chore(deps): update ghcr.io/openclaw/openclaw docker tag to v2026.4.14 #20
Reference
les_clankeurs/openclaw-image-2!20
This PR contains the following updates:
2026.4.12 → 2026.4.14
Release Notes
openclaw/openclaw (ghcr.io/openclaw/openclaw)
v2026.4.14
Compare Source
Changes
gpt-5.4-pro, including Codex pricing/limits and list/status visibility before the upstream catalog catches up. (#66453) Thanks @jepson-liu.
Fixes
apiKey in the codex provider catalog output so the Pi ModelRegistry validator no longer rejects the entry and silently drops all custom models from every provider in models.json. (#66180) Thanks @hoyyeva.
allowFrom owner allowlist to channel block-action and modal interactive events, require an expected sender id for cross-verification, and reject ambiguous channel types so interactive triggers can no longer bypass the documented allowlist intent in channels without a users list. Open-by-default behavior is preserved when no allowlists are configured. (#66028) Thanks @eleqtrizit.
realpath, so a realpath error can no longer downgrade the canonical-roots allowlist check to a non-canonical comparison; attachments that also have a URL still fall back to the network fetch path. (#66022) Thanks @eleqtrizit.
config.patch and config.apply calls from the model-facing gateway tool when they would newly enable any flag enumerated by openclaw security audit (for example dangerouslyDisableDeviceAuth, allowInsecureAuth, dangerouslyAllowHostHeaderOriginFallback, hooks.gmail.allowUnsafeExternalContent, tools.exec.applyPatch.workspaceOnly: false); already-enabled flags pass through unchanged so non-dangerous edits in the same patch still apply, and direct authenticated operator RPC behavior is unchanged. (#62006) Thanks @eleqtrizit.
/openai suffix from configured Google base URLs only when calling the native Gemini image API so Gemini image requests stop 404ing without breaking explicit OpenAI-compatible Google endpoints. (#66445) Thanks @dapzthelegend.
openclaw doctor --repair and service reinstall from re-embedding dotenv-backed secrets in user systemd units, while preserving newer inline overrides over stale state-dir .env values. (#66249) Thanks @tmimmanuel.
stream_options.include_usage for Ollama streaming completions so local Ollama runs report real usage instead of falling back to bogus prompt-token counts that trigger premature compaction. (#64568) Thanks @xchunzhao and @vincentkoc.
preferOver catalog lookups within each plugin auto-enable pass so large agents.list configs no longer peg CPU and repeatedly reread plugin catalogs during doctor/plugins resolution. (#66246) Thanks @yfge.
github-copilot/gpt-5.4 to use xhigh reasoning so Copilot GPT-5.4 matches the rest of the GPT-5.4 family. (#50168) Thanks @jakepresent and @vincentkoc.
Unknown memory embedding provider. (#66452) Thanks @jlapenna.
agents.defaults.contextTokens is the real limit. (#66236) Thanks @ImLukeF.
/json/new fallback requests on the local CDP control policy so browser follow-up fixes stop regressing normal navigation or self-blocking local CDP control. (#66386) Thanks @obviyus.
openai-codex/gpt-5.4-codex runtime alias to openai-codex/gpt-5.4 while still honoring alias-specific and canonical per-model overrides. (#43060) Thanks @Sapientropic and @vincentkoc.
browser.ssrfPolicy.allowPrivateNetwork: false configs by normalizing the legacy alias to the canonical strict marker instead of silently widening those installs to the default non-strict hostname-navigation path.
max_tokens=16 for OpenAI-compatible verification probes so stricter custom endpoints stop rejecting onboarding checks that only need a tiny completion. (#66450) Thanks @WuKongAI-CMU.
ERR_MODULE_NOT_FOUND at runtime. (#66420) Thanks @obviyus.
HTTP_PROXY/HTTPS_PROXY is active and the target is not bypassed by NO_PROXY, so remote media-understanding and transcription requests stop failing local DNS pre-resolution in proxy-only environments without widening SSRF bypasses. (#52162) Thanks @mjamiv and @vincentkoc.
could not download media on Bot API file downloads after the DNS-pinning regression. (#66245) Thanks @dawei41468 and @vincentkoc.
afterTurn is absent, so long-running tool loops can stay bounded without dropping engine state. (#63555) Thanks @Bikkies.
/status interactions instead of falling through to the synthetic ✅ Done. ack when the generic dispatcher produces no visible reply. (#54629) Thanks @tkozzer and @vincentkoc.
agents.defaults.timeoutSeconds override instead of always aborting after 15 seconds, so slow local Ollama runs stop silently dropping back to generic filenames. (#66237) Thanks @dmak and @vincentkoc.
.aac filenames to .m4a for OpenAI-compatible audio uploads so AAC voice notes stop failing MIME-sensitive transcription endpoints. (#66446) Thanks @ben-z.
sendPolicy: "deny" from blocking inbound message processing, so the agent still runs its turn while all outbound delivery is suppressed for observer-style setups. (#65461, #53328) Thanks @omarshahine.
hook:wake system events [AI-assisted]. (#66031) Thanks @pgondhi987.
sourceConfig and runtimeConfig alias fields in redactConfigSnapshot [AI]. (#66030) Thanks @pgondhi987.
plugins inspect instead of the owning plugin ID, so non-matching engine IDs and multi-engine plugins are classified correctly. (#58766) Thanks @zhuisDEV.
info.id does not match their registered slot id, so malformed engines fail fast before id-based runtime branches can misbehave. (#63222) Thanks @fuller-stack-dev.
ENOENT crashes on image sends. (#65896) Thanks @frankekn.
dist/entry.js and current dist/index.js paths. (#65984) Thanks @mbelinky.
target=last, instead of dropping them into the group root chat. (#66035) Thanks @mbelinky.
heartbeat targets from poisoning later cron or user delivery. (#66073, #63733, #35300) Thanks @mbelinky.
manual-cdp profiles reuse the local loopback CDP control plane under strict default policy and remote-class probe timeouts, so tabs/snapshot stop falsely reporting a live local browser session as not running. (#65611, #66080) Thanks @mbelinky.
session context on queued delivery entries and replay it during recovery, so write-ahead-queued sends keep their original outbound media policy context after restart instead of evaluating against a missing session. (#66025) Thanks @eleqtrizit.
ollama embedding adapter in memory-core so explicit memorySearch.provider: "ollama" works again, and include endpoint-aware cache keys so different Ollama hosts do not reuse each other's embeddings. (#63429, #66078, #66163) Thanks @nnish16 and @vincentkoc.
memory-wiki gateway methods when the plugin is off, and refresh config before wiki reloads so the Dreaming tab stops showing misleading unknown-method failures. (#66140) Thanks @mbelinky.
memory.md as a second default root collection, so QMD recall no longer searches phantom memory-alt-* collections and builtin/QMD root-memory fallback stays aligned. (#66141) Thanks @mbelinky.
dist/agents/subagent-registry.runtime.js in npm builds so runtime: "subagent" runs stop stalling in queued after the registry import fails. (#66189) Thanks @yqli2420 and @vincentkoc.
minimal thinking to OpenAI's supported low reasoning effort for GPT-5.4 requests, so embedded runs stop failing request validation. Thanks @steipete.
webhookSecurity.trustForwardingHeaders and trustedProxyIPs are configured, and reserve maxConnections capacity for in-flight WebSocket upgrades so concurrent handshakes can no longer momentarily exceed the operator-set cap. (#66027) Thanks @eleqtrizit.
user/chat kind, strip repeated feishu:/lark: provider prefixes, and stop folding opaque Feishu IDs to lowercase, so allowlist matching no longer crosses user/chat namespaces or widens to case-insensitive ID matches the operator did not intend. (#66021) Thanks @eleqtrizit.
/export-session on the normal lane so it cannot interleave with an in-flight session mutation. (#66226) Thanks @VACInc and @vincentkoc.
C:\\...) as absolute when resolving sandbox and read-tool paths so workspace root is not prepended under POSIX path rules. (#54039) Thanks @ly85206559 and @vincentkoc.
No channel reply., Replied in-thread., Replied in #..., wiki-update status variants ending in No channel reply.) before channel delivery so internal housekeeping text does not leak to users.
openclaw cron no longer fall back to Slack's broader contract surface, which could trigger Slack-related config-read crashes on affected setups. (#63192) Thanks @shhtheonlyperson.
/new and /reset session-memory hooks so reset snapshots stay scoped to the right agent workspace instead of leaking into the default workspace. (#64735) Thanks @suboss87 and @vincentkoc.
openclaw approvals get gateway timeout and report config-load timeouts explicitly, so slow hosts stop showing a misleading Config unavailable. note when the approvals snapshot succeeds but the follow-up config RPC needs more time. (#66239) Thanks @neeravmakwana.
Configuration
📅 Schedule: Branch creation - Every minute ( * * * * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.