fix(plugins): sanitize workspace deps before plugin install

Co-authored-by: guanyu-zhang <guanyu-zhang@users.noreply.github.com>
2026-02-22 19:17:40 +01:00
parent e55ab6fd91
commit 1bd79add8f
3 changed files with 97 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,7 @@ Docs: https://docs.openclaw.ai
 - Security/Feishu: enforce ID-only allowlist matching for DM/group sender authorization, normalize Feishu ID prefixes during checks, and ignore mutable display names so display-name collisions cannot satisfy allowlist entries. This ships in the next npm release. Thanks @jiseoung for reporting.
 - Feishu/Commands: in group chats, command authorization now falls back to top-level `channels.feishu.allowFrom` when per-group `allowFrom` is not set, so `/command` no longer gets blocked by an unintended empty allowlist. (#23756)
 - Feishu/Plugins: restore bundled Feishu SDK availability for global installs and strip `openclaw: workspace:*` from plugin `devDependencies` during plugin-version sync so npm-installed Feishu plugins do not fail dependency install. (#23611, #23645, #23603)
+- Plugins/Install: strip `workspace:*` devDependency entries from copied plugin manifests before `npm install --omit=dev`, preventing `EUNSUPPORTEDPROTOCOL` install failures for npm-published channel plugins (including Feishu and MS Teams).
 - Dev tooling: prevent `CLAUDE.md` symlink target regressions by excluding CLAUDE symlink sentinels from `oxfmt` and marking them `-text` in `.gitattributes`, so formatter/EOL normalization cannot reintroduce trailing-newline targets. Thanks @vincentkoc.
 - Cron: honor `cron.maxConcurrentRuns` in the timer loop so due jobs can execute up to the configured parallelism instead of always running serially. (#11595) Thanks @Takhoffman.
 - Agents/Compaction: restore embedded compaction safeguard/context-pruning extension loading in production by wiring bundled extension factories into the resource loader instead of runtime file-path resolution. (#22349) Thanks @Glucksberg.
--- a/src/infra/install-package-dir.ts
+++ b/src/infra/install-package-dir.ts
@@ -1,7 +1,53 @@
 import fs from "node:fs/promises";
+import path from "node:path";
 import { runCommandWithTimeout } from "../process/exec.js";
 import { fileExists } from "./archive.js";

+function isObjectRecord(value: unknown): value is Record<string, unknown> {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+async function sanitizeManifestForNpmInstall(targetDir: string): Promise<void> {
+  const manifestPath = path.join(targetDir, "package.json");
+  let manifestRaw = "";
+  try {
+    manifestRaw = await fs.readFile(manifestPath, "utf-8");
+  } catch {
+    return;
+  }
+
+  let manifest: Record<string, unknown>;
+  try {
+    const parsed = JSON.parse(manifestRaw) as unknown;
+    if (!isObjectRecord(parsed)) {
+      return;
+    }
+    manifest = parsed;
+  } catch {
+    return;
+  }
+
+  const devDependencies = manifest.devDependencies;
+  if (!isObjectRecord(devDependencies)) {
+    return;
+  }
+
+  const filteredEntries = Object.entries(devDependencies).filter(([, rawSpec]) => {
+    const spec = typeof rawSpec === "string" ? rawSpec.trim() : "";
+    return !spec.startsWith("workspace:");
+  });
+  if (filteredEntries.length === Object.keys(devDependencies).length) {
+    return;
+  }
+
+  if (filteredEntries.length === 0) {
+    delete manifest.devDependencies;
+  } else {
+    manifest.devDependencies = Object.fromEntries(filteredEntries);
+  }
+  await fs.writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`, "utf-8");
+}
+
 export async function installPackageDir(params: {
  sourceDir: string;
  targetDir: string;
@@ -43,6 +89,7 @@ export async function installPackageDir(params: {
  }

  if (params.hasDeps) {
+    await sanitizeManifestForNpmInstall(params.targetDir);
    params.logger?.info?.(params.depsLogMessage);
    const npmRes = await runCommandWithTimeout(
      ["npm", "install", "--omit=dev", "--silent", "--ignore-scripts"],
--- a/src/plugins/install.test.ts
+++ b/src/plugins/install.test.ts
@@ -486,6 +486,55 @@ describe("installPluginFromDir", () => {
      expectedCwd: res.targetDir,
    });
  });
+
+  it("strips workspace devDependencies before npm install", async () => {
+    const workDir = makeTempDir();
+    const stateDir = makeTempDir();
+    const pluginDir = path.join(workDir, "plugin");
+    fs.mkdirSync(path.join(pluginDir, "dist"), { recursive: true });
+    fs.writeFileSync(
+      path.join(pluginDir, "package.json"),
+      JSON.stringify({
+        name: "@openclaw/test-plugin",
+        version: "0.0.1",
+        openclaw: { extensions: ["./dist/index.js"] },
+        dependencies: { "left-pad": "1.3.0" },
+        devDependencies: {
+          openclaw: "workspace:*",
+          vitest: "^3.0.0",
+        },
+      }),
+      "utf-8",
+    );
+    fs.writeFileSync(path.join(pluginDir, "dist", "index.js"), "export {};", "utf-8");
+
+    const run = vi.mocked(runCommandWithTimeout);
+    run.mockResolvedValue({
+      code: 0,
+      stdout: "",
+      stderr: "",
+      signal: null,
+      killed: false,
+      termination: "exit",
+    });
+
+    const res = await installPluginFromDir({
+      dirPath: pluginDir,
+      extensionsDir: path.join(stateDir, "extensions"),
+    });
+    expect(res.ok).toBe(true);
+    if (!res.ok) {
+      return;
+    }
+
+    const manifest = JSON.parse(
+      fs.readFileSync(path.join(res.targetDir, "package.json"), "utf-8"),
+    ) as {
+      devDependencies?: Record<string, string>;
+    };
+    expect(manifest.devDependencies?.openclaw).toBeUndefined();
+    expect(manifest.devDependencies?.vitest).toBe("^3.0.0");
+  });
 });

 describe("installPluginFromNpmSpec", () => {