Skip to content

Bump @hono/node-server and openclaw#19

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-4b8bebe461
Open

Bump @hono/node-server and openclaw#19
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-4b8bebe461

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 8, 2026

Bumps @hono/node-server to 1.19.13 and updates ancestor dependency openclaw. These dependencies need to be updated together.

Updates @hono/node-server from 1.19.9 to 1.19.13

Release notes

Sourced from @​hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

Updates openclaw from 2026.3.1 to 2026.4.5

Release notes

Sourced from openclaw's releases.

openclaw 2026.4.5

Breaking

  • Config: remove legacy public config aliases such as talk.voiceId / talk.apiKey, agents.*.sandbox.perSession, browser.ssrfPolicy.allowPrivateNetwork, hooks.internal.handlers, and channel/group/room allow toggles in favor of the canonical public paths and enabled, while keeping load-time compatibility and openclaw doctor --fix migration support for existing configs. (#60726) Thanks @​vincentkoc.

Changes

  • Agents/video generation: add the built-in video_generate tool so agents can create videos through configured providers and return the generated media directly in the reply.
  • Agents/music generation: ignore unsupported optional hints such as durationSeconds with a warning instead of hard-failing requests on providers like Google Lyria.
  • Providers/ComfyUI: add a bundled comfy workflow media plugin for local ComfyUI and Comfy Cloud workflows, including shared image_generate, video_generate, and workflow-backed music_generate support, with prompt injection, optional reference-image upload, live tests, and output download.
  • Tools/music generation: add the built-in music_generate tool with bundled Google (Lyria) and MiniMax providers plus workflow-backed Comfy support, including async task tracking and follow-up delivery of finished audio.
  • Providers: add bundled Qwen, Fireworks AI, and StepFun providers, plus MiniMax TTS, Ollama Web Search, and MiniMax Search integrations for chat, speech, and search workflows. (#60032, #55921, #59318, #54648)
  • Providers/Amazon Bedrock: add bundled Mantle support plus inference-profile discovery and automatic request-region injection so Bedrock-hosted Claude, GPT-OSS, Qwen, Kimi, GLM, and similar routes work with less manual setup. (#61296, #61299) Thanks @​wirjo.
  • Control UI/multilingual: add localized control UI support for Simplified Chinese, Traditional Chinese, Brazilian Portuguese, German, Spanish, Japanese, Korean, French, Turkish, Indonesian, Polish, and Ukrainian. Thanks @​vincentkoc.
  • Plugins: add plugin-config TUI prompts to guided onboarding/setup flows, and add openclaw plugins install --force so existing plugin and hook-pack targets can be replaced without using the dangerous-code override flag. (#60590, #60544)
  • Control UI/skills: add ClawHub search, detail, and install flows directly in the Skills panel. (#60134) Thanks @​samzong.
  • iOS/exec approvals: add generic APNs approval notifications that open an in-app exec approval modal, fetch command details only after authenticated operator reconnect, and clear stale notification state when the approval resolves. (#60239) Thanks @​ngutman.
  • Matrix/exec approvals: add Matrix-native exec approval prompts with account-scoped approvers, channel-or-DM delivery, and room-thread aware resolution handling. (#58635) Thanks @​gumadeiras.
  • Channels/context visibility: add configurable contextVisibility per channel (all, allowlist, allowlist_quote) so supplemental quote, thread, and fetched history context can be filtered by sender allowlists instead of always passing through as received.
  • Providers/request overrides: add shared model and media request transport overrides across OpenAI-, Anthropic-, Google-, and compatible provider paths, including headers, auth, proxy, and TLS controls. (#60200)
  • Providers/OpenAI: add forward-compat openai-codex/gpt-5.4-mini, an opt-in GPT personality, and provider-owned GPT-5 prompt contributions so Codex/GPT runs stay cache-stable and compatible with bundled catalog lag.
  • Agents/Claude CLI: expose OpenClaw tools to background Claude CLI runs through a loopback MCP bridge and switch bundled runs to stdin + stream-json partial-message streaming so prompts stop riding argv, long replies show live progress, and final session/usage metadata still land cleanly. (#35676) Thanks @​mylukin.
  • ACPX/runtime: embed the ACP runtime directly in the bundled acpx plugin, remove the extra external ACP CLI hop, harden live ACP session binding and reuse, and add a generic reply_dispatch hook so bundled plugins like ACPX can own reply interception without hardcoded ACP paths in core auto-reply routing. (#61319)
  • Agents/progress: add experimental structured plan updates and structured execution item events so compatible UIs can show clearer step-by-step progress during long-running runs.
