OpenClaw Foundation Plans LTS Release After Supply Chain Scare

ClawHosters by Daniel Samer

Peter Steinberger published a candid blog post this week, and a new OpenClaw LTS release track is the direct result. The short version: OpenClaw's rough week between April 24 and 29 was worse than it looked from the outside, and the OpenClaw Foundation is doing something about it.

The rapid push toward npm-first plugin architecture left the project in what Steinberger called "the worst middle state: too much moved toward plugins, while too many plugins were still bundled." Plugin dependency repair was running in startup and update paths. Bundled plugins and external ones were half-split. Things broke.

Then it got worse. The Axios npm compromise exposed transitive dependency exposure across the OpenClaw supply chain. When your plugin system relies on npm packages, a compromised package upstream means your AI agent is running code you didn't audit, possibly several copies of it, nested under plugins you never looked at.
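A concrete way to see that exposure is to walk the lockfile rather than trust the top-level dependency list. The following is an added example, not code from the article or from the OpenClaw project: it reads an npm lockfile in the lockfileVersion 2/3 "packages" layout and lists every installed copy of a named package, including nested transitive copies pulled in by plugins. The lockfile contents and the version numbers below are constructed for illustration.

```javascript
// Added example (not from the article or the OpenClaw project): find every
// installed copy of a package in an npm lockfile (lockfileVersion 2/3).
// SAMPLE_LOCK is a constructed stand-in for a real package-lock.json; the
// versions in it are illustrative only.
const SAMPLE_LOCK = {
  name: "example-agent",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.6.0", "some-plugin": "^2.0.0" } },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/some-plugin": {
      version: "2.0.0",
      dependencies: { axios: "^0.21.0" },
    },
    // A plugin pins its own, older axios: a second copy you did not audit.
    "node_modules/some-plugin/node_modules/axios": { version: "0.21.1" },
    "node_modules/dev-only": { version: "1.0.0", dev: true },
  },
};

// Return every installed copy of `name`: its version, whether it is a
// dev-only dependency, and the chain of packages it is nested under
// (top level first). Handles scoped names such as "@scope/pkg".
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; split into ["a", "b"].
    const chain = path
      .split("node_modules/")
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ""));
    if (chain.length === 0 || chain[chain.length - 1] !== name) continue;
    copies.push({
      version: meta.version,
      dev: Boolean(meta.dev),
      via: chain.slice(0, -1),
      path,
    });
  }
  return copies;
}

// Filter those copies down to versions on a given list (for example the
// versions named in an upstream advisory; `affected` is a placeholder set).
function findAffectedCopies(lock, name, affected) {
  const bad = new Set(affected);
  return findInstalledCopies(lock, name).filter((c) => bad.has(c.version));
}
```

For a real project, load `package-lock.json` with `JSON.parse` and pass it in place of `SAMPLE_LOCK`; copies nested under a plugin are the ones `npm install` at the top level will not replace.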

What the OpenClaw Foundation Is Doing

Steinberger was blunt about the root cause: "Too much release, review, packaging and support work sat with me." Too founder-driven. Too many single points of failure.

The response has two parts. First, the OpenClaw Foundation and OpenAI are building out a real team to reduce the bus-factor risk. Second, and this matters for anyone running OpenClaw in production, an OpenClaw LTS release track is coming later this month.

The idea behind OpenClaw long-term support is straightforward. The core gets smaller. Optional functionality moves to ClawHub plugins. LTS releases receive only security patches and critical fixes, no feature churn. You pick a version and it stays stable.

What This Means if You Self-Host

An LTS track is good news. But it doesn't eliminate the work. You still need to apply security patches when they land, test that your config didn't break, and keep your Docker setup current. The v2026.5.5 OAuth regression from earlier this week is a good reminder: even "stable" releases can ship regressions. Our security hardening guide covers what to watch for.

What This Means on ClawHosters

Whether OpenClaw ships an LTS track or not, the managed hosting story doesn't change. We already test updates before applying them. When v2026.5.5 shipped that OAuth regression, self-hosters got hit. ClawHosters customers didn't.

You shouldn't have to choose between security patches and stability. That's the whole point of managed hosting, and it's what an OpenClaw LTS release is trying to solve for the self-hosting crowd too.

We'll track the LTS timeline as it develops. Check the security overview for how ClawHosters handles