diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 940854229..1e055c8dc 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "a4a4cac8e96debf153d0971a337ea2c1d9f439dc", - "syncedAt": "2026-05-03T13:12:18.736Z" + "sha": "41bbc4c048f2872ebc7c0a84e3ad7af1f0c9509f", + "syncedAt": "2026-05-03T13:29:12.297Z" } diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md index adfca3a2c..6cb1f0cb4 100644 --- a/docs/tools/plugin.md +++ b/docs/tools/plugin.md @@ -128,6 +128,13 @@ visible plugin without importing runtime code or repairing dependencies. See [Plugin dependency resolution](/plugins/dependency-resolution) for the install-time lifecycle. +For npm installs, mutable selectors such as `latest` or a dist-tag are resolved +before installation and then pinned to the exact verified version in OpenClaw's +managed npm root. After npm finishes, OpenClaw verifies the installed +`package-lock.json` entry still matches the resolved version and integrity. If +npm writes different package metadata, the install fails and the managed package +is rolled back instead of accepting a different plugin artifact. + Source checkouts are pnpm workspaces. If you clone OpenClaw to hack on bundled plugins, run `pnpm install`; OpenClaw then loads bundled plugins from `extensions/` so edits and package-local dependencies are used directly.