


























1+---
2+summary: "Plain-English and technical explanation of npm shrinkwrap in OpenClaw releases"
3+read_when:
4+ - You want to know what npm shrinkwrap means in an OpenClaw release
5+ - You are reviewing package lockfiles, dependency changes, or supply-chain risk
6+ - You are validating root or plugin npm packages before publishing
7+title: "npm shrinkwrap"
8+---
9+10+OpenClaw source checkouts use `pnpm-lock.yaml`. Published OpenClaw npm
11+packages use `npm-shrinkwrap.json`, npm's publishable dependency lockfile, so
12+package installs use the dependency graph reviewed during release.
13+14+## The easy version
15+16+Shrinkwrap is a receipt for the dependency tree that ships with an npm package.
17+It tells npm which exact transitive package versions to install.
18+19+For OpenClaw releases, that means:
20+21+- the published package does not ask npm to invent a fresh dependency graph at
22+ install time;
23+- dependency changes become easier to review because they appear in a lockfile;
24+- release validation can test the same graph users will install;
25+- package-size or native-dependency surprises are easier to spot before
26+ publishing.
27+28+Shrinkwrap is not a sandbox. It does not make a dependency safe by itself, and
29+it does not replace host isolation, `openclaw security audit`, package
30+provenance, or install smoke tests.
31+32+The short mental model:
33+34+| File | Where it matters | What it means |
35+| --------------------- | ------------------------ | --------------------------------- |
36+| `pnpm-lock.yaml` | OpenClaw source checkout | Maintainer dependency graph |
37+| `npm-shrinkwrap.json` | Published npm package | npm install graph for users |
38+| `package-lock.json` | Local npm apps | Not the OpenClaw publish contract |
39+40+## Why OpenClaw uses it
41+42+OpenClaw is a gateway, plugin host, model router, and agent runtime. A default
43+install can affect startup time, disk use, native package downloads, and
44+supply-chain exposure.
45+46+Shrinkwrap gives release review a stable boundary:
47+48+- reviewers can see transitive dependency movement;
49+- package validators can reject unexpected lockfile drift;
50+- package acceptance can test installs with the graph that will ship;
51+- plugin packages can carry their own locked dependency graph instead of
52+ relying on the root package to own plugin-only dependencies.
53+54+The goal is not "more lockfiles." The goal is reproducible release installs
55+with clear ownership.
56+57+## Technical details
58+59+The root `openclaw` npm package and OpenClaw-owned npm plugin packages include
60+`npm-shrinkwrap.json` when they publish. Suitable OpenClaw-owned plugin
61+packages can also publish with explicit `bundledDependencies`, so their runtime
62+dependency files are carried in the plugin tarball instead of depending only on
63+install-time resolution.
64+65+Maintain the boundary like this:
66+67+```bash
68+pnpm deps:shrinkwrap:generate
69+pnpm deps:shrinkwrap:check
70+```
71+72+The generator resolves npm's publishable lock format but rejects generated
73+package versions that are not already present in `pnpm-lock.yaml`. That keeps
74+the pnpm dependency age, override, and patch-review boundary intact.
75+76+Use root-only commands only when intentionally refreshing the root package
77+without touching plugin packages:
78+79+```bash
80+pnpm deps:shrinkwrap:root:generate
81+pnpm deps:shrinkwrap:root:check
82+```
83+84+Review these files as security-sensitive:
85+86+- `pnpm-lock.yaml`
87+- `npm-shrinkwrap.json`
88+- bundled plugin dependency payloads
89+- any `package-lock.json` diff
90+91+OpenClaw package validators require shrinkwrap in new root package tarballs.
92+The plugin npm publish path checks plugin-local shrinkwrap, installs
93+package-local bundled dependencies, and then packs or publishes. Package
94+validators reject `package-lock.json` for published OpenClaw packages.
95+96+To inspect a published root package:
97+98+```bash
99+npm pack openclaw@<version> --json --pack-destination /tmp/openclaw-pack
100+tar -tf /tmp/openclaw-pack/openclaw-<version>.tgz | grep '^package/npm-shrinkwrap.json$'
101+```
102+103+To inspect an OpenClaw-owned plugin package:
104+105+```bash
106+npm pack @openclaw/discord@<version> --json --pack-destination /tmp/openclaw-plugin-pack
107+tar -tf /tmp/openclaw-plugin-pack/openclaw-discord-<version>.tgz | grep '^package/npm-shrinkwrap.json$'
108+tar -tf /tmp/openclaw-plugin-pack/openclaw-discord-<version>.tgz | grep '^package/node_modules/'
109+```
110+111+Background: [npm-shrinkwrap.json](https://docs.npmjs.com/cli/v11/configuring-npm/npm-shrinkwrap-json).
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。