Implementation:Openclaw Openclaw Pnpm Lock Dependency Manifest
| Knowledge Sources | |
|---|---|
| Domains | Dependency_Management, Build_System, Reproducibility |
| Last Updated | 2026-02-06 12:00 GMT |
Overview
The pnpm lockfile that pins exact dependency versions, integrity hashes, and resolution metadata for deterministic, reproducible installs across all OpenClaw workspaces.
Description
The pnpm-lock.yaml file (lockfile version 9.0) is the authoritative record of resolved dependency versions for the entire OpenClaw monorepo. At 11,342 lines, it captures:
- Overrides: Forced version pins for security or compatibility (e.g., `fast-xml-parser: 5.3.4`, `hono: 4.11.7`, `tar: 7.5.7`).
- Importers: Per-workspace dependency resolutions for the root package and workspace packages (extensions, UI, etc.).
- Packages: Complete resolution graph with integrity hashes (SHA-512), peer dependency metadata, and engine requirements.
- Snapshots: Flattened dependency snapshots for efficient installation.
This file ensures that every `pnpm install` produces identical `node_modules/` across all environments (developer machines, CI, Docker builds, production servers).
Usage
This file is auto-generated by `pnpm install` and should be committed to version control. Manual edits are discouraged. When dependency versions change in `package.json`, run `pnpm install` to regenerate. The CLAUDE.md notes: "keep `pnpm-lock.yaml` + Bun patching in sync when touching deps/patches" and "any dependency with `pnpm.patchedDependencies` must use an exact version (no `^`/`~`)".
Code Reference
Source Location
- Repository: Openclaw_Openclaw
- File: pnpm-lock.yaml
- Lines: 1-11342
Signature
```yaml
lockfileVersion: '9.0'
settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false
overrides:
  fast-xml-parser: 5.3.4
  form-data: 2.5.4
  '@hono/node-server>hono': 4.11.7
  hono: 4.11.7
  qs: 6.14.1
  '@sinclair/typebox': 0.34.47
  tar: 7.5.7
  tough-cookie: 4.1.3
importers:
  .:
    dependencies:
      # ... root workspace dependencies
    devDependencies:
      # ... root workspace dev dependencies
packages:
  # ... resolved package metadata with integrity hashes
snapshots:
  # ... flattened dependency snapshots
```
Import
```bash
# Not imported in code; consumed by pnpm CLI:
pnpm install                     # Reads lockfile, installs exact versions
pnpm install --frozen-lockfile   # CI mode: fails if lockfile is outdated
```
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| package.json (root) | JSON | Yes | Root workspace dependency declarations |
| package.json (workspaces) | JSON | Yes | Per-workspace dependency declarations |
| pnpm-workspace.yaml | YAML | Yes | Workspace package glob patterns |
| overrides | YAML (in lockfile) | No | Forced version pins for transitive dependencies |
Outputs
| Name | Type | Description |
|---|---|---|
| node_modules/ | Directory tree | Deterministic dependency installation |
| Integrity verification | SHA-512 hashes | Ensures packages match expected content |
| Peer dependency resolution | Metadata | Resolves peer dependency requirements across workspaces |
Usage Examples
Clean Install from Lockfile
```bash
# Standard install (reads lockfile for exact versions):
pnpm install

# CI frozen install (fails if lockfile doesn't match package.json):
pnpm install --frozen-lockfile

# Update a specific dependency and regenerate lockfile:
pnpm update hono@4.11.7
```
Checking Override Versions
```bash
# Verify overrides are applied:
grep -A 10 'overrides:' pnpm-lock.yaml

# Check a specific package resolution:
grep 'fast-xml-parser' pnpm-lock.yaml
```
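Grep shows that a pin is listed, not that the resolution graph honours it. As an added example (not part of the OpenClaw repository), the JavaScript below scans lockfile text and reports `packages:` entries whose version differs from a plain-name override or that lack a SHA-512 integrity value. `auditLockfile`, the sample lockfile and its placeholder hashes are constructed for illustration, and overrides are assumed to be exact versions as in the list above.

```javascript
// Constructed sample in lockfile v9 layout; integrity values are placeholders.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
overrides:
  hono: 4.11.7
  '@hono/node-server>hono': 4.11.7
  tar: 7.5.7
packages:
  hono@4.11.7:
    resolution: {integrity: sha512-PLACEHOLDER-A==}
  tar@6.2.1:
    resolution: {integrity: sha512-PLACEHOLDER-B==}
  '@sinclair/typebox@0.34.47':
    resolution: {tarball: https://example.invalid/typebox.tgz}
`;

// Hypothetical helper: returns findings; an empty array means both checks passed.
function auditLockfile(text) {
  const overrides = new Map();
  const findings = [];
  const unquote = (s) => s.replace(/^'|'$/g, '');
  let section = null;
  let current = null; // packages entry whose resolution line has not been seen yet
  const flush = () => { if (current) findings.push(`${current}: no sha512 integrity`); current = null; };
  for (const line of text.split(/\r?\n/)) {
    const top = line.match(/^([A-Za-z]+):/);
    if (top) { flush(); section = top[1]; continue; }
    // Entry keys sit at a two-space indent; quoted keys may contain ':' or '@'.
    const key = line.match(/^  ('[^']+'|[^\s':]+):\s*(.*)$/);
    if (section === 'overrides' && key) {
      const name = unquote(key[1]);
      // 'parent>child' selectors are scoped pins; only plain names are compared.
      if (!name.includes('>')) overrides.set(name, unquote(key[2]));
    } else if (section === 'packages' && key) {
      flush();
      current = unquote(key[1]);
      const at = current.lastIndexOf('@'); // last '@' splits name from version
      const pin = overrides.get(current.slice(0, at));
      if (pin && pin !== current.slice(at + 1)) findings.push(`${current}: override pins ${pin}`);
    } else if (section === 'packages' && current && /^ +resolution:/.test(line)) {
      if (/integrity: *sha512-/.test(line)) current = null;
      else flush();
    }
  }
  flush();
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real checkout, pass `auditLockfile` the contents of `pnpm-lock.yaml` (for example via `fs.readFileSync`). A non-empty result in CI is a signal to regenerate the lockfile with `pnpm install` and review the diff.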