Skip to content

chore(deps): bump the npm-minor-patch group with 5 updates#4

Merged
github-actions[bot] merged 1 commit into
masterfrom
dependabot/npm_and_yarn/npm-minor-patch-ac1f9f8023
May 29, 2026
Merged

chore(deps): bump the npm-minor-patch group with 5 updates#4
github-actions[bot] merged 1 commit into
masterfrom
dependabot/npm_and_yarn/npm-minor-patch-ac1f9f8023

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 29, 2026

Bumps the npm-minor-patch group with 5 updates:

Package From To
yaml 2.8.4 2.9.0
@types/node 22.19.18 22.19.19
@vitest/coverage-v8 4.0.18 4.1.7
openclaw 2026.5.9-beta.1 2026.5.22
vitest 4.0.18 4.1.7

Updates yaml from 2.8.4 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack
Commits
  • ddb21b0 2.9.0
  • 167365b docs: Clarify that not all errors can be avoided
  • 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
  • 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
  • See full diff in compare view

Updates @types/node from 22.19.18 to 22.19.19

Commits

Updates @vitest/coverage-v8 from 4.0.18 to 4.1.7

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.4

   🚀 Experimental Features

... (truncated)

Commits

Updates openclaw from 2026.5.9-beta.1 to 2026.5.22

Release notes

Sourced from openclaw's releases.

