Skip to content

build(deps): bump github.com/openclaw/crawlkit from 0.13.1 to 0.13.3#36

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/openclaw/crawlkit-0.13.3
Closed

build(deps): bump github.com/openclaw/crawlkit from 0.13.1 to 0.13.3#36
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/openclaw/crawlkit-0.13.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/openclaw/crawlkit from 0.13.1 to 0.13.3.

Release notes

Sourced from github.com/openclaw/crawlkit's releases.

Crawlkit v0.13.3

Changes

  • Update the TOML parser to v2.4.3 for recursion, panic, and deeply nested input hardening.
  • Keep paired CodeQL actions on one version during dependency updates and update TruffleHog to v3.95.8.

Verification

  • Linux: module tidy, vet, dead-code scan, vulnerability scan, tests, and race tests
  • Windows: full test suite
  • CodeQL and secret scanning
  • Downstream compatibility: gitcrawl, discrawl, notcrawl, wacrawl, telecrawl, and slacrawl test suites against the release candidate

Crawlkit v0.13.2

Changes

  • Add explicit monotonic snapshot merge planning and import-impact reporting so cache consumers can apply changed shards without silently replacing local rows, while exact mirrors retain replacement semantics.

Verification

  • Linux: module tidy, vet, vulnerability scan, tests, race tests
  • Windows: full test suite
  • CodeQL and secret scanning
Changelog

Sourced from github.com/openclaw/crawlkit's changelog.

v0.13.3 - 2026-07-06

  • Update the TOML parser to v2.4.3 for recursion, panic, and deeply nested input hardening.
  • Keep paired CodeQL actions on one version during dependency updates and update TruffleHog to v3.95.8.

v0.13.2 - 2026-07-02

  • Add explicit monotonic snapshot merge planning and import-impact reporting so cache consumers can apply changed shards without silently replacing local rows, while exact mirrors retain replacement semantics.
Commits
  • affaed1 chore(release): prepare v0.13.3
  • 8f5e50b build(deps): bump github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3 (#47)
  • 06bb3ae fix(ci): keep CodeQL action updates in lockstep (#46)
  • 3c1dc6d build(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.8 (#44)
  • 009c5f5 chore: reopen changelog after v0.13.2
  • a8c08fa chore(release): prepare v0.13.2
  • f4cb025 feat(snapshot): add safe merge import plans (#42)
  • d9bb157 build(deps): bump github.com/pelletier/go-toml/v2 to 2.4.2
  • baf4d6c build(deps): bump modernc.org/sqlite to 1.53.0
  • de6c38a build(deps): bump actions/setup-go to 6.5.0
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/openclaw/crawlkit](https://github.com/openclaw/crawlkit) from 0.13.1 to 0.13.3.
- [Release notes](https://github.com/openclaw/crawlkit/releases)
- [Changelog](https://github.com/openclaw/crawlkit/blob/main/CHANGELOG.md)
- [Commits](openclaw/crawlkit@v0.13.1...v0.13.3)

---
updated-dependencies:
- dependency-name: github.com/openclaw/crawlkit
  dependency-version: 0.13.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 8, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 8, 2026 06:43
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 8, 2026
@github-actions github-actions Bot added the build label Jul 8, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgithub.com/​openclaw/​crawlkit@​v0.13.1 ⏵ v0.13.391 +1100100100100
Updatedgithub.com/​pelletier/​go-toml/​v2@​v2.4.2 ⏵ v2.4.399100100100100

View full report

@clawsweeper

clawsweeper Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 8, 2026, 2:49 AM ET / 06:49 UTC.

Summary
Updates go.mod and go.sum from github.com/openclaw/crawlkit v0.13.1 to v0.13.3 and github.com/pelletier/go-toml/v2 v2.4.2 to v2.4.3.

Reproducibility: not applicable. this is a dependency update PR, not a bug report. The relevant current-main check is that go.mod still pins crawlkit v0.13.1 while the PR updates it to v0.13.3.

Review metrics: 2 noteworthy metrics.

  • Dependency files changed: 2 modified; 6 additions, 6 deletions. The patch is confined to go.mod and go.sum, which keeps the review surface narrow.
  • Observed PR checks: 12 successful, 1 skipped. CI, CodeQL, secret scanning, and Socket passed on the PR head, with only the release draft update skipped.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Next step before merge

  • [P2] No repair lane is needed because the narrow bot dependency bump has no actionable review finding and should proceed through normal dependency PR merge gates.

Security
Cleared: The diff only updates existing Go module checksums for an OpenClaw dependency and its TOML parser dependency; upstream release notes, Socket, CodeQL, and secret scanning show no concrete supply-chain concern.

Review details

Best possible solution:

Merge the dependency-only update through the normal protected dependency PR path if maintainers are satisfied with the green checks and release-owner review.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency update PR, not a bug report. The relevant current-main check is that go.mod still pins crawlkit v0.13.1 while the PR updates it to v0.13.3.

Is this the best way to solve the issue?

Yes: the narrow go.mod/go.sum update is the maintainable path for this Dependabot bump, and no duplicate implementation or source-code change is needed.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against b5c480e0492b.

Label changes

Label changes:

  • add P3: This is a low-risk routine dependency patch with a narrow diff and green validation rather than an urgent user-facing defect.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency update, so the external contributor real-behavior proof gate does not apply; CI provides supplemental validation.

Label justifications:

  • P3: This is a low-risk routine dependency patch with a narrow diff and green validation rather than an urgent user-facing defect.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency update, so the external contributor real-behavior proof gate does not apply; CI provides supplemental validation.
Evidence reviewed

What I checked:

  • Current main still has old versions: go.mod on current main requires github.com/openclaw/crawlkit v0.13.1 and github.com/pelletier/go-toml/v2 v2.4.2, so the PR is not already implemented on main. (go.mod:6, b5c480e0492b)
  • PR diff is dependency-only: The PR diff changes only go.mod and go.sum, replacing crawlkit v0.13.1/v2.4.2 checksums with crawlkit v0.13.3 and go-toml v2.4.3 checksums. (go.mod:6, de95f9e5d0e5)
  • Crawlkit release purpose: The v0.13.3 upstream release notes describe TOML parser hardening plus CI/security workflow dependency updates, with downstream compatibility suites run against the release candidate.
  • Local crawlkit call surface inspected: graincrawl currently uses crawlkit snapshot Import with DB, RootDir, and DeleteTables, and imports crawlkit config App; the upstream v0.13.3 snapshot API keeps the ImportOptions fields and replacement Import behavior used here. (internal/portable/snapshot.go:35, b5c480e0492b)
  • PR checks passed: GitHub reported successful CI deps, lint, test, release-check, CodeQL, secret scanning, and Socket checks for the PR head; the only skipped check was release draft update. (de95f9e5d0e5)
  • Release-integrity ownership: CODEOWNERS marks go.mod and go.sum as release and package integrity surfaces owned by the OpenClaw secops team, which is relevant routing context for dependency updates. (.github/CODEOWNERS:8, b5c480e0492b)

Likely related people:

  • vincentkoc: GitHub auto-assigned vincentkoc to this PR, and local history shows prior work on dependency, release-check, and protected automation surfaces relevant to go.mod/go.sum changes. (role: assigned reviewer and adjacent dependency/release contributor; confidence: medium; commits: 4feeb7b5c023, 6bec62d9fa1c, 1b6d3d130cf8; files: go.mod, go.sum, .github/CODEOWNERS)
  • steipete: Peter Steinberger introduced the current release baseline in this checkout and authored the upstream crawlkit snapshot planning change included between v0.13.1 and v0.13.3. (role: recent release baseline and upstream crawlkit contributor; confidence: medium; commits: 2cc577b8ebf4, 2ed582cc1bef, f4cb0257b20b; files: go.mod, go.sum, internal/portable/snapshot.go)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 8, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Looks like github.com/openclaw/crawlkit is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 9, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/openclaw/crawlkit-0.13.3 branch July 9, 2026 10:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

build dependencies Pull requests that update a dependency file go Pull requests that update go code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant