dependencies
github-actions[bot] edited this page Feb 26, 2026 · 2 revisions

| Layer | Primary Dependencies | Why It Exists |
|---|---|---|
| Frontend runtime | `react`, `react-dom`, `react-router-dom`, `lucide-react` | UI rendering, routing, iconography. |
| Markdown rendering | `react-markdown`, `remark-gfm` | Render skill docs/readmes and in-app wiki markdown pages. |
| Build tooling | `vite`, `@vitejs/plugin-react`, `typescript` | Fast TS/TSX bundling and production builds. |
| Python utilities | stdlib + ruff/bandit policy from `pyproject.toml` | Validate/package skills and run static checks. |
| Shell automation | `bash`, `jq`, `curl`, `openssl`, `sha256sum`/`shasum` | Feed polling, signing, checksum generation, release checks. |

| Package | Version Constraint | Scope |
|---|---|---|
| `react` / `react-dom` | ^19.2.4 | Frontend runtime |
| `react-router-dom` | ^7.13.1 | Frontend routing |
| `lucide-react` | ^0.575.0 | UI icon set |
| `vite` | ^7.3.1 | Dev server + build |
| `typescript` | ~5.8.2 | Type checking |
| `eslint` | ^9.39.2 | JS/TS linting |
| `@typescript-eslint/*` | ^8.55.0 / ^8.56.0 | TS lint parser/rules |
| `fast-check` | ^4.5.3 | Property/fuzz style tests |

| Override | Pinned Version | Rationale |
|---|---|---|
| `ajv` | 6.14.0 | Security and compatibility stabilization. |
| `balanced-match` | 4.0.3 | Transitive vulnerability control. |
| `brace-expansion` | 5.0.2 | Transitive dependency hardening. |
| `minimatch` | 10.2.1 | Deterministic dependency behavior. |

| Service | Used By | Function |
|---|---|---|
| NVD API (`services.nvd.nist.gov`) | `poll-nvd-cves` workflow + local feed script | Pull CVEs by keyword/date window. |
| GitHub API | Deploy/release workflows | Discover releases, download assets, publish outputs. |
| GitHub Pages | Deploy workflow | Serve static site and mirrored artifacts. |
| ClawHub CLI/registry | Install scripts + optional publish jobs | Install and publish skills. |
| Optional local SMTP/sendmail | `openclaw-audit-watchdog` scripts | Deliver audit reports by email. |

| Tool | Invocation | Coverage |
|---|---|---|
| ESLint | `npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --max-warnings 0` | Frontend and script linting. |
| TypeScript | `npx tsc --noEmit` | Compile-time TS contract checks. |
| Ruff | `ruff check utils/` | Python style and bug pattern checks. |
| Bandit | `bandit -r utils/ -ll` | Python security checks. |
| Trivy | Workflow + optional local run | FS/config vulnerability scans. |
| Gitleaks | `scripts/prepare-to-push.sh` optional local run | Secret leak detection before push. |

```json
{
  "scripts": {
    "dev": "vite",
    "build": "vite build",
    "preview": "vite preview"
  },
  "dependencies": {
    "react": "^19.2.4",
    "react-router-dom": "^7.13.1"
  }
}
```

```toml
[tool.ruff]
target-version = "py310"
line-length = 120

[tool.bandit]
exclude_dirs = ["__pycache__", ".venv"]
skips = ["B101"]
```

- Local scripts account for macOS vs Linux differences in `date` and `stat` usage.
- Some workflows/scripts require OpenSSL features used with Ed25519 and `pkeyutl -rawin`.
- Windows support is strongest for Node-based tooling; POSIX shell paths may require WSL/Git Bash.
- Feed consumers include compatibility bypasses for migration phases, but signed mode is the intended steady state.
- Skill release tags follow `<skill>-v<semver>` and are parsed by CI/deploy automation.
- PR validation enforces version parity between `skill.json` and `SKILL.md` frontmatter for bumped skills.
- The public skills index keeps latest discovered version per skill for UI display.
- Signed artifact manifests (`checksums.json`) are versioned per release and include file hashes and URLs.

- package.json
- package-lock.json
- pyproject.toml
- eslint.config.js
- tsconfig.json
- scripts/prepare-to-push.sh
- scripts/populate-local-feed.sh
- scripts/populate-local-skills.sh
- .github/workflows/ci.yml
- .github/workflows/codeql.yml
- .github/workflows/scorecard.yml
- .github/workflows/poll-nvd-cves.yml
- .github/workflows/deploy-pages.yml
- .github/workflows/skill-release.yml