Add version check to OpenClaw plugin #49

Open: kaghni wants to merge 5 commits into main from feat/openclaw-autoupdate

@kaghni (Collaborator) commented Apr 14, 2026

Summary

  • Adds non-blocking version check on plugin registration — compares installed version against GitHub
  • Logs update notice if a newer version is available: openclaw plugins update hivemind
  • No auto-update (child_process is stubbed for security scanner compliance), notify only
  • No cache cleanup needed — OpenClaw uses single directory install, not versioned cache

Test plan

  • Typecheck passes
  • Build succeeds
  • Bundle passes security scanner checks (no readFileSync, child_process, or process.env literals)
  • Install in OpenClaw and verify update notice appears when version is behind

Check GitHub for newer versions on plugin registration. Since
child_process is stubbed in the OpenClaw bundle, auto-update isn't
possible — log a notice with the update command instead.

claude bot commented Apr 14, 2026

Claude finished @kaghni's task in 1m 11s


Left 3 inline comments:

  • Line 41 — use https://registry.npmjs.org/hivemind/latest instead of the main branch raw URL; commits land on main before npm publish, causing false "update available" notices.
  • Line 59 — strip pre-release suffix before split(".") to avoid NaN comparisons (e.g. a user on 1.0.0-beta would never see the 1.0.0 upgrade prompt).
  • Line 72 — guard pkg.version with typeof … === "string" before passing to isNewer to avoid a runtime throw on a malformed response.

}

const DEFAULT_API_URL = "https://api.deeplake.ai";
const GITHUB_RAW_PKG = "https://raw.githubusercontent.com/activeloopai/hivemind/main/openclaw/package.json";

Pointing at the main branch means any un-released commit will trigger a false "update available" notice for users on the current published version. The npm registry is the authoritative source for what's actually published.

Suggested change
const GITHUB_RAW_PKG = "https://raw.githubusercontent.com/activeloopai/hivemind/main/openclaw/package.json";
const GITHUB_RAW_PKG = "https://registry.npmjs.org/hivemind/latest";

Then update checkForUpdate to use pkg.version directly (the latest dist-tag endpoint returns { version: "..." } at the top level, same as package.json).

}

function isNewer(latest: string, current: string): boolean {
const parse = (v: string) => v.split(".").map(Number);

Number() on a pre-release segment like "0-beta" returns NaN; all comparisons with NaN are false, so a user on 1.0.0 would never be told to upgrade to 1.0.1-beta (benign) but also a user on 1.0.0-beta would never be told to upgrade to 1.0.0 (wrong). Strip the pre-release suffix before comparing.

Suggested change
const parse = (v: string) => v.split(".").map(Number);
const parse = (v: string) => v.replace(/-.*$/, "").split(".").map(Number);
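Review bot: On the replacement parse line, stripping the suffix from both arguments makes 1.0.0-beta and 1.0.0 parse to the same [1, 0, 0], so the pre-release can no longer be told apart from the release, and the 1.0.0-beta to 1.0.0 case then depends on how equal arrays are handled. The regex also leaves build metadata such as +build in the last segment, which still yields NaN. Suggest matching major.minor.patch with a strict pattern and treating a version without a pre-release tag as newer than the same numbers with one.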

const res = await fetch(GITHUB_RAW_PKG, { signal: AbortSignal.timeout(3000) });
if (!res.ok) return;
const pkg = await res.json();
const latest = pkg.version;
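Review bot: The await fetch(...) and await res.json() lines can both reject (the AbortSignal.timeout(3000) timeout, a network failure, a non-JSON body), and no handler is visible in these lines. Confirm the enclosing function catches those, so a failed check stays silent and does not surface as an unhandled rejection during plugin registration.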

res.json() is untyped and pkg.version could be undefined, null, or a non-string, which would pass the truthiness check but cause isNewer to call undefined.split(…) or produce NaN — add a string guard.

Suggested change
const latest = pkg.version;
const latest = typeof pkg.version === "string" ? pkg.version : null;
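Review bot: The typeof guard on the replacement line accepts any string, including an empty one or text that is not a version, and the value comes from a remote response. Suggest also matching it against a strict version pattern (digits and dots, optional pre-release tag) and returning early on a mismatch, so only a well-formed version reaches isNewer and the logged update notice.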

kaghni added 4 commits April 14, 2026 15:46
- Use npm registry instead of GitHub raw to avoid false update notices
  for unreleased versions on main
- Strip pre-release suffix before version comparison
- Add string type guard on pkg.version from registry response

auth.ts imports unlinkSync from node:fs but the OpenClaw esbuild
fs-wrap didn't export it, breaking the build.

npm registry has a different package named hivemind (0.1.2). The
OpenClaw plugin is published on ClawHub, not npm. GitHub raw is the
correct source for the latest version.

Checks GitHub for newer version and tells the user what command to run.
Cannot auto-update since child_process is stubbed in the OpenClaw bundle.
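
The comparison problems raised in the review comments above (NaN from pre-release segments, non-string version values in the fetched JSON) can be handled in one place. The following is an added example, not code from this pull request: parseVersion, this isNewer, and the sample inputs are constructed for illustration, and pre-release tags are compared as plain strings rather than by full semver precedence rules.

```javascript
// Added example: strict parsing and comparison of a remotely fetched version.
// parseVersion and this isNewer are illustrative, not the plugin's functions.

// MAJOR.MINOR.PATCH with optional -prerelease and +build (simplified semver).
const VERSION_RE = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns { nums: [major, minor, patch], pre: string | null }, or null when the
// input is not a string of the expected shape (e.g. undefined from bad JSON).
function parseVersion(v) {
  if (typeof v !== "string" || v.length > 64) return null;
  const m = VERSION_RE.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// True only when both versions parse and `latest` is strictly greater.
function isNewer(latest, current) {
  const a = parseVersion(latest);
  const b = parseVersion(current);
  if (!a || !b) return false; // never prompt on malformed input
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] > b.nums[i];
  }
  if (a.pre === b.pre) return false; // identical versions
  if (a.pre === null) return true;   // release outranks its own pre-release
  if (b.pre === null) return false;  // pre-release does not outrank the release
  return a.pre > b.pre;              // simplification: plain string order
}

// Constructed inputs covering the cases discussed in the review comments.
const cases = [
  ["1.0.0", "1.0.0-beta"],
  ["1.0.1-beta", "1.0.0"],
  ["1.0.0-beta", "1.0.0"],
  ["1.10.0", "1.9.9"],
  [undefined, "1.0.0"],
  ["1.0.0\nforged log line", "0.9.0"],
];
for (const [latest, current] of cases) {
  console.log(JSON.stringify(latest), JSON.stringify(current), isNewer(latest, current));
}
```

Because a value that fails parseVersion never yields true, a malformed or multi-line version string from the response cannot trigger the update notice.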