- Release performance sweep: GitHub Releases from
v2026.5.28back through stablev2026.4.23, using theOpenClaw Performanceworkflow,profile=smoke, mock-provider lane. Most tag rows are one sample; thev2026.5.27andv2026.5.28rows use the latest repeat-3 release-branch artifacts. - Earlier April context: published
clawgrit-reportsmock-provider baselines fromv2026.4.1throughv2026.5.2, used only to avoid treating the broken late-April releases as the public performance baseline. - Install footprint sweep: fresh
npm install --ignore-scriptsinstalls into temporary packages, withdu -sk node_modulesfor size and anode_moduleswalk for package-instance counts. - npm package size sweep:
npm pack openclaw@<version> --dry-run --jsonfor published releases, recording compressed tarball size, unpacked size, and file count.
Snapshot
Performance coverage: 77 requested releases, 74 artifact-backed points, and 3 unavailable CI runs. Latest stable measured point:v2026.5.28.
Stable agent turn
5.1x faster cold turn
v2026.4.14: 9.8sv2026.5.28: 1.9s
Published package
17.9MB tarballLatest stable package, down from the 43.3MB March package-size peak.
Latest stable install
361.7MiB fresh installCuts the nested OpenClaw dependency tree sharply from the
2026.5.22
shrinkwrap-introduction peak, though a smaller 259.7MiB nested tree still
remains in the local install audit.Dependency graph
300 installed packagesMeasured as unique package name/version roots in a fresh install with
scripts disabled; 71 fewer roots than the prior stable release.
What Changed In 5.28
The cleanup betweenv2026.5.27 and v2026.5.28 reduced the default-install
graph instead of removing the capabilities themselves.
Root default graph
Unique package name/version roots fell from 371 to 300. Package
instances fell from 372 to 301.
Nested tree
Nested
openclaw/node_modules fell from 656.1MiB to 259.7MiB in
the same local install audit.Native optional cones
The all-platform
@napi-rs/canvas native package cone stopped landing in
the default install.Supply-chain surface
Fewer default packages means fewer tarballs, maintainers, native binaries,
install-time behaviors, and transitive update paths to trust by default.
Headline Numbers
Do not use the late-April broken rows as public performance baselines.v2026.4.23 and v2026.4.29 are useful regression evidence, but the large
14x-style deltas mostly describe the recovery from a bad release line.
For the blog narrative, use the earlier April published baseline as scale.
The baseline is v2026.4.14 from the published clawgrit-reports
mock-provider run (repeat 3; that run failed only because the diagnostic
timeline was not emitted, so the cold, warm, and RSS medians are still useful
as rough scale). Treat this as narrative context, not a release-gate
statistic.
Within the May sweep, the latest release-branch row moved materially from
v2026.5.2:
Compared with the previous stable release:
Install footprint
npm package size
2026.5.12 is the visible plugin-extraction milestone in the changelog:
Amazon Bedrock, Bedrock Mantle, Slack, OpenShell sandbox, Anthropic Vertex,
Matrix, and WhatsApp moved out of the core dependency path so their dependency
cones install with those plugins instead of every core install.
Kova agent turn summary
The April stable line contains two different stories. Earlier April was slow but recognizable. Late April became a regression cliff.v2026.5.2 is where
the mock-provider lane first drops into the 3-5s range and starts passing
consistently in the supplied sweep.
Earlier published context:
Supplied sweep:
Source probes
Source probes were skipped for 17 successful older refs because those source trees did not yet have the required probe entry points. Agent-turn metrics still exist for those refs. Representative source-probe points:
The
v2026.5.22 CLI health spike is visible in this table even though the
agent-turn lane still passed. Keep the source probes when investigating
targeted CLI or gateway regressions.
Install footprint audit
Dependency samples use one stable release per month, plus the2026.5.22 shrinkwrap-introduction event and the latest 2026.5.28 release.
Shrinkwrap boundary
2026.5.20 shipped with no root shrinkwrap and no large nested OpenClaw
dependency tree. 2026.5.22 introduced root shrinkwrap and installed 911.8MB
under nested openclaw/node_modules. 2026.5.28 keeps shrinkwrap and still
installs 259.7MiB under nested openclaw/node_modules, but no longer installs
any @napi-rs/canvas packages in the local fresh-install audit.
Published tarball inspection verifies the boundary:
The important distinction: shrinkwrap itself is not the problem.
v2026.5.28 still ships root shrinkwrap. The problem was the package shape
that made npm materialize a large nested OpenClaw dependency tree and all 12
@napi-rs/canvas platform packages. The nested tree is smaller in v2026.5.28,
and the canvas platform fanout no longer lands in the local audit.
For a plain-English explanation of shrinkwrap and the maintainer-level package
checks, see npm shrinkwrap.
Supply-chain interpretation
Dependency count is an operational security metric, not only an install-size metric. Every package expands the set of maintainers, tarballs, transitive updates, optional native binaries, and install-time behaviors that operators must trust. The cleanup direction is:- keep heavy and optional capabilities outside the default core install
- make plugin packages own their runtime dependency graph
- avoid runtime package-manager repair during Gateway startup
- preserve deterministic installs without causing all-platform native package materialization
- keep install scripts disabled in package acceptance and measurement paths
- catch nested dependency trees and native optional dependency explosions before publishing