Skip to content

build(deps): bump github.com/openclaw/crawlkit from 0.13.1 to 0.13.3#36

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/openclaw/crawlkit-0.13.3
Open

build(deps): bump github.com/openclaw/crawlkit from 0.13.1 to 0.13.3#36
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/openclaw/crawlkit-0.13.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/openclaw/crawlkit from 0.13.1 to 0.13.3.

Release notes

Sourced from github.com/openclaw/crawlkit's releases.

Crawlkit v0.13.3

Changes

  • Update the TOML parser to v2.4.3 for recursion, panic, and deeply nested input hardening.
  • Keep paired CodeQL actions on one version during dependency updates and update TruffleHog to v3.95.8.

Verification

  • Linux: module tidy, vet, dead-code scan, vulnerability scan, tests, and race tests
  • Windows: full test suite
  • CodeQL and secret scanning
  • Downstream compatibility: gitcrawl, discrawl, notcrawl, wacrawl, telecrawl, and slacrawl test suites against the release candidate

Crawlkit v0.13.2

Changes

  • Add explicit monotonic snapshot merge planning and import-impact reporting so cache consumers can apply changed shards without silently replacing local rows, while exact mirrors retain replacement semantics.

Verification

  • Linux: module tidy, vet, vulnerability scan, tests, race tests
  • Windows: full test suite
  • CodeQL and secret scanning
Changelog

Sourced from github.com/openclaw/crawlkit's changelog.

v0.13.3 - 2026-07-06

  • Update the TOML parser to v2.4.3 for recursion, panic, and deeply nested input hardening.
  • Keep paired CodeQL actions on one version during dependency updates and update TruffleHog to v3.95.8.

v0.13.2 - 2026-07-02

  • Add explicit monotonic snapshot merge planning and import-impact reporting so cache consumers can apply changed shards without silently replacing local rows, while exact mirrors retain replacement semantics.
Commits
  • affaed1 chore(release): prepare v0.13.3
  • 8f5e50b build(deps): bump github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3 (#47)
  • 06bb3ae fix(ci): keep CodeQL action updates in lockstep (#46)
  • 3c1dc6d build(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.8 (#44)
  • 009c5f5 chore: reopen changelog after v0.13.2
  • a8c08fa chore(release): prepare v0.13.2
  • f4cb025 feat(snapshot): add safe merge import plans (#42)
  • d9bb157 build(deps): bump github.com/pelletier/go-toml/v2 to 2.4.2
  • baf4d6c build(deps): bump modernc.org/sqlite to 1.53.0
  • de6c38a build(deps): bump actions/setup-go to 6.5.0
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/openclaw/crawlkit](https://github.com/openclaw/crawlkit) from 0.13.1 to 0.13.3.
- [Release notes](https://github.com/openclaw/crawlkit/releases)
- [Changelog](https://github.com/openclaw/crawlkit/blob/main/CHANGELOG.md)
- [Commits](openclaw/crawlkit@v0.13.1...v0.13.3)

---
updated-dependencies:
- dependency-name: github.com/openclaw/crawlkit
  dependency-version: 0.13.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 8, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 8, 2026 06:43
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 8, 2026
@github-actions github-actions Bot added the build label Jul 8, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgithub.com/​openclaw/​crawlkit@​v0.13.1 ⏵ v0.13.391 +1100100100100
Updatedgithub.com/​pelletier/​go-toml/​v2@​v2.4.2 ⏵ v2.4.399100100100100

View full report

@clawsweeper

clawsweeper Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 8, 2026, 2:49 AM ET / 06:49 UTC.

Summary
Updates go.mod and go.sum from github.com/openclaw/crawlkit v0.13.1 to v0.13.3 and github.com/pelletier/go-toml/v2 v2.4.2 to v2.4.3.

Reproducibility: not applicable. this is a dependency update PR, not a bug report. The relevant current-main check is that go.mod still pins crawlkit v0.13.1 while the PR updates it to v0.13.3.

Review metrics: 2 noteworthy metrics.

  • Dependency files changed: 2 modified; 6 additions, 6 deletions. The patch is confined to go.mod and go.sum, which keeps the review surface narrow.
  • Observed PR checks: 12 successful, 1 skipped. CI, CodeQL, secret scanning, and Socket passed on the PR head, with only the release draft update skipped.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Next step before merge

  • [P2] No repair lane is needed because the narrow bot dependency bump has no actionable review finding and should proceed through normal dependency PR merge gates.

Security
Cleared: The diff only updates existing Go module checksums for an OpenClaw dependency and its TOML parser dependency; upstream release notes, Socket, CodeQL, and secret scanning show no concrete supply-chain concern.

Review details

Best possible solution:

Merge the dependency-only update through the normal protected dependency PR path if maintainers are satisfied with the green checks and release-owner review.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency update PR, not a bug report. The relevant current-main check is that go.mod still pins crawlkit v0.13.1 while the PR updates it to v0.13.3.

Is this the best way to solve the issue?

Yes: the narrow go.mod/go.sum update is the maintainable path for this Dependabot bump, and no duplicate implementation or source-code change is needed.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against b5c480e0492b.

Label changes

Label changes:

  • add P3: This is a low-risk routine dependency patch with a narrow diff and green validation rather than an urgent user-facing defect.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency update, so the external contributor real-behavior proof gate does not apply; CI provides supplemental validation.

Label justifications:

  • P3: This is a low-risk routine dependency patch with a narrow diff and green validation rather than an urgent user-facing defect.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency update, so the external contributor real-behavior proof gate does not apply; CI provides supplemental validation.
Evidence reviewed

What I checked:

  • Current main still has old versions: go.mod on current main requires github.com/openclaw/crawlkit v0.13.1 and github.com/pelletier/go-toml/v2 v2.4.2, so the PR is not already implemented on main. (go.mod:6, b5c480e0492b)
  • PR diff is dependency-only: The PR diff changes only go.mod and go.sum, replacing crawlkit v0.13.1/v2.4.2 checksums with crawlkit v0.13.3 and go-toml v2.4.3 checksums. (go.mod:6, de95f9e5d0e5)
  • Crawlkit release purpose: The v0.13.3 upstream release notes describe TOML parser hardening plus CI/security workflow dependency updates, with downstream compatibility suites run against the release candidate.
  • Local crawlkit call surface inspected: graincrawl currently uses crawlkit snapshot Import with DB, RootDir, and DeleteTables, and imports crawlkit config App; the upstream v0.13.3 snapshot API keeps the ImportOptions fields and replacement Import behavior used here. (internal/portable/snapshot.go:35, b5c480e0492b)
  • PR checks passed: GitHub reported successful CI deps, lint, test, release-check, CodeQL, secret scanning, and Socket checks for the PR head; the only skipped check was release draft update. (de95f9e5d0e5)
  • Release-integrity ownership: CODEOWNERS marks go.mod and go.sum as release and package integrity surfaces owned by the OpenClaw secops team, which is relevant routing context for dependency updates. (.github/CODEOWNERS:8, b5c480e0492b)

Likely related people:

  • vincentkoc: GitHub auto-assigned vincentkoc to this PR, and local history shows prior work on dependency, release-check, and protected automation surfaces relevant to go.mod/go.sum changes. (role: assigned reviewer and adjacent dependency/release contributor; confidence: medium; commits: 4feeb7b5c023, 6bec62d9fa1c, 1b6d3d130cf8; files: go.mod, go.sum, .github/CODEOWNERS)
  • steipete: Peter Steinberger introduced the current release baseline in this checkout and authored the upstream crawlkit snapshot planning change included between v0.13.1 and v0.13.3. (role: recent release baseline and upstream crawlkit contributor; confidence: medium; commits: 2cc577b8ebf4, 2ed582cc1bef, f4cb0257b20b; files: go.mod, go.sum, internal/portable/snapshot.go)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

build dependencies Pull requests that update a dependency file go Pull requests that update go code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant