Skip to content

chore(deps): bump the node-deps group with 5 updates#137

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/node-deps-72722c94dd
Open

chore(deps): bump the node-deps group with 5 updates#137
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/node-deps-72722c94dd

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 16, 2026

Bumps the node-deps group with 5 updates:

Package From To
@agnt-rcpt/sdk-ts 0.6.0 0.8.0
@types/node 25.6.2 25.8.0
@vitest/coverage-v8 4.1.5 4.1.6
openclaw 2026.5.7 2026.5.12
vitest 4.1.5 4.1.6

Updates @agnt-rcpt/sdk-ts from 0.6.0 to 0.8.0

Release notes

Sourced from @​agnt-rcpt/sdk-ts's releases.

daemon v0.8.0

Stable release of the Agent Receipts daemon and companion agent-receipts verify CLI.

Install

brew install agent-receipts/tap/agent-receipts-daemon

Or via go install:

go install github.com/agent-receipts/ar/daemon/cmd/agent-receipts-daemon@v0.8.0
go install github.com/agent-receipts/ar/daemon/cmd/agent-receipts@v0.8.0

What's included

  • Standalone signing daemon — sole owner of Ed25519 keys and SQLite chain database
  • Peer credential capture (macOS + Linux) for tamper-evident audit trails
  • RFC 8785 canonicalization, hash-chaining, Ed25519 signing
  • agent-receipts verify CLI — works with daemon stopped
  • XDG-compliant paths, --init for key generation, --version
  • Full integration test suite including concurrent session soak

Dependencies

sdk-go v0.8.0

Stable release of the Go SDK. Includes the thin fire-and-forget daemon emitter (ADR-0010), hash-chaining, Ed25519 signing, SQLite store, and taxonomy registry.

mcp-proxy v0.8.0

What's Changed

... (truncated)

Changelog

Sourced from @​agnt-rcpt/sdk-ts's changelog.

[0.8.0] - 2026-05-15

Changed

  • No SDK code changes. Version bump to maintain lockstep with the coordinated v0.8.0 release.

[0.8.0-alpha.2] - 2026-05-10

Changed

  • No SDK code changes; version bump to maintain lockstep across the coordinated release (daemon process separation cutover). Releases as part of the daemon refactor work (ADR-0010, #236).

[0.8.0-alpha.1] - 2026-05-09

Added

  • Fire-and-forget emitter for forwarding tool-call events to the agent-receipts-daemon Unix socket (ADR-0010, #236). No crypto, no canonicalisation — the daemon handles those operations.
Commits
  • dccdd09 Merge pull request #357 from agent-receipts/dependabot/npm_and_yarn/sdk/ts/np...
  • 8bb5974 docs(release): add v0.8.0-alpha.2 entries to all CHANGELOGs (#359)
  • 48fe36a chore(release): version bumps for 0.8.0-alpha.2 — sdk-py and sdk-ts (#358)
  • f013879 chore(deps): bump the npm_and_yarn group in /sdk/ts with 4 updates
  • fab9d14 chore(release): prep v0.8.0-alpha.1 — version bumps + PEP 440 support
  • f8b30d1 fix(sdk-ts/emitter): guard against long $TMPDIR on macOS exceeding AF_UNIX p...
  • 2ff8dd1 fix(sdk-ts/emitter): address open Copilot review threads
  • 0b7d219 fix(sdk-ts/emitter): remove unnecessary cast in hasNonFiniteNumber; add non-f...
  • 607a188 fix(sdk-ts/emitter): dial-timeout race, non-finite JSON, close-race error
  • 7dfe3c6 fix(sdk-ts/emitter): guard debugLog against throwing; use @​ts-expect-error in...
  • Additional commits viewable in compare view

Updates @types/node from 25.6.2 to 25.8.0

Commits

Updates @vitest/coverage-v8 from 4.1.5 to 4.1.6

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub
Commits

Updates openclaw from 2026.5.7 to 2026.5.12

Release notes

Sourced from openclaw's releases.

openclaw 2026.5.12

Highlights

  • Leaner installs: WhatsApp, Slack, Amazon Bedrock, Anthropic Vertex, and related provider/plugin dependency cones moved out of the core runtime so installs only pull what you use.
  • Telegram got much more resilient: isolated polling, durable local spooling, safer group-media handling, and preserved HTML/Markdown formatting in streamed and scheduled replies.
  • Codex/OpenAI paths are smoother: auth-profile-backed media tools, MCP server projection, context-engine thread rotation, and better app-server/runtime fallback behavior.
  • Plugin installs and updates are harder to wedge, with pnpm 11 support, peer-dependency preservation, safer runtime scans, and source/git install fixes.
  • Gateway, browser, Slack, node pairing, sandbox, and transcript paths picked up a broad security/provenance hardening pass.
  • UI and reply delivery improved across Control UI, WebChat, TUI, rich-only replies, session history, and streaming auto-scroll.

Changes

  • Amazon Bedrock: externalize the Bedrock and Bedrock Mantle provider packages so core installs no longer pull AWS SDK dependencies unless those providers are installed.
  • Plugins: externalize Slack, OpenShell sandbox, and Anthropic Vertex so their runtime dependency cones install only when those plugins are installed.
  • Control UI/WebChat: add a persisted auto-scroll mode selector so users can keep the current near-bottom behavior, always follow streaming output, or turn automatic streaming scroll off and use the New messages button manually. Fixes #7648 and #81287. Thanks @​BunsDev.
  • ACP: add acp.fallbacks so ACP turns can try configured backup runtime backends when the primary backend is unavailable before any output is emitted. (#69542) Thanks @​kaseonedge.

Fixes

  • Doctor/Codex: stop warning that the message tool is unavailable for source-reply paths where OpenClaw grants message at runtime, keeping update and doctor output aligned with the OpenAI happy path. Thanks @​pashpashpash.
  • Channels/Weixin: bump the external Weixin catalog entry to @tencent-weixin/openclaw-weixin@2.4.3 with the matching package integrity. (#81730) Thanks @​scotthuang.
  • Agents/subagents: apply agents.defaults.subagents.model before target agent primary models during sessions_spawn, so model-scoped runtimes such as claude-cli stay attached to default child runs. Fixes #81395. (#81783) Thanks @​joshavant.
  • Telegram: keep Bot API polling alive during main event-loop stalls by moving ingress to an isolated worker with a durable local spool. Fixes #81132. (#81746) Thanks @​joshavant.
  • Telegram: preserve rendered HTML formatting through lazy cron announce delivery so Markdown links stay clickable instead of falling back to literal anchor tags. Fixes #81742. (#81758)
  • Telegram: skip unmentioned group media before download when requireMention is active, avoiding failed media-download replies for messages that should be ignored. Fixes #81181. (#81785) Thanks @​joshavant.
  • CLI/plugins: keep bare plugin and parent-command help on the lightweight path, avoiding plugin registry discovery before rendering help.
  • Gateway/session history: carry monotonic transcript message sequence through live updates and refresh SSE history when stale sequence input would otherwise append bad incremental state. (#81474) Thanks @​samzong.
  • Security/sandbox: include Windows USERPROFILE in the sandbox blocked home roots so credential-bearing binds (such as .codex, .openclaw, or .ssh under the Windows user profile) are denied even when HOME points at a different shell home. (#63074) Thanks @​luoyanglang.
  • Models config/auth: stop inferring provider env-var markers from broad ^[A-Z_][A-Z0-9_]*$ strings, and resolve config-backed provider apiKey values only through structured env SecretRefs (secrets.providers[id] / secrets.defaults), so unrelated env vars cannot accidentally become provider credentials. Thanks @​sallyom.
  • Media fetch: skip allocating and buffering the response body for bodyless media responses (HEAD probes and 204-style empty bodies), avoiding wasted heap on streams that carry no payload. Thanks @​shakkernerd.
  • CLI/onboarding: forward provider-specific auth flags (e.g. --openai-api-key) through the onboarding wizard so they reach provider auth methods via ctx.opts, letting --openai-api-key "$OPENAI_API_KEY" skip the redundant "use existing env var?" prompt in non-interactive harnesses. (#81669) Thanks @​sjf.
  • CLI/migrate: drop trailing periods from Codex migrate item messages and REASON_CODE_MESSAGES strings so plan/result rows read as labels instead of sentence fragments. (#81705) Thanks @​sjf.
  • Slack: treat malformed private-file redirect Location headers as unfollowable redirects instead of failing Slack media downloads.
  • Plugins: discover provider plugins from setup.providers[].envVars credentials during provider discovery while keeping the deprecated providerAuthEnvVars fallback. (#81542) Thanks @​JARVIS-Glasses.
  • Docs/Codex harness: clarify that per-agent CODEX_HOME isolates ~/.codex while inherited HOME intentionally keeps .agents discovery and subprocess user-home state available.
  • Auth: reclaim dead-owner stale file locks before retrying locked writes, so crashed OAuth refreshes no longer wedge auth-profiles.json until manual cleanup.
  • CLI tables: preserve muted/color styling on wrapped continuation lines after multiline cells, keeping openclaw plugins list descriptions readable.
  • Process execution: collapse case-insensitive duplicate child environment keys on Windows so caller-provided overrides such as PATH cannot be shadowed by host Path.
  • Gateway/diagnostics: suppress cold-start liveness warnings during the startup grace window while still sampling liveness metrics. Fixes #79915. (#81699) Thanks @​joshavant.
  • Codex harness: keep oauthRef-backed Codex OAuth profiles usable and stop high-confidence app-server OAuth refresh invalidation from retry-spamming raw token-refresh errors without turning entitlement or usage-limit payloads into re-auth prompts.
  • Browser CLI: request the existing operator.admin gateway scope explicitly for browser control commands, avoiding unnecessary scope-upgrade approval loops. Fixes #81555. (#81716) Thanks @​joshavant.
  • Gateway/diagnostics: suppress cold-start liveness warnings during the startup grace window while still sampling liveness metrics. Fixes #79915. (#81699) Thanks @​joshavant.
  • Plugin SDK: restore the deprecated openclaw/plugin-sdk/memory-core package subpath as an alias of memory-host-core, so published memory companion plugins that still import it resolve on current hosts.
  • Control UI/i18n: use the installed workspace pi runtime for locale refreshes, update the fallback package pin, prefer the Anthropic CI provider when available, and skip invalid provider credentials instead of failing main.
  • Codex harness: classify native app-server token-refresh logout and relogin failures as authentication refresh errors, so users get re-authentication guidance instead of a raw runtime failure.
  • Codex startup: treat selectable configured OpenAI agent models as Codex runtime requirements during plugin auto-enable, startup planning, and doctor install repair, so Anthropic-primary configs can still switch to OpenAI/Codex cleanly.
  • Agents: preserve source-reply delivery metadata when merging tool-returned media into the final reply, keeping message-tool-only replies deliverable and mirrored. Thanks @​pashpashpash and @​vincentkoc.
  • Replies: treat rich presentation, interactive controls, and channel-native payload data as outbound content across follow-up, heartbeat, cron, ACP, and block-streaming delivery paths, preventing card/button-only replies from being dropped as empty.
  • WebChat/TUI: route Codex tools.message source replies to the active internal UI turn and mirror them to session history, so message-tool-only harness replies, including rich presentation and button-only replies, no longer disappear while WebChat and TUI remain non-targetable outbound channels. (#81586) Thanks @​pashpashpash.
  • Replies: deliver rich-only block replies even when block-streaming coalescing is enabled, keeping card and button payloads from being dropped by the text coalescer. Thanks @​pashpashpash.

... (truncated)

Commits
  • f066dd2 chore(release): prepare 2026.5.12
  • 2f27dcb fix(config): stabilize heartbeat target help
  • 7a0548e docs(changelog): mention Weixin catalog bump
  • 31f0c9b Fix/weixin catalog update 2.4.3 (#81730)
  • cfab222 fix(doctor): respect runtime message tool grants
  • c230b08 fix(telegram): avoid worker postMessage lint suppression
  • df70248 ci(release): retry ClawHub publish verification errors
  • 097daf9 chore(release): bump beta 8 versions
  • 9798e95 fix: reconcile managed plugin peers
  • 7d6ba4c fix: honor git no-update installs
  • Additional commits viewable in compare view

Updates vitest from 4.1.5 to 4.1.6

Release notes

Sourced from vitest's releases.

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub
Commits
  • a8fd24c chore: release v4.1.6
  • 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
  • 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the node-deps group with 5 updates
aa130a7 
Bumps the node-deps group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@agnt-rcpt/sdk-ts](https://github.com/agent-receipts/ar/tree/HEAD/sdk/ts) | `0.6.0` | `0.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.6.2` | `25.8.0` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.5` | `4.1.6` |
| [openclaw](https://github.com/openclaw/openclaw) | `2026.5.7` | `2026.5.12` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.5` | `4.1.6` |


Updates `@agnt-rcpt/sdk-ts` from 0.6.0 to 0.8.0
- [Release notes](https://github.com/agent-receipts/ar/releases)
- [Changelog](https://github.com/agent-receipts/ar/blob/main/sdk/ts/CHANGELOG.md)
- [Commits](https://github.com/agent-receipts/ar/commits/daemon/v0.8.0/sdk/ts)

Updates `@types/node` from 25.6.2 to 25.8.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@vitest/coverage-v8` from 4.1.5 to 4.1.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/coverage-v8)

Updates `openclaw` from 2026.5.7 to 2026.5.12
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Commits](openclaw/openclaw@v2026.5.7...v2026.5.12)

Updates `vitest` from 4.1.5 to 4.1.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/vitest)

---
updated-dependencies:
- dependency-name: "@agnt-rcpt/sdk-ts"
  dependency-version: 0.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: node-deps
- dependency-name: "@types/node"
  dependency-version: 25.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: node-deps
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: node-deps
- dependency-name: openclaw
  dependency-version: 2026.5.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: node-deps
- dependency-name: vitest
  dependency-version: 4.1.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: node-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants