#General question about keeping OpenClaw up-to-date / Avoid NPM Infrastructure Attacks


keen blaze

$ openclaw doctor
This install is not a git checkout.
Run openclaw update to update via your package manager (npm/pnp), then rerun doctor.

I usually update OpenClaw using the official 'openclaw update', not 'npm update -g openclaw'. I want to reduce npm (same with pip, btw) supply chain infrastructure attacks that potentially come with the risk of putting millions of packages at risk.

Question:
Generally speaking, is there a safer way to do regular updates than openclaw update, like git clone and build?

dark pythonBOT

Short answer: yes, a git/source install is the better fit if your goal is to avoid updating the published npm package itself.

A few important nuances though:

  • openclaw update is not a separate magic updater. On a normal global install, it just uses the detected package manager (npm/pnpm/bun) under the hood.
  • If you switch to a git install, openclaw update changes behavior and follows the git checkout flow instead.
  • That said, a git build does not remove JS supply-chain risk entirely, because building still pulls dependencies from the ecosystem unless you add your own pinning/caching/review process.

So the tradeoff is basically:

  1. Current npm install + openclaw update

    • easiest
    • still trusts the published openclaw package
  2. Git install + openclaw update

    • avoids trusting the published openclaw npm package for core updates
    • lets you pin/review tags or commits

My practical recommendation: if your threat model is specifically “I don’t want to trust npm-published app updates for core OpenClaw”, use the git install, stay on stable tags, and update manually instead of enabling auto-update. That’s a pretty reasonable middle ground.
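The answer above twice mentions a pinning/review process (reviewing tags or commits, and the fact that a source build still pulls dependencies). The script below is an added example of what that review step can look like in practice; it is not OpenClaw's own tooling. It compares the "packages" map of two package-lock.json files (the lockfile v2/v3 layout that npm writes) and flags the things a reviewer should look at before accepting an update: newly added packages, version bumps, packages that gained an install script (the `hasInstallScript` lockfile field), tarballs resolved from somewhere other than the expected registry, and a same-version tarball whose integrity hash changed. The two lockfiles and the `REGISTRY` value are constructed sample data, not taken from the project.

```python
"""Review what changes between two npm lockfiles before updating.

Added example for this thread, not OpenClaw's own tooling. Both lockfiles
below are constructed sample data in the lockfile v2/v3 layout.
"""
import json

REGISTRY = "https://registry.npmjs.org/"  # assumed trusted registry (constructed)

# Constructed sample: the lockfile currently installed.
OLD_LOCK = json.dumps({
    "name": "openclaw", "lockfileVersion": 3,
    "packages": {
        "": {"name": "openclaw", "version": "1.2.0"},
        "node_modules/chalk": {"version": "5.3.0",
            "resolved": REGISTRY + "chalk/-/chalk-5.3.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/ws": {"version": "8.17.0",
            "resolved": REGISTRY + "ws/-/ws-8.17.0.tgz",
            "integrity": "sha512-BBBB"},
    },
})

# Constructed sample: the lockfile the update would bring in.
NEW_LOCK = json.dumps({
    "name": "openclaw", "lockfileVersion": 3,
    "packages": {
        "": {"name": "openclaw", "version": "1.3.0"},
        "node_modules/chalk": {"version": "5.3.0",
            "resolved": REGISTRY + "chalk/-/chalk-5.3.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/ws": {"version": "8.18.0",
            "resolved": REGISTRY + "ws/-/ws-8.18.0.tgz",
            "integrity": "sha512-CCCC"},
        "node_modules/left-shim": {"version": "0.0.1",
            "resolved": "https://example.invalid/left-shim-0.0.1.tgz",
            "integrity": "sha512-DDDD", "hasInstallScript": True},
    },
})


def load_packages(lock_text):
    """Return {package path: metadata} for a v2/v3 lockfile, skipping the root entry."""
    data = json.loads(lock_text)
    return {p: m for p, m in data.get("packages", {}).items() if p}


def review_lockfile(old_text, new_text, registry=REGISTRY):
    """Summarise the dependency changes that deserve a human look before updating."""
    old, new = load_packages(old_text), load_packages(new_text)
    report = {"added": [], "removed": [], "changed": [], "install_scripts": [],
              "off_registry": [], "integrity_changed_same_version": []}
    for path in sorted(set(old) | set(new)):
        o, n = old.get(path), new.get(path)
        name = path.split("node_modules/")[-1]  # last segment handles nested deps
        if o is None:
            report["added"].append((name, n["version"]))
        elif n is None:
            report["removed"].append((name, o["version"]))
        elif o.get("version") != n.get("version"):
            report["changed"].append((name, o["version"], n["version"]))
        elif o.get("integrity") != n.get("integrity"):
            # Same version, different tarball hash: a republished tarball, not a normal bump.
            report["integrity_changed_same_version"].append(name)
        if n is not None:
            # A package that newly runs code at install time widens what `npm ci` executes.
            if n.get("hasInstallScript") and not (o or {}).get("hasInstallScript"):
                report["install_scripts"].append(name)
            # Tarballs pulled from outside the expected registry bypass its controls.
            if not str(n.get("resolved", "")).startswith(registry):
                report["off_registry"].append((name, n.get("resolved")))
    return report


def needs_manual_review(report):
    """True when the update brings in something a pin-and-review process should not auto-accept."""
    return bool(report["added"] or report["install_scripts"]
                or report["off_registry"] or report["integrity_changed_same_version"])


if __name__ == "__main__":
    r = review_lockfile(OLD_LOCK, NEW_LOCK)
    for key, items in r.items():
        print(f"{key}: {items}")
    print("manual review needed:", needs_manual_review(r))
```

In a real workflow the two inputs would be the lockfile at the tag you are on and the lockfile at the tag you are considering; version bumps of packages you already trust are routine, while the added package, the install script and the off-registry tarball in the sample are the cases that should stop an automatic update and get a look first.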

keen blaze

Thanks Krill, fantastic response as usual. I'll stick with openclaw update then...

dark pythonBOT

Yep, that’s a perfectly reasonable choice.

openclaw update is the practical default, and if you want a little extra caution you can always do:

openclaw update --dry-run
openclaw update
openclaw doctor

That gives you a quick preview before it changes anything.

Glad that helped 🎉