Skip to content

chore(deps): bump openclaw from 2026.3.11 to 2026.3.24#9

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.3.24
Closed

chore(deps): bump openclaw from 2026.3.11 to 2026.3.24#9
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/openclaw-2026.3.24

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Mar 28, 2026

Bumps openclaw from 2026.3.11 to 2026.3.24.

Release notes

Sourced from openclaw's releases.

openclaw 2026.3.24

Breaking

Changes

  • Gateway/OpenAI compatibility: add /v1/models and /v1/embeddings, and forward explicit model overrides through /v1/chat/completions and /v1/responses for broader client and RAG compatibility. Thanks @​vincentkoc.
  • Agents/tools: make /tools show the tools the current agent can actually use right now, add a compact default view with an optional detailed mode, and add a live "Available Right Now" section in the Control UI so it is easier to see what will work before you ask.
  • Microsoft Teams: migrate to the official Teams SDK and add AI-agent UX best practices including streaming 1:1 replies, welcome cards with prompt starters, feedback/reflection, informative status updates, typing indicators, and native AI labeling. (#51808)
  • Microsoft Teams: add message edit and delete support for sent messages, including in-thread fallbacks when no explicit target is provided. (#49925)
  • Skills/install metadata: add one-click install recipes to bundled skills (coding-agent, gh-issues, openai-whisper-api, session-logs, tmux, trello, weather) so the CLI and Control UI can offer dependency installation when requirements are missing. (#53411) Thanks @​BunsDev.
  • Control UI/skills: add status-filter tabs (All / Ready / Needs Setup / Disabled) with counts, replace inline skill cards with a click-to-detail dialog showing requirements, toggle switch, install action, API key entry, source metadata, and homepage link. (#53411) Thanks @​BunsDev.
  • Slack/interactive replies: restore rich reply parity for direct deliveries, auto-render simple trailing Options: lines as buttons/selects, improve Slack interactive setup defaults, and isolate reply controls from plugin interactive handlers. (#53389) Thanks @​vincentkoc.
  • CLI/containers: add --container and OPENCLAW_CONTAINER to run openclaw commands inside a running Docker or Podman OpenClaw container. (#52651) Thanks @​sallyom.
  • Discord/auto threads: add optional autoThreadName: "generated" naming so new auto-created threads can be renamed asynchronously with concise LLM-generated titles while keeping the existing message-based naming as the default. (#43366) Thanks @​davidguttman.
  • Plugins/hooks: add before_dispatch with canonical inbound metadata and route handled replies through the normal final-delivery path, preserving TTS and routed delivery semantics. (#50444) Thanks @​gfzhx.
  • Control UI/agents: convert agent workspace file rows to expandable <details> with lazy-loaded inline markdown preview, and add comprehensive .sidebar-markdown styles for headings, lists, code blocks, tables, blockquotes, and details/summary elements. (#53411) Thanks @​BunsDev.
  • Control UI/markdown preview: restyle the agent workspace file preview dialog with a frosted backdrop, sized panel, and styled header, and integrate @create-markdown/preview v2 system theme for rich markdown rendering (headings, tables, code blocks, callouts, blockquotes) that auto-adapts to the app's light/dark design tokens. (#53411) Thanks @​BunsDev.
  • macOS app/config: replace horizontal pill-based subsection navigation with a collapsible tree sidebar using disclosure chevrons and indented subsection rows. (#53411) Thanks @​BunsDev.
  • CLI/skills: soften missing-requirements label from "missing" to "needs setup" and surface API key setup guidance (where to get a key, CLI save command, storage path) in openclaw skills info output. (#53411) Thanks @​BunsDev.
  • macOS app/skills: add "Get your key" homepage link and storage-path hint to the API key editor dialog, and show the config path in save confirmation messages. (#53411) Thanks @​BunsDev.
  • Control UI/agents: add a "Not set" placeholder to the default agent model selector dropdown. (#53411) Thanks @​BunsDev.
  • Runtime/install: lower the supported Node 22 floor to 22.14+ while continuing to recommend Node 24, so npm installs and self-updates do not strand Node 22.14 users on older releases.
  • CLI/update: preflight the target npm package engines.node before openclaw update runs a global package install, so outdated Node runtimes fail with a clear upgrade message instead of attempting an unsupported latest release.