openclaw 2026.5.22

2026.5.22

Changes

  • Gateway/perf: reuse process-stable channel catalog reads, avoid repeated bundled-channel boundary checks, and rotate gateway watch CPU profiles so benchmark runs do not accumulate unbounded artifacts.
  • Gateway/perf: reuse immutable plugin metadata snapshots across startup, config, model, channel, setup, and secret metadata readers so hot paths avoid repeated plugin file stats and manifest registry reloads.
  • Gateway/perf: lazy-load startup-idle plugin work, core gateway method handlers, and the embedded ACPX runtime so Gateway health and ready signals no longer wait on unused handler trees or ACPX probes.
  • Gateway/perf: cache plugin SDK public-surface alias maps and skip irrelevant macOS Linuxbrew PATH probes so Gateway startup avoids repeated filesystem walks and slow missing-directory stats.
  • Meeting Notes: add a source-only external meeting-notes plugin and SDK source-provider contract outside the core npm package, with auto-start capture config, manual transcript imports, read-only openclaw meeting-notes CLI access, and Discord voice as the first live source.
  • Docs/channels/config: add Signal configPath, Telegram wildcard topic defaults, local-time backup archive names, Termux home fallback, include-path validation, secret-scanner-safe placeholder guidance, Gemini CLI/Antigravity media guidance, and macOS VM auto-login guidance. Thanks @​NorseGaud, @​yudistiraashadi, @​huangqian8, @​VibhorGautam, @​maweibin, @​tianxingleo, @​IgnacioPro, and @​xzcxzcyy-claw.
  • Docs: clarify model-usage portability, Codex migration prerequisites, status bootstrap wording, thread-bound subagent limits, hook ownership, and config-preserving safety guidance. Thanks @​aniruddhaadak80, @​leno23, @​TomDjerry, @​matthewxmurphy, @​vincentkoc, and @​stablegenius49.
  • Docs: clarify README onboarding and Gateway startup paths, WhatsApp QR/408 recovery, cron output language prompts, skill advanced features, gateway upstream 403 troubleshooting, and plugin fallback override guidance. Thanks @​deepujain, @​Zacxxx, @​Jah-yee, @​neyric, @​usimic, @​Renu-Cybe, @​BigUncle, and @​SeashoreShi.
  • Docs: clarify context-pruning ratio bounds, local dashboard recovery, CLI env markers, remote onboarding token behavior, and Peekaboo Bridge permissions for subprocess agents. Thanks @​ayesha-aziz123, @​dishraters, @​hougangdev, and @​brandonlipman.
  • Docs: clarify browser CDP diagnostics, Plugin SDK allowlist imports, status-reaction timing defaults, queue steering behavior, limited-tool troubleshooting, cron HEARTBEAT handling, Telegram multi-agent groups, Bitwarden SecretRef setup, and EasyRunner deployments. Thanks @​Quratulain-bilal, @​mbelinky, @​Mickey-, @​vancece, @​xenouzik, @​posigit, @​surlymochan, @​janaka, and @​choiking.
  • Crabbox/Testbox: run clean sparse-checkout Testbox syncs from a temporary full checkout and route remote changed gates through Corepack pnpm.
  • Docs: clarify IPv4-only Gateway BYOH binding, trusted-proxy scope clearing, Android pairing approval, macOS Accessibility grants, Zalo profile env vars, password-store SecretRef setup, and Chinese memory navigation. Thanks @​itskai-dev, @​gwh7078, @​longstoryscott, @​MoeJaberr, and @​yuaiccc.
  • Docs: consolidate GLM under Z.AI, add the Upstash Box install guide and Gateway exposure runbook, clarify MEDIA directives, Copilot and Voyage setup, config path quoting, real behavior proof, and memory-file write guidance. Thanks @​BobDu, @​alitariksahin, @​Jefsky, @​musaabhasan, @​OmerZeyveli, @​leno23, @​WuKongAI-CMU, @​luoyanglang, and @​majin1102.
  • Docs: clarify media provider credentials, Codex/OpenClaw code-mode boundaries, Slack and Telegram ack reactions, Feishu dynamic agents, secrets plaintext boundaries, memory guidance, and Chinese glossary terms. Thanks @​nielskaspers, @​cosmopolitan033, @​drclaw-iq, @​alexgduarte, @​zccyman, @​chengoak, and @​cassthebandit.
  • Packaging: exclude documentation images and assets from the npm tarball, reducing published package size without affecting runtime docs search or CLI behavior. Thanks @​SebTardif.
  • Media understanding: stop auto-probing Gemini CLI and use Antigravity CLI only as a lower-priority image/video fallback after configured provider APIs.
  • Agents/subagents: limit default sub-agent bootstrap context to AGENTS.md and TOOLS.md, keeping persona, identity, user, memory, heartbeat, and setup files out of delegated workers by default. (#85283) Thanks @​100yenadmin.
  • Maintainer skills: exclude plugin SDK/API boundary work from openclaw-landable-bug-sweep so bugbash sweeps stay focused on small paper-cut fixes.
  • QA-Lab/diagnostics: extend the OpenTelemetry smoke harness to prove trace, metric, and log export, and add first-class Prometheus and observability smoke aliases.
  • Plugin SDK: add a generic channel-message poll sender so channel plugins can expose poll delivery without depending on channel-specific SDK facades.
  • Crabbox: keep the local wrapper's provider validation synced with the installed Crabbox binary while preserving supported aliases such as docker and blacksmith. (#85302) Thanks @​hxy91819.
  • Maintainer skills: add openclaw-landable-bug-sweep for producing five small, reviewed, CI-green OpenClaw bugfix PRs from issue/PR sweeps.
  • Control UI/chat: add search and Load More pagination to the chat session picker, keeping initial session loads bounded while making older conversations reachable. (#85237) Thanks @​amknight.
  • CLI/onboarding: start classic onboarding when bare openclaw runs before an authored config exists, while keeping configured installs on Crestodian. (#72343) Thanks @​fuller-stack-dev.
  • Discord: allow configuring a bounded agentComponents.ttlMs callback registry lifetime for long-running component workflows, with per-account overrides and a 24-hour cap. (#84189) Thanks @​100menotu001.
  • xAI/Grok: reuse xAI OAuth auth profiles for Grok web_search, thread active-agent auth through web search, add Grok model aliases, and let media providers declare default operation timeouts. (#85182) Thanks @​fuller-stack-dev.
  • Plugin SDK: add row-level session workflow helpers and deprecate loadSessionStore so plugins can read and patch sessions without depending on the legacy whole-store shape. (#84693) Thanks @​efpiva.
  • Gateway/plugins: reuse a compatible Gateway startup plugin registry during dispatch so safe plugin dispatches avoid redundant registry loading. (#84324) Thanks @​ai-hpc.
  • Plugins/SDK: add a general embeddingProviders capability contract and registration API so embeddings can become a reusable provider surface outside memory-specific adapters.
  • Dependencies: refresh provider, plugin, UI, and tooling packages, update protobufjs to 8.4.0 to clear the current npm advisory, and carry the Claude ACP completion patch forward to @agentclientprotocol/claude-agent-acp 0.36.1.
  • Agents/tools: remove the old sender-owner tool gating path so configured tools stay visible for trusted sessions while command and channel-action auth still carry real sender identity.
  • QA-Lab: add curated mock JSONL replay fixtures and first-drift reporting for runtime-parity audits. (#80323, refs #80176) Thanks @​100yenadmin.
  • QA-Lab: add a QA bus tool-trace visibility scenario for sanitized tool-call assertions.
  • QA-Lab: replace generic evidence framing in seeded scenario prompts with concrete observed QA behavior.
  • QA-Lab: list named scenario packs in the coverage report so personal-agent privacy coverage stays visible in audits.
  • QA-Lab: list live transport lane membership in the coverage report so real transport checks stay separate from seeded qa-channel scenarios.
  • Release/package: run package integrity checks before package acceptance lanes so public install/update validation fails before private QA assets can leak into the package.
  • QA-Lab: include the optional 100-turn runtime parity soak in release-soak artifacts so long-run Codex/Pi transcript drift stays visible outside the default gate. (#80395) Thanks @​100yenadmin.
  • QA-Lab: add a live-only long-context progress watchdog scenario for Codex app-server timeout and stalled-run sentinels. (#80323) Thanks @​100yenadmin.
  • QA-Lab: tag gateway restart recovery and streaming final-integrity scenarios as live-only runtime parity lanes. (#80323) Thanks @​100yenadmin.
  • QA-Lab: add a personal-agent failure recovery scenario that checks honest partial status, retry boundaries, and local recovery artifacts. (#83872) Thanks @​iFiras-Max1.
  • QA-Lab: include an opt-in update.run package self-upgrade sentinel for destructive latest-package recovery checks.
  • QA-Lab: add Codex plugin lifecycle and auth-profile fixture coverage for missing installs, pinned-version drift, first-turn install ordering, and doctor migration safety. (#80323, refs #80174) Thanks @​100yenadmin.
  • Models/perf: pre-warm the provider auth-state map at gateway startup so /models and every model-listing call short-circuits the per-provider plugin / external-CLI discovery on the hot path. Per-call cost drops from ~20 s to ~5 ms (~4,100×); the one-time startup warm resets and re-warms after hot reloads. (#84816) Thanks @​sjf.
  • Release/security: ship the root npm package and OpenClaw-owned npm plugins with generated shrinkwrap, support bundled plugin runtime dependencies for suitable plugin tarballs, and require review for lockfile/shrinkwrap changes so published installs use locked dependency graphs.

... (truncated)

Commits
  • a374c3a test(matrix): stabilize thread binding sweep persistence
  • 89c69c4 chore(release): sync plugin shrinkwraps for 2026.5.22
  • df3cadc chore(release): sync plugin versions for 2026.5.22
  • b0e7b0f chore(release): prepare 2026.5.22
  • 24c7911 chore(release): refresh plugin SDK baseline
  • 0b2f8df fix(release): keep session lock backport scoped
  • de0cf73 fix(agents): add openai-responses family to non-visible turn retry guard (#85...
  • 199bfe5 fix(agents): omit empty tools array for proxy-like openai-completions endpoints
  • 8a22b33 fix(cli): waitForever must keep the event loop alive (#85694)
  • 75b5c76 fix(docker): avoid printing gateway token
  • Additional commits viewable in compare view

Updates vitest from 4.0.18 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.4

   🚀 Experimental Features

... (truncated)

Commits
  • a09d472 chore: release v4.1.7
  • a8fd24c chore: release v4.1.6
  • 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
  • 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
  • e399846 chore: release v4.1.5
  • 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
  • 9787ded fix: respect diff config options in soft assertions (#8696)
  • 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
  • 0e0ff41 feat(coverage): istanbul to support instrumenter option (#10119)
  • 663b99f fix: alias agent reporter to minimal (#10157)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the npm-minor-patch group with 5 updates
d6f603b 
Bumps the npm-minor-patch group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [yaml](https://github.com/eemeli/yaml) | `2.8.4` | `2.9.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `22.19.18` | `22.19.19` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.7` |
| [openclaw](https://github.com/openclaw/openclaw) | `2026.5.9-beta.1` | `2026.5.22` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.7` |


Updates `yaml` from 2.8.4 to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.4...v2.9.0)

Updates `@types/node` from 22.19.18 to 22.19.19
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.7
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.7/packages/coverage-v8)

Updates `openclaw` from 2026.5.9-beta.1 to 2026.5.22
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Commits](openclaw/openclaw@v2026.5.9-beta.1...v2026.5.22)

Updates `vitest` from 4.0.18 to 4.1.7
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.7/packages/vitest)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: "@types/node"
  dependency-version: 22.19.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: openclaw
  dependency-version: 2026.5.22
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 29, 2026
@github-actions github-actions Bot enabled auto-merge (squash) May 29, 2026 18:05
@github-actions github-actions Bot merged commit 273e326 into master May 29, 2026
2 checks passed
@sentry
Copy link
Copy Markdown

sentry Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-minor-patch-ac1f9f8023 branch May 29, 2026 18:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants