Skip to content

chore(deps): bump the node-deps group with 6 updates#79

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/node-deps-e74cb75414
Open

chore(deps): bump the node-deps group with 6 updates#79
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/node-deps-e74cb75414

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Apr 11, 2026
edited
Loading

Bumps the node-deps group with 6 updates:

Package From To
@agnt-rcpt/sdk-ts 0.2.1 0.2.2
@types/node 25.5.0 25.6.0
@vitest/coverage-v8 4.1.2 4.1.4
openclaw 2026.3.28 2026.4.10
typescript 5.9.3 6.0.2
vitest 3.2.4 4.1.4

Updates @agnt-rcpt/sdk-ts from 0.2.1 to 0.2.2

Release notes

Sourced from @​agnt-rcpt/sdk-ts's releases.

SDK TypeScript v0.2.2

Publish test from monorepo

Commits
  • f3ee223 Fix TS publish auth, bump versions for publish test (TS 0.2.2, Py 0.2.3) (#8)
  • See full diff in compare view

Updates @types/node from 25.5.0 to 25.6.0

Commits

Updates @vitest/coverage-v8 from 4.1.2 to 4.1.4

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.4

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates openclaw from 2026.3.28 to 2026.4.10

Release notes

Sourced from openclaw's releases.

openclaw 2026.4.10

2026.4.10

Changes

  • Models/Codex: add the bundled Codex provider and plugin-owned app-server harness so codex/gpt-* models use Codex-managed auth, native threads, model discovery, and compaction while openai/gpt-* stays on the normal OpenAI provider path. (#64298)
  • Memory/Active Memory: add a new optional Active Memory plugin that gives OpenClaw a dedicated memory sub-agent right before the main reply, so ongoing chats can automatically pull in relevant preferences, context, and past details without making users remember to manually say "remember this" or "search memory" first. Includes configurable message/recent/full context modes, live /verbose inspection, advanced prompt/thinking overrides for tuning, and opt-in transcript persistence for debugging. Docs: https://docs.openclaw.ai/concepts/active-memory. (#63286) Thanks @​Takhoffman.
  • macOS/Talk: add an experimental local MLX speech provider for Talk Mode, with explicit provider selection, local utterance playback, interruption handling, and system-voice fallback. (#63539) Thanks @​ImLukeF.
  • Tools/video generation: add Seedance 2.0 model refs to the bundled fal provider and submit the provider-specific duration, resolution, audio, and seed metadata fields needed for live Seedance 2.0 runs.
  • Microsoft Teams: add message actions for pin, unpin, read, react, and listing reactions. (#53432) Thanks @​sudie-codes.
  • QA/Matrix: add a live openclaw qa matrix lane backed by a disposable Matrix homeserver, shared live-transport seams, and Matrix-specific transport coverage for threading, reactions, restart, and allowlist behavior. (#64489) Thanks @​gumadeiras.
  • QA/Telegram: add a live openclaw qa telegram lane for private-group bot-to-bot checks, harden its artifact handling, and preserve native Telegram command reply threading for QA verification. (#64303) Thanks @​obviyus.
  • QA/testing: add a --runner multipass lane for openclaw qa suite so repo-backed QA scenarios can run inside a disposable Linux VM and write back the usual report, summary, and VM logs. (#63426) Thanks @​shakkernerd.
  • CLI/exec policy: add a local openclaw exec-policy command with show, preset, and set subcommands for synchronizing requested tools.exec.* config with the local exec approvals file, plus follow-up hardening for node-host rejection, rollback safety, and sync conflict detection. (#64050)
  • Gateway: add a commands.list RPC so remote gateway clients can discover runtime-native, text, skill, and plugin commands with surface-aware naming and serialized argument metadata. (#62656) Thanks @​samzong.
  • Models/providers: add per-provider models.providers.*.request.allowPrivateNetwork for trusted self-hosted OpenAI-compatible endpoints, keep the opt-in scoped to model request surfaces, and refresh cached WebSocket managers when request transport overrides change. (#63671) Thanks @​qas.
  • Feishu: standardize request user agents and register the bot as an AI agent so Feishu deployments identify OpenClaw consistently. (#63835) Thanks @​evandance.
  • Matrix/partial streaming: add MSC4357 live markers to draft preview sends and edits so supporting Matrix clients can render a live/typewriter animation and stop it when the final edit lands. (#63513) Thanks @​TigerInYourDream.
  • Control UI/dreaming: simplify the Scene and Diary surfaces, preserve unknown phase state for partial status payloads, and stabilize waiting-entry recency ordering so Dreaming status and review lists stay clear and deterministic. (#64035) Thanks @​davemorin.
  • Agents: add an opt-in strict-agentic embedded Pi execution contract for GPT-5-family runs so plan-only or filler turns keep acting until they hit a real blocker. (#64241) Thanks @​100yenadmin.
  • Agents/OpenAI: add provider-owned OpenAI/Codex tool schema compatibility and surface embedded-run replay/liveness state for long-running runs. (#64300) Thanks @​100yenadmin.
  • Docs i18n: chunk raw doc translation, reject truncated tagged outputs, avoid ambiguous body-only wrapper unwrapping, and recover from terminated Pi translation sessions without changing the default openai/gpt-5.4 path. (#62969, #63808) Thanks @​hxy91819.

Fixes

  • Browser/security: tighten browser and sandbox navigation defenses across strict SSRF defaults, hostname allowlists, interaction-driven redirects, subframes, CDP discovery, existing sessions, tab actions, noVNC, marker-span sanitization, and Docker CDP source-range enforcement. (#61404, #63332, #63882, #63885, #63889, #64367, #64370, #64371)
  • Security/tools: harden exec preflight reads, host env denylisting, node output boundaries, outbound host-media reads, profile-mutation authorization, plugin install dependency scanning, ACPX tool hooks, Gmail watcher token redaction, and oversized realtime WebSocket frame handling. (#62333, #62661, #62662, #63277, #63551, #63553, #63886, #63890, #63891, #64459)
  • OpenAI/Codex: add required Codex OAuth scopes, classify provider/runtime failures more clearly, stop suggesting /elevated full when auto-approved host exec is unavailable, add OpenAI/Codex tool-schema compatibility, and preserve embedded-run replay/liveness truth across compaction retries and mutating side effects. (#64300, #64439) Thanks @​100yenadmin.
  • CLI/WhatsApp media sends: route gateway-mode outbound sends with --media through the channel sendMedia path and preserve media access context, so WhatsApp document and attachment sends stop silently dropping the file while still delivering the caption. (#64478, #64492) Thanks @​ShionEria.
  • Microsoft Teams: restore media downloads for personal DMs, Bot Framework a: conversations, OneDrive/SharePoint shared files, and Graph-backed chat IDs; accept Bot Framework audience tokens; prevent feedback-learning filename collisions; keep long tool chains alive with typing indicators; add SSO sign-in callbacks; inject parent context for thread replies; and deliver cron announcements to Teams conversation IDs. (#54932, #55383, #55386, #58001, #58249, #58774, #59731, #60956, #62219, #62674, #63063, #63942, #63945, #63949, #63951, #63953, #64087, #64088, #64089)
  • Gateway/tailscale: start Tailscale exposure and the gateway update check before awaiting channel and plugin sidecar startup so remote operators are not locked out when startup sidecars stall.
  • Gateway/startup: keep WebSocket RPC available while channels and plugin sidecars start, hold chat.history unavailable until startup sidecars finish so synchronous history reads cannot stall startup (reported in #63450), refresh advertised gateway methods after deferred plugin reloads, and enforce the pre-auth WebSocket upgrade budget before the no-handler 503 path so upgrade floods cannot bypass connection limits during that window. (#63480) Thanks @​neeravmakwana.
  • WhatsApp: keep inbound replies, media, composing indicators, and queued outbound deliveries attached to the current socket across reconnect gaps, including fresh retry-eligible sends after the listener comes back. (#30806, #46299, #62892, #63916) Thanks @​mcaxtr.
  • Gateway/thread routing: preserve Slack, Telegram, Mattermost, Matrix, ACP, restart-sentinel, and agent announce delivery targets so subagent, cron, stream-relay, session fallback, and restart messages land back in the originating thread, topic, or room casing. (#54840, #57056, #63143, #63228, #63506, #64343, #64391)
  • Models/fallback: preserve /models selection across transient primary-model failures and config reloads, allow timeout cooldown probes, classify OpenRouter no-endpoints responses, detect llama.cpp context overflows, and keep provider/runtime context metadata stable through reloads. (#61472, #64196, #64471)
  • Agents/BTW: keep /btw side questions working after tool-use turns by stripping replayed tool blocks, hidden reasoning, and malformed image payloads, omitting empty tool arrays, allowing Bedrock auth: "aws-sdk", and routing Feishu /btw plus /stop through bounded out-of-band lanes. (#64218, #64219, #64225, #64324) Thanks @​ngutman.
  • Control UI/BTW: render /btw side results as dismissible ephemeral cards in the browser, send /btw immediately during active runs, and clear stale BTW cards on reset flows so webchat matches the intended detached side-question behavior. (#64290) Thanks @​ngutman.
  • Commands/targeting: use the selected agent or session for command output, send policy, usage/cost, context reports, model lists, bash sandbox hints, BTW/compact working directories, plugin commands, and session exports so multi-agent commands describe and mutate the intended target instead of the requester.
  • Conversation bindings: normalize focused/current conversation ids, preserve binding metadata on account and Discord rebinds, avoid stale Discord lifecycle windows, and keep generic activity touches persisted so reply routing survives rebinds and restarts.
  • iMessage/self-chat: distinguish normal DM outbound rows from true self-chat using destination_caller_id plus chat participants, preserve multi-handle self-chat aliases, drop ambiguous reflected echoes, and strip wrapped imsg RPC text fields. (#61619, #63868, #63980, #63989, #64000) Thanks @​neeravmakwana.
  • Matrix: keep multi-account room scoping consistent, keep packaged crypto migrations warning-only when appropriate, preserve ordered block streaming, add explicit Matrix block-streaming opt-in, and resolve verification/bootstrap from the packaged runtime entry. (#58449, #59249, #59266, #64373) Thanks @​gumadeiras.
  • Telegram/security: tighten Telegram allowFrom sender validation and keep /whoami allowlist reporting in sync with command auth checks.
  • Agents/timeouts: extend the default LLM idle window to 120s and keep silent no-token idle timeouts on recovery paths, so slow models can retry or fall back before users see an error.
  • Gateway/agents: preserve configured model selection and richer IDENTITY.md content across agent create/update flows and workspace moves, and fail safely instead of silently overwriting unreadable identity files. (#61577) Thanks @​samzong.
  • Skills/TaskFlow: restore valid frontmatter fences for the bundled taskflow and taskflow-inbox-triage skills and copy bundled SKILL.md files as hard dist-runtime copies so skills stay discoverable and loadable after updates. (#64166, #64469) Thanks @​extrasmall0.
  • Skills: respect overridden home directories when loading personal skills so service, test, and custom launch environments read the intended user skill directory instead of the process home.
  • Windows/exec: settle supervisor waits from child exit state after stdout and stderr drain even when close never arrives, so CLI commands stop hanging or dying with forced SIGKILL on Windows. (#64072) Thanks @​obviyus.
  • Browser/sandbox: prevent sandbox browser CDP startup hangs by recreating containers when the browser security hash changes and by waiting on the correct sandbox browser lifecycle. (#62873) Thanks @​Syysean.
  • QQBot/streaming: make block streaming configurable per QQ bot account via streaming.mode ("partial" | "off", default "partial") instead of hardcoding it off, so responses can be delivered incrementally. (#63746)
  • QQBot/config: allow extra fields in channels.qqbot and channels.qqbot.accounts.* so extended qqbot builds can add new config options without gateway startup failing on schema validation. (#64075) Thanks @​WideLee.

... (truncated)

Commits
  • 44e5b62 fix(macos): harden shell executor timeouts
  • 9a4a9a5 Heartbeat: spread interval runs across stable phases (#64560)
  • e11d902 fix(ci): stop telegram debounce media leak
  • df7e61b fix(ci): align compact count assertion
  • 5b2888e test(install): pin smoke docker platform
  • 421338f test(install): quiet smoke npm output
  • 05659cf test: harden macOS Parallels permission check
  • 896eb88 fix(ci): align target session alias fixture
  • 0552124 fix(ci): stabilize agentic compact tests
  • 1fb8a8c fix: prefer target entry for inline command dispatch
  • Additional commits viewable in compare view
Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.


Updates typescript from 5.9.3 to 6.0.2

Release notes

Sourced from typescript's releases.

TypeScript 6.0

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0 Beta

For release notes, check out the release announcement.

Downloads are available on:

Commits

Updates vitest from 3.2.4 to 4.1.4

Release notes

Sourced from vitest's releases.

v4.1.4

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

... (truncated)

Commits
  • ac04bac chore: release v4.1.4
  • 82c858d chore: Remove no-op function in plugin config logic (#8501)
  • d4fbb5c feat(experimental): support aria snapshot (#9668)
  • b77de96 feat(reporter): add filterMeta option to json reporter (#10078)
  • a120e3a feat(experimental): expose assertion as a public field (#10095)
  • 5375780 feat(coverage): default to text reporter skipFull if agent detected (#10018)
  • a1b5f0f fix: make expect(..., message) consistent as error message prefix (#10068)
  • 203f07a fix: use "black" foreground for labeled terminal message to ensure contrast (...
  • 2dc0d62 chore: release v4.1.3
  • 7827363 feat: add experimental.preParse flag (#10070)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vitest since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the node-deps group with 6 updates
46e7693 
Bumps the node-deps group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [@agnt-rcpt/sdk-ts](https://github.com/agent-receipts/ar/tree/HEAD/sdk/ts) | `0.2.1` | `0.2.2` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.5.0` | `25.6.0` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.2` | `4.1.4` |
| [openclaw](https://github.com/openclaw/openclaw) | `2026.3.28` | `2026.4.10` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.3` | `6.0.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `3.2.4` | `4.1.4` |


Updates `@agnt-rcpt/sdk-ts` from 0.2.1 to 0.2.2
- [Release notes](https://github.com/agent-receipts/ar/releases)
- [Commits](https://github.com/agent-receipts/ar/commits/sdk-ts-v0.2.2/sdk/ts)

Updates `@types/node` from 25.5.0 to 25.6.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitest/coverage-v8` from 4.1.2 to 4.1.4
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/coverage-v8)

Updates `openclaw` from 2026.3.28 to 2026.4.10
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Commits](openclaw/openclaw@v2026.3.28...v2026.4.10)

Updates `typescript` from 5.9.3 to 6.0.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.2)

Updates `vitest` from 3.2.4 to 4.1.4
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/vitest)

---
updated-dependencies:
- dependency-name: "@agnt-rcpt/sdk-ts"
  dependency-version: 0.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: node-deps
- dependency-name: "@types/node"
  dependency-version: 25.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: node-deps
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: node-deps
- dependency-name: openclaw
  dependency-version: 2026.4.10
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: node-deps
- dependency-name: typescript
  dependency-version: 6.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: node-deps
- dependency-name: vitest
  dependency-version: 4.1.4
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: node-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants