This page captures the evidence behind the May 2026 OpenClaw performance,
package-size, dependency, and shrinkwrap cleanup. It is the technical companion
to the public blog post.Two audits are combined here:
Release performance sweep: GitHub Releases from v2026.5.28 back through
stable v2026.4.23, using the OpenClaw Performance workflow,
profile=smoke, mock-provider lane. Most tag rows are one sample; the
v2026.5.27 and v2026.5.28 rows use the latest repeat-3 release-branch
artifacts.
Earlier April context: published clawgrit-reports mock-provider
baselines from v2026.4.1 through v2026.5.2, used only to avoid treating
the broken late-April releases as the public performance baseline.
Install footprint sweep: fresh npm install --ignore-scripts installs
into temporary packages, with du -sk node_modules for size and a
node_modules walk for package-instance counts.
npm package size sweep:npm pack openclaw@<version> --dry-run --json
for published releases, recording compressed tarball size, unpacked size, and
file count.
The main performance sweep uses one smoke sample per tag, except the
v2026.5.27 and v2026.5.28 rows, which use the latest repeat-3
release-branch artifacts. Earlier April context uses published repeat-3
medians from clawgrit-reports. Treat the numbers as trend evidence and
regression-hunting signal, not as release-gate statistics.
Performance coverage: 77 requested releases, 74 artifact-backed points,
and 3 unavailable CI runs. Latest stable measured point: v2026.5.28.
Stable agent turn
5.1x faster cold turn
v2026.4.14: 9.8s
v2026.5.28: 1.9s
Published package
17.9MB tarballLatest stable package, down from the 43.3MB March package-size peak.
Latest stable install
361.7MiB fresh installCuts the nested OpenClaw dependency tree sharply from the 2026.5.22
shrinkwrap-introduction peak, though a smaller 259.7MiB nested tree still
remains in the local install audit.
Dependency graph
300 installed packagesMeasured as unique package name/version roots in a fresh install with
scripts disabled; 71 fewer roots than the prior stable release.
The cleanup between v2026.5.27 and v2026.5.28 reduced the default-install
graph instead of removing the capabilities themselves.
Root default graph
Unique package name/version roots fell from 371 to 300. Package
instances fell from 372 to 301.
Nested tree
Nested openclaw/node_modules fell from 656.1MiB to 259.7MiB in
the same local install audit.
Native optional cones
The all-platform @napi-rs/canvas native package cone stopped landing in
the default install.
Supply-chain surface
Fewer default packages means fewer tarballs, maintainers, native binaries,
install-time behaviors, and transitive update paths to trust by default.
Shrinkwrap was not the problem by itself. The bad package shape was.
v2026.5.28 still ships shrinkwrap, but the nested dependency tree is much
smaller and the all-platform canvas fanout is gone in the local audit.
Do not use the late-April broken rows as public performance baselines.
v2026.4.23 and v2026.4.29 are useful regression evidence, but the large
14x-style deltas mostly describe the recovery from a bad release line.For the blog narrative, use the earlier April published baseline as scale.
The baseline is v2026.4.14 from the published clawgrit-reports
mock-provider run (repeat 3; that run failed only because the diagnostic
timeline was not emitted, so the cold, warm, and RSS medians are still useful
as rough scale). Treat this as narrative context, not a release-gate
statistic.
Metric
Earlier April baseline
v2026.5.28
Delta
Cold agent turn
9,819ms
1,908ms
80.6% lower, 5.1x faster
Warm agent turn
7,458ms
1,870ms
74.9% lower, 4.0x faster
Agent peak RSS
686.2MB
581.0MB
15.3% lower
Within the May sweep, the latest release-branch row moved materially from
v2026.5.2:
2026.5.12 is the visible plugin-extraction milestone in the changelog:
Amazon Bedrock, Bedrock Mantle, Slack, OpenShell sandbox, Anthropic Vertex,
Matrix, and WhatsApp moved out of the core dependency path so their dependency
cones install with those plugins instead of every core install.
The April stable line contains two different stories. Earlier April was slow
but recognizable. Late April became a regression cliff. v2026.5.2 is where
the mock-provider lane first drops into the 3-5s range and starts passing
consistently in the supplied sweep.Earlier published context:
Source probes were skipped for 17 successful older refs because those source
trees did not yet have the required probe entry points. Agent-turn metrics still
exist for those refs.Representative source-probe points:
Release
Default readyz p50
50 plugins readyz p50
CLI health p50
Plugin max RSS
v2026.4.29
2,819ms
2,618ms
1,679ms
389.0MB
v2026.5.2
2,324ms
2,013ms
1,384ms
377.2MB
v2026.5.7
1,649ms
1,540ms
1,175ms
387.6MB
v2026.5.18
1,942ms
1,927ms
607ms
426.5MB
v2026.5.20
1,966ms
1,987ms
621ms
455.0MB
v2026.5.22
2,081ms
1,884ms
5,095ms
444.2MB
v2026.5.26
1,546ms
1,634ms
656ms
400.4MB
v2026.5.27-beta.1
1,462ms
1,548ms
548ms
394.0MB
v2026.5.27
1,491ms
1,571ms
553ms
401.5MB
v2026.5.28
1,457ms
1,474ms
623ms
386.1MB
The v2026.5.22 CLI health spike is visible in this table even though the
agent-turn lane still passed. Keep the source probes when investigating
targeted CLI or gateway regressions.
2026.5.20 shipped with no root shrinkwrap and no large nested OpenClaw
dependency tree. 2026.5.22 introduced root shrinkwrap and installed 911.8MB
under nested openclaw/node_modules. 2026.5.28 keeps shrinkwrap and still
installs 259.7MiB under nested openclaw/node_modules, but no longer installs
any @napi-rs/canvas packages in the local fresh-install audit.Published tarball inspection verifies the boundary:
Version
Published stable?
Root npm-shrinkwrap.json
Notes
2026.5.20
yes
no
last stable release before shrinkwrap
2026.5.21
no
n/a
no stable npm release
2026.5.22
yes
yes
shrinkwrap introduced
2026.5.23
no
n/a
no stable npm release
2026.5.24
no
n/a
no stable npm release
2026.5.25
no
n/a
no stable npm release
2026.5.26
yes
yes
nested dependency tree still present
2026.5.27
yes
yes
nested dependency tree still present
2026.5.28
yes
yes
nested dependency tree much smaller
The important distinction: shrinkwrap itself is not the problem.
v2026.5.28 still ships root shrinkwrap. The problem was the package shape
that made npm materialize a large nested OpenClaw dependency tree and all 12
@napi-rs/canvas platform packages. The nested tree is smaller in v2026.5.28,
and the canvas platform fanout no longer lands in the local audit.For a plain-English explanation of shrinkwrap and the maintainer-level package
checks, see npm shrinkwrap.
Dependency count is an operational security metric, not only an install-size
metric. Every package expands the set of maintainers, tarballs, transitive
updates, optional native binaries, and install-time behaviors that operators
must trust.The cleanup direction is:
keep heavy and optional capabilities outside the default core install
make plugin packages own their runtime dependency graph
avoid runtime package-manager repair during Gateway startup
preserve deterministic installs without causing all-platform native package
materialization
keep install scripts disabled in package acceptance and measurement paths
catch nested dependency trees and native optional dependency explosions before
publishing