  • Providers/Anthropic: remove the Claude CLI backend and setup-token from new onboarding, keep existing configured legacy profiles runnable, and have openclaw doctor repair or remove stale anthropic:claude-cli state during migration.
  • Tools/video generation: add bundled xAI (grok-imagine-video), Alibaba Model Studio Wan, and Runway video providers, plus live-test/default model wiring for all three.
  • Memory/search: add Amazon Bedrock embeddings for Titan, Cohere, Nova, and TwelveLabs models, with AWS credential-chain auto-detection for provider: "auto" and provider-specific dimension controls. Thanks @​wirjo.
  • Providers/Amazon Bedrock Mantle: generate bearer tokens from the AWS credential chain so Mantle auto-discovery can use IAM auth without manually exporting AWS_BEARER_TOKEN_BEDROCK. Thanks @​wirjo.
  • Memory/dreaming (experimental): add weighted short-term recall promotion, a /dreaming command, Dreams UI, multilingual conceptual tagging, and doctor/status repair support, while refactoring dreaming from competing modes into three cooperative phases (light, deep, REM) with independent schedules and recovery behavior so durable memory promotion can run in the background with less manual setup. (#60569, #60697) Thanks @​vignesh07.
  • Memory/dreaming: add configurable aging controls (recencyHalfLifeDays, maxAgeDays) plus optional verbose logging so operators can tune recall decay and inspect promotion decisions more easily.
  • Memory/dreaming: add REM preview tooling (openclaw memory rem-harness, promote-explain), surface possible lasting truths during REM staging, and make deep promotion replay-safe so reruns reconcile instead of duplicating MEMORY.md entries.
  • Memory/dreaming: write dreaming trail content to top-level dreams.md instead of daily memory notes, update /dreaming help text to point there, and keep dreams.md available for explicit reads without pulling it into default recall. Thanks @​davemorin.
  • Memory/dreaming: add the Dream Diary surface in Dreams, simplify user-facing dreaming config to enabled plus optional frequency, treat phases as implementation detail in docs/UI, and keep the lobster animation visible above diary content. Thanks @​vignesh07.
  • Prompt caching: keep prompt prefixes more reusable across transport fallback, deterministic MCP tool ordering, compaction, embedded image history, normalized system-prompt fingerprints, openclaw status --verbose cache diagnostics, and the removal of duplicate in-band tool inventories from agent system prompts so follow-up turns hit cache more reliably. (#58036, #58037, #58038, #59054, #60603, #60691) Thanks @​bcherny and @​vincentkoc.
  • Agents/cache: diagnostics: add prompt-cache break diagnostics, trace live cache scenarios through embedded runner paths, and show cache reuse explicitly in openclaw status --verbose. Thanks @​vincentkoc.
  • Agents/cache: stabilize cache-relevant system prompt fingerprints by normalizing equivalent structured prompt whitespace, line endings, hook-added system context, and runtime capability ordering so semantically unchanged prompts reuse KV/cache more reliably. Thanks @​vincentkoc.
  • Agents/tool prompts: remove the duplicate in-band tool inventory from agent system prompts so tool-calling models rely on the structured tool definitions as the single source of truth, improving prompt stability and reducing stale tool guidance.
  • Config/schema: enrich the exported openclaw config schema JSON Schema with field titles and descriptions so editors, agents, and other schema consumers receive the same config help metadata. (#60067) Thanks @​solavrc.
  • Providers/CLI: remove bundled CLI text-provider backends and the agents.defaults.cliBackends surface, while keeping ACP harness sessions and Gemini media understanding on the native bundled providers.
  • Matrix/exec approvals: clarify unavailable-approval replies so Matrix no longer claims chat approvals are unsupported when native exec approvals are merely unconfigured. (#61424) Thanks @​gumadeiras.
  • Docs/IRC: replace public IRC hostname examples with irc.example.com and recommend private servers for bot coordination while listing common public networks for intentional use.
  • Memory/dreaming: group nearby daily-note lines into short coherent chunks before staging them for dreaming, so one-off context from recent notes reaches REM/deep with better evidence and less line-level noise.
  • Memory/dreaming: drop generic date/day headings from daily-note chunk prefixes while keeping meaningful section labels, so staged snippets stay cleaner and more reusable. (#61597) Thanks @​mbelinky.
  • Plugins/Lobster: run bundled Lobster workflows in process instead of spawning the external CLI, reducing transport overhead and unblocking native runtime integration. (#61523) Thanks @​mbelinky.
  • Plugins/Lobster: harden managed resume validation so invalid TaskFlow resume calls fail earlier, and memoize embedded runtime loading per runner while keeping failed loads retryable. (#61566) Thanks @​mbelinky.

Fixes

  • Security: preserve restrictive plugin-only tool allowlists, require owner access for /allowlist add and /allowlist remove, fail closed when before_tool_call hooks crash, block browser SSRF redirect bypasses earlier, and keep non-interactive auth-choice inference scoped to bundled and already-trusted plugins. (#58476, #59836, #59822, #58771, #59120) Thanks @​eleqtrizit and @​pgondhi987.
  • Providers/OpenAI: make GPT-5 and Codex runs act sooner with lower-verbosity defaults, visible progress during tool work, and a one-shot retry when a turn only narrates the plan instead of taking action.

... (truncated)

Changelog

Sourced from openclaw's changelog.

2026.4.5

Breaking

  • Config: remove legacy public config aliases such as talk.voiceId / talk.apiKey, agents.*.sandbox.perSession, browser.ssrfPolicy.allowPrivateNetwork, hooks.internal.handlers, and channel/group/room allow toggles in favor of the canonical public paths and enabled, while keeping load-time compatibility and openclaw doctor --fix migration support for existing configs. (#60726) Thanks @​vincentkoc.

Changes

  • Agents/video generation: add the built-in video_generate tool so agents can create videos through configured providers and return the generated media directly in the reply.
  • Agents/music generation: ignore unsupported optional hints such as durationSeconds with a warning instead of hard-failing requests on providers like Google Lyria.
  • Providers/ComfyUI: add a bundled comfy workflow media plugin for local ComfyUI and Comfy Cloud workflows, including shared image_generate, video_generate, and workflow-backed music_generate support, with prompt injection, optional reference-image upload, live tests, and output download.
  • Tools/music generation: add the built-in music_generate tool with bundled Google (Lyria) and MiniMax providers plus workflow-backed Comfy support, including async task tracking and follow-up delivery of finished audio.
  • Providers: add bundled Qwen, Fireworks AI, and StepFun providers, plus MiniMax TTS, Ollama Web Search, and MiniMax Search integrations for chat, speech, and search workflows. (#60032, #55921, #59318, #54648)
  • Providers/Amazon Bedrock: add bundled Mantle support plus inference-profile discovery and automatic request-region injection so Bedrock-hosted Claude, GPT-OSS, Qwen, Kimi, GLM, and similar routes work with less manual setup. (#61296, #61299) Thanks @​wirjo.
  • Control UI/multilingual: add localized control UI support for Simplified Chinese, Traditional Chinese, Brazilian Portuguese, German, Spanish, Japanese, Korean, French, Turkish, Indonesian, Polish, and Ukrainian. Thanks @​vincentkoc.
  • Plugins: add plugin-config TUI prompts to guided onboarding/setup flows, and add openclaw plugins install --force so existing plugin and hook-pack targets can be replaced without using the dangerous-code override flag. (#60590, #60544)
  • Control UI/skills: add ClawHub search, detail, and install flows directly in the Skills panel. (#60134) Thanks @​samzong.
  • iOS/exec approvals: add generic APNs approval notifications that open an in-app exec approval modal, fetch command details only after authenticated operator reconnect, and clear stale notification state when the approval resolves. (#60239) Thanks @​ngutman.
  • Matrix/exec approvals: add Matrix-native exec approval prompts with account-scoped approvers, channel-or-DM delivery, and room-thread aware resolution handling. (#58635) Thanks @​gumadeiras.
  • Channels/context visibility: add configurable contextVisibility per channel (all, allowlist, allowlist_quote) so supplemental quote, thread, and fetched history context can be filtered by sender allowlists instead of always passing through as received.
  • Providers/request overrides: add shared model and media request transport overrides across OpenAI-, Anthropic-, Google-, and compatible provider paths, including headers, auth, proxy, and TLS controls. (#60200)
  • Providers/OpenAI: add forward-compat openai-codex/gpt-5.4-mini, an opt-in GPT personality, and provider-owned GPT-5 prompt contributions so Codex/GPT runs stay cache-stable and compatible with bundled catalog lag.
  • Agents/Claude CLI: expose OpenClaw tools to background Claude CLI runs through a loopback MCP bridge and switch bundled runs to stdin + stream-json partial-message streaming so prompts stop riding argv, long replies show live progress, and final session/usage metadata still land cleanly. (#35676) Thanks @​mylukin.
  • ACPX/runtime: embed the ACP runtime directly in the bundled acpx plugin, remove the extra external ACP CLI hop, harden live ACP session binding and reuse, and add a generic reply_dispatch hook so bundled plugins like ACPX can own reply interception without hardcoded ACP paths in core auto-reply routing. (#61319)
  • Agents/progress: add experimental structured plan updates and structured execution item events so compatible UIs can show clearer step-by-step progress during long-running runs.
