Skip to content

chore(deps): bump openclaw from 2026.3.11 to 2026.3.28#11

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.3.28
Open

chore(deps): bump openclaw from 2026.3.11 to 2026.3.28#11
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.3.28

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Mar 29, 2026

Bumps openclaw from 2026.3.11 to 2026.3.28.

Release notes

Sourced from openclaw's releases.

openclaw 2026.3.28

Breaking

  • Providers/Qwen: remove the deprecated qwen-portal-auth OAuth integration for portal.qwen.ai; migrate to Model Studio with openclaw onboard --auth-choice modelstudio-api-key. (#52709) Thanks @​pomelo-nwu.
  • Config/Doctor: drop automatic config migrations older than two months; very old legacy keys now fail validation instead of being rewritten on load or by openclaw doctor.

Changes

  • xAI/tools: move the bundled xAI provider to the Responses API, add first-class x_search, and auto-enable the xAI plugin from owned web-search and tool config so bundled Grok auth/configured search flows work without manual plugin toggles. (#56048) Thanks @​huntharo.
  • xAI/onboarding: let the bundled Grok web-search plugin offer optional x_search setup during openclaw onboard and openclaw configure --section web, including an x_search model picker with the shared xAI key.
  • MiniMax: add image generation provider for image-01 model, supporting generate and image-to-image editing with aspect ratio control. (#54487) Thanks @​liyuan97.
  • Plugins/hooks: add async requireApproval to before_tool_call hooks, letting plugins pause tool execution and prompt the user for approval via the exec approval overlay, Telegram buttons, Discord interactions, or the /approve command on any channel. The /approve command now handles both exec and plugin approvals with automatic fallback. (#55339) Thanks @​vaclavbelak and @​joshavant.
  • ACP/channels: add current-conversation ACP binds for Discord, BlueBubbles, and iMessage so /acp spawn codex --bind here can turn the current chat into a Codex-backed workspace without creating a child thread, and document the distinction between chat surface, ACP session, and runtime workspace.
  • OpenAI/apply_patch: enable apply_patch by default for OpenAI and OpenAI Codex models, and align its sandbox policy access with write permissions.
  • Plugins/CLI backends: move bundled Claude CLI, Codex CLI, and Gemini CLI inference defaults onto the plugin surface, add bundled Gemini CLI backend support, and replace gateway run --claude-cli-logs with generic --cli-backend-logs while keeping the old flag as a compatibility alias.
  • Plugins/startup: auto-load bundled provider and CLI-backend plugins from explicit config refs, so bundled Claude CLI, Codex CLI, and Gemini CLI message-provider setups no longer need manual plugins.allow entries.
  • Podman: simplify the container setup around the current rootless user, install the launch helper under ~/.local/bin, and document the host-CLI openclaw --container <name> ... workflow instead of a dedicated openclaw service user.
  • Slack/tool actions: add an explicit upload-file Slack action that routes file uploads through the existing Slack upload transport, with optional filename/title/comment overrides for channels and DMs.
  • Message actions/files: start unifying file-first sends on the canonical upload-file action by adding explicit support for Microsoft Teams and Google Chat, and by exposing BlueBubbles file sends through upload-file while keeping the legacy sendAttachment alias.
  • Plugins/Matrix TTS: send auto-TTS replies as native Matrix voice bubbles instead of generic audio attachments. (#37080) thanks @​Matthew19990919.
  • CLI: add openclaw config schema to print the generated JSON schema for openclaw.json. (#54523) Thanks @​kvokka.
  • Config/TTS: auto-migrate legacy speech config on normal reads and secret resolution, keep legacy diagnostics for Doctor, and remove regular-mode runtime fallback for old bundled tts.<provider> API-key shapes.
  • Memory/plugins: move the pre-compaction memory flush plan behind the active memory plugin contract so memory-core owns flush prompts and target-path policy instead of hardcoded core logic.
  • MiniMax: trim model catalog to M2.7 only, removing legacy M2, M2.1, M2.5, and VL-01 models. (#54487) Thanks @​liyuan97.
  • Plugins/runtime: expose runHeartbeatOnce in the plugin runtime system namespace so plugins can trigger a single heartbeat cycle with an explicit delivery target override (e.g. heartbeat: { target: "last" }). (#40299) Thanks @​loveyana.
  • Agents/compaction: preserve the post-compaction AGENTS refresh on stale-usage preflight compaction for both immediate replies and queued followups. (#49479) Thanks @​jared596.
  • Agents/compaction: surface safeguard-specific cancel reasons and relabel benign manual /compact no-op cases as skipped instead of failed. (#51072) Thanks @​afurm.
  • Docs: add pnpm docs:check-links:anchors for Mintlify anchor validation while keeping scripts/docs-link-audit.mjs as the stable link-audit entrypoint. (#55912) Thanks @​velvet-shark.
  • Tavily: mark outbound API requests with X-Client-Source: openclaw so Tavily can attribute OpenClaw-originated traffic. (#55335) Thanks @​lakshyaag-tavily.

Fixes

  • Agents/Anthropic: recover unhandled provider stop reasons (e.g. sensitive) as structured assistant errors instead of crashing the agent run. (#56639)
  • Google/models: resolve Gemini 3.1 pro, flash, and flash-lite for all Google provider aliases by passing the actual runtime provider ID and adding a template-provider fallback; fix flash-lite prefix ordering. (#56567)
  • OpenAI Codex/image tools: register Codex for media understanding and route image prompts through Codex instructions so image analysis no longer fails on missing provider registration or missing instructions. (#54829) Thanks @​neeravmakwana.
  • Agents/image tool: restore the generic image-runtime fallback when no provider-specific media-understanding provider is registered, so image analysis works again for providers like openrouter and minimax-portal. (#54858) Thanks @​MonkeyLeeT.
  • WhatsApp: fix infinite echo loop in self-chat DM mode where the bot's own outbound replies were re-processed as new inbound user messages. (#54570) Thanks @​joelnishanth
  • Telegram/splitting: replace proportional text estimate with verified HTML-length search so long messages split at word boundaries instead of mid-word; gracefully degrade when tag overhead exceeds the limit. (#56595)
  • Telegram/delivery: skip whitespace-only and hook-blanked text replies in bot delivery to prevent GrammyError 400 empty-text crashes. (#56620)
  • Telegram/send: validate replyToMessageId at all four API sinks with a shared normalizer that rejects non-numeric, NaN, and mixed-content strings. (#56587)
  • Mistral: normalize OpenAI-compatible request flags so official Mistral API runs no longer fail with remaining 422 status code (no body) chat errors.
  • Control UI/config: keep sensitive raw config hidden by default, replace the blank blocked editor with an explicit reveal-to-edit state, and restore raw JSON editing without auto-exposing secrets. Fixes #55322.
  • CLI/zsh: defer compdef registration until compinit is available so zsh completion loads cleanly with plugin managers and manual setups. (#56555)
  • BlueBubbles/debounce: guard debounce flush against null message text by sanitizing at the enqueue boundary and adding an independent combiner guard. (#56573)
  • Auto-reply: suppress JSON-wrapped {"action":"NO_REPLY"} control envelopes before channel delivery with a strict single-key detector; preserves media when text is only a silent envelope. (#56612)
  • ACP/ACPX agent registry: align OpenClaw's ACPX built-in agent mirror with the latest openclaw/acpx command defaults and built-in aliases, pin versioned npx built-ins to exact versions, and stop unknown ACP agent ids from falling through to raw --agent command execution on the MCP-proxy path. (#28321) Thanks @​m0nkmaster and @​vincentkoc.
  • Security/audit: extend web search key audit to recognize Gemini, Grok/xAI, Kimi, Moonshot, and OpenRouter credentials via a boundary-safe bundled-web-search registry shim. (#56540)
  • Docs/FAQ: remove broken Xfinity SSL troubleshooting cross-links from English and zh-CN FAQ entries — both sections already contain the full workaround inline. (#56500)
  • Telegram: deliver verbose tool summaries inside forum topic sessions again, so threaded topic chats now match DM verbose behavior. (#43236) Thanks @​frankbuild.

... (truncated)

Changelog

Sourced from openclaw's changelog.

2026.3.28

Breaking

  • Providers/Qwen: remove the deprecated qwen-portal-auth OAuth integration for portal.qwen.ai; migrate to Model Studio with openclaw onboard --auth-choice modelstudio-api-key. (#52709) Thanks @​pomelo-nwu.
  • Config/Doctor: drop automatic config migrations older than two months; very old legacy keys now fail validation instead of being rewritten on load or by openclaw doctor.

Changes

  • xAI/tools: move the bundled xAI provider to the Responses API, add first-class x_search, and auto-enable the xAI plugin from owned web-search and tool config so bundled Grok auth/configured search flows work without manual plugin toggles. (#56048) Thanks @​huntharo.
  • xAI/onboarding: let the bundled Grok web-search plugin offer optional x_search setup during openclaw onboard and openclaw configure --section web, including an x_search model picker with the shared xAI key.
  • MiniMax: add image generation provider for image-01 model, supporting generate and image-to-image editing with aspect ratio control. (#54487) Thanks @​liyuan97.
  • Plugins/hooks: add async requireApproval to before_tool_call hooks, letting plugins pause tool execution and prompt the user for approval via the exec approval overlay, Telegram buttons, Discord interactions, or the /approve command on any channel. The /approve command now handles both exec and plugin approvals with automatic fallback. (#55339) Thanks @​vaclavbelak and @​joshavant.
  • ACP/channels: add current-conversation ACP binds for Discord, BlueBubbles, and iMessage so /acp spawn codex --bind here can turn the current chat into a Codex-backed workspace without creating a child thread, and document the distinction between chat surface, ACP session, and runtime workspace.
  • OpenAI/apply_patch: enable apply_patch by default for OpenAI and OpenAI Codex models, and align its sandbox policy access with write permissions.
  • Plugins/CLI backends: move bundled Claude CLI, Codex CLI, and Gemini CLI inference defaults onto the plugin surface, add bundled Gemini CLI backend support, and replace gateway run --claude-cli-logs with generic --cli-backend-logs while keeping the old flag as a compatibility alias.
  • Plugins/startup: auto-load bundled provider and CLI-backend plugins from explicit config refs, so bundled Claude CLI, Codex CLI, and Gemini CLI message-provider setups no longer need manual plugins.allow entries.
  • Podman: simplify the container setup around the current rootless user, install the launch helper under ~/.local/bin, and document the host-CLI openclaw --container <name> ... workflow instead of a dedicated openclaw service user.
  • Slack/tool actions: add an explicit upload-file Slack action that routes file uploads through the existing Slack upload transport, with optional filename/title/comment overrides for channels and DMs.
  • Message actions/files: start unifying file-first sends on the canonical upload-file action by adding explicit support for Microsoft Teams and Google Chat, and by exposing BlueBubbles file sends through upload-file while keeping the legacy sendAttachment alias.
  • Plugins/Matrix TTS: send auto-TTS replies as native Matrix voice bubbles instead of generic audio attachments. (#37080) thanks @​Matthew19990919.
  • CLI: add openclaw config schema to print the generated JSON schema for openclaw.json. (#54523) Thanks @​kvokka.
  • Config/TTS: auto-migrate legacy speech config on normal reads and secret resolution, keep legacy diagnostics for Doctor, and remove regular-mode runtime fallback for old bundled tts.<provider> API-key shapes.
  • Memory/plugins: move the pre-compaction memory flush plan behind the active memory plugin contract so memory-core owns flush prompts and target-path policy instead of hardcoded core logic.
  • MiniMax: trim model catalog to M2.7 only, removing legacy M2, M2.1, M2.5, and VL-01 models. (#54487) Thanks @​liyuan97.
  • Plugins/runtime: expose runHeartbeatOnce in the plugin runtime system namespace so plugins can trigger a single heartbeat cycle with an explicit delivery target override (e.g. heartbeat: { target: "last" }). (#40299) Thanks @​loveyana.
  • Background tasks: keep durable lifecycle records for ACP/subagent spawned work and deliver ACP completion/failure updates through the real requester chat path instead of session-only stream events.
  • Agents/compaction: preserve the post-compaction AGENTS refresh on stale-usage preflight compaction for both immediate replies and queued followups. (#49479) Thanks @​jared596.
  • Agents/compaction: surface safeguard-specific cancel reasons and relabel benign manual /compact no-op cases as skipped instead of failed. (#51072) Thanks @​afurm.
  • Docs: add pnpm docs:check-links:anchors for Mintlify anchor validation while keeping scripts/docs-link-audit.mjs as the stable link-audit entrypoint. (#55912) Thanks @​velvet-shark.
  • Tavily: mark outbound API requests with X-Client-Source: openclaw so Tavily can attribute OpenClaw-originated traffic. (#55335) Thanks @​lakshyaag-tavily.
  • Matrix/streaming: add streaming: "partial" draft replies that stay on a single editable preview message, stop preview streaming once text no longer fits one Matrix event, and clear stale previews before media-only finals. (#56387) thanks @​jrusz.

Fixes

  • Agents/Anthropic: recover unhandled provider stop reasons (e.g. sensitive) as structured assistant errors instead of crashing the agent run. (#56639)
  • Google/models: resolve Gemini 3.1 pro, flash, and flash-lite for all Google provider aliases by passing the actual runtime provider ID and adding a template-provider fallback; fix flash-lite prefix ordering. (#56567)
  • OpenAI Codex/image tools: register Codex for media understanding and route image prompts through Codex instructions so image analysis no longer fails on missing provider registration or missing instructions. (#54829) Thanks @​neeravmakwana.
  • Agents/image tool: restore the generic image-runtime fallback when no provider-specific media-understanding provider is registered, so image analysis works again for providers like openrouter and minimax-portal. (#54858) Thanks @​MonkeyLeeT.
  • WhatsApp: fix infinite echo loop in self-chat DM mode where the bot's own outbound replies were re-processed as new inbound user messages. (#54570) Thanks @​joelnishanth
  • Telegram/splitting: replace proportional text estimate with verified HTML-length search so long messages split at word boundaries instead of mid-word; gracefully degrade when tag overhead exceeds the limit. (#56595)
  • Telegram/delivery: skip whitespace-only and hook-blanked text replies in bot delivery to prevent GrammyError 400 empty-text crashes. (#56620)
  • Telegram/send: validate replyToMessageId at all four API sinks with a shared normalizer that rejects non-numeric, NaN, and mixed-content strings. (#56587)
  • Mistral: normalize OpenAI-compatible request flags so official Mistral API runs no longer fail with remaining 422 status code (no body) chat errors.
  • Control UI/config: keep sensitive raw config hidden by default, replace the blank blocked editor with an explicit reveal-to-edit state, and restore raw JSON editing without auto-exposing secrets. Fixes #55322.
  • CLI/zsh: defer compdef registration until compinit is available so zsh completion loads cleanly with plugin managers and manual setups. (#56555)
  • BlueBubbles/debounce: guard debounce flush against null message text by sanitizing at the enqueue boundary and adding an independent combiner guard. (#56573)
  • Auto-reply: suppress JSON-wrapped {"action":"NO_REPLY"} control envelopes before channel delivery with a strict single-key detector; preserves media when text is only a silent envelope. (#56612)
  • ACP/ACPX agent registry: align OpenClaw's ACPX built-in agent mirror with the latest openclaw/acpx command defaults and built-in aliases, pin versioned npx built-ins to exact versions, and stop unknown ACP agent ids from falling through to raw --agent command execution on the MCP-proxy path. (#28321) Thanks @​m0nkmaster and @​vincentkoc.
  • Security/audit: extend web search key audit to recognize Gemini, Grok/xAI, Kimi, Moonshot, and OpenRouter credentials via a boundary-safe bundled-web-search registry shim. (#56540)

... (truncated)

Commits
  • f9b1079 build: cut 2026.3.28 stable
  • 584e627 docs: add changelog for CJK memory chunking (#40271)
  • f8547fc fix: guard fine-split against breaking UTF-16 surrogate pairs
  • 3b95aa8 fix: address second-round review — Latin backward compat and emoji consistency
  • a5147d4 fix: address bot review — surrogate-pair counting and CJK line splitting
  • 971ecab fix(memory): account for CJK characters in QMD memory chunking
  • 7f46b03 fix: keep memory flush daily files append-only (#53725) (thanks @​HPluseven)
  • 9d1498b Agents: add memory flush append regression
  • 60b7613 Agents: forward memory flush append guard
  • e2d0b7c chore(test): harden mattermost slash-http module mocks
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for openclaw since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump openclaw from 2026.3.11 to 2026.3.28
993da1b 
Bumps [openclaw](https://github.com/openclaw/openclaw) from 2026.3.11 to 2026.3.28.
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Changelog](https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md)
- [Commits](openclaw/openclaw@v2026.3.11...v2026.3.28)

---
updated-dependencies:
- dependency-name: openclaw
  dependency-version: 2026.3.28
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 29, 2026
@dependabot dependabot bot mentioned this pull request Mar 29, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants