chore(deps): bump openclaw from 2026.2.17 to 2026.2.19 in the npm_and_yarn group across 1 directory #17

Merged
evansantos merged 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-2051eb21d0
Feb 19, 2026

@dependabot dependabot bot commented on behalf of github Feb 19, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: openclaw.

Updates openclaw from 2026.2.17 to 2026.2.19

Release notes

Sourced from openclaw's releases.

openclaw 2026.2.19

Changes

  • iOS/Watch: add an Apple Watch companion MVP with watch inbox UI, watch notification relay handling, and gateway command surfaces for watch status/send flows. (#20054) Thanks @​mbelinky.
  • iOS/Gateway: wake disconnected iOS nodes via APNs before nodes.invoke and auto-reconnect gateway sessions on silent push wake to reduce invoke failures while the app is backgrounded. (#20332) Thanks @​mbelinky.
  • Gateway/CLI: add paired-device hygiene flows with device.pair.remove, plus openclaw devices remove and guarded openclaw devices clear --yes [--pending] commands for removing paired entries and optionally rejecting pending requests. (#20057) Thanks @​mbelinky.
  • iOS/APNs: add push registration and notification-signing configuration for node delivery. (#20308) Thanks @​mbelinky.
  • Gateway/APNs: add a push-test pipeline for APNs delivery validation in gateway flows. (#20307) Thanks @​mbelinky.
  • Security/Audit: add gateway.http.no_auth findings when gateway.auth.mode="none" leaves Gateway HTTP APIs reachable, with loopback warning and remote-exposure critical severity, plus regression coverage and docs updates.
  • Skills: harden coding-agent skill guidance by removing shell-command examples that interpolate untrusted issue text directly into command strings.
  • Dev tooling: align oxfmt local/CI formatting behavior. (#12579) Thanks @​vincentkoc.

Fixes

  • Agents/Streaming: keep assistant partial streaming active during reasoning streams, handle native thinking_* stream events consistently, dedupe mixed reasoning-end signals, and clear stale mutating tool errors after same-target retry success. (#20635) Thanks @​obviyus.
  • iOS/Screen: move WKWebView lifecycle ownership into ScreenWebView coordinator and explicit attach/detach flow to reduce gesture/lifecycle crash risk (__NSArrayM insertObject:atIndex: paths) during screen tab updates. (#20366) Thanks @​ngutman.
  • iOS/Onboarding: prevent pairing-status flicker during auto-resume by keeping resumed state transitions stable. (#20310) Thanks @​mbelinky.
  • iOS/Onboarding: stabilize pairing and reconnect behavior by resetting stale pairing request state on manual retry, disconnecting both operator and node gateways on operator failure, and avoiding duplicate pairing loops from operator transport identity attachment. (#20056) Thanks @​mbelinky.
  • iOS/Signing: restore local auto-selected signing-team overrides during iOS project generation by wiring .local-signing.xcconfig into the active signing config and emitting OPENCLAW_DEVELOPMENT_TEAM in local signing setup. (#19993) Thanks @​ngutman.
  • Telegram: unify message-like inbound handling so message and channel_post share the same dedupe/access/media pipeline and remain behaviorally consistent. (#20591) Thanks @​obviyus.
  • Telegram/Agents: gate exec/bash tool-failure warnings behind verbose mode so default Telegram replies stay clean while verbose sessions still surface diagnostics. (#20560) Thanks @​obviyus.
  • Telegram/Cron/Heartbeat: honor explicit Telegram topic targets in cron and heartbeat delivery (<chatId>:topic:<threadId>) so scheduled sends land in the configured topic instead of the last active thread. (#19367) Thanks @​Lukavyi.
  • Gateway/Daemon: forward TMPDIR into installed service environments so macOS LaunchAgent gateway runs can open SQLite temp/journal files reliably instead of failing with SQLITE_CANTOPEN. (#20512) Thanks @​Clawborn.
  • Agents/Billing: include the active model that produced a billing error in user-facing billing messages (for example, OpenAI (gpt-5.3)) across payload, failover, and lifecycle error paths, so users can identify exactly which key needs credits. (#20510) Thanks @​echoVic.
  • Gateway/TUI: honor agents.defaults.blockStreamingDefault for chat.send by removing the hardcoded block-streaming disable override, so replies can use configured block-mode delivery. (#19693) Thanks @​neipor.
  • UI/Sessions: accept the canonical main session-key alias in Chat UI flows so main-session routing stays consistent. (#20311) Thanks @​mbelinky.
  • OpenClawKit/Protocol: preserve JSON boolean literals (true/false) when bridging through AnyCodable so Apple client RPC params no longer re-encode booleans as 1/0. Thanks @​mbelinky.
  • Commands/Doctor: skip embedding-provider warnings when memory.backend is qmd, because QMD manages embeddings internally and does not require memorySearch providers. (#17263) Thanks @​miloudbelarebia.
  • Canvas/A2UI: improve bundled-asset resolution and empty-state handling so UI fallbacks render reliably. (#20312) Thanks @​mbelinky.
  • Commands/Doctor: avoid rewriting invalid configs with new gateway.auth.token defaults during repair and only write when real config changes are detected, preventing accidental token duplication and backup churn.
  • Gateway/Auth: default unresolved gateway auth to token mode with startup auto-generation/persistence of gateway.auth.token, while allowing explicit gateway.auth.mode: "none" for intentional open loopback setups. (#20686) thanks @​gumadeiras.
  • Channels/Matrix: fix mention detection for formatted_body Matrix-to links by handling matrix.to mention formats consistently. (#16941) Thanks @​zerone0x.
  • Heartbeat/Cron: skip interval heartbeats when HEARTBEAT.md is missing or empty and no tagged cron events are queued, while preserving cron-event fallback for queued tagged reminders. (#20461) thanks @​vikpos.
  • Browser/Relay: reuse an already-running extension relay when the relay port is occupied by another OpenClaw process, while still failing on non-relay port collisions to avoid masking unrelated listeners. (#20035) Thanks @​mbelinky.
  • Scripts: update clawdock helper command support to include docker-compose.extra.yml where available. (#17094) Thanks @​zerone0x.
  • Lobster/Config: remove Lobster executable-path overrides (lobsterPath), require PATH-based execution, and add focused Windows wrapper-resolution tests to keep shell-free behavior stable.
  • Gateway/WebChat: block sessions.patch and sessions.delete for WebChat clients so session-store mutations stay restricted to non-WebChat operator flows. Thanks @​allsmog for reporting.
  • Gateway: clarify launchctl GUI domain bootstrap failure on macOS. (#13795) Thanks @​vincentkoc.
  • Lobster/CI: fix flaky test Windows cmd shim script resolution. (#20833) Thanks @​vincentkoc.
  • Browser/Relay: require gateway-token auth on both /extension and /cdp, and align Chrome extension setup to use a single gateway.auth.token input for relay authentication. Thanks @​tdjackey for reporting.
  • Gateway/Hooks: run BOOT.md startup checks per configured agent scope, including per-agent session-key resolution, startup-hook regression coverage, and non-success boot outcome logging for diagnosability. (#20569) thanks @​mcaxtr.
  • Protocol/Apple: regenerate Swift gateway models for push.test so pnpm protocol:check stays green on main. Thanks @​mbelinky.
  • Sandbox/Registry: serialize container and browser registry writes with shared file locks and atomic replacement to prevent lost updates and delete rollback races from desyncing sandbox list, prune, and recreate --all. Thanks @​kexinoh.
  • OTEL/diagnostics-otel: complete OpenTelemetry v2 API migration. (#12897) Thanks @​vincentkoc.
  • Cron/Webhooks: protect cron webhook POST delivery with SSRF-guarded outbound fetch (fetchWithSsrFGuard) to block private/metadata destinations before request dispatch. Thanks @​Adam55A-code.
  • Security/Voice Call: harden voice-call telephony TTS override merging by blocking unsafe deep-merge keys (__proto__, prototype, constructor) and add regression coverage for top-level and nested prototype-pollution payloads.
  • Security/Windows Daemon: harden Scheduled Task gateway.cmd generation by quoting cmd metacharacter arguments, escaping %/! expansions, and rejecting CR/LF in arguments, descriptions, and environment assignments (set "KEY=VALUE"), preventing command injection in Windows daemon startup scripts. This ships in the next npm release. Thanks @​tdjackey for reporting.
  • Security/Gateway/Canvas: replace shared-IP fallback auth with node-scoped session capability URLs for /__openclaw__/canvas/* and /__openclaw__/a2ui/*, fail closed when trusted-proxy requests omit forwarded client headers, and add IPv6/proxy-header regression coverage. This ships in the next npm release. Thanks @​aether-ai-agent for reporting.
  • Security/Net: enforce strict dotted-decimal IPv4 literals in SSRF checks and fail closed on unsupported legacy forms (octal/hex/short/packed, for example 0177.0.0.1, 127.1, 2130706433) before DNS lookup.
  • Security/Discord: enforce trusted-sender guild permission checks for moderation actions (timeout, kick, ban) and ignore untrusted senderUserId params to prevent privilege escalation in tool-driven flows. Thanks @​aether-ai-agent for reporting.

... (truncated)

Changelog

Sourced from openclaw's changelog.

2026.2.19

Changes

  • iOS/Watch: add an Apple Watch companion MVP with watch inbox UI, watch notification relay handling, and gateway command surfaces for watch status/send flows. (#20054) Thanks @​mbelinky.
  • iOS/Gateway: wake disconnected iOS nodes via APNs before nodes.invoke and auto-reconnect gateway sessions on silent push wake to reduce invoke failures while the app is backgrounded. (#20332) Thanks @​mbelinky.
  • Gateway/CLI: add paired-device hygiene flows with device.pair.remove, plus openclaw devices remove and guarded openclaw devices clear --yes [--pending] commands for removing paired entries and optionally rejecting pending requests. (#20057) Thanks @​mbelinky.
  • iOS/APNs: add push registration and notification-signing configuration for node delivery. (#20308) Thanks @​mbelinky.
  • Gateway/APNs: add a push-test pipeline for APNs delivery validation in gateway flows. (#20307) Thanks @​mbelinky.
  • Security/Audit: add gateway.http.no_auth findings when gateway.auth.mode="none" leaves Gateway HTTP APIs reachable, with loopback warning and remote-exposure critical severity, plus regression coverage and docs updates.
  • Skills: harden coding-agent skill guidance by removing shell-command examples that interpolate untrusted issue text directly into command strings.
  • Dev tooling: align oxfmt local/CI formatting behavior. (#12579) Thanks @​vincentkoc.

Fixes

  • Agents/Streaming: keep assistant partial streaming active during reasoning streams, handle native thinking_* stream events consistently, dedupe mixed reasoning-end signals, and clear stale mutating tool errors after same-target retry success. (#20635) Thanks @​obviyus.
  • iOS/Chat: use a dedicated iOS chat session key for ChatSheet routing to avoid cross-client session collisions with main-session traffic. (#21139) thanks @​mbelinky.
  • iOS/Chat: auto-resync chat history after reconnect sequence gaps, clear stale pending runs, and avoid dead-end manual refresh errors after transient disconnects. (#21135) thanks @​mbelinky.
  • iOS/Screen: move WKWebView lifecycle ownership into ScreenWebView coordinator and explicit attach/detach flow to reduce gesture/lifecycle crash risk (__NSArrayM insertObject:atIndex: paths) during screen tab updates. (#20366) Thanks @​ngutman.
  • iOS/Onboarding: prevent pairing-status flicker during auto-resume by keeping resumed state transitions stable. (#20310) Thanks @​mbelinky.
  • iOS/Onboarding: stabilize pairing and reconnect behavior by resetting stale pairing request state on manual retry, disconnecting both operator and node gateways on operator failure, and avoiding duplicate pairing loops from operator transport identity attachment. (#20056) Thanks @​mbelinky.
  • iOS/Signing: restore local auto-selected signing-team overrides during iOS project generation by wiring .local-signing.xcconfig into the active signing config and emitting OPENCLAW_DEVELOPMENT_TEAM in local signing setup. (#19993) Thanks @​ngutman.
  • Telegram: unify message-like inbound handling so message and channel_post share the same dedupe/access/media pipeline and remain behaviorally consistent. (#20591) Thanks @​obviyus.
  • Telegram/Agents: gate exec/bash tool-failure warnings behind verbose mode so default Telegram replies stay clean while verbose sessions still surface diagnostics. (#20560) Thanks @​obviyus.
  • Telegram/Cron/Heartbeat: honor explicit Telegram topic targets in cron and heartbeat delivery (<chatId>:topic:<threadId>) so scheduled sends land in the configured topic instead of the last active thread. (#19367) Thanks @​Lukavyi.
  • Gateway/Daemon: forward TMPDIR into installed service environments so macOS LaunchAgent gateway runs can open SQLite temp/journal files reliably instead of failing with SQLITE_CANTOPEN. (#20512) Thanks @​Clawborn.
  • Agents/Billing: include the active model that produced a billing error in user-facing billing messages (for example, OpenAI (gpt-5.3)) across payload, failover, and lifecycle error paths, so users can identify exactly which key needs credits. (#20510) Thanks @​echoVic.
  • Gateway/TUI: honor agents.defaults.blockStreamingDefault for chat.send by removing the hardcoded block-streaming disable override, so replies can use configured block-mode delivery. (#19693) Thanks @​neipor.
  • UI/Sessions: accept the canonical main session-key alias in Chat UI flows so main-session routing stays consistent. (#20311) Thanks @​mbelinky.
  • OpenClawKit/Protocol: preserve JSON boolean literals (true/false) when bridging through AnyCodable so Apple client RPC params no longer re-encode booleans as 1/0. Thanks @​mbelinky.
  • Commands/Doctor: skip embedding-provider warnings when memory.backend is qmd, because QMD manages embeddings internally and does not require memorySearch providers. (#17263) Thanks @​miloudbelarebia.
  • Canvas/A2UI: improve bundled-asset resolution and empty-state handling so UI fallbacks render reliably. (#20312) Thanks @​mbelinky.
  • Commands/Doctor: avoid rewriting invalid configs with new gateway.auth.token defaults during repair and only write when real config changes are detected, preventing accidental token duplication and backup churn.
  • Gateway/Auth: default unresolved gateway auth to token mode with startup auto-generation/persistence of gateway.auth.token, while allowing explicit gateway.auth.mode: "none" for intentional open loopback setups. (#20686) thanks @​gumadeiras.
  • Channels/Matrix: fix mention detection for formatted_body Matrix-to links by handling matrix.to mention formats consistently. (#16941) Thanks @​zerone0x.
  • Heartbeat/Cron: skip interval heartbeats when HEARTBEAT.md is missing or empty and no tagged cron events are queued, while preserving cron-event fallback for queued tagged reminders. (#20461) thanks @​vikpos.
  • Browser/Relay: reuse an already-running extension relay when the relay port is occupied by another OpenClaw process, while still failing on non-relay port collisions to avoid masking unrelated listeners. (#20035) Thanks @​mbelinky.
  • Scripts: update clawdock helper command support to include docker-compose.extra.yml where available. (#17094) Thanks @​zerone0x.
  • Lobster/Config: remove Lobster executable-path overrides (lobsterPath), require PATH-based execution, and add focused Windows wrapper-resolution tests to keep shell-free behavior stable.
  • Gateway/WebChat: block sessions.patch and sessions.delete for WebChat clients so session-store mutations stay restricted to non-WebChat operator flows. Thanks @​allsmog for reporting.
  • Gateway: clarify launchctl GUI domain bootstrap failure on macOS. (#13795) Thanks @​vincentkoc.
  • Lobster/CI: fix flaky test Windows cmd shim script resolution. (#20833) Thanks @​vincentkoc.
  • Browser/Relay: require gateway-token auth on both /extension and /cdp, and align Chrome extension setup to use a single gateway.auth.token input for relay authentication. Thanks @​tdjackey for reporting.
  • Gateway/Hooks: run BOOT.md startup checks per configured agent scope, including per-agent session-key resolution, startup-hook regression coverage, and non-success boot outcome logging for diagnosability. (#20569) thanks @​mcaxtr.
  • Protocol/Apple: regenerate Swift gateway models for push.test so pnpm protocol:check stays green on main. Thanks @​mbelinky.
  • Sandbox/Registry: serialize container and browser registry writes with shared file locks and atomic replacement to prevent lost updates and delete rollback races from desyncing sandbox list, prune, and recreate --all. Thanks @​kexinoh.
  • OTEL/diagnostics-otel: complete OpenTelemetry v2 API migration. (#12897) Thanks @​vincentkoc.
  • Cron/Webhooks: protect cron webhook POST delivery with SSRF-guarded outbound fetch (fetchWithSsrFGuard) to block private/metadata destinations before request dispatch. Thanks @​Adam55A-code.
  • Security/Voice Call: harden voice-call telephony TTS override merging by blocking unsafe deep-merge keys (__proto__, prototype, constructor) and add regression coverage for top-level and nested prototype-pollution payloads.
  • Security/Windows Daemon: harden Scheduled Task gateway.cmd generation by quoting cmd metacharacter arguments, escaping %/! expansions, and rejecting CR/LF in arguments, descriptions, and environment assignments (set "KEY=VALUE"), preventing command injection in Windows daemon startup scripts. This ships in the next npm release. Thanks @​tdjackey for reporting.

... (truncated)

Commits
  • 2c05cbb fix(ci): use versioned actionlint checksum asset
  • 2435499 ci: move blacksmith runners to 8 vcpu
  • 9f5429e docs: trim refactor-only and duplicate changelog entries
  • 869ebbc fix(ci): verify actionlint release checksum before install
  • 3077c35 fix(ui): unblock docker onboarding build
  • 30e36c3 fix(ci): tighten test typing for browser and cron cli
  • 018370e fix(ci): normalize path assertions across platforms
  • 035832b refactor(daemon): extract windows cmd argv helpers
  • a1cb700 test: dedupe and optimize test suites
  • b0e5528 chore: bump release metadata to 2026.2.19
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


🐕 GitSniff Summary

What this PR does

This pull request updates the openclaw dependency to its latest version, 2026.2.19, incorporating various bug fixes and new features from the upstream project. This ensures the SlimClaw plugin benefits from the most recent improvements in the OpenClaw framework, including critical security hardening and stability enhancements. The update also includes a minor version bump for @aws-sdk/client-bedrock, ensuring compatibility and access to the latest AWS SDK features.

Key Changes

  • Updated openclaw dependency from 2026.2.17 to 2026.2.19 in package-lock.json.
  • Updated @aws-sdk/client-bedrock from ^3.992.0 to ^3.993.0 as a sub-dependency of openclaw.
  • Incorporated numerous fixes, including those related to agent streaming, iOS chat, and security hardening from the openclaw upstream.

Review Score: Excellent 🟢

Tip

No major issues found. Safe to merge.

🐕 Reviewed by GitSniff

Bumps the npm_and_yarn group with 1 update in the / directory: [openclaw](https://github.com/openclaw/openclaw).


Updates `openclaw` from 2026.2.17 to 2026.2.19
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Changelog](https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md)
- [Commits](openclaw/openclaw@v2026.2.17...v2026.2.19)

---
updated-dependencies:
- dependency-name: openclaw
  dependency-version: 2026.2.19
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
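
The Security/Net entry in the release notes above describes failing closed on legacy IPv4 forms before DNS lookup. The following is an added example of that kind of check, not OpenClaw's code: `checkHostLiteral`, the verdict strings and the blocked-range table are assumptions made for illustration.

```javascript
"use strict";
// Added illustration; every name below is hypothetical, not taken from OpenClaw.

// Strict dotted-decimal: exactly four decimal octets, 0-255, no leading zeros.
const OCTET = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
const STRICT_V4 = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);

// Anything built only from decimal or 0x-prefixed parts and dots: a form that a
// permissive inet_aton-style parser may still turn into an address.
const NUMERIC_LOOKING = /^(?:0x[0-9a-f]*|\d+)(?:\.(?:0x[0-9a-f]*|\d+))*\.?$/i;

// Loopback, private, link-local (cloud metadata lives here), CGNAT, multicast/reserved.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

// Arithmetic instead of bit shifts, so values above 2^31 stay positive.
const toInt = (ip) => ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);

function inCidr(ip, base, bits) {
  const size = 2 ** (32 - bits);
  return Math.floor(toInt(ip) / size) === Math.floor(toInt(base) / size);
}

// Takes the raw host string as configured or received, before any resolver sees it.
function checkHostLiteral(host) {
  if (typeof host !== "string" || host.length === 0) return "block:invalid";
  if (STRICT_V4.test(host)) {
    return BLOCKED_V4.some(([base, bits]) => inCidr(host, base, bits))
      ? "block:private-or-reserved"
      : "allow:public-ipv4";
  }
  // Octal, hex, short and packed forms land here and are rejected outright,
  // rather than being "helpfully" normalised to an address.
  if (NUMERIC_LOOKING.test(host)) return "block:legacy-ipv4-form";
  // Hostnames and IPv6 literals need their own checks on every resolved address.
  return "not-ipv4";
}

// Constructed sample inputs; the first three are the forms the release note lists.
for (const host of ["0177.0.0.1", "127.1", "2130706433", "0x7f.0.0.1",
                    "127.0.0.1", "169.254.169.254", "93.184.216.34", "example.com"]) {
  console.log(host.padEnd(16), checkHostLiteral(host));
}
```
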
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Feb 19, 2026

@gitsniff gitsniff bot left a comment

Score: Excellent

This pull request updates the openclaw dependency from version 2026.2.17 to 2026.2.19. The change primarily affects the package-lock.json file, reflecting the version bump and an associated update in @aws-sdk/client-bedrock. A thorough review of the release notes for openclaw indicates numerous fixes and changes, including several security-related updates.

1 finding posted as inline comments below.

Review completed in 26s | Basic Plan | Gemini 2.5 Flash

"dependencies": {
"@agentclientprotocol/sdk": "0.14.1",
"@aws-sdk/client-bedrock": "^3.992.0",
"@aws-sdk/client-bedrock": "^3.993.0",
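
Review bot: The two `@aws-sdk/client-bedrock` lines only show the declared range moving from `^3.992.0` to `^3.993.0`, and a caret range does not say which version was actually resolved. Before merging, confirm that the lockfile entry for the package itself (its version, resolved URL and integrity hash) changed in the same commit, since that entry, not this range, is what a lockfile-based install pulls in.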
ℹ️ Info

The package-lock.json file shows a minor version bump for @aws-sdk/client-bedrock from ^3.992.0 to ^3.993.0 within the openclaw dependency. While this is a minor update, it's not explicitly mentioned in the PR description or the openclaw release notes. It is good practice to explicitly mention all direct and indirect dependency updates in the PR description for full transparency and to aid in debugging potential issues.

Fix: Update the PR description to explicitly mention the update of @aws-sdk/client-bedrock to ^3.993.0 as part of this dependency bump.

🤖 Prompt for AI Agents
In package-lock.json around line 8968:

Issue: The `package-lock.json` file shows a minor version bump for `@aws-sdk/client-bedrock` from `^3.992.0` to `^3.993.0` within the `openclaw` dependency. While this is a minor update, it's not explicitly mentioned in the PR description or the `openclaw` release notes. It is good practice to explicitly mention all direct and indirect dependency updates in the PR description for full transparency and to aid in debugging potential issues.

Update the PR description to explicitly mention the update of `@aws-sdk/client-bedrock` to `^3.993.0` as part of this dependency bump.


@evansantos evansantos merged commit 7cb0c00 into main Feb 19, 2026
4 checks passed
@evansantos evansantos deleted the dependabot/npm_and_yarn/npm_and_yarn-2051eb21d0 branch February 19, 2026 23:04
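
The Security/Voice Call entry in the release notes quoted in this PR describes blocking `__proto__`, `prototype` and `constructor` during deep merges of TTS overrides. The following is an added example of such a guard, not OpenClaw's code: `safeDeepMerge`, the settings object and both payloads are constructed for illustration.

```javascript
"use strict";
// Added illustration; names and sample data are hypothetical, not OpenClaw's.

// The three keys the release note names as unsafe in a deep merge.
const BLOCKED_KEYS = new Set(["__proto__", "prototype", "constructor"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Merge an untrusted override into a copy of `base`. Blocked keys are skipped
// at every depth and their dotted paths are collected so the caller can log them.
function safeDeepMerge(base, override, path = [], dropped = []) {
  const merged = { ...base };
  for (const key of Object.keys(override)) {
    if (BLOCKED_KEYS.has(key)) {
      dropped.push([...path, key].join("."));
      continue;
    }
    const next = override[key];
    if (isPlainObject(next)) {
      // Only recurse into an own plain-object property, never an inherited one.
      const current = hasOwn(merged, key) && isPlainObject(merged[key]) ? merged[key] : {};
      merged[key] = safeDeepMerge(current, next, [...path, key], dropped).merged;
    } else {
      merged[key] = next;
    }
  }
  return { merged, dropped };
}

// True while Object.prototype has not gained the marker property.
const prototypeIsClean = () => ({}).polluted === undefined;

// Constructed defaults and overrides. JSON.parse makes "__proto__" an own key,
// which is how such a payload reaches a merge routine in the first place.
const defaults = { voice: "default", provider: { name: "example-tts", speed: 1.0 } };
const topLevel = JSON.parse('{"voice":"alto","__proto__":{"polluted":true}}');
const nested = JSON.parse(
  '{"provider":{"speed":1.2,"constructor":{"prototype":{"polluted":true}}}}'
);

const topResult = safeDeepMerge(defaults, topLevel);
const nestedResult = safeDeepMerge(defaults, nested);
console.log(topResult.merged, topResult.dropped);
console.log(nestedResult.merged, nestedResult.dropped);
console.log("Object.prototype clean:", prototypeIsClean());
```
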