers from existing owner config, while keeping channel fanout explicit and clarifying forwarding versus native approval client config.

Fixes

  • Providers/transport policy: centralize request auth, proxy, TLS, and header shaping across shared HTTP, stream, and websocket paths, block insecure TLS/runtime transport overrides, and keep proxy-hop TLS separate from target mTLS settings. (#59682) Thanks @​vincentkoc.
  • Providers/Copilot: classify native GitHub Copilot API hosts in the shared provider endpoint resolver and harden token-derived proxy endpoint parsing so Copilot base URL routing stays centralized and fails closed on malformed hints. (#59644) Thanks @​vincentkoc.
  • Providers/streaming headers: centralize default and attribution header merging across OpenAI websocket, embedded-runner, and proxy stream paths so provider-specific headers stay consistent and caller overrides only win where intended. (#59542) Thanks @​vincentkoc.
  • Providers/media HTTP: centralize base URL normalization, default auth/header injection, and explicit header override handling across shared OpenAI-compatible audio, Deepgram audio, Gemini media/image, and Moonshot video request paths. (#59469) Thanks @​vincentkoc.
  • Providers/OpenAI-compatible routing: centralize native-vs-proxy request policy so hidden attribution and related OpenAI-family defaults only apply on verified native endpoints across stream, websocket, and shared audio HTTP paths. (#59433) Thanks @​vincentkoc.
  • Providers/Anthropic routing: centralize native-vs-proxy endpoint classification for direct Anthropic service_tier handling so spoofed or proxied hosts do not inherit native Anthropic defaults. (#59608) Thanks @​vincentkoc.
  • Gateway/exec loopback: restore legacy-role fallback for empty paired-device token maps and allow silent local role upgrades so local exec and node clients stop failing with pairing-required errors after 2026.3.31. (#59092) Thanks @​openperf.
  • Agents/subagents: pin admin-only subagent gateway calls to operator.admin while keeping agent at least privilege, so sessions_spawn no longer dies on loopback scope-upgrade pairing with close(1008) "pairing required". (#59555) Thanks @​openperf.
  • Exec approvals/config: strip invalid security, ask, and askFallback values from ~/.openclaw/exec-approvals.json during normalization so malformed policy enums fall back cleanly to the documented defaults instead of corrupting runtime policy resolution. (#59112) Thanks @​openperf.
  • Exec approvals/doctor: report host policy sources from the real approvals file path and ignore malformed host override values when attributing effective policy conflicts. (#59367) Thanks @​gumadeiras.
  • Exec/runtime: treat tools.exec.host=auto as routing-only, keep implicit no-config exec on sandbox when available or gateway otherwise, and reject per-call host overrides that would bypass the configured sandbox or host target. (#58897) Thanks @​vincentkoc.
  • Slack/mrkdwn formatting: add built-in Slack mrkdwn guidance in inbound context so Slack replies stop falling back to generic Markdown patterns that render poorly in Slack. (#59100) Thanks @​jadewon.
  • WhatsApp/presence: send unavailable presence on connect in self-chat mode so personal-phone users stop losing all push notifications while the gateway is running. (#59410) Thanks @​mcaxtr.
  • WhatsApp/media: add HTML, XML, and CSS to the MIME map and fall back gracefully for unknown media types instead of dropping the attachment. (#51562) Thanks @​bobbyt74.
  • Matrix/onboarding: restore guided setup in openclaw channels add and openclaw configure --section channels, while keeping custom plugin wizards on the shared setupWizard seam. (#59462) Thanks @​gumadeiras.
  • Matrix/streaming: keep live partial previews for the current assistant block while preserving completed block updates as separate messages when channels.matrix.blockStreaming is enabled. (#59384) Thanks @​gumadeiras.
  • Feishu/comment threads: harden document comment-thread delivery so whole-document comments fall back to add_comment, delayed reply lookups retry more reliably, and user-visible replies avoid reasoning/planning spillover. (#59129) Thanks @​wittam-01.
  • MS Teams/streaming: strip already-streamed text from fallback block delivery when replies exceed the 4000-character streaming limit so long responses stop duplicating content. (#59297) Thanks @​bradgroux.
  • Slack/thread context: filter thread starter and history by the effective conversation allowlist without dropping valid open-room, DM, or group DM context. (#58380) Thanks @​jacobtomlinson.
  • Mattermost/probes: route status probes through the SSRF guard and honor allowPrivateNetwork so connectivity checks stay safe for self-hosted Mattermost deployments. (#58529) Thanks @​mappel-nv.
  • Zalo/webhook replay: scope replay dedupe key by chat and sender so reused message IDs across different chats or senders no longer collide, and harden metadata reads for partially missing payloads. (#58444)
  • QQBot/structured payloads: restrict local file paths to QQ Bot-owned media storage, block traversal outside that root, reduce path leakage in logs, and keep inline image data URLs working. (#58453) Thanks @​jacobtomlinson.
  • Image generation/providers: route OpenAI, MiniMax, and fal image requests through the shared provider HTTP transport path so custom base URLs, guarded private-network routing, and provider request defaults stay aligned with the rest of provider HTTP. Thanks @​vincentkoc.

... (truncated)

Changelog

Sourced from openclaw's changelog.

2026.4.2

Breaking

  • Plugins/xAI: move x_search settings from the legacy core tools.web.x_search.* path to the plugin-owned plugins.entries.xai.config.xSearch.* path, standardize x_search auth on plugins.entries.xai.config.webSearch.apiKey / XAI_API_KEY, and migrate legacy config with openclaw doctor --fix. (#59674) Thanks @​vincentkoc.
  • Plugins/web fetch: move Firecrawl web_fetch config from the legacy core tools.web.fetch.firecrawl.* path to the plugin-owned plugins.entries.firecrawl.config.webFetch.* path, route web_fetch fallback through the new fetch-provider boundary instead of a Firecrawl-only core branch, and migrate legacy config with openclaw doctor --fix. (#59465) Thanks @​vincentkoc.

Changes

  • Tasks/Task Flow: restore the core Task Flow substrate with managed-vs-mirrored sync modes, durable flow state/revision tracking, and openclaw tasks flow inspection/recovery primitives so background orchestration can persist and be operated separately from plugin authoring layers. (#58930) Thanks @​mbelinky.
  • Tasks/Task Flow: add managed child task spawning plus sticky cancel intent, so external orchestrators can stop scheduling immediately and let parent Task Flows settle to cancelled once active child tasks finish. (#59610) Thanks @​mbelinky.
  • Plugins/Task Flow: add a bound api.runtime.taskFlow seam so plugins and trusted authoring layers can create and drive managed Task Flows from host-resolved OpenClaw context without passing owner identifiers on each call. (#59622) Thanks @​mbelinky.
  • Android/assistant: add assistant-role entrypoints plus Google Assistant App Actions metadata so Android can launch OpenClaw from the assistant trigger and hand prompts into the chat composer. (#59596) Thanks @​obviyus.
  • Exec defaults: make gateway/node host exec default to YOLO mode by requesting security=full with ask=off, and align host approval-file fallbacks plus docs/doctor reporting with that no-prompt default.
  • Providers/runtime: add provider-owned replay hook surfaces for transcript policy, replay cleanup, and reasoning-mode dispatch. (#59143) Thanks @​jalehman.
  • Plugins/hooks: add before_agent_reply so plugins can short-circuit the LLM with synthetic replies after inline actions. (#20067) Thanks @​JoshuaLelon.
  • Channels/session routing: move provider-specific session conversation grammar into plugin-owned session-key surfaces, preserving Telegram topic routing and Feishu scoped inheritance across bootstrap, model override, restart, and tool-policy paths.
  • Feishu/comments: add a dedicated Drive comment-event flow with comment-thread context resolution, in-thread replies, and feishu_drive comment actions for document collaboration workflows. (#58497) Thanks @​wittam-01.
  • Matrix/plugin: emit spec-compliant m.mentions metadata across text sends, media captions, edits, poll fallback text, and action-driven edits so Matrix mentions notify reliably in clients like Element. (#59323) Thanks @​gumadeiras.
  • Diffs: add plugin-owned viewerBaseUrl so viewer links can use a stable proxy/public origin without passing baseUrl on every tool call. (#59341) Related #59227. Thanks @​gumadeiras.
  • Agents/compaction: resolve agents.defaults.compaction.model consistently for manual /compact and other context-engine compaction paths, so engine-owned compaction uses the configured override model across runtime entrypoints. (#56710) Thanks @​oliviareid-svg.
  • Agents/compaction: add agents.defaults.compaction.notifyUser so the 🧹 Compacting context... start notice is opt-in instead of always being shown. (#54251) Thanks @​oguricap0327.
  • WhatsApp/reactions: add reactionLevel guidance for agent reactions. Thanks @​mcaxtr.
  • Exec approvals/channels: auto-enable DM-first native chat approvals when supported channels can infer approvers from existing owner config, while keeping channel fanout explicit and clarifying forwarding versus native approval client config.
  • Android/assistant: auto-send Google Assistant App Actions prompts once chat is healthy and idle, while keeping bare assistant launches as open-only. (#59721) Thanks @​obviyus.

Fixes

  • Sandbox/security: block credential-path binds even when sandbox home paths resolve through canonical aliases, so agent containers cannot mount user secret stores through alternate home-directory paths. (#59157) Thanks @​eleqtrizit.
  • Gateway/Windows scheduled tasks: preserve Task Scheduler settings on reinstall, fail loud when Scheduled Task /Run does not start, and report fast failed restarts with the actual elapsed time instead of a fake 60s timeout. (#59335) Thanks @​tmimmanuel.

2026.4.1-beta.1

  • Providers/transport policy: centralize request auth, proxy, TLS, and header shaping across shared HTTP, stream, and websocket paths, block insecure TLS/runtime transport overrides, and keep proxy-hop TLS separate from target mTLS settings. (#59682) Thanks @​vincentkoc.
  • Providers/OpenRouter: gate documented OpenRouter attribution to native OpenRouter endpoints or the default route so custom proxy base URLs do not inherit OpenRouter request headers.
  • Providers/Copilot: classify native GitHub Copilot API hosts in the shared provider endpoint resolver and harden token-derived proxy endpoint parsing so Copilot base URL routing stays centralized and fails closed on malformed hints. (#59644) Thanks @​vincentkoc.
  • Providers/streaming headers: centralize default and attribution header merging across OpenAI websocket, embedded-runner, and proxy stream paths so provider-specific headers stay consistent and caller overrides only win where intended. (#59542) Thanks @​vincentkoc.
  • Providers/media HTTP: centralize base URL normalization, default auth/header injection, and explicit header override handling across shared OpenAI-compatible audio, Deepgram audio, Gemini media/image, and Moonshot video request paths. (#59469) Thanks @​vincentkoc.
  • Providers/OpenAI-compatible routing: centralize native-vs-proxy request policy so hidden attribution and related OpenAI-family defaults only apply on verified native endpoints across stream, websocket, and shared audio HTTP paths. (#59433) Thanks @​vincentkoc.
  • Providers/Anthropic routing: centralize native-vs-proxy endpoint classification for direct Anthropic service_tier handling so spoofed or proxied hosts do not inherit native Anthropic defaults. (#59608) Thanks @​vincentkoc.
  • Gateway/exec loopback: restore legacy-role fallback for empty paired-device token maps and allow silent local role upgrades so local exec and node clients stop failing with pairing-required errors after 2026.3.31. (#59092) Thanks @​openperf.
  • Agents/subagents: pin admin-only subagent gateway calls to operator.admin while keeping agent at least privilege, so sessions_spawn no longer dies on loopback scope-upgrade pairing with close(1008) "pairing required". (#59555) Thanks @​openperf.
  • Exec approvals/config: strip invalid security, ask, and askFallback values from ~/.openclaw/exec-approvals.json during normalization so malformed policy enums fall back cleanly to the documented defaults instead of corrupting runtime policy resolution. (#59112) Thanks @​openperf.
  • Exec approvals/doctor: report host policy sources from the real approvals file path and ignore malformed host override values when attributing effective policy conflicts. (#59367) Thanks @​gumadeiras.
  • Exec/runtime: treat tools.exec.host=auto as routing-only, keep implicit no-config exec on sandbox when available or gateway otherwise, and reject per-call host overrides that would bypass the configured sandbox or host target. (#58897) Thanks @​vincentkoc.
  • Slack/mrkdwn formatting: add built-in Slack mrkdwn guidance in inbound context so Slack replies stop falling back to generic Markdown patterns that render poorly in Slack. (#59100) Thanks @​jadewon.
  • WhatsApp/presence: send unavailable presence on connect in self-chat mode so personal-phone users stop losing all push notifications while the gateway is running. (#59410) Thanks @​mcaxtr.
  • WhatsApp/media: add HTML, XML, and CSS to the MIME map and fall back gracefully for unknown media types instead of dropping the attachment. (#51562) Thanks @​bobbyt74.
  • Matrix/onboarding: restore guided setup in openclaw channels add and openclaw configure --section channels, while keeping custom plugin wizards on the shared setupWizard seam. (#59462) Thanks @​gumadeiras.
  • Matrix/streaming: keep live partial previews for the current assistant block while preserving completed block updates as separate messages when channels.matrix.blockStreaming is enabled. (#59384) Thanks @​gumadeiras.

... (truncated)

Commits
  • d74a122 fix: mirror bedrock runtime dep in root package
  • f911bbc refactor(plugins): separate activation from enablement (#59844)
  • 4aeb025 docs: rename TaskFlow to Task Flow in prose
  • d9c662d docs: restructure automation section as Automation & Tasks
  • 3bd2bbe docs: clarify npm release workflow inputs
  • 0ebb69b build: set release version to 2026.4.2
  • 38bd525 test: align strict inline-eval awk denial expectation
  • 209535b build: make npm release tag configurable
  • bcd61e5 docs: fix TaskFlow CLI command path and CLI task notify policy
  • 9f3a26c fix(discord): quiet Carbon reconcile log
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for openclaw since your current version.

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump openclaw from 2026.3.11 to 2026.4.2
0958bbf 
Bumps [openclaw](https://github.com/openclaw/openclaw) from 2026.3.11 to 2026.4.2.
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Changelog](https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md)
- [Commits](openclaw/openclaw@v2026.3.11...v2026.4.2)

---
updated-dependencies:
- dependency-name: openclaw
  dependency-version: 2026.4.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 4, 2026
@dependabot dependabot bot mentioned this pull request Apr 4, 2026
Closed
@dependabot @github
Copy link
Copy Markdown
Author

dependabot bot commented on behalf of github Apr 8, 2026

Superseded by #16.

@dependabot dependabot bot closed this Apr 8, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/openclaw-2026.4.2 branch April 8, 2026 04:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants