pnpm-lock.yaml. Published OpenClaw npm packages use npm-shrinkwrap.json, npm’s publishable dependency lockfile, so package installs use the dependency graph reviewed during release.
Why it matters
Shrinkwrap is a receipt for the dependency tree that ships with an npm package: it tells npm which exact transitive versions to install.| File | Where it matters | What it means |
|---|---|---|
pnpm-lock.yaml | OpenClaw source checkout | Maintainer dependency graph |
npm-shrinkwrap.json | Published npm package | npm install graph for users |
package-lock.json | Local npm apps | Not the OpenClaw publish contract |
- the published package does not ask npm to invent a fresh dependency graph at install time;
- dependency changes are reviewable because they land in a lockfile diff;
- release validation tests the same graph users will install;
- package-size or native-dependency surprises surface before publishing.
openclaw security audit, package provenance, or install smoke tests.
OpenClaw is a gateway, plugin host, model router, and agent runtime, so a default install affects startup time, disk use, native package downloads, and supply-chain exposure. Shrinkwrap gives release review a stable boundary: reviewers see transitive dependency movement, validators reject unexpected lockfile drift, and plugin packages carry their own locked dependency graph instead of relying on the root package.
Generating and checking
The rootopenclaw npm package, OpenClaw-owned npm plugin packages (for example @openclaw/discord), and publishable workspace packages such as @openclaw/ai include npm-shrinkwrap.json when they publish. Workspace dependencies are omitted from the root shrinkwrap because they publish beside the root package; each publishable workspace package pins its own transitive tree instead. Suitable plugin packages can also publish with explicit bundledDependencies, carrying their runtime dependency files in the plugin tarball instead of relying only on install-time resolution.
pnpm-lock.yaml. That keeps the pnpm dependency age, override, and patch-review boundary intact.
Review these as security-sensitive:
pnpm-lock.yamlnpm-shrinkwrap.json- bundled plugin dependency payloads
- any
package-lock.jsondiff
package-lock.json for published packages. The plugin npm publish path checks plugin-local shrinkwrap, installs package-local bundled dependencies, then packs or publishes.