Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix fix(plugin-sdk): zod bare import fails to resolve in pnpm global installs [3 pull requests, 2 comments, 3 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#78398Fetched 2026-05-07 03:37:23
View on GitHub
Comments
2
Participants
3
Timeline
7
Reactions
2
Author
ggzengggzeng
Participants
clawsweeper[bot]clawsweeper[bot]ggzengggzenghera8939hera8939
Timeline (top)
cross-referenced ×3commented ×2mentioned ×1subscribed ×1

After upgrading to OpenClaw 2026.5.x via pnpm install -g openclaw, the bundled plugin-sdk re-export export * from "zod" in dist/plugin-sdk/zod.js fails to resolve at runtime. This causes all channel plugins that depend on plugin-sdk/zod (e.g. feishu, bluebubbles) to silently fail during registration.

Error Message

[plugins] feishu failed during register from .../feishu/dist/index.js: Error: Cannot find module 'zod' Require stack:

  • /home/user/.local/share/pnpm/global/5/node_modules/openclaw/dist/plugin-sdk/zod.js

Root Cause

dist/plugin-sdk/zod.js contains:

import "../zod-D2c0iocA.js";
export * from "zod";

The second line is a runtime bare import of zod. In pnpm's strict dependency isolation mode, zod is NOT hoisted/symlinked into openclaw/node_modules/ during a global install, so Node.js ESM resolution fails.

Verified by removing the manual fix and re-running pnpm install -g — zod is not linked:

$ ls openclaw/node_modules/
# Only .bin/ directory, no zod symlink

Fix Action

Fix / Workaround

Current Workaround

PR fix notes

PR #78464: fix(plugin-sdk): bundle zod subpath artifact

Description (problem / solution / changelog)

Summary

  • Problem: openclaw/plugin-sdk/zod shipped as dist/plugin-sdk/zod.js with a bare runtime export * from "zod", which can fail in pnpm global installs where zod is not resolvable from the OpenClaw package root.
  • Why it matters: bundled and third-party channel plugins import this public SDK subpath during registration, so a missing bare zod dependency can prevent plugins such as Feishu and BlueBubbles from registering.
  • What changed: force zod into the tsdown bundle graph so the published SDK subpath imports only package-local chunks.
  • Guardrail: extend the npm postpublish verifier with a package-artifact check that rejects dist/plugin-sdk/zod.js when it imports or re-exports bare zod.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Fixes #78398
  • This PR fixes a bug or regression

Root Cause (if applicable)

src/plugin-sdk/zod.ts re-exported from bare zod, and the build did not force that dependency to stay bundled for the public SDK subpath. Published artifacts could therefore contain export * from "zod", which relies on Node resolving zod from the installed OpenClaw package location. pnpm global installs can leave that dependency unavailable from that path.

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Package-artifact smoke
  • Target test or file:
    • test/openclaw-npm-postpublish-verify.test.ts
    • scripts/openclaw-npm-postpublish-verify.ts
  • Scenario the test locks in: installed dist/plugin-sdk/zod.js must be self-contained and must not import or re-export bare zod.

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) No
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

  • OS: Linux workspace
  • Runtime/container: Node v24.15.0, pnpm 10.33.2/10.33.3 via Corepack
  • Integration/channel: package artifact and plugin SDK zod subpath

Steps

  1. Build the package.
  2. Inspect dist/plugin-sdk/zod.js for bare zod imports/exports.
  3. Pack the candidate tarball.
  4. Install it into an isolated pnpm global root.
  5. Import openclaw/plugin-sdk/zod from the installed package.

Expected

The zod SDK subpath imports successfully and the installed artifact verifier reports no bare zod import/export.

Actual

After this patch, the installed pnpm global tarball import succeeded and the verifier returned [].

Evidence

$ pnpm build
OK: All 4 required plugin-sdk exports verified.
[build-all] write-cli-compat

$ rg -n 'from "zod"|from "zod/|export \* from "zod|import\("zod' dist/plugin-sdk/zod.js dist -g '*.js' | head -100
# no output

$ pnpm pack --pack-destination /tmp/openclaw-zod-smoke
Tarball Details
/tmp/openclaw-zod-smoke/openclaw-2026.5.6.tgz

$ PNPM_HOME=/tmp/openclaw-zod-smoke/pnpm-home HOME=/tmp/openclaw-zod-smoke/home PATH=/tmp/openclaw-zod-smoke/pnpm-home:$PATH pnpm install -g /tmp/openclaw-zod-smoke/openclaw-2026.5.6.tgz --global-dir /tmp/openclaw-zod-smoke/global --store-dir /tmp/openclaw-zod-smoke/store --no-lockfile --dangerously-allow-all-builds
/tmp/openclaw-zod-smoke/global/5:
+ openclaw 2026.5.6

$ node --input-type=module --eval "const mod = await import('openclaw/plugin-sdk/zod'); console.log(typeof mod.z.object, typeof mod.object);"
function function

$ node --import tsx --input-type=module --eval "import { collectInstalledPluginSdkZodArtifactErrors } from './scripts/openclaw-npm-postpublish-verify.ts'; const errors = collectInstalledPluginSdkZodArtifactErrors('/tmp/openclaw-zod-smoke/global/5/node_modules/openclaw'); console.log(JSON.stringify(errors));"
[]

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes
  • Config/env changes? (Yes/No) No
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps: N/A

Risks and Mitigations

  • Risk: packaging more zod code into the OpenClaw runtime artifact could increase package size.
    • Mitigation: this only forces an existing root runtime dependency into the bundle graph for a public SDK subpath that must work from installed packages.

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • scripts/openclaw-npm-postpublish-verify.ts (modified, +34/-0)
  • test/openclaw-npm-postpublish-verify.test.ts (modified, +43/-0)
  • tsdown.config.ts (modified, +6/-1)

PR #78485: fix(plugin-sdk): bundle zod to resolve bare import in pnpm global installs (#78398)

Description (problem / solution / changelog)

Summary

Fixes #78398 — plugin-sdk/zod bare import fails in pnpm global installs.

Root cause: dist/plugin-sdk/zod.js contains export * from "zod". In pnpm's strict isolation mode, zod is not symlinked into openclaw/node_modules/, so the bare import fails and all plugins depending on openclaw/plugin-sdk/zod (Feishu, BlueBubbles, etc.) register.

Fix: Add zod to bundledDependencies in package.json. This tells npm to include zod directly in the published tarball's node_modules/, ensuring the bare import resolves regardless of the package manager's linking strategy.

Verification

# 1. npm pack includes zod
npm pack --dry-run 2>&1 | grep node_modules/zod
# → package/node_modules/zod/LICENSE, package/node_modules/zod/v4/core/api.cjs, ...

# 2. Build passes
pnpm build
# → OK: All 4 required plugin-sdk exports verified.

# 3. Plugin-sdk exports intact
ls dist/plugin-sdk/zod.js dist/plugin-sdk/zod.d.ts

Impact

  • Fixes all pnpm global install users
  • No runtime behavior change — zod was already a dependency, now it's bundled
  • Tarball size increase: ~200KB (zod is small)

Changed files

  • extensions/memory-core/src/dreaming-phases.ts (modified, +2/-2)
  • extensions/memory-core/src/dreaming-repair.ts (modified, +1/-1)
  • extensions/memory-core/src/short-term-promotion.ts (modified, +2/-2)
  • package.json (modified, +3/-0)

PR #78515: fix(build): bundle zod inline to fix pnpm global install resolution

Description (problem / solution / changelog)

Summary

Add deps.alwaysBundle: ["zod"] to tsdown config so that plugin-sdk/zod.ts is bundled inline instead of leaving import * from "zod" as a bare external import in the dist output.

Problem

In pnpm global installs (pnpm install -g openclaw), zod is not symlinked into openclaw/node_modules/ due to pnpm's strict dependency isolation. This causes dist/plugin-sdk/zod.js to fail at runtime:

Error: Cannot find module 'zod'
Require stack:
- .../openclaw/dist/plugin-sdk/zod.js

All channel plugins that import from "openclaw/plugin-sdk/zod" (feishu, bluebubbles, mattermost, zalo, etc.) silently fail during registration.

Current dist output (plugin-sdk/zod.js):

import "../zod-D2c0iocA.js";
export * from "zod";   // ← bare import fails under pnpm global

Fix

Add alwaysBundle: ["zod"] to the tsdown config so zod is inlined:

deps: {
  neverBundle: shouldNeverBundleDependency,
  alwaysBundle: ["zod"],  // ← new
},

This produces a self-contained plugin-sdk/zod.js with no bare zod import.

Testing

Before fix

$ pnpm install -g [email protected]
$ node -e "require.resolve('zod', {paths:[\"$(pnpm root -g)/openclaw\"]})"
# → MODULE_NOT_FOUND

After fix (manual verification with symlink workaround)

memory-lancedb-pro: initialized successfully (embedding: OK, retrieval: OK)
feishu: WebSocket client started

Related

  • #78398 — detailed bug report
  • #12067 — bluebubbles zod error (same root cause)
  • #26762 — extensions with deps fail on pnpm (same class of issue)
<details> <summary>Workaround for existing installs (before this fix lands)</summary> 
OPENCLAW_DIR=$(pnpm root -g)/openclaw
ZOD_STORE=$(find "$(dirname $(pnpm store path))" -path "*/[email protected]/node_modules/zod" -type d | head -1)
mkdir -p "$OPENCLAW_DIR/node_modules"
ln -s "$ZOD_STORE" "$OPENCLAW_DIR/node_modules/zod"
openclaw gateway restart
</details>

Changed files

  • tsdown.config.ts (modified, +5/-0)

Code Example

[plugins] feishu failed during register from .../feishu/dist/index.js: Error: Cannot find module 'zod'
Require stack:
- /home/user/.local/share/pnpm/global/5/node_modules/openclaw/dist/plugin-sdk/zod.js

---

import "../zod-D2c0iocA.js";
export * from "zod";

---

$ ls openclaw/node_modules/
# Only .bin/ directory, no zod symlink

---

OPENCLAW_DIR=$(pnpm root -g)/openclaw
ZOD_STORE=$(find "$(pnpm store path)" -path "*/[email protected]/node_modules/zod" -type d | head -1)
mkdir -p "$OPENCLAW_DIR/node_modules"
ln -s "$ZOD_STORE" "$OPENCLAW_DIR/node_modules/zod"
openclaw gateway restart
RAW_BUFFERClick to expand / collapse

Bug Report

Summary

After upgrading to OpenClaw 2026.5.x via pnpm install -g openclaw, the bundled plugin-sdk re-export export * from "zod" in dist/plugin-sdk/zod.js fails to resolve at runtime. This causes all channel plugins that depend on plugin-sdk/zod (e.g. feishu, bluebubbles) to silently fail during registration.

Environment

  • OpenClaw: 2026.5.4
  • Install method: pnpm install -g openclaw (pnpm v10.33.0)
  • Node.js: v24.14.0
  • OS: Linux (Docker Ubuntu 24.04)

Reproduction

  1. pnpm install -g [email protected]
  2. openclaw gateway start
  3. Observe gateway logs:
[plugins] feishu failed during register from .../feishu/dist/index.js: Error: Cannot find module 'zod'
Require stack:
- /home/user/.local/share/pnpm/global/5/node_modules/openclaw/dist/plugin-sdk/zod.js
  1. Verify: node -e "require.resolve('zod', {paths:['/path/to/pnpm/global/node_modules/openclaw']})" → MODULE_NOT_FOUND

Root Cause

dist/plugin-sdk/zod.js contains:

import "../zod-D2c0iocA.js";
export * from "zod";

The second line is a runtime bare import of zod. In pnpm's strict dependency isolation mode, zod is NOT hoisted/symlinked into openclaw/node_modules/ during a global install, so Node.js ESM resolution fails.

Verified by removing the manual fix and re-running pnpm install -g — zod is not linked:

$ ls openclaw/node_modules/
# Only .bin/ directory, no zod symlink

Current Workaround

Manually symlink zod into openclaw's node_modules:

OPENCLAW_DIR=$(pnpm root -g)/openclaw
ZOD_STORE=$(find "$(pnpm store path)" -path "*/[email protected]/node_modules/zod" -type d | head -1)
mkdir -p "$OPENCLAW_DIR/node_modules"
ln -s "$ZOD_STORE" "$OPENCLAW_DIR/node_modules/zod"
openclaw gateway restart

Suggested Fix

The build should inline zod into plugin-sdk/zod.js rather than using a bare runtime import. Since this file is a public API re-export for plugins (import { z } from "openclaw/plugin-sdk/zod"), the bundler (esbuild/rollup) should bundle the zod dependency inline rather than marking it external.

Alternatively, add a postinstall or doctor check that ensures zod is resolvable from the openclaw package location.

Related Issues

  • #12067 — bluebubbles plugin zod error (same root cause, different plugin)
  • #26762 — Extensions with dependencies fail to load when installed via pnpm

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#index setup#retrieval issue#search optimization#API routing

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

openclaw - ✅(Solved) Fix fix(plugin-sdk): zod bare import fails to resolve in pnpm global installs [3 pull requests, 2 comments, 3 participants]