From 9383403d576b91d0c7f162e82daf1dde3952a67d Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Sun, 3 May 2026 13:31:18 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@41bbc4c048f2872ebc7c0a84e3ad7af1f0c9509f --- .openclaw-sync/source.json | 4 ++-- docs/tools/plugin.md | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 940854229..1e055c8dc 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "a4a4cac8e96debf153d0971a337ea2c1d9f439dc", - "syncedAt": "2026-05-03T13:12:18.736Z" + "sha": "41bbc4c048f2872ebc7c0a84e3ad7af1f0c9509f", + "syncedAt": "2026-05-03T13:29:12.297Z" } diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md index adfca3a2c..6cb1f0cb4 100644 --- a/docs/tools/plugin.md +++ b/docs/tools/plugin.md @@ -128,6 +128,13 @@ visible plugin without importing runtime code or repairing dependencies. See [Plugin dependency resolution](/plugins/dependency-resolution) for the install-time lifecycle. +For npm installs, mutable selectors such as `latest` or a dist-tag are resolved +before installation and then pinned to the exact verified version in OpenClaw's +managed npm root. After npm finishes, OpenClaw verifies the installed +`package-lock.json` entry still matches the resolved version and integrity. If +npm writes different package metadata, the install fails and the managed package +is rolled back instead of accepting a different plugin artifact. + Source checkouts are pnpm workspaces. If you clone OpenClaw to hack on bundled plugins, run `pnpm install`; OpenClaw then loads bundled plugins from `extensions/` so edits and package-local dependencies are used directly.