openclaw: 2026.3.12 -> 2026.4.2 (#506908)

  versionCheckHook,

  rolldown,

  installShellFiles,

  version ? "2026.3.12",

  version ? "2026.4.2",

}:

stdenvNoCC.mkDerivation (finalAttrs: {

  pname = "openclaw";

    owner = "openclaw";

    repo = "openclaw";

    tag = "v${finalAttrs.version}";

    hash = "sha256-dGKfXkC7vHflGbg+SkgSMfM5LW8w1YQIWicgp3BKDQ8=";

    hash = "sha256-wVS2OuBNrF1yWjmINxde0kC5mvY2QUUtwYpYrZcARkI=";

  };

  pnpmDepsHash = "sha256-GHTkpwOj2Y29YUcS/kbZlCdo9DL8C3WW3WHe0PMIN/M=";

  pnpmDepsHash = "sha256-aHepSWiQ4+UyjPHBF+4+M9/nFrgfCw422q671saJM+U=";

  pnpmDeps = fetchPnpmDeps {

    inherit (finalAttrs) pname version src;

    installShellFiles

  ];

  preBuild = ''

    rm -rf node_modules/rolldown node_modules/@rolldown/pluginutils

    mkdir -p node_modules/@rolldown

    cp -r ${rolldown}/lib/node_modules/rolldown node_modules/rolldown

    cp -r ${rolldown}/lib/node_modules/@rolldown/pluginutils node_modules/@rolldown/pluginutils

    chmod -R u+w node_modules/rolldown node_modules/@rolldown/pluginutils

  '';

  buildPhase = ''

    runHook preBuild

    pnpm install --frozen-lockfile

    # Replace pnpm-installed rolldown with the Nix-built version

    rm -rf node_modules/rolldown node_modules/@rolldown/pluginutils

    mkdir -p node_modules/@rolldown node_modules/.pnpm/node_modules/@rolldown

    cp -r ${rolldown}/lib/node_modules/rolldown node_modules/rolldown

    cp -r ${rolldown}/lib/node_modules/@rolldown/pluginutils node_modules/@rolldown/pluginutils

    cp -r ${rolldown}/lib/node_modules/rolldown node_modules/.pnpm/node_modules/rolldown

    cp -r ${rolldown}/lib/node_modules/@rolldown/pluginutils node_modules/.pnpm/node_modules/@rolldown/pluginutils

    chmod -R u+w node_modules/rolldown node_modules/@rolldown/pluginutils \

      node_modules/.pnpm/node_modules/rolldown node_modules/.pnpm/node_modules/@rolldown/pluginutils

    # In Nix sandbox, npm install has no network access. Patch the staging

    # script to accept version-mismatched deps from root node_modules

    # instead of falling back to npm install.

    sed -i 's/if (installedVersion === null || !dependencyVersionSatisfied(spec, installedVersion)) {/if (installedVersion === null) {/' scripts/stage-bundled-plugin-runtime-deps.mjs

    pnpm build

    pnpm ui:build

    cp --reflink=auto -r package.json dist node_modules $libdir/

    cp --reflink=auto -r assets docs skills patches extensions $libdir/ 2>/dev/null || true

    cp --reflink=auto -r assets docs skills patches extensions $libdir/

    rm -f $libdir/node_modules/.pnpm/node_modules/clawdbot \

      $libdir/node_modules/.pnpm/node_modules/moltbot \

      $libdir/node_modules/.pnpm/node_modules/openclaw-control-ui

    # Remove broken symlinks created by pnpm workspace linking in extensions

    find $libdir/extensions -xtype l -delete

    makeWrapper ${lib.getExe nodejs_22} $out/bin/openclaw \

      --add-flags "$libdir/dist/index.js" \

      --set NODE_PATH "$libdir/node_modules"

    changelog = "https://github.com/openclaw/openclaw/releases/tag/${finalAttrs.src.tag}";

    license = lib.licenses.mit;

    mainProgram = "openclaw";

    maintainers = with lib.maintainers; [ chrisportela ];

    maintainers = with lib.maintainers; [

      chrisportela

      mkg20001

    ];

    platforms = with lib.platforms; linux ++ darwin;

    knownVulnerabilities = [

      "Project uses LLMs to parse untrusted content, making it vulnerable to prompt injection, while having full access to system by default."