chore(deps): bump the npm_and_yarn group across 2 directories with 13 updates by dependabot[bot] · Pull Request #2 · Heretek-AI/heretek-openclaw-plugins

dependabot · 2026-06-01T15:33:03Z

Bumps the npm_and_yarn group with 1 update in the /plugins/collective-comms directory: vitest.
Bumps the npm_and_yarn group with 8 updates in the /plugins/openclaw-skill-extensions directory:

Package	From	To
@anthropic-ai/sdk	`0.81.0`	`0.100.1`
axios	`1.14.0`	`1.16.1`
basic-ftp	`5.2.0`	`5.3.1`
brace-expansion	`5.0.5`	`5.0.6`
fast-uri	`3.1.0`	`3.1.2`
fast-xml-builder	`1.1.4`	`1.2.0`
hono	`4.12.9`	`removed`
openclaw	`2026.4.1`	`2026.5.28`

Updates vitest from 1.6.1 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

browser:

Disable client cdp API when allowWrite/allowExec: false [backport to v4] - by @hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)

Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4] - by @toxik and @Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

runner: Limit concurrency per task branch in addition to per leaf callbacks (backport) - by @hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

browser: Provide project reference in ToMatchScreenshotResolvePath - by @macarie and @sheremet-va in vitest-dev/vitest#10138 (31882)

Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options - by @hi-ogawa, Codex and @sheremet-va in vitest-dev/vitest#10196 (2847d)

browser: Simplify orchestrator otel carrier - by @hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

Stringify diff objects only once - by @sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

coverage: Istanbul to support instrumenter option - by @BartWaardenburg and @AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

--project negation excludes browser instances - by @felamaslen in vitest-dev/vitest#10131 (9423d)

Project color label on html reporter - by @hi-ogawa in vitest-dev/vitest#10142 (596f7)

Fix vi.defineHelper called as object method - by @hi-ogawa in vitest-dev/vitest#10163 (122c2)

Alias agent reporter to minimal - by @sheremet-va in vitest-dev/vitest#10157 (663b9)

Respect diff config options in soft assertions - by @Copilot, sheremet-va and @sheremet-va in vitest-dev/vitest#8696 (9787d)

Respect diff config options in soft assertions " - by @sheremet-va in vitest-dev/vitest#8696 (7dc6d)

ast-collect: Recognize _vi_import prefix in static test discovery - by @Yejneshwar in vitest-dev/vitest#10129 (32546)

coverage: Descriptive error message when reports directory is removed during test run - by @DaveT1991 and @AriPerkkio in vitest-dev/vitest#10117 (14133)

snapshot: Increase default snapshot max output length - by @hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)

ui: Fix jsx/tsx syntax highlight - by @hi-ogawa in vitest-dev/vitest#10152 (f1b1f)

web-worker: Support MessagePort objects referenced inside postMessage data - by @whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)

api: Make test-specification options writable - by @sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

... (truncated)

Commits

e61f2dd chore: release v4.1.8
e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
a09d472 chore: release v4.1.7
a8fd24c chore: release v4.1.6
18af98c fix(browser): simplify orchestrator otel carrier (#10285)
3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
e399846 chore: release v4.1.5
7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
9787ded fix: respect diff config options in soft assertions (#8696)
325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates @anthropic-ai/sdk from 0.81.0 to 0.100.1

Release notes

Sourced from @anthropic-ai/sdk's releases.

sdk: v0.100.1

0.100.1 (2026-05-29)

Full Changelog: sdk-v0.100.0...sdk-v0.100.1

Bug Fixes

streaming: carry encrypted_content on beta compaction blocks (#1025) (eccddf3)

Chores

client: update lockfiles to have proper dependencies on standardwebhooks (5e9b523)

sdk: v0.100.0

0.100.0 (2026-05-28)

Full Changelog: sdk-v0.99.0...sdk-v0.100.0

Features

api: Add support for claude-opus-4-8, mid-conversation system blocks, and usage.output_tokens_details (bb0bf27)

Documentation

replace literal newlines (66ba142)

sdk: v0.99.0

0.99.0 (2026-05-27)

Full Changelog: sdk-v0.98.1...sdk-v0.99.0

Features

support custom file size caps (#1029) (814cd4c)

Bug Fixes

streaming: carry stop_details through message_delta accumulation (#1027) (198bc27)

sdk: v0.98.1

0.98.1 (2026-05-26)

Full Changelog: sdk-v0.98.0...sdk-v0.98.1

Bug Fixes

client: preserve directory prefix in skills.versions.create uploads (#1024) (abbcd6a)

... (truncated)

Changelog

Sourced from @anthropic-ai/sdk's changelog.

0.100.1 (2026-05-29)

Full Changelog: sdk-v0.100.0...sdk-v0.100.1

Bug Fixes

streaming: carry encrypted_content on beta compaction blocks (#1025) (eccddf3)

Chores

client: update lockfiles to have proper dependencies on standardwebhooks (5e9b523)

0.100.0 (2026-05-28)

Full Changelog: sdk-v0.99.0...sdk-v0.100.0

Features

api: Add support for claude-opus-4-8, mid-conversation system blocks, and usage.output_tokens_details (bb0bf27)

Documentation

replace literal newlines (66ba142)

0.99.0 (2026-05-27)

Full Changelog: sdk-v0.98.1...sdk-v0.99.0

Features

support custom file size caps (#1029) (814cd4c)

Bug Fixes

streaming: carry stop_details through message_delta accumulation (#1027) (198bc27)

0.98.1 (2026-05-26)

Full Changelog: sdk-v0.98.0...sdk-v0.98.1

Bug Fixes

client: preserve directory prefix in skills.versions.create uploads (#1024) (abbcd6a)

Chores

... (truncated)

Commits

512605f chore: release main
d0148df codegen metadata
4d836b4 codegen metadata
323e350 codegen metadata
ea36df7 chore(client): update lockfiles to have proper dependencies on standardwebhooks
0ea1922 codegen metadata
991d88f fix(streaming): carry encrypted_content on beta compaction blocks (#1025)
6f97c4d chore: release main
1fd7ec7 feat(api): Add support for claude-opus-4-8, mid-conversation system blocks, a...
f5bfc10 docs: replace literal newlines
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @anthropic-ai/sdk since your current version.

Updates axios from 1.14.0 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)

Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)

CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)

Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)

XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)

Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)

Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)

URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)

composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)

AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)

Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)

Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)

Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

@hpinmetaverse (#10836)

@tommyhgunz14 (#7413)

@abhu85 (#10829)

@divyanshuraj1095 (#10853)

@sagodi97 (#10856)

@rkdfx (#10868)

@Liuwei1125 (#10866)

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)

Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)

CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)

Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)

XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)

Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)

Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)

URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)

composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)

AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)

Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)

Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)

Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

@hpinmetaverse (#10836)

@tommyhgunz14 (#7413)

@abhu85 (#10829)

@divyanshuraj1095 (#10853)

@sagodi97 (#10856)

@rkdfx (#10868)

@Liuwei1125 (#10866)

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Commits

1337d6b chore(release): prepare release 1.16.1 (#10877)
858a790 fix: remove all caches (#10882)
34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
847d89b fix: support URL object as config.url input (#10866)
4094886 fix(progress): guard malformed XHR upload events (#10868)
44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
64e1095 chore: update PR and issue template to use h2 (#10865)
3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
caa00a9 fix: https data in cleartext to proxy (#10858)
Additional commits viewable in compare view

Updates basic-ftp from 5.2.0 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.

Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

Changelog

Sourced from basic-ftp's changelog.

5.3.1

Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.

Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

Commits

980371b Guard against unbounded control response
50827c7 Adjust changelog to match release notes
c9378a8 Fix test
22abe43 Update Github Actions
0feaaec Fix test
6629d7d Improve error message
9c3bf4f Set higher default value for max size of directory listing
acd3942 Bump version
1304429 Offer maxListingBytes as an option
5cb5367 Add bounded StringWriter
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
See full diff in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates fast-xml-builder from 1.1.4 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

Add support for sanitizeName option

Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

fix: skip text property for PI tags

improve typings

1.1.7 (2026--05-04)

fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

fix security issues related to comment

skip comment with null value

1.1.5 (2026-04-17)

fix security issues related to comment and cdata

1.1.4 (2026-03-16)

support maxNestedTags option

1.1.3 (2026-03-13)

declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

fix typings

1.1.1 (2026-03-11)

upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

Integrate path-expression-matcher

Commits

a9a905b for release
42680e8 support name sanitization
8b00185 release info
8a08f17 allow indentation to be empty string
7fc5dec update docs
c241b6a improve documentation
15d5668 update for release
9877485 fix: skip text property for PI tags
311a221 fix #5 typing import issues
e8fc5b1 update for releast
Additional commits viewable in compare view

Removes hono

Updates openclaw from 2026.4.1 to 2026.5.28

Release notes

Sourced from openclaw's releases.

openclaw 2026.5.28

Highlights

Agent and Codex runtime recovery is steadier: subagents keep cwd/workspace separation, hook context stays prompt-local, session locks release on timeout abort while live OpenClaw locks survive cleanup, stale restart continuations are avoided, and Codex app-server/helper failures no longer tear down shared runtime state. (#87218, #86875, #87409, #87399, #87375, #88129)

Channel delivery and session identity got safer across outbound plugin hooks, Matrix room ids, iMessage reactions/approvals, Slack final replies, Discord recovered tool warnings, runtime-config message actions, WhatsApp profile auth roots, Telegram polling, and Microsoft Teams service URL trust checks. (#73706, #75670, #87366, #87451, #87334, #84535, #82492, #83304, #87160)

Mobile and chat surfaces got a broader refresh: the iOS Pro UI, hosted push relay default, realtime Talk tab playback, Gateway chat transport, onboarding, Talk permissions, WebChat reconnect delivery, and session picker behavior now preserve more state across reconnects and empty searches. (#87367, #87531, #87682, #88096, #88105) Thanks @ngutman and @BunsDev.

Browser, channel, and automation inputs are stricter: Browser tool timeouts, viewport/tab indices, Gateway ports, cron retry handling, Discord component ids, schema array refs, Telegram callback pages, and channel progress callbacks now reject malformed values earlier and preserve the intended delivery context. (#82887)

Provider, media, and document coverage expands with Claude Opus 4.8, Fal Krea image schemas, NVIDIA featured models, MiniMax streaming music responses, encrypted PDF extraction, voice model catalogs, GitHub Copilot agent runtime support, and a Codex Supervisor plugin path for delegated Codex workflows. (#87845, #87890, #80775, #84764, #87751, #87794)

CLI, auth, doctor, and provider paths fail faster and recover more clearly: malformed numeric/version options are rejected, workspace dotenv provider credentials are ignored, heartbeat defaults, OAuth/token lifetimes, and local service startup requests are bounded, agent auth health labels are clearer, legacy api_key auth profiles migrate to canonical form, and restart guidance is actionable. (#87398, #86281, #87361, #88133, #83655, #87559, #88088, #85924) Thanks @vincentkoc and @giodl73-repo.

Plugin and Gateway hot paths do less repeated work while preserving cache correctness for install records, config JSON parsing, tool search catalogs, session stores, manifest model rows, auto-enabled plugin config, browser tokens, viewer assets, and release-split external plugin packages. (#86699)

Release, QA, and E2E validation now bound more log, artifact, harness, and cross-OS waits so failing lanes produce proof instead of hanging or false-greening.

Changes

Status: show active subagent details in status output.

Diffs: split the default language pack and expand default Diffs language coverage while keeping the host floor aligned. (#87370, #87372) Thanks @RomneyDa.

ClawHub: add plugin display names plus skill verification and trust surfaces. (#87354, #86699) Thanks @thewilloftheshadow and @Patrick-Erichsen.

iOS: refresh the dev app with Pro Command, Chat, Agents, Settings, hosted push relay defaults, and realtime Talk playback wired to gateway sessions, diagnostics, chat, and realtime Talk. (#87367, #88096, #88105) Thanks @Solvely-Colin and @ngutman.

Docs: clarify Codex computer-use setup, paste-token stdin auth setup, macOS gateway sleep troubleshooting, native Codex hook relay recovery, container model auth, install deployment cards, device-token admin gating, CLI setup flow compatibility, Notte cloud browser CDP setup, and backport targets. (#87313, #63050, #87685) Thanks @bdjben, @liaoandi, and @thewilloftheshadow.

PDF/tools: use ClawPDF for PDF extraction, support encrypted PDF extraction, and surface MCP structured content in agent tool results. (#87670, #87751)

Providers: add Claude Opus 4.8 support, Fal Krea image model schemas, NVIDIA featured model catalogs, MiniMax streaming music responses, and provider-backed voice model catalogs. (#87845,

… updates Bumps the npm_and_yarn group with 1 update in the /plugins/collective-comms directory: [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). Bumps the npm_and_yarn group with 8 updates in the /plugins/openclaw-skill-extensions directory: | Package | From | To | | --- | --- | --- | | [@anthropic-ai/sdk](https://github.com/anthropics/anthropic-sdk-typescript) | `0.81.0` | `0.100.1` | | [axios](https://github.com/axios/axios) | `1.14.0` | `1.16.1` | | [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.2.0` | `5.3.1` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `5.0.5` | `5.0.6` | | [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` | | [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.1.4` | `1.2.0` | | [hono](https://github.com/honojs/hono) | `4.12.9` | `removed` | | [openclaw](https://github.com/openclaw/openclaw) | `2026.4.1` | `2026.5.28` | Updates `vitest` from 1.6.1 to 4.1.8 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest) Updates `@anthropic-ai/sdk` from 0.81.0 to 0.100.1 - [Release notes](https://github.com/anthropics/anthropic-sdk-typescript/releases) - [Changelog](https://github.com/anthropics/anthropic-sdk-typescript/blob/main/CHANGELOG.md) - [Commits](anthropics/anthropic-sdk-typescript@sdk-v0.81.0...sdk-v0.100.1) Updates `axios` from 1.14.0 to 1.16.1 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.14.0...v1.16.1) Updates `basic-ftp` from 5.2.0 to 5.3.1 - [Release notes](https://github.com/patrickjuchli/basic-ftp/releases) - [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md) - [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.3.1) Updates `brace-expansion` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `fast-xml-builder` from 1.1.4 to 1.2.0 - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.2.0) Removes `hono` Updates `openclaw` from 2026.4.1 to 2026.5.28 - [Release notes](https://github.com/openclaw/openclaw/releases) - [Commits](openclaw/openclaw@v2026.4.1...v2026.5.28) Updates `ip-address` from 10.1.0 to 10.2.0 - [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0) Updates `openclaw` from 2026.4.1 to 2026.5.28 - [Release notes](https://github.com/openclaw/openclaw/releases) - [Commits](openclaw/openclaw@v2026.4.1...v2026.5.28) Updates `protobufjs` from 7.5.4 to 8.4.0 - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v8.4.0) Updates `qs` from 6.15.0 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.15.0...v6.15.2) Updates `ws` from 8.20.0 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.20.0...8.21.0) --- updated-dependencies: - dependency-name: vitest dependency-version: 4.1.8 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@anthropic-ai/sdk" dependency-version: 0.100.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.16.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: basic-ftp dependency-version: 5.3.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: openclaw dependency-version: 2026.5.28 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: openclaw dependency-version: 2026.5.28 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: protobufjs dependency-version: 8.4.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-06-01T15:34:05Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality
vitest@4.1.8
@sinclair/typebox@0.27.10 ⏵ 0.32.35	⁺¹	⁺¹
typescript@5.9.3
ioredis@5.10.1

View full report

dependabot · 2026-06-04T20:01:57Z

Superseded by #3.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 1, 2026

dependabot Bot mentioned this pull request Jun 1, 2026

chore(deps): bump the npm_and_yarn group across 1 directory with 12 updates #1

Closed

dependabot Bot closed this Jun 4, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/plugins/collective-comms/npm_and_yarn-77b50ca226 branch June 4, 2026 20:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 13 updates#2

chore(deps): bump the npm_and_yarn group across 2 directories with 13 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/plugins/collective-comms/npm_and_yarn-77b50ca226

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

socket-security Bot commented Jun 1, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 1, 2026

v4.1.8

🐞 Bug Fixes

View changes on GitHub

v4.1.7

🐞 Bug Fixes

View changes on GitHub

v4.1.6

🐞 Bug Fixes

🏎 Performance

View changes on GitHub

v4.1.5

🚀 Experimental Features

🐞 Bug Fixes

View changes on GitHub

sdk: v0.100.1

0.100.1 (2026-05-29)

Bug Fixes

Chores

sdk: v0.100.0

0.100.0 (2026-05-28)

Features

Documentation

sdk: v0.99.0

0.99.0 (2026-05-27)

Features

Bug Fixes

sdk: v0.98.1

0.98.1 (2026-05-26)

Bug Fixes

0.100.1 (2026-05-29)

Bug Fixes

Chores

0.100.0 (2026-05-28)

Features

Documentation

0.99.0 (2026-05-27)

Features

Bug Fixes

0.98.1 (2026-05-26)

Bug Fixes

Chores

v1.16.1 — May 13, 2026

🔒 Security Fixes

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

v1.16.0 — May 2, 2026

⚠️ Notable Changes

v1.16.1 — May 13, 2026

🔒 Security Fixes

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

v1.16.0 — May 2, 2026

⚠️ Notable Changes

5.3.1

5.3.0

5.2.2

5.2.1

5.3.1

5.3.0

5.2.2

5.2.1

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

openclaw 2026.5.28

Highlights

Changes

Uh oh!

socket-security Bot commented Jun 1, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 4, 2026

Uh oh!