






















@@ -56,9 +56,10 @@ Start with the smallest access that still works, then widen it as you gain confi
5656### Published package dependency lock
57575858OpenClaw source checkouts use `pnpm-lock.yaml`. The published `openclaw` npm
59-package also includes `npm-shrinkwrap.json`, npm's publishable dependency
60-lockfile, so package installs use the reviewed transitive dependency graph
61-from the release instead of resolving a fresh graph at install time.
59+package and OpenClaw-owned npm plugin packages include `npm-shrinkwrap.json`,
60+npm's publishable dependency lockfile, so package installs use the reviewed
61+transitive dependency graph from the release instead of resolving a fresh graph
62+at install time.
62636364This is a supply-chain hardening measure:
6465@@ -74,17 +75,23 @@ does not replace `openclaw security audit`, host isolation, npm provenance,
7475signature/audit checks, or `--ignore-scripts` install smoke tests when those are
7576appropriate. Treat it as a release reproducibility and review-control boundary.
767777-Maintainers should update and verify the shrinkwrap whenever the root package's
78-published dependency graph changes:
78+Maintainers should update and verify shrinkwrap whenever the root package or an
79+OpenClaw-owned published plugin package changes its published dependency graph:
79808081```bash
8182pnpm deps:shrinkwrap:generate
8283pnpm deps:shrinkwrap:check
8384```
848586+Use `pnpm deps:shrinkwrap:root:generate` and
87+`pnpm deps:shrinkwrap:root:check` only when you intentionally want to refresh
88+the root `openclaw` package without touching plugin packages.
89+8590Review `pnpm-lock.yaml`, `npm-shrinkwrap.json`, and any `package-lock.json`
8691diff as security-sensitive. The package validators require shrinkwrap in new
87-tarballs and reject `package-lock.json`.
92+root package tarballs and the plugin npm publish path checks plugin-local
93+shrinkwrap before packing or publishing. Package validators reject
94+`package-lock.json`.
88958996To inspect a published package:
9097@@ -93,6 +100,14 @@ npm pack openclaw@<version> --json --pack-destination /tmp/openclaw-pack
93100tar -tf /tmp/openclaw-pack/openclaw-<version>.tgz | grep '^package/npm-shrinkwrap.json$'
94101```
95102103+To inspect an OpenClaw-owned plugin package, replace the package spec and check
104+the same tar entry:
105+106+```bash
107+npm pack @openclaw/discord@<version> --json --pack-destination /tmp/openclaw-plugin-pack
108+tar -tf /tmp/openclaw-plugin-pack/openclaw-discord-<version>.tgz | grep '^package/npm-shrinkwrap.json$'
109+```
110+96111Background: [npm-shrinkwrap.json](https://docs.npmjs.com/cli/v11/configuring-npm/npm-shrinkwrap-json).
9711298113### Deployment and host trust
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。