
fix(security): bump openclaw to 2026.3.28 #1144

Open
fdzdev wants to merge 1 commit into NVIDIA:main from fdzdev:fix/openclaw-version-bump

Conversation

fdzdev (Contributor) commented Mar 31, 2026

Summary

  • Bump openclaw from 2026.3.11 to 2026.3.28 (latest stable) (NVBUG 6018704)
  • Addresses CVE-2026-22172 (CRITICAL: WebSocket auth bypass), CVE-2026-29087, CVE-2022-25878
  • Test fixtures in install-preflight.test.js updated to match new version (13 references)
  • Blueprint min_openclaw_version is 2026.3.0, so 2026.3.28 is compatible

Test plan

  • npm install succeeds with no peer dependency conflicts
  • npx vitest run test/install-preflight.test.js — 46 tests pass
  • nemoclaw onboard completes with the new openclaw version
  • Plugin registration and slash commands still work

Summary by CodeRabbit

  • Chores
    • Updated a core CLI dependency to a newer release and updated build base image tooling to match.
  • Tests
    • Synchronized test fixtures, mocked outputs, and generated artifacts across suites to reflect the upgraded dependency.

coderabbitai bot (Contributor) commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8bb88c27-f083-4ab3-b524-f38f62788016

📥 Commits

Reviewing files that changed from the base of the PR and between a634c6a and a6ae6b8.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • Dockerfile.base
  • package.json
  • test/Dockerfile.sandbox
  • test/install-preflight.test.js
✅ Files skipped from review due to trivial changes (3)
  • Dockerfile.base
  • package.json
  • test/Dockerfile.sandbox
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/install-preflight.test.js

📝 Walkthrough

Walkthrough

Updated OpenClaw version references from 2026.3.11 to 2026.3.28 across package metadata, Docker base image installation, and multiple test fixture stubs and generated JSON fixtures.

Changes

Cohort / File(s) | Summary
Package manifest: package.json | Bumped dependencies.openclaw from 2026.3.11 to 2026.3.28.
Test fixtures & mocks: test/install-preflight.test.js, test/Dockerfile.sandbox | Replaced 2026.3.11 with 2026.3.28 in mocked package.json outputs, npm pack tarball names, and generated JSON fixture fields (wizard.lastRunVersion, meta.lastTouchedVersion).
Docker base image: Dockerfile.base | Changed global npm install -g openclaw@2026.3.11 to openclaw@2026.3.28; other Dockerfile content unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hopped through files both near and far,
Bumped a version—now we shine like a star.
From manifests to tests, neat and fleet,
2026.3.28—what a treat! ✨

🚥 Pre-merge checks: 3 passed
Check name | Status | Explanation
Description Check | Passed | Check skipped: CodeRabbit's high-level summary is enabled.
Title check | Passed | The title clearly and specifically describes the main change: upgrading the openclaw dependency to version 2026.3.28, which is the primary objective of the PR addressing security vulnerabilities.
Docstring Coverage | Passed | Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.


coderabbitai bot (Contributor) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/install-preflight.test.js (1)

32-32: Consider centralizing the OpenClaw test version into one constant.

"2026.3.28" is repeated in many fixtures; a single OPENCLAW_VERSION constant would make future security bumps safer and less error-prone.

♻️ Refactor sketch
+const OPENCLAW_VERSION = "2026.3.28";
...
-echo "2026.3.28"
+echo "${OPENCLAW_VERSION}"
...
-`openclaw-2026.3.28.tgz`
+`openclaw-${OPENCLAW_VERSION}.tgz`

Also applies to: 146-146, 240-240, 382-382, 452-452, 510-510, 573-573, 691-691, 987-987, 1046-1046, 1465-1465, 1505-1505, 1546-1546

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/install-preflight.test.js` at line 32, Centralize the repeated OpenClaw
version by adding a single constant OPENCLAW_VERSION (e.g., at the top of
test/install-preflight.test.js) and replace all hard-coded "2026.3.28" literals
in fixtures (the echo "2026.3.28" occurrences noted across the file) with that
constant; update any helper/fixture-generation functions that emit the version
so they reference OPENCLAW_VERSION (search for echo "2026.3.28" instances and
replace them) to make future version bumps a single change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 19: The package.json bump sets "openclaw": "2026.3.28" but
Dockerfile.base still installs openclaw@2026.3.11; update the Dockerfile.base
installation step that pins openclaw (the RUN/npm/yarn install line referencing
openclaw@2026.3.11) to use openclaw@2026.3.28 so all install paths match the
package.json pin.

---

Nitpick comments:
In `@test/install-preflight.test.js`:
- Line 32: Centralize the repeated OpenClaw version by adding a single constant
OPENCLAW_VERSION (e.g., at the top of test/install-preflight.test.js) and
replace all hard-coded "2026.3.28" literals in fixtures (the echo "2026.3.28"
occurrences noted across the file) with that constant; update any
helper/fixture-generation functions that emit the version so they reference
OPENCLAW_VERSION (search for echo "2026.3.28" instances and replace them) to
make future version bumps a single change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e5f016ab-4216-41e5-aff0-0c862899477e

📥 Commits

Reviewing files that changed from the base of the PR and between 836a05c and a634c6a.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • test/install-preflight.test.js

cv (Contributor) left a review comment

Please address #1144 (comment)

fdzdev (Contributor, Author) commented Mar 31, 2026

ugh. lovely.

Addresses CVE-2026-22172 (CRITICAL, WebSocket auth bypass),
CVE-2026-29087, and CVE-2022-25878 in openclaw@2026.3.11.
Updated from 2026.3.11 to 2026.3.28 (latest stable).
Test fixtures updated to match (NVBUG 6018704).

Made-with: Cursor
fdzdev force-pushed the fix/openclaw-version-bump branch from a634c6a to a6ae6b8 on March 31, 2026 at 06:26

fdzdev (Contributor, Author) commented Mar 31, 2026

Addressed — Dockerfile.base now pins openclaw@2026.3.28 (was the missing piece). Also updated version metadata in test/Dockerfile.sandbox.

All openclaw version references are now consistent across package.json, package-lock.json, Dockerfile.base, and test fixtures.


Labels

  • enhancement: provider (Use this label to identify requests to add a new AI provider to NemoClaw.)
  • Integration: OpenClaw (Support for OpenClaw)
  • priority: high (Important issue that should be resolved in the next release)
  • security (Something isn't secure)

3 participants