mirror of
https://github.com/openclaw/openclaw.git
synced 2026-02-19 18:39:20 -05:00
2ddc13cdb7
SecurityScorecard's STRIKE research recently identified over 40,000 exposed OpenClaw gateway instances, with 35.4% running known-vulnerable versions. The gateway already performs an npm update check on startup and compares against the registry every 24 hours — but the result is only logged to the server console. The control UI has zero visibility into whether the running version is outdated, which means operators have no idea they're exposed unless they happen to read server logs. OpenClaw's user base is broadening well beyond developers who live in terminals. Self-hosters, small teams, and non-technical operators are deploying gateways and relying on the control dashboard as their primary management interface. For these users, security has to be surfaced where they already are — not hidden behind CLI output they will never see. Making version awareness frictionless and actionable is a prerequisite for reducing that 35.4% number. This PR adds a sticky red warning banner to the top of the control UI content area whenever the gateway detects it is running behind the latest published version. The banner includes an "Update now" button wired to the existing update.run RPC (the same mechanism the config page already uses), so operators can act immediately without switching to a terminal. Server side: - Cache the update check result in a module-level variable with a typed UpdateAvailable shape (currentVersion, latestVersion, channel) - Export a getUpdateAvailable() getter for the rest of the process - Add an optional updateAvailable field to SnapshotSchema (backward compatible — old clients ignore it, old servers simply omit it) - Include the cached update status in buildGatewaySnapshot() so it is delivered to every UI client on connect and reconnect UI side: - Add updateAvailable to GatewayHost, AppViewState, and the app's reactive state so it flows through the standard snapshot pipeline - Extract updateAvailable from the hello snapshot in applySnapshot() - Render a .update-banner.callout.danger element with role="alert" as the first child of <main>, before the content header - Wire the "Update now" button to runUpdate(state), the same controller function used by the config tab - Use position:sticky and negative margins to pin the banner edge-to-edge at the top of the scrollable content area