From 325e97ead52804bb0fcb8fab4b2c298e87737383 Mon Sep 17 00:00:00 2001
From: ly85206559
Date: Wed, 15 Apr 2026 19:12:40 +0800
Subject: [PATCH] fix(docker): verify matrix-sdk-crypto native addon without hardcoded pnpm path (#65608)
---
 CHANGELOG.md | 2 ++
 Dockerfile | 6 ++++++
 src/dockerfile.test.ts | 9 +++++++++
 3 files changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 26ea508c5de..5648a63c790 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ Docs: https://docs.openclaw.ai
 - CLI/configure: re-read the persisted config hash after writes so config updates stop failing with stale-hash races. (#64188, #66528)
 - CLI/update: prune stale packaged `dist` chunks after npm upgrades and keep downgrade/verify inventory checks compat-safe so global upgrades stop failing on stale chunk imports. (#66959) Thanks @obviyus.
 - Onboarding/CLI: fix channel-selection crashes on globally installed CLI setups during onboarding. (#66736)
+- Video generation/live tests: bound provider polling for live video smoke, default to the fast non-FAL text-to-video path, and use a one-second lobster prompt so release validation no longer waits indefinitely on slow provider queues.
 - Memory-core/QMD `memory_get`: reject reads of arbitrary workspace markdown paths and only allow canonical memory files (`MEMORY.md`, `memory.md`, `DREAMS.md`, `dreams.md`, `memory/**`) plus exact paths of active indexed QMD workspace documents, so the QMD memory backend can no longer be used as a generic workspace-file read shim that bypasses `read` tool-policy denials. (#66026) Thanks @eleqtrizit.
 - Cron/agents: forward embedded-run tool policy and internal event params into the attempt layer so `--tools` allowlists, cron-owned message-tool suppression, explicit message targeting, and command-path internal events all take effect at runtime again. (#62675) Thanks @hexsprite.
 - Setup/providers: guard preferred-provider lookup during setup so malformed plugin metadata with a missing provider id no longer crashes the wizard with `Cannot read properties of undefined (reading 'trim')`. (#66649) Thanks @Tianworld.
@@ -64,6 +65,7 @@ Docs: https://docs.openclaw.ai
 - Control UI/chat: keep optimistic user message cards visible during active sends by deferring same-session history reloads until the active run ends, including aborted and errored runs. (#66997) Thanks @scotthuang and @vincentkoc.
 - Media/Slack: allow host-local CSV and Markdown uploads only when the fallback buffer actually decodes as text, so real plain-text files work without letting opaque non-text blobs renamed to `.csv` or `.md` slip past the host-read guard. (#67047) Thanks @Unayung.
 - Ollama/onboarding: split setup into `Cloud + Local`, `Cloud only`, and `Local only`, support direct `OLLAMA_API_KEY` cloud setup without a local daemon, and keep Ollama web search on the local-host path. (#67005) Thanks @obviyus.
+- Docker/build: verify `@matrix-org/matrix-sdk-crypto-nodejs` native bindings with `find` under `node_modules` instead of a hardcoded `.pnpm/...` path so pnpm v10+ virtual-store layouts no longer fail the image build. (#67143) thanks @ly85206559.
 
 ## 2026.4.14
 
diff --git a/Dockerfile b/Dockerfile
index bd5f9d02175..33eac6364d1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -74,6 +74,12 @@ COPY --from=ext-deps /out/ ./${OPENCLAW_BUNDLED_PLUGIN_DIR}/
 RUN --mount=type=cache,id=openclaw-pnpm-store,target=/root/.local/share/pnpm/store,sharing=locked \
 NODE_OPTIONS=--max-old-space-size=2048 pnpm install --frozen-lockfile
 
+# pnpm v10+ may append peer-resolution hashes to virtual-store folder names; do not hardcode `.pnpm/...`
+# paths. Fail fast here if the Matrix native binding did not materialize after install.
+RUN echo "==> Verifying critical native addons..." && \
+ find /app/node_modules -name "matrix-sdk-crypto*.node" 2>/dev/null | grep -q . || \
+ (echo "ERROR: matrix-sdk-crypto native addon missing (pnpm install may have silently failed on this arch)" >&2 && exit 1)
+
 COPY . .
 
 # Normalize extension paths now so runtime COPY preserves safe modes
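Review bot: The added `RUN` check accepts any path named `matrix-sdk-crypto*.node` under `/app/node_modules`, so an empty or truncated file, or a binding built for a different platform, still passes even though the error text is about the install failing on this arch. A cheap tightening is `find /app/node_modules -type f -size +0 -name "matrix-sdk-crypto*.node" | grep -q .`; dropping `2>/dev/null` would also keep a missing or unreadable `node_modules` from being reported as a missing addon. If the package can be resolved at this point in the build stage, loading it with `node -e` from the workspace that depends on it would be the stronger gate, since it shows the binding actually loads on the image's architecture. The test in `src/dockerfile.test.ts` pins the exact `find` text and would need the same update.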
diff --git a/src/dockerfile.test.ts b/src/dockerfile.test.ts
index 1adae61f634..353dce89584 100644
--- a/src/dockerfile.test.ts
+++ b/src/dockerfile.test.ts
@@ -42,6 +42,15 @@ describe("Dockerfile", () => {
 expect(dockerfile).toContain("apt-get install -y --no-install-recommends xvfb");
 });
 
+ it("verifies matrix-sdk-crypto native addons without hardcoded pnpm virtual-store paths", async () => {
+ const dockerfile = await readFile(dockerfilePath, "utf8");
+ expect(dockerfile).toContain("Verifying critical native addons");
+ expect(dockerfile).toContain('find /app/node_modules -name "matrix-sdk-crypto*.node"');
+ expect(dockerfile).not.toMatch(
+ /ADDON_DIR=.*node_modules\/\.pnpm\/@matrix-org\+matrix-sdk-crypto-nodejs@/,
+ );
+ });
+
 it("prunes runtime dependencies after the build stage", async () => {
 const dockerfile = await readFile(dockerfilePath, "utf8");
 expect(dockerfile).toContain("FROM build AS runtime-assets");
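Review bot: The negative assertion only rejects a hardcoded virtual-store path when it is assigned to a variable named `ADDON_DIR`, so the same `.pnpm/@matrix-org+matrix-sdk-crypto-nodejs@...` path reintroduced in any other form would pass; matching the path itself is stricter: `expect(dockerfile).not.toMatch(/node_modules\/\.pnpm\/@matrix-org\+matrix-sdk-crypto-nodejs@/);`. The test also never checks that the step fails the build, so it would still pass if the `|| (... exit 1)` fallback were dropped from the Dockerfile; asserting on the `exit 1` branch or on the error string would pin that. The enclosing `describe` block starts and ends outside this hunk.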