  • Providers/Anthropic: remove the Claude CLI backend and setup-token from new onboarding, keep existing configured legacy profiles runnable, and have openclaw doctor repair or remove stale anthropic:claude-cli state during migration.
  • Tools/video generation: add bundled xAI (grok-imagine-video), Alibaba Model Studio Wan, and Runway video providers, plus live-test/default model wiring for all three.
  • Memory/search: add Amazon Bedrock embeddings for Titan, Cohere, Nova, and TwelveLabs models, with AWS credential-chain auto-detection for provider: "auto" and provider-specific dimension controls. Thanks @​wirjo.
  • Providers/Amazon Bedrock Mantle: generate bearer tokens from the AWS credential chain so Mantle auto-discovery can use IAM auth without manually exporting AWS_BEARER_TOKEN_BEDROCK. Thanks @​wirjo.
  • Memory/dreaming (experimental): add weighted short-term recall promotion, a /dreaming command, Dreams UI, multilingual conceptual tagging, and doctor/status repair support, while refactoring dreaming from competing modes into three cooperative phases (light, deep, REM) with independent schedules and recovery behavior so durable memory promotion can run in the background with less manual setup. (#60569, #60697) Thanks @​vignesh07.
  • Memory/dreaming: add configurable aging controls (recencyHalfLifeDays, maxAgeDays) plus optional verbose logging so operators can tune recall decay and inspect promotion decisions more easily.
  • Memory/dreaming: add REM preview tooling (openclaw memory rem-harness, promote-explain), surface possible lasting truths during REM staging, and make deep promotion replay-safe so reruns reconcile instead of duplicating MEMORY.md entries.
  • Memory/dreaming: write dreaming trail content to top-level dreams.md instead of daily memory notes, update /dreaming help text to point there, and keep dreams.md available for explicit reads without pulling it into default recall. Thanks @​davemorin.
  • Memory/dreaming: add the Dream Diary surface in Dreams, simplify user-facing dreaming config to enabled plus optional frequency, treat phases as implementation detail in docs/UI, and keep the lobster animation visible above diary content. Thanks @​vignesh07.
  • Prompt caching: keep prompt prefixes more reusable across transport fallback, deterministic MCP tool ordering, compaction, embedded image history, normalized system-prompt fingerprints, openclaw status --verbose cache diagnostics, and the removal of duplicate in-band tool inventories from agent system prompts so follow-up turns hit cache more reliably. (#58036, #58037, #58038, #59054, #60603, #60691) Thanks @​bcherny and @​vincentkoc.
  • Agents/cache: diagnostics: add prompt-cache break diagnostics, trace live cache scenarios through embedded runner paths, and show cache reuse explicitly in openclaw status --verbose. Thanks @​vincentkoc.
  • Agents/cache: stabilize cache-relevant system prompt fingerprints by normalizing equivalent structured prompt whitespace, line endings, hook-added system context, and runtime capability ordering so semantically unchanged prompts reuse KV/cache more reliably. Thanks @​vincentkoc.
  • Agents/tool prompts: remove the duplicate in-band tool inventory from agent system prompts so tool-calling models rely on the structured tool definitions as the single source of truth, improving prompt stability and reducing stale tool guidance.
  • Config/schema: enrich the exported openclaw config schema JSON Schema with field titles and descriptions so editors, agents, and other schema consumers receive the same config help metadata. (#60067) Thanks @​solavrc.
  • Providers/CLI: remove bundled CLI text-provider backends and the agents.defaults.cliBackends surface, while keeping ACP harness sessions and Gemini media understanding on the native bundled providers.
  • Matrix/exec approvals: clarify unavailable-approval replies so Matrix no longer claims chat approvals are unsupported when native exec approvals are merely unconfigured. (#61424) Thanks @​gumadeiras.
  • Docs/IRC: replace public IRC hostname examples with irc.example.com and recommend private servers for bot coordination while listing common public networks for intentional use.
  • Memory/dreaming: group nearby daily-note lines into short coherent chunks before staging them for dreaming, so one-off context from recent notes reaches REM/deep with better evidence and less line-level noise.
  • Memory/dreaming: drop generic date/day headings from daily-note chunk prefixes while keeping meaningful section labels, so staged snippets stay cleaner and more reusable. (#61597) Thanks @​mbelinky.
  • Plugins/Lobster: run bundled Lobster workflows in process instead of spawning the external CLI, reducing transport overhead and unblocking native runtime integration. (#61523) Thanks @​mbelinky.
  • Plugins/Lobster: harden managed resume validation so invalid TaskFlow resume calls fail earlier, and memoize embedded runtime loading per runner while keeping failed loads retryable. (#61566) Thanks @​mbelinky.

Fixes

  • Security: preserve restrictive plugin-only tool allowlists, require owner access for /allowlist add and /allowlist remove, fail closed when before_tool_call hooks crash, block browser SSRF redirect bypasses earlier, and keep non-interactive auth-choice inference scoped to bundled and already-trusted plugins. (#58476, #59836, #59822, #58771, #59120) Thanks @​eleqtrizit and @​pgondhi987.

... (truncated)

Commits
  • 3e72c03 chore: release 2026.4.5
  • f2ea42e fix(ci): stabilize control ui locale checks
  • 05fe841 fix: restore plugin boundary and ui locale ci gates
  • 3e6160f chore(ui): refresh pl control ui locale
  • 53d1280 chore(ui): refresh id control ui locale
  • 5815d6e chore(ui): refresh uk control ui locale
  • 0dac81f chore(ui): refresh tr control ui locale
  • 62b61e0 test: capture windows npm debug tails in smoke logs
  • ffafc88 chore(ui): refresh fr control ui locale
  • daedfc9 chore(ui): refresh ko control ui locale
  • Additional commits viewable in compare view
Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump @hono/node-server and openclaw
1028ed1 
Bumps [@hono/node-server](https://github.com/honojs/node-server) to 1.19.13 and updates ancestor dependency [openclaw](https://github.com/openclaw/openclaw). These dependencies need to be updated together.


Updates `@hono/node-server` from 1.19.9 to 1.19.13
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.9...v1.19.13)

Updates `openclaw` from 2026.3.1 to 2026.4.5
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Changelog](https://github.com/openclaw/openclaw/blob/v2026.4.5/CHANGELOG.md)
- [Commits](openclaw/openclaw@v2026.3.1...v2026.4.5)

---
updated-dependencies:
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.13
  dependency-type: indirect
- dependency-name: openclaw
  dependency-version: 2026.4.5
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 8, 2026
@dependabot dependabot Bot mentioned this pull request Apr 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants