GHSA-w6wx-jq6j-6mcj: OpenClaw: pnpm dlx approvals did not bind local script operands

April 7, 2026

Before OpenClaw 2026.4.2, pnpm dlx approval planning did not bind local script operands the same way as related pnpm exec flows. A local script approved through a pnpm dlx path could be replaced before execution without invalidating the approval.

References

github.com/advisories/GHSA-w6wx-jq6j-6mcj
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff
github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj

Code Behaviors & Features

Detect and mitigate GHSA-w6wx-jq6j-6mcj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →