chore(catalog): bump Weixin plugin to 2.4.6#96801
Conversation
|
Codex review: found issues before merge. Reviewed June 26, 2026, 8:07 PM ET / 00:07 UTC. Summary PR surface: Other 0. Total 0 across 1 file. Reproducibility: yes. source-level: current Review metrics: 1 noteworthy metric.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Risk before merge
Maintainer options:
Next step before merge
Security Review findings
Review detailsBest possible solution: Land the catalog bump only after maintainers accept 2.4.6 as the official target and the WeChat compatibility docs match the accepted host floor. Do we have a high-confidence way to reproduce the issue? Yes, source-level: current Is this the best way to solve the issue? Yes for the code boundary: the official external channel catalog is the narrow place to update the trusted package target, integrity, and host floor. It is not merge-complete until maintainers accept that target and the compatibility docs match the new floor. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against ff35f3bb2cd6. Label changesLabel justifications:
Evidence reviewedPR surface: Other 0. Total 0 across 1 file. View PR surface stats
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
@clawsweeper re-review |
68384db to
0616aad
Compare
0616aad to
4e6b5af
Compare
|
Merged via squash.
|
* chore(catalog): bump Weixin plugin to 2.4.6 * chore(catalog): align Weixin host floor * chore: retrigger PR checks --------- Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
* chore(catalog): bump Weixin plugin to 2.4.6 * chore(catalog): align Weixin host floor * chore: retrigger PR checks --------- Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
* chore(catalog): bump Weixin plugin to 2.4.6 * chore(catalog): align Weixin host floor * chore: retrigger PR checks --------- Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
* chore(catalog): bump Weixin plugin to 2.4.6 * chore(catalog): align Weixin host floor * chore: retrigger PR checks --------- Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
* chore(catalog): bump Weixin plugin to 2.4.6 * chore(catalog): align Weixin host floor * chore: retrigger PR checks --------- Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
* chore(catalog): bump Weixin plugin to 2.4.6 * chore(catalog): align Weixin host floor * chore: retrigger PR checks --------- Co-authored-by: lin-hongkuan <lin-hongkuan@users.noreply.github.com>
What Problem This Solves
Fixes #96791. The official external channel catalog still pinned
@tencent-weixin/openclaw-weixinto2.4.3, so installs and upgrade reconciliation would keep users on the older Weixin plugin even though the package has published2.4.6.Why This Change Was Made
The catalog entry is the source used by OpenClaw's official external channel install flow. Updating
npmSpec,expectedIntegrity, and the catalogminHostVersionkeeps the install metadata aligned with the published npm package so host compatibility checks do not accept a package version that declares a newer floor.User Impact
Users installing or reconciling the official Weixin channel plugin get
@tencent-weixin/openclaw-weixin@2.4.6with its matching integrity and host floor instead of being forced back to2.4.3or seeing catalog/package compatibility drift.Evidence
Head commit:
3f163c4666a0c13adefeebe85b9cfe371afc5b69.Verified npm metadata with
npm view @tencent-weixin/openclaw-weixin@2.4.6 version dist.integrity openclaw.install.minHostVersion peerDependencies.openclaw --json:{ "version": "2.4.6", "dist.integrity": "sha512-qw9k3PLTiMWGNjjsknHgcTManH1w4j+Ji1ArWIaYLKCq3aFRsVwcqnPi127bvOoVMJGW4dbyJ8NECEMgoO+iRw==", "openclaw.install.minHostVersion": ">=2026.5.12", "peerDependencies.openclaw": ">=2026.5.12" }Verified the repo's official catalog loader and install-plan trust path with
pnpm exec tsx -e '<listChannelPluginCatalogEntries + resolveOfficialExternalNpmPackageTrust proof>'. The proof confirmed:{ "proof": "official catalog install path resolves Weixin 2.4.6 with npm trust metadata", "npmSpec": "@tencent-weixin/openclaw-weixin@2.4.6", "minHostVersion": ">=2026.5.12", "expectedIntegrity": "sha512-qw9k3PLTiMWGNjjsknHgcTManH1w4j+Ji1ArWIaYLKCq3aFRsVwcqnPi127bvOoVMJGW4dbyJ8NECEMgoO+iRw==", "trustedSourceLinkedOfficialInstall": true, "warnings": [] }Verified the real isolated install path with
pnpm openclaw plugins install openclaw-weixinagainst a clean proof root. The installer selected and installed the exact package:The generated package lock in the isolated proof root confirmed the resolved tarball and integrity:
{ "version": "2.4.6", "resolved": "https://registry.npmjs.org/@tencent-weixin/openclaw-weixin/-/openclaw-weixin-2.4.6.tgz", "integrity": "sha512-qw9k3PLTiMWGNjjsknHgcTManH1w4j+Ji1ArWIaYLKCq3aFRsVwcqnPi127bvOoVMJGW4dbyJ8NECEMgoO+iRw==" }Validation:
node scripts/run-vitest.mjs run src/plugins/official-external-plugin-catalog.test.ts test/official-channel-catalog.test.ts test/release-check.test.tspassed.pnpm tsgo:corepassed.git diff --check origin/main...HEADpassed.