Fixes

  • Outbound media/local files: align outbound media access with the configured fs policy so host-local files and inbound-media paths keep sending when workspaceOnly is off, while strict workspace-only agents remain sandboxed.
  • Security/sandbox media dispatch: close the mediaUrl/fileUrl alias bypass so outbound tool and message actions cannot escape media-root restrictions. (#54034)
  • Gateway/restart sentinel: wake the interrupted agent session via heartbeat after restart instead of only sending a best-effort restart note, retry outbound delivery once on transient failure, and preserve explicit thread/topic routing through the wake path so replies land in the correct Telegram topic or Slack thread. (#53940) Thanks @​VACInc.
  • Docker/setup: avoid the pre-start openclaw-cli shared-network namespace loop by routing setup-time onboard/config writes through openclaw-gateway, so fresh Docker installs stop failing before the gateway comes up. (#53385) Thanks @​amsminn.
  • Gateway/channels: keep channel startup sequential while isolating per-channel boot failures, so one broken channel no longer blocks later channels from starting. (#54215) Thanks @​JonathanJing.
  • Embedded runs/secrets: stop unresolved SecretRef config from crashing embedded agent runs by falling back to the resolved runtime snapshot when needed. Fixes #45838.
  • WhatsApp/groups: track recent gateway-sent message IDs and suppress only matching group echoes, preserving owner /status, /new, and /activation commands from linked-account fromMe traffic. (#53624) Thanks @​w-sss.
  • WhatsApp/reply-to-bot detection: restore implicit group reply detection by unwrapping botInvokeMessage payloads and reading selfLid from creds.json, so reply-based mentions reach the bot again in linked-account group chats.
  • Telegram/forum topics: recover #General topic 1 routing when Telegram omits forum metadata, including native commands, interactive callbacks, inbound message context, and fallback error replies. (#53699) thanks @​huntharo
  • Discord/gateway supervision: centralize gateway error handling behind a lifetime-owned supervisor so early, active, and late-teardown Carbon gateway errors stay classified consistently and stop surfacing as process-killing teardown crashes.
  • Discord/timeouts: send a visible timeout reply when the inbound Discord worker times out before a final reply starts, including created auto-thread targets and queued-run ordering. (#53823) Thanks @​Kimbo7870.
  • ACP/direct chats: always deliver a terminal ACP result when final TTS does not yield audio, even if block text already streamed earlier, and skip redundant empty-text final synthesis. (#53692) Thanks @​w-sss.
  • Telegram/outbound errors: preserve actionable 403 membership/block/kick details and treat bot not a member as a permanent delivery failure so Telegram sends stop retrying doomed chats. (#53635) Thanks @​w-sss.
  • Telegram/photos: preflight Telegram photo dimension and aspect-ratio rules, and fall back to document sends when image metadata is invalid or unavailable so photo uploads stop failing with PHOTO_INVALID_DIMENSIONS. (#52545) Thanks @​hnshah.
  • Slack/runtime defaults: trim Slack DM reply overhead, restore Codex auto transport, and tighten Slack/web-search runtime defaults around DM preview threading, cache scoping, warning dedupe, and explicit web-search opt-in. (#53957) Thanks @​vincentkoc.

openclaw 2026.3.24-beta.2

Fixes

  • Outbound media/local files: align outbound media access with the configured fs policy so host-local files and inbound-media paths keep sending when workspaceOnly is off, while strict workspace-only agents remain sandboxed.
  • Runtime/install: lower the supported Node 22 floor to 22.14+ while continuing to recommend Node 24, so npm installs and self-updates do not strand Node 22.14 users on older releases.
  • CLI/update: preflight the target npm package engines.node before openclaw update runs a global package install, so outdated Node runtimes fail with a clear upgrade message instead of attempting an unsupported latest release.
  • Tests/security audit: isolate audit-test home and personal skill resolution so local ~/.agents/skills installs no longer make maintainer prep runs fail nondeterministically. (#54473) thanks @​huntharo

... (truncated)

Changelog

Sourced from openclaw's changelog.

2026.3.24

Breaking

Changes

  • Gateway/OpenAI compatibility: add /v1/models and /v1/embeddings, and forward explicit model overrides through /v1/chat/completions and /v1/responses for broader client and RAG compatibility. Thanks @​vincentkoc.
  • Agents/tools: make /tools show the tools the current agent can actually use right now, add a compact default view with an optional detailed mode, and add a live "Available Right Now" section in the Control UI so it is easier to see what will work before you ask.
  • Microsoft Teams: migrate to the official Teams SDK and add AI-agent UX best practices including streaming 1:1 replies, welcome cards with prompt starters, feedback/reflection, informative status updates, typing indicators, and native AI labeling. (#51808)
  • Microsoft Teams: add message edit and delete support for sent messages, including in-thread fallbacks when no explicit target is provided. (#49925)
  • Skills/install metadata: add one-click install recipes to bundled skills (coding-agent, gh-issues, openai-whisper-api, session-logs, tmux, trello, weather) so the CLI and Control UI can offer dependency installation when requirements are missing. (#53411) Thanks @​BunsDev.
  • Control UI/skills: add status-filter tabs (All / Ready / Needs Setup / Disabled) with counts, replace inline skill cards with a click-to-detail dialog showing requirements, toggle switch, install action, API key entry, source metadata, and homepage link. (#53411) Thanks @​BunsDev.
  • Slack/interactive replies: restore rich reply parity for direct deliveries, auto-render simple trailing Options: lines as buttons/selects, improve Slack interactive setup defaults, and isolate reply controls from plugin interactive handlers. (#53389) Thanks @​vincentkoc.
  • CLI/containers: add --container and OPENCLAW_CONTAINER to run openclaw commands inside a running Docker or Podman OpenClaw container. (#52651) Thanks @​sallyom.
  • Discord/auto threads: add optional autoThreadName: "generated" naming so new auto-created threads can be renamed asynchronously with concise LLM-generated titles while keeping the existing message-based naming as the default. (#43366) Thanks @​davidguttman.
  • Plugins/hooks: add before_dispatch with canonical inbound metadata and route handled replies through the normal final-delivery path, preserving TTS and routed delivery semantics. (#50444) Thanks @​gfzhx.
  • Control UI/agents: convert agent workspace file rows to expandable <details> with lazy-loaded inline markdown preview, and add comprehensive .sidebar-markdown styles for headings, lists, code blocks, tables, blockquotes, and details/summary elements. (#53411) Thanks @​BunsDev.
  • Control UI/markdown preview: restyle the agent workspace file preview dialog with a frosted backdrop, sized panel, and styled header, and integrate @create-markdown/preview v2 system theme for rich markdown rendering (headings, tables, code blocks, callouts, blockquotes) that auto-adapts to the app's light/dark design tokens. (#53411) Thanks @​BunsDev.
  • macOS app/config: replace horizontal pill-based subsection navigation with a collapsible tree sidebar using disclosure chevrons and indented subsection rows. (#53411) Thanks @​BunsDev.
  • CLI/skills: soften missing-requirements label from "missing" to "needs setup" and surface API key setup guidance (where to get a key, CLI save command, storage path) in openclaw skills info output. (#53411) Thanks @​BunsDev.
  • macOS app/skills: add "Get your key" homepage link and storage-path hint to the API key editor dialog, and show the config path in save confirmation messages. (#53411) Thanks @​BunsDev.
  • Control UI/agents: add a "Not set" placeholder to the default agent model selector dropdown. (#53411) Thanks @​BunsDev.
  • Runtime/install: lower the supported Node 22 floor to 22.14+ while continuing to recommend Node 24, so npm installs and self-updates do not strand Node 22.14 users on older releases.
  • CLI/update: preflight the target npm package engines.node before openclaw update runs a global package install, so outdated Node runtimes fail with a clear upgrade message instead of attempting an unsupported latest release.

Fixes

  • Outbound media/local files: align outbound media access with the configured fs policy so host-local files and inbound-media paths keep sending when workspaceOnly is off, while strict workspace-only agents remain sandboxed.
  • Security/sandbox media dispatch: close the mediaUrl/fileUrl alias bypass so outbound tool and message actions cannot escape media-root restrictions. (#54034)
  • Gateway/restart sentinel: wake the interrupted agent session via heartbeat after restart instead of only sending a best-effort restart note, retry outbound delivery once on transient failure, and preserve explicit thread/topic routing through the wake path so replies land in the correct Telegram topic or Slack thread. (#53940) Thanks @​VACInc.
  • Docker/setup: avoid the pre-start openclaw-cli shared-network namespace loop by routing setup-time onboard/config writes through openclaw-gateway, so fresh Docker installs stop failing before the gateway comes up. (#53385) Thanks @​amsminn.
  • Gateway/channels: keep channel startup sequential while isolating per-channel boot failures, so one broken channel no longer blocks later channels from starting. (#54215) Thanks @​JonathanJing.
  • Embedded runs/secrets: stop unresolved SecretRef config from crashing embedded agent runs by falling back to the resolved runtime snapshot when needed. Fixes #45838.
  • WhatsApp/groups: track recent gateway-sent message IDs and suppress only matching group echoes, preserving owner /status, /new, and /activation commands from linked-account fromMe traffic. (#53624) Thanks @​w-sss.
  • WhatsApp/reply-to-bot detection: restore implicit group reply detection by unwrapping botInvokeMessage payloads and reading selfLid from creds.json, so reply-based mentions reach the bot again in linked-account group chats.
  • Telegram/forum topics: recover #General topic 1 routing when Telegram omits forum metadata, including native commands, interactive callbacks, inbound message context, and fallback error replies. (#53699) thanks @​huntharo
  • Discord/gateway supervision: centralize gateway error handling behind a lifetime-owned supervisor so early, active, and late-teardown Carbon gateway errors stay classified consistently and stop surfacing as process-killing teardown crashes.
  • Discord/timeouts: send a visible timeout reply when the inbound Discord worker times out before a final reply starts, including created auto-thread targets and queued-run ordering. (#53823) Thanks @​Kimbo7870.
  • ACP/direct chats: always deliver a terminal ACP result when final TTS does not yield audio, even if block text already streamed earlier, and skip redundant empty-text final synthesis. (#53692) Thanks @​w-sss.
  • Telegram/outbound errors: preserve actionable 403 membership/block/kick details and treat bot not a member as a permanent delivery failure so Telegram sends stop retrying doomed chats. (#53635) Thanks @​w-sss.
  • Telegram/photos: preflight Telegram photo dimension and aspect-ratio rules, and fall back to document sends when image metadata is invalid or unavailable so photo uploads stop failing with PHOTO_INVALID_DIMENSIONS. (#52545) Thanks @​hnshah.
  • Slack/runtime defaults: trim Slack DM reply overhead, restore Codex auto transport, and tighten Slack/web-search runtime defaults around DM preview threading, cache scoping, warning dedupe, and explicit web-search opt-in. (#53957) Thanks @​vincentkoc.
  • Security/gateway config: block agent config.apply and config.patch writes to tools.exec.ask and tools.exec.security so gateway config tools cannot silently disable exec approvals or broaden exec security.
  • Security/chat provenance: require operator.admin for system provenance injection so chat.send callers cannot spoof ACP-only provenance through client identity metadata.
  • Security/exec approvals: treat /usr/bin/script as a transparent wrapper during trust-plan resolution and allow-always persistence so wrapper registration cannot broaden exec approvals.
  • Security/Feishu uploads: route local doc and image upload inputs through media local-roots enforcement so Feishu uploads cannot read arbitrary host files outside the allowed sandbox and file policy.
  • Security/dotenv: filter untrusted CWD and workspace-config .env entries before startup and config loading so dotenv-based host-env takeover paths can no longer rewrite runtime state or package registries.
  • Security/media parsing: reject traversal and home-directory patterns in the shared media parse layer so parsed media paths cannot escape into arbitrary file reads.
  • Security/path resolution: prefer non-user-writable absolute helper binaries for OpenClaw CLI, ffmpeg, and OpenSSL resolution so PATH hijacks cannot replace trusted helpers with attacker-controlled executables.
  • Security/gateway command scopes: require operator.admin before Telegram target writeback and Talk Voice /voice set config writes persist through gateway message flows.

... (truncated)

Commits
  • cff6dc9 docs: format changelog for release
  • 97a7e93 build: prepare 2026.3.24 release
  • e2e9f97 feat(minimax): add image generation provider and trim model catalog to M2.7 (...
  • 7cc86e9 fix(release): add plugin-sdk:check-exports to release:check (#54283)
  • c2a2edb Fix local copied package installs honoring staged project .npmrc (#54543)
  • a0b9dc0 fix(feishu): use message create_time for inbound timestamps (#52809)
  • bd4237c fix(feishu): close WebSocket connections on monitor stop (#52844)
  • edb5123 fix(sandbox): honor sandbox alsoAllow and explicit re-allows (#54492)
  • e9ac286 docs: prepare 2026.3.24-beta.2 release
  • da60aff Tests: isolate security audit home skill resolution (#54473)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for openclaw since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump openclaw from 2026.3.11 to 2026.3.24
4ac3f36 
Bumps [openclaw](https://github.com/openclaw/openclaw) from 2026.3.11 to 2026.3.24.
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Changelog](https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md)
- [Commits](openclaw/openclaw@v2026.3.11...v2026.3.24)

---
updated-dependencies:
- dependency-name: openclaw
  dependency-version: 2026.3.24
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 28, 2026
@dependabot dependabot bot mentioned this pull request Mar 28, 2026
Closed
@dependabot @github
Copy link
Copy Markdown
Author

dependabot bot commented on behalf of github Mar 29, 2026

Superseded by #11.

@dependabot dependabot bot closed this Mar 29, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/openclaw-2026.3.24 branch March 29, 2026 20:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants