build(deps): bump undici and openclaw

[dependabot]

Removes undici. It's no longer used after updating ancestor dependency openclaw. These dependencies need to be updated together.

Removes undici

Updates openclaw from 2026.6.1 to 2026.6.9

Release notes

Sourced from openclaw's releases.

openclaw 2026.6.9

2026.6.9

Highlights

• Richer Telegram delivery: Telegram now sends rich HTML, preserves rich markdown and sticker paths, renders progress drafts and command output more faithfully, normalizes HTML tables safely, and keeps mentions and spooled handlers on the right delivery path. (#93286, #93164, #93124, #93364, #93130, #93088, #93281, #94891, #94856) Thanks @​obviyus, @​vincentkoc, @​goutamadwant, @​kesslerio, @​NianJiuZst, @​SweetSophia, @​Marvinthebored, @​aaajiao, @​zhangqueping, and @​jairrab.
• More dependable agent recovery: retries, terminal outcomes, usage after compaction, session history repair, and reply reconciliation now keep more interrupted or partial turns moving toward a visible final result. (#92191, #93073, #93228, #93084, #93469, #93291, #90943) Thanks @​ai-hpc, @​lml2468, @​fuller-stack-dev, @​Hollychou924, @​leno23, @​de1tydev, @​425072024, @​wuwahe3, @​drvoss, @​yetval, @​sandieman2, and @​vincentkoc.
• A stronger Codex integration: Codex gains automatic plugin approvals, GPT-5.3 Spark OAuth routing, remote-node exec as a dynamic tool, and more reliable app-server teardown and terminal outcomes. (#92625, #89133, #93654, #91767, #93287) Thanks @​kevinslin, @​VACInc, @​vincentkoc, @​JPKay-AI, and @​aliahnaf2013-max.
• Standalone official provider plugins: external provider packages are now first-class npm releases, externally installed channel plugins load at Gateway startup, and StepFun is available from npm and ClawHub. (#93470) Thanks @​sunlit-deng, @​cxdnicole, and @​vincentkoc.
• More capable web and native clients: the Control UI adds a session workspace rail and extension health, iOS adds Watch controls, and Android shows chat context. (#92856, #91952, #93387, #92837) Thanks @​Solvely-Colin, @​jalehman, @​joshavant, and @​Tosko4.
• More useful search and skills: Codex Hosted Search is available, key-free search providers remain deliberate opt-ins, and ClawHub skill installs retain verified source provenance. (#93446, #93616, #93283, #93506) Thanks @​fuller-stack-dev, @​davemorin, @​momothemage, @​nmccready-tars, and @​vincentkoc.

Changes

• Providers and auth: add Codex Hosted Search, improve Gemini CLI OAuth behind proxies, and keep external provider onboarding on current choices and package metadata. (#93446, #92815) Thanks @​fuller-stack-dev, @​yetval, @​EvetteYoung, and @​vincentkoc.
• Plugins and installs: externalized official providers publish as independent npm packages, Gateway discovers installed channel plugins at startup, and StepFun installs from npm or ClawHub. (#93470) Thanks @​sunlit-deng, @​cxdnicole, and @​vincentkoc.
• Dashboard and mobile: add a session workspace rail, plugin health in status, compact cron lists, and iOS Watch controls. (#92856, #91952, #93395, #93387) Thanks @​Solvely-Colin, @​jalehman, @​yu-xin-c, @​centralpc, @​joshavant, and @​vincentkoc.
• Codex, observability, and skills: add automatic plugin approvals and SecretRefs, preserve ClawHub skill provenance, add OpenTelemetry log export, and expose remote-node execution to Codex when a node is connected. (#92625, #94324, #93283, #94561, #93654) Thanks @​kevinslin, @​kevinlin-openai, @​momothemage, @​nmccready-tars, @​jesse-merhi, @​vincentkoc, and @​JPKay-AI.
• QA and release engineering: QA scenarios now use YAML, with broader profile evidence and release coverage for the plugin and channel matrix. Thanks @​vincentkoc.

Fixes

• Security and privacy: redact secrets from debug/config output, block internal HTTP session overrides, audit open-DM tool exposure, and retain plugin write ownership checks. (#93333, #88496, #93443, #92883, #93353) Thanks @​Alix-007, @​jason-allen-oneal, @​coygeek, @​RichardCao, @​yu-xin-c, @​cjg20ss, @​eleqtrizit, and @​vincentkoc.
• Agent and session runtime: retry thinking-only and empty post-tool turns, prevent duplicate hook execution, preserve pending subagent delivery, preserve fresh usage through compaction, and repair partial JSON/history artifacts. (#92191, #93073, #93009, #93084, #93469, #94349, #92383, #94257) Thanks @​ai-hpc, @​lml2468, @​fuller-stack-dev, @​zenglingbiao, @​dertbv, @​Hollychou924, @​leno23, @​de1tydev, @​425072024, @​wuwahe3, @​drvoss, @​vincentkoc, @​sallyom, @​oiGaDio, @​Hidetsugu55, and @​Nas01010101.
• Channels and replies: fix Telegram rich delivery, table rendering, action-error handling, and ingress recovery; preserve command progress detail across channel adapters; retain WhatsApp opening text after a media failure; keep Mattermost thread replies intact; and harden Discord action handling. (#93286, #93364, #93281, #93076, #93334, #93424, #93488, #94868, #94891, #94856, #94810, #93823) Thanks @​obviyus, @​NianJiuZst, @​mcaxtr, @​rushindrasinha, @​amknight, @​lzyyzznl, @​darealgege, @​vincentkoc, @​zhangqueping, @​jairrab, @​ZOOWH, @​parveshsaini, and @​yetval.
• Storage and migrations: avoid SQLite WAL on network filesystems, clean reindex artifacts, keep setup state out of workspace dot-directories, and import default-agent auth profiles into SQLite. (#93454, #92891, #93182, #93295, #93520, #93156) Thanks @​vincentkoc, @​ZengWen-DT, @​Zeng-wen, @​potterdigital, @​Alix-007, @​Pick-cat, @​sallyom, @​1qh, and @​Tazio7.
• Provider and model behavior: fix Gemini CLI proxy OAuth, restore Codex Spark OAuth routing, correct Bedrock embedding model IDs, and preserve configured defaults in embedded runs. (#92815, #89133, #93452, #93428) Thanks @​yetval, @​EvetteYoung, @​VACInc, @​LiuwqGit, @​aleck31, @​zenglingbiao, @​danielgerlag, and @​vincentkoc.
• CLI, TUI, and apps: accept global flags after subcommands, keep terminal output and activity indicators visible, preserve CJK IME composition, and refresh stale UI state. (#93455, #93460, #93006, #93427, #93498, #93606) Thanks @​ooiuuii, @​Alix-007, @​ZengWen-DT, @​Zeng-wen, @​AlethiaQuizForge, @​Zhaoqj2016, @​liuhao1024, @​BrianClaw1955, @​vincentkoc, and @​NicoBoom13.
• Operations and updates: harden official plugin recovery, restart managed Gateways after failed update handoff, keep safe cron delivery defaults, avoid Node-specific npm prefixes, and keep package validation paths reliable. (#93325, #92111, #93650, #94453, #91685) Thanks @​vincentkoc, @​yetval, @​ofan, @​yaanfpv, @​jincheng-xydt, @​sallyom, @​davectr, and @​nxmxbbd.

Complete contribution record

This audited record covers the complete v2026.6.8..HEAD history: 422 merged PRs. The generation manifest also supplies direct commits as editorial input; the grouped notes above prioritize user impact.

Pull requests

• PR #90463 refactor: add session accessor seam with gateway consumer. Thanks @​jalehman.
• PR #88656 Drop reasoning-only length turns from replay. Thanks @​abel-zer0.
• PR #92856 feat(webui): add session workspace rail. Thanks @​Solvely-Colin.
• PR #92845 docs(browser-control): document OPENCLAW_EAGER_BROWSER_CONTROL_SERVER requirement. Related #92841. Thanks @​liuhao1024 and @​jeugregg.
• PR #82366 fix: use passive periodic sqlite wal checkpoints. Related #81715. Thanks @​honor2030 and @​KrasimirKralev.
• PR #92815 fix(google): route Gemini CLI OAuth through the env proxy (#46184). Thanks @​yetval and @​EvetteYoung.
• PR #91331 fix(mattermost): merge progress preview lines by identity. Related #89761. Thanks @​iloveleon19 and @​leonthe8th and @​vincentkoc.
• PR #92909 fix(tui): keep spinner active when toggling tools. Related #49763. Thanks @​ZengWen-DT and @​Zeng-wen and @​vincentkoc and @​CrimsonDump.
• PR #92904 fix(elevenlabs): use current TTS model ids. Thanks @​vortexopenclaw and @​vincentkoc.
• PR #92642 fix #86872: Subagent run reports success but fails to write output file. Thanks @​zhangguiping-xydt and @​vincentkoc and @​zapper35.
• PR #89122 refactor: route command session reads through seam. Thanks @​jalehman.
• PR #90943 fix(reply): deliver final reply when queued follow-up claims session; scope dedupe to routed thread. Thanks @​sandieman2 and @​vincentkoc.
• PR #92894 fix(skills): keep managed prompt paths readable. Related #92875. Thanks @​kesslerio and @​sallyom.
• PR #39617 fix: reload config in slash command routing so dmScope is respected. Related #39605. Thanks @​Ciward.

... (truncated)

Commits

• c645ec4 fix(release): terminate command descendants on signal
• c04126a test(release): align full validation workflow contract
• 99f3728 fix(ci): deduplicate release Telegram validation
• aee871b fix(plugins): restore StepFun ClawHub release
• b86293f docs(changelog): finalize 2026.6.9 ledger
• 55ee540 test(release): stabilize validation contracts
• 4ddd670 docs(changelog): finalize 2026.6.9 ledger
• 0fafe13 merge: synchronize release branch with latest main
• 437164c docs(changelog): finalize 2026.6.9 ledger
• 1988e1a chore(deadcode): remove memory wiki helper shims
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #16.

[josephismikhail]

@dependabot rebase

[dependabot]

Looks like this PR is closed. If the branch still exists, you can re-open the PR and then use @dependabot rebase or @dependabot recreate. If the branch was deleted, Dependabot will create a new PR on the next scheduled run, or you can trigger an update from the Dependency graph page.