chore(deps): bump uuid and openclaw in /openclaw-plugin

[dependabot]

Bumps uuid to 14.0.0 and updates ancestor dependency openclaw. These dependencies need to be updated together.

Updates uuid from 9.0.1 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

v12.0.1

12.0.1 (2026-04-29)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (3d61d6a)

v12.0.0

12.0.0 (2025-09-05)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@20+) (#935)
• drop node@18 support (#934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

• update to typescript@5.2 (#887)
• remove CommonJS support (#886)
• drop node@16 support (#883)

Features

• add node@24 to ci matrix (#879) (42b6178)
• drop node@16 support (#883) (0f38cf1)
• remove CommonJS support (#886) (ae786e2)
• update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

• improve v4() performance (#894) (5fd974c)
• restore node: prefix (#889) (e1f42a3)

11.1.0 (2025-02-19)

... (truncated)

Commits

• 7c1ea08 chore(main): release 14.0.0 (#926)
• 3d2c5b0 Merge commit from fork
• f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
• 529ef08 chore: upgrade TypeScript and fixup types (#927)
• 086fd79 chore: update dependencies (#933)
• dc4ddb8 feat!: drop node@18 support (#934)
• 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
• e2879e6 chore: use maintained version of npm-run-all (#930)
• ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
• 0423d49 docs: remove obsolete v1 option notes (#915)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates openclaw from 2026.4.8 to 2026.5.2

Release notes

Sourced from openclaw's releases.

openclaw 2026.5.2

Highlights

• External plugin installation, update, doctor repair, dependency reporting, and artifact metadata now cover the npm-first cutover, stale configured installs, missing package payloads, and beta-channel plugin fallback. Thanks @​vincentkoc.
• Gateway and agent hot paths are leaner across startup, session listing, task maintenance, prompt prep, plugin loading, tool descriptor planning, filesystem guards, and large runtime configs.
• Control UI and WebChat are more resilient across Sessions, Cron, long-running Gateway WebSockets, grouped-message width, slash-command feedback, iOS PWA bounds, selection contrast, and Talk diagnostics.
• Messaging fixes cover WhatsApp Channel/Newsletter targets, Telegram topic commands and networking, Discord delivery/startup edge cases, Slack threads, Signal groups/media, and visible reply routing.
• Provider and media fixes cover OpenAI-compatible TTS/Realtime, OpenRouter/DeepSeek replay, Anthropic-compatible streaming, LM Studio reasoning metadata, Brave/SearXNG/Firecrawl web search, media paths, music, and voice-call routing.

Changes

• Gateway/startup and restart: skip plugin-backed auth-profile overlays during startup secrets preflight, reducing gateway readiness latency while keeping reload and OAuth recovery paths overlay-capable; add openclaw gateway restart --force and --wait <duration>, log active task run IDs before restart deferral timers, and report timeout restarts as explicit forced restarts. (#68327) Thanks @​JIRBOY.
• Plugins/ClawHub: make diagnostics, onboarding, doctor repair, and channel setup carry ClawPack metadata through install records while keeping explicit clawhub: installs on ClawHub and bare package installs on npm for the launch cutover. Thanks @​vincentkoc.
• Plugins/CLI: include package dependency install state in openclaw plugins list --json so scripts can spot missing plugin dependencies without runtime-loading plugins.
• Plugins/update: on the beta OpenClaw update channel, default-line npm and ClawHub plugin updates try @beta first and fall back to default/latest when no plugin beta release exists.
• Plugins/runtime: scope broad runtime preloads to the effective plugin ids derived from config, startup planning, configured channels, slots, and auto-enable rules instead of importing every discoverable plugin.
• Agents/runtime: reuse the startup-loaded plugin registry for request-time providers, tools, channel actions, web/capability/memory/migration helpers, and memoized provider extra-params, and memoize transcript replay-policy resolution for stable config and process-env runs while preserving model-specific transport hook patches and custom-env provider behavior. Thanks @​DmitryPogodaev.
• Infra/path-guards: add a fast path for canonical absolute POSIX containment checks, avoiding repeated path.resolve and path.relative work in hot filesystem walkers. Refs #75895, #75575, and #68782. Thanks @​Enderfga.
• Tools/plugins: add a platform-level tool descriptor planner for descriptor-first visibility, generic availability checks, and executor references, and cache plugin tool descriptors captured from api.registerTool(...) so repeated prompt-time planning can skip plugin runtime loading while execution still loads the live plugin tool. (#76079) Thanks @​shakkernerd.
• Docs/Codex: clarify that ChatGPT/Codex subscription setups should use openai/gpt-* with agentRuntime.id: "codex" for native Codex runtime, while openai-codex/* remains the PI OAuth route. Thanks @​pashpashpash.
• Plugins/source checkout: load bundled plugins from the extensions/* pnpm workspace tree in source checkouts, so plugin-local dependencies and edits are used directly while packaged installs keep using the built runtime tree. Thanks @​vincentkoc.
• Plugins/beta: externalize ACPX behind @openclaw/acpx and diagnostics OpenTelemetry behind @openclaw/diagnostics-otel, keeping their heavier runtime stacks out of the core package until installed; prepare Google Chat, LINE, Matrix, Mattermost, BlueBubbles, diagnostics Prometheus, Google Meet, Nextcloud Talk, Nostr, Zalo, Zalo Personal, diagnostics OpenTelemetry, Discord, Diffs, Lobster, Memory LanceDB, Microsoft Teams, QQ Bot, Voice Call, WhatsApp, Brave, Codex, Feishu, Synology Chat, Tlon, and Twitch for 2026.5.1-beta.1/2026.5.1-beta.2 npm and ClawHub publishing, and keep publishable plugin dist trees out of the core npm package. Thanks @​vincentkoc.
• Providers/xAI: add Grok 4.3 to the bundled catalog and make it the default xAI chat model.
• Google Meet: let API-created rooms set accessType and entryPointAccess, add googlemeet end-active-conference for closing managed spaces after a call, and add googlemeet test-listen plus the matching google_meet test_listen action so transcribe-mode joins wait for real caption or transcript movement before reporting listen-first health. (#74824; refs #72478) Thanks @​BsnizND and @​DougButdorf.
• Plugins/ClawHub/onboarding: prefer versioned ClawPack artifacts when ClawHub publishes digest metadata, verify ClawPack response headers and downloaded bytes, persist ClawPack digest/artifact metadata on install/update records and install-on-demand provider setup entries, and allow official bundled-plugin cutovers to record ClawHub artifact metadata while preserving npm as the launch default for bare package specs and retaining npm/local fallback paths. Thanks @​vincentkoc.
• Plugins/Crestodian: add ClawHub plugin search plus Crestodian plugin list/search/install/uninstall operations, with approval and audit coverage for install and uninstall.
• Channels/thread bindings: replace split subagent/ACP thread-spawn toggles with threadBindings.spawnSessions, default thread-bound spawns on, and let openclaw doctor --fix migrate the legacy keys. (#75943)
• Providers/OpenAI: add extraBody/extra_body passthrough for OpenAI-compatible TTS endpoints, so custom speech servers can receive fields such as lang in /audio/speech requests. Fixes #39900. Thanks @​R3NK0R.
• Channels/WhatsApp: support explicit WhatsApp Channel/Newsletter @newsletter outbound message targets with channel session metadata instead of DM routing. Fixes #13417; carries forward the narrow outbound target idea from #13424. Thanks @​vincentkoc and @​agentz-manfred.
• Dependencies: refresh workspace, bundled runtime, and plugin dependency pins, including TypeBox 1.1.37, AWS SDK 3.1041.0, Microsoft Teams 2.0.9, Marked 18.0.3, Pi 0.71.1, OpenAI 6.35.0, Codex 0.128.0, Zod 4.4.1, and Matrix 41.4.0. Thanks @​mariozechner, @​aws, and @​microsoft.
• Discord/channels: add reusable message-channel access groups plus Discord channel-audience DM authorization, so allowlists can reference accessGroup:<name> across channel auth paths. (#75813)
• Crabbox/scripts: print the selected Crabbox binary, version, and supported providers before pnpm crabbox:* commands, and reject stale binaries that lack blacksmith-testbox provider support.
• Agents/Codex: add committed happy-path prompt snapshots for Codex/message-tool Telegram direct, Discord group, and heartbeat turns so prompt drift can be reviewed. Thanks @​pashpashpash.
• Agents/workspace: add agents.defaults.skipOptionalBootstrapFiles for skipping selected optional workspace files during bootstrap without disabling required workspace setup. (#62110) Thanks @​mainstay22.
• Plugins/CLI: add first-class git: plugin installs with ref checkout, commit metadata, normal scanner/staging, and plugins update support for recorded git sources. Thanks @​badlogic.
• Google Meet: add live caption health for Chrome transcribe mode, including caption observer state, transcript counters, last caption text, and recent transcript lines in status and doctor output. Refs #72478. Thanks @​DougButdorf.
• Voice Call/Google Meet: add Twilio Meet join phase logs around pre-connect DTMF, realtime stream setup, and initial greeting handoff for easier live-call debugging. Thanks @​donkeykong91 and @​PfanP.
• macOS app: move recent session context rows into a Context submenu while keeping usage and cost details root-level, so the menu bar companion stays compact with many active sessions. Thanks @​guti.
• Gateway/SDK: add SDK-facing tools.invoke RPC with shared HTTP policy, typed approval/refusal results, and SDK helper support. Refs #74705. Thanks @​BunsDev and @​ai-hpc.
• Discord: keep active buttons, selects, and forms working across Gateway restarts until they expire, so multi-step Discord interactions are less likely to break during upgrades or restarts. Thanks @​amknight.
• Messages/docs: clarify that BodyForAgent is the primary inbound model text while Body is the legacy envelope fallback, and add Signal coverage so channel hardening patches target the real prompt path. Refs #66198. Thanks @​defonota3box.
• Slack: publish a safe default App Home tab view on app_home_opened, include the Home tab event in setup manifests, and keep track of bot-participated threads across restarts so ongoing threaded conversations can continue auto-replying after the Gateway restarts. Fixes #11655; refs #52020. Thanks @​TinyTb and @​amknight.
• Control UI/Usage: add UTC quarter-hour token buckets for the Usage Mosaic and reuse them for hour filtering, keeping the legacy session-span fallback for older summaries. (#74337) Thanks @​konanok.
• BlueBubbles: add opt-in channels.bluebubbles.replyContextApiFallback that fetches the original message from the BlueBubbles HTTP API when the in-memory reply-context cache misses (multi-instance deployments sharing one BB account, post-restart, after long-lived TTL/LRU eviction). Off by default; channel-level setting propagates to accounts that omit the flag through mergeAccountConfig; routed through the typed BlueBubblesClient so every fetch is SSRF-guarded by the same three-mode policy as every other BB client request; reply-id shape is validated and part-index prefixes (p:0/<guid>) are stripped before the request; concurrent webhooks for the same replyToId coalesce into one fetch and successful responses populate the reply cache for subsequent hits. Also promotes BlueBubbles attachment download failures from verbose to runtime error so silently-dropped inbound images are visible at default log level, and extends sanitizeForLog to redact ?password=…/?token=… query params and Authorization: headers before they reach the log sink (CWE-532). (#71820) Thanks @​coletebou and @​zqchris.
• CLI/proxy: add openclaw proxy validate so operators can verify effective proxy configuration, proxy reachability, and expected allow/deny destination behavior before deploying proxy-routed OpenClaw commands. (#73438) Thanks @​jesse-merhi.
• Agents/Codex: default Codex app-server dynamic tools to native-first, keeping OpenClaw integration tools while leaving file, patch, exec, and process ownership to the Codex harness; default Codex-harness direct source replies to the OpenClaw message tool when visible reply delivery is not explicitly configured, keeping channel-visible output as a deliberate tool call. (#75308, #75765) Thanks @​pashpashpash.
• Heartbeats/agents: add a structured heartbeat_respond tool for tool-capable heartbeat runs so agents can record quiet outcomes or explicit notification text without relying only on HEARTBEAT_OK parsing. (#75765) Thanks @​pashpashpash.
• Gateway/config: allow $include directives to read files from operator-approved OPENCLAW_INCLUDE_ROOTS directories while preserving default config-directory confinement. Thanks @​ificator.

... (truncated)

Commits

• 8b2a6e5 docs: refresh plugin inventory for bundled channels
• 0accc7f fix(channels): keep matrix and mattermost bundled
• 8842a5b test(e2e): allow npm configured plugin installs
• c975bff fix: trusted installs
• 90079f5 test(tooling): align plugin prerelease expectations
• d8f31a2 fix(plugins): allow Discord install repair
• dd22838 test(docker): expect discord onboard package lane
• a121f98 test(plugins): avoid kitchen sink config drift
• 13e8c49 test(plugins): pin kitchen sink npm fixture
• 6cb5484 test(plugins): harden package plugin e2e lanes
• Additional commits viewable in compare view

Install script changes

This version adds preinstall script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.