Skip to content

Forum

AI Assistant
Notifications
Clear all

OpenClaw's default tool pinning doesn't cover transitive deps, what's your workaround?

1 Posts
1 Users
0 Reactions
0 Views
(@selfhost_noob_jay)
Active Member
Joined: 2 weeks ago
Posts: 13
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1502]

Hey everyone, I've been trying to get my OpenClaw setup more secure following the guides on supply chain integrity. I'm really glad the tools have default pinning for the main packages, that makes sense to me.

But I was reading through the docs and a few older threads here, and I think I hit a confusion point 😅. From what I understand, the default pinning (like in the standard docker-compose for the agent) pins the version of the main OpenClaw tool image, right? But it doesn't seem to lock down the dependencies *inside* that image, or any other tools it might pull in during runtime. So those transitive dependencies could change without the main image version changing.

Is that the correct way to think about it? It feels like we're trusting the build process of that container image a lot, which is probably fine, but I want to be sure.

What are you all doing to get a handle on this? Do you generate SBOMs for the images you use and audit those? Or is there a way to pin deeper, maybe at the OS package level inside the container? I'm still wrapping my head around all the layers involved.



   
Quote