Skip to content

chore(deps): bump openclaw from 2026.3.11 to 2026.3.23#6

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.3.23
Closed

chore(deps): bump openclaw from 2026.3.11 to 2026.3.23#6
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.3.23

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Mar 26, 2026

Bumps openclaw from 2026.3.11 to 2026.3.23.

Release notes

Sourced from openclaw's releases.

2026.3.23

Breaking

Changes

  • ModelStudio/Qwen: add standard (pay-as-you-go) DashScope endpoints for China and global Qwen API keys alongside the existing Coding Plan endpoints, and relabel the provider group to Qwen (Alibaba Cloud Model Studio). (#43878)
  • UI/clarity: consolidate button primitives (btn--icon, btn--ghost, btn--xs), refine the Knot theme to a black-and-red palette with WCAG 2.1 AA contrast, add config icons for Diagnostics/CLI/Secrets/ACP/MCP sections, replace the roundness slider with discrete stops, and improve accessibility with aria-labels across usage filters. (#53272) Thanks @​BunsDev.
  • CSP/Control UI: compute SHA-256 hashes for inline <script> blocks in the served index.html and include them in the script-src CSP directive, keeping inline scripts blocked by default while allowing explicitly hashed bootstrap code. (#53307) Thanks @​BunsDev.

Fixes

  • Plugins/bundled runtimes: ship bundled plugin runtime sidecars like WhatsApp light-runtime-api.js, Matrix runtime-api.js, and other plugin runtime entry files in the npm package again, so global installs stop failing on missing bundled plugin runtime surfaces.
  • CLI/channel auth: auto-select the single configured login-capable channel for channels login/logout, harden channel ids against prototype-chain and control-character abuse, and fall back cleanly to catalog-backed channel installs, so channel auth works again for single-channel setups and on-demand channel installs. (#53254) Thanks @​BunsDev.
  • Auth/OpenAI tokens: stop live gateway auth-profile writes from reverting freshly saved credentials back to stale in-memory values, and make models auth paste-token write to the resolved agent store, so Configure, Onboard, and token-paste flows stop snapping back to expired OpenAI tokens. Fixes #53207. Related to #45516.
  • Control UI/auth: preserve operator scopes through the device-auth bypass path, ignore cached under-scoped operator tokens, and show a clear operator.read fallback message when a connection really lacks read scope, so operator sessions stop failing or blanking on read-backed pages. (#53110) Thanks @​BunsDev.
  • Plugins/ClawHub: resolve plugin API compatibility against the active runtime version at install time, and add regression coverage for current >=2026.3.22 ClawHub package checks so installs no longer fail behind the stale 1.2.0 constant. (#53157) Thanks @​futhgar.
  • Plugins/uninstall: accept installed clawhub: specs and versionless ClawHub package names as uninstall targets, so openclaw plugins uninstall clawhub:<package> works again even when the recorded install was pinned to a version.
  • Browser/Chrome MCP: wait for existing-session browser tabs to become usable after attach instead of treating the initial Chrome MCP handshake as ready, which reduces user-profile timeouts and repeated consent churn on macOS Chrome attach flows. Fixes #52930. Thanks @​vincentkoc.
  • Browser/CDP: reuse an already-running loopback browser after a short initial reachability miss instead of immediately falling back to relaunch detection, which fixes second-run browser start/open regressions on slower headless Linux setups. Fixes #53004. Thanks @​vincentkoc.
  • Agents/web_search: use the active runtime web_search provider instead of stale/default selection, so agent turns keep hitting the provider you actually configured. Fixes #53020. Thanks @​jzakirov.
  • Mistral/models: lower bundled Mistral max-token defaults to safe output budgets and teach openclaw doctor --fix to repair old persisted Mistral provider configs that still carry context-sized output limits, avoiding deterministic Mistral 422 rejects on fresh and existing setups. Fixes #52599. Thanks @​vincentkoc.
  • ClawHub/macOS auth: honor macOS auth config and XDG auth paths for saved ClawHub credentials, so openclaw skills ... and gateway skill browsing keep using the signed-in auth state instead of silently falling back to unauthenticated mode. Fixes #53034.
  • ClawHub/macOS: read the local ClawHub login from the macOS Application Support path and still honor XDG config on macOS, so skill browsing uses the logged-in token on both default and XDG-style setups. Fixes #52949. Thanks @​scoootscooob.
  • ClawHub/skills: resolve the local ClawHub auth token for gateway skill browsing and switch browse-all requests to search so ClawControl stops falling into unauthenticated 429s and empty authenticated skill lists. Fixes #52949. Thanks @​vincentkoc.
  • Config/warnings: suppress the confusing “newer OpenClaw” warning when a config written by a same-base correction release like 2026.3.23-2 is read by 2026.3.23, while still warning for truly newer or incompatible versions.
  • CLI/cron: make openclaw cron add|edit --at ... --tz <iana> honor the requested local wall-clock time for offset-less one-shot datetimes, including DST boundaries, and keep --tz rejected for --every. (#53224) Thanks @​RolfHegr.
  • Commands/auth: stop slash-command authorization from crashing or dropping valid allowlists when channel allowFrom resolution hits unresolved SecretRef-backed accounts, and fail closed only for the affected provider inference path. (#52791) Thanks @​Lukavyi.
  • Agents/failover: classify generic api_error payloads as retryable only when they include transient failure signals, so MiniMax-style backend failures still trigger model fallback without misclassifying billing, auth, or format/context errors. (#49611) Thanks @​ayushozha.
  • LINE/runtime-api: pre-export overlapping runtime symbols before the line-runtime star export so jiti no longer throws TypeError: Cannot redefine property on startup. (#53221) Thanks @​Drickon.
  • Telegram/threading: populate currentThreadTs in the threading tool-context fallback for Telegram DM topics so thread-aware tools still receive the active topic context when the main thread metadata is missing. (#52217)
  • Diagnostics/cache trace: strip credential fields from cache-trace JSONL output while preserving non-sensitive diagnostic fields and image redaction metadata.
  • Docs/Feishu: replace botName with name in the channel config examples so the docs match the strict account schema for per-account display names. (#52753) Thanks @​haroldfabla2-hue.
  • Doctor/plugins: make openclaw doctor --fix remove stale plugins.allow and plugins.entries refs left behind after plugin removal. Thanks @​sallyom
  • Agents/replay: canonicalize malformed assistant transcript content before session-history sanitization so legacy or corrupted assistant turns stop crashing Pi replay and subagent recovery paths.
  • ClawHub/skills: keep updating already-tracked legacy Unicode slugs after the ASCII-only slug hardening, so older installs do not get stuck behind Invalid skill slug errors during openclaw skills update. (#53206) Thanks @​drobison00.
  • Infra/exec trust: preserve shell-multiplexer wrapper binaries for policy checks without breaking approved-command reconstruction, so BusyBox/ToyBox allowlist and audit flows bind to the real wrapper while execution plans stay coherent. (#53134) Thanks @​vincentkoc.
  • Plugins/message tool: make Discord components and Slack blocks optional again, and route Feishu message(..., media=...) sends through the outbound media path, so pin/unpin/react flows stop failing schema validation and Feishu file/image attachments actually send. Fixes #52970 and #52962. Thanks @​vincentkoc.
  • Gateway/model pricing: stop openrouter/auto pricing refresh from recursing indefinitely during bootstrap, so OpenRouter auto routes can populate cached pricing and usage.cost again. Fixes #53035. Thanks @​vincentkoc.
  • Models/OpenAI Codex OAuth: bootstrap the env-configured HTTP/HTTPS proxy dispatcher on the stored-credential refresh path before token renewal runs, so expired Codex OAuth profiles can refresh successfully in proxy-required environments instead of locking users out after the first token expiry.
  • Models/OpenAI Codex OAuth and Plugins/MiniMax OAuth: ensure env-configured HTTP/HTTPS proxy dispatchers are initialized before OAuth preflight and token exchange requests so proxy-required environments can complete MiniMax and OpenAI Codex sign-in flows again. (#52228; fixes #51619, #51569) Thanks @​openperf.
  • Plugins/memory-lancedb: bootstrap LanceDB into plugin runtime state on first use when the bundled npm install does not already have it, so plugins.slots.memory="memory-lancedb" works again after global npm installs without moving LanceDB into OpenClaw core dependencies. Fixes #26100.
  • Config/plugins: treat stale unknown plugins.allow ids as warnings instead of fatal config errors, so recovery commands like plugins install, doctor --fix, and status still run when a plugin is missing locally. Fixes #52992. Thanks @​vincentkoc.
  • Doctor/WhatsApp: stop auto-enable from appending built-in channel ids like whatsapp to plugins.allow, so openclaw doctor --fix no longer writes schema-invalid plugin allowlist entries when repairing built-in channels. Fixes #52931. Thanks @​vincentkoc.
  • Telegram/auto-reply: preserve same-chat inbound debounce order without stranding stale busy-session followups, and keep same-key overflow turns ordered when tracked debounce keys are saturated. (#52998) Thanks @​osolmaz.
  • Telegram/message tool: add asDocument as a user-facing alias for forceDocument on image and GIF sends, while preserving explicit forceDocument precedence when both flags are present. (#52461) Thanks @​bakhtiersizhaev.
  • Discord/commands: return an explicit unauthorized reply for privileged native slash commands instead of falling through to Discord's misleading generic completion when auth gates reject the sender. Fixes #53041. Thanks @​scoootscooob.
  • Channels/catalog: let external channel catalogs override shipped fallback metadata and honor overridden npm specs during channel setup, so custom channel catalogs no longer fall back to bundled packages when a channel id matches. (#52988)
  • Voice-call/Plivo: stabilize Plivo v2 replay keys so webhook retries and replay protection stop colliding on valid follow-up deliveries.
  • Agents/skills: prefer the active resolved runtime snapshot for embedded skill config and env injection, so skills.entries.<skill>.apiKey SecretRefs resolve correctly during embedded startup instead of failing on raw source config. Fixes #53098. Thanks @​vincentkoc.
  • Agents/subagents: recheck timed-out worker waits against the latest runtime snapshot before sending completion events, so fast-finishing workers stop being reported as timed out when they actually succeeded. Fixes #53106. Thanks @​vincentkoc.

... (truncated)

Changelog

Sourced from openclaw's changelog.

2026.3.23

Breaking

Changes

  • ModelStudio/Qwen: add standard (pay-as-you-go) DashScope endpoints for China and global Qwen API keys alongside the existing Coding Plan endpoints, and relabel the provider group to Qwen (Alibaba Cloud Model Studio). (#43878)
  • UI/clarity: consolidate button primitives (btn--icon, btn--ghost, btn--xs), refine the Knot theme to a black-and-red palette with WCAG 2.1 AA contrast, add config icons for Diagnostics/CLI/Secrets/ACP/MCP sections, replace the roundness slider with discrete stops, and improve accessibility with aria-labels across usage filters. (#53272) Thanks @​BunsDev.
  • CSP/Control UI: compute SHA-256 hashes for inline <script> blocks in the served index.html and include them in the script-src CSP directive, keeping inline scripts blocked by default while allowing explicitly hashed bootstrap code. (#53307) Thanks @​BunsDev.

Fixes

  • Plugins/bundled runtimes: ship bundled plugin runtime sidecars like WhatsApp light-runtime-api.js, Matrix runtime-api.js, and other plugin runtime entry files in the npm package again, so global installs stop failing on missing bundled plugin runtime surfaces.
  • CLI/channel auth: auto-select the single configured login-capable channel for channels login/logout, harden channel ids against prototype-chain and control-character abuse, and fall back cleanly to catalog-backed channel installs, so channel auth works again for single-channel setups and on-demand channel installs. (#53254) Thanks @​BunsDev.
  • Auth/OpenAI tokens: stop live gateway auth-profile writes from reverting freshly saved credentials back to stale in-memory values, and make models auth paste-token write to the resolved agent store, so Configure, Onboard, and token-paste flows stop snapping back to expired OpenAI tokens. Fixes #53207. Related to #45516.
  • Control UI/auth: preserve operator scopes through the device-auth bypass path, ignore cached under-scoped operator tokens, and show a clear operator.read fallback message when a connection really lacks read scope, so operator sessions stop failing or blanking on read-backed pages. (#53110) Thanks @​BunsDev.
  • Plugins/ClawHub: resolve plugin API compatibility against the active runtime version at install time, and add regression coverage for current >=2026.3.22 ClawHub package checks so installs no longer fail behind the stale 1.2.0 constant. (#53157) Thanks @​futhgar.
  • Plugins/uninstall: accept installed clawhub: specs and versionless ClawHub package names as uninstall targets, so openclaw plugins uninstall clawhub:<package> works again even when the recorded install was pinned to a version.
  • Browser/Chrome MCP: wait for existing-session browser tabs to become usable after attach instead of treating the initial Chrome MCP handshake as ready, which reduces user-profile timeouts and repeated consent churn on macOS Chrome attach flows. Fixes #52930. Thanks @​vincentkoc.
  • Browser/CDP: reuse an already-running loopback browser after a short initial reachability miss instead of immediately falling back to relaunch detection, which fixes second-run browser start/open regressions on slower headless Linux setups. Fixes #53004. Thanks @​vincentkoc.
  • Agents/web_search: use the active runtime web_search provider instead of stale/default selection, so agent turns keep hitting the provider you actually configured. Fixes #53020. Thanks @​jzakirov.
  • Mistral/models: lower bundled Mistral max-token defaults to safe output budgets and teach openclaw doctor --fix to repair old persisted Mistral provider configs that still carry context-sized output limits, avoiding deterministic Mistral 422 rejects on fresh and existing setups. Fixes #52599. Thanks @​vincentkoc.
  • ClawHub/macOS auth: honor macOS auth config and XDG auth paths for saved ClawHub credentials, so openclaw skills ... and gateway skill browsing keep using the signed-in auth state instead of silently falling back to unauthenticated mode. Fixes #53034.
  • ClawHub/macOS: read the local ClawHub login from the macOS Application Support path and still honor XDG config on macOS, so skill browsing uses the logged-in token on both default and XDG-style setups. Fixes #52949. Thanks @​scoootscooob.
  • ClawHub/skills: resolve the local ClawHub auth token for gateway skill browsing and switch browse-all requests to search so ClawControl stops falling into unauthenticated 429s and empty authenticated skill lists. Fixes #52949. Thanks @​vincentkoc.
  • Config/warnings: suppress the confusing “newer OpenClaw” warning when a config written by a same-base correction release like 2026.3.23-2 is read by 2026.3.23, while still warning for truly newer or incompatible versions.
  • CLI/cron: make openclaw cron add|edit --at ... --tz <iana> honor the requested local wall-clock time for offset-less one-shot datetimes, including DST boundaries, and keep --tz rejected for --every. (#53224) Thanks @​RolfHegr.
  • Commands/auth: stop slash-command authorization from crashing or dropping valid allowlists when channel allowFrom resolution hits unresolved SecretRef-backed accounts, and fail closed only for the affected provider inference path. (#52791) Thanks @​Lukavyi.
  • Agents/failover: classify generic api_error payloads as retryable only when they include transient failure signals, so MiniMax-style backend failures still trigger model fallback without misclassifying billing, auth, or format/context errors. (#49611) Thanks @​ayushozha.
  • LINE/runtime-api: pre-export overlapping runtime symbols before the line-runtime star export so jiti no longer throws TypeError: Cannot redefine property on startup. (#53221) Thanks @​Drickon.
  • Telegram/threading: populate currentThreadTs in the threading tool-context fallback for Telegram DM topics so thread-aware tools still receive the active topic context when the main thread metadata is missing. (#52217)
  • Diagnostics/cache trace: strip credential fields from cache-trace JSONL output while preserving non-sensitive diagnostic fields and image redaction metadata.
  • Docs/Feishu: replace botName with name in the channel config examples so the docs match the strict account schema for per-account display names. (#52753) Thanks @​haroldfabla2-hue.
  • Doctor/plugins: make openclaw doctor --fix remove stale plugins.allow and plugins.entries refs left behind after plugin removal. Thanks @​sallyom
  • Agents/replay: canonicalize malformed assistant transcript content before session-history sanitization so legacy or corrupted assistant turns stop crashing Pi replay and subagent recovery paths.
  • ClawHub/skills: keep updating already-tracked legacy Unicode slugs after the ASCII-only slug hardening, so older installs do not get stuck behind Invalid skill slug errors during openclaw skills update. (#53206) Thanks @​drobison00.
  • Infra/exec trust: preserve shell-multiplexer wrapper binaries for policy checks without breaking approved-command reconstruction, so BusyBox/ToyBox allowlist and audit flows bind to the real wrapper while execution plans stay coherent. (#53134) Thanks @​vincentkoc.
  • Plugins/message tool: make Discord components and Slack blocks optional again, and route Feishu message(..., media=...) sends through the outbound media path, so pin/unpin/react flows stop failing schema validation and Feishu file/image attachments actually send. Fixes #52970 and #52962. Thanks @​vincentkoc.
  • Gateway/model pricing: stop openrouter/auto pricing refresh from recursing indefinitely during bootstrap, so OpenRouter auto routes can populate cached pricing and usage.cost again. Fixes #53035. Thanks @​vincentkoc.
  • Models/OpenAI Codex OAuth: bootstrap the env-configured HTTP/HTTPS proxy dispatcher on the stored-credential refresh path before token renewal runs, so expired Codex OAuth profiles can refresh successfully in proxy-required environments instead of locking users out after the first token expiry.
  • Models/OpenAI Codex OAuth and Plugins/MiniMax OAuth: ensure env-configured HTTP/HTTPS proxy dispatchers are initialized before OAuth preflight and token exchange requests so proxy-required environments can complete MiniMax and OpenAI Codex sign-in flows again. (#52228; fixes #51619, #51569) Thanks @​openperf.
  • Plugins/memory-lancedb: bootstrap LanceDB into plugin runtime state on first use when the bundled npm install does not already have it, so plugins.slots.memory="memory-lancedb" works again after global npm installs without moving LanceDB into OpenClaw core dependencies. Fixes #26100.
  • Config/plugins: treat stale unknown plugins.allow ids as warnings instead of fatal config errors, so recovery commands like plugins install, doctor --fix, and status still run when a plugin is missing locally. Fixes #52992. Thanks @​vincentkoc.
  • Doctor/WhatsApp: stop auto-enable from appending built-in channel ids like whatsapp to plugins.allow, so openclaw doctor --fix no longer writes schema-invalid plugin allowlist entries when repairing built-in channels. Fixes #52931. Thanks @​vincentkoc.
  • Telegram/auto-reply: preserve same-chat inbound debounce order without stranding stale busy-session followups, and keep same-key overflow turns ordered when tracked debounce keys are saturated. (#52998) Thanks @​osolmaz.
  • Telegram/message tool: add asDocument as a user-facing alias for forceDocument on image and GIF sends, while preserving explicit forceDocument precedence when both flags are present. (#52461) Thanks @​bakhtiersizhaev.
  • Discord/commands: return an explicit unauthorized reply for privileged native slash commands instead of falling through to Discord's misleading generic completion when auth gates reject the sender. Fixes #53041. Thanks @​scoootscooob.
  • Channels/catalog: let external channel catalogs override shipped fallback metadata and honor overridden npm specs during channel setup, so custom channel catalogs no longer fall back to bundled packages when a channel id matches. (#52988)
  • Voice-call/Plivo: stabilize Plivo v2 replay keys so webhook retries and replay protection stop colliding on valid follow-up deliveries.
  • Agents/skills: prefer the active resolved runtime snapshot for embedded skill config and env injection, so skills.entries.<skill>.apiKey SecretRefs resolve correctly during embedded startup instead of failing on raw source config. Fixes #53098. Thanks @​vincentkoc.

... (truncated)

Commits
  • ccfeecb test: harden parallels macos dashboard smoke
  • a921b5b test: fix update-cli default path assertion
  • 725a2cc test: expand gemini live transcript stripping
  • 67dbb1a test: update command coverage
  • d67efbf test: stabilize test isolation
  • ae336d1 Doctor: prune stale plugin allowlist and entry refs (#53187)
  • 03231c0 fix(auth): prevent stale auth store reverts (#53211)
  • 47bdc36 test: make update-cli checkout path assertion platform-safe
  • 1929599 fix(ci): stabilize whatsapp extension checks
  • 6f5df14 test(whatsapp): preserve harness session exports
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump openclaw from 2026.3.11 to 2026.3.23
9e17c4e 
Bumps [openclaw](https://github.com/openclaw/openclaw) from 2026.3.11 to 2026.3.23.
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Changelog](https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md)
- [Commits](openclaw/openclaw@v2026.3.11...v2026.3.23)

---
updated-dependencies:
- dependency-name: openclaw
  dependency-version: 2026.3.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 26, 2026
@dependabot dependabot bot mentioned this pull request Mar 26, 2026
Closed
@dependabot @github
Copy link
Copy Markdown
Author

dependabot bot commented on behalf of github Mar 28, 2026

Superseded by #9.

@dependabot dependabot bot closed this Mar 28, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/openclaw-2026.3.23 branch March 28, 2026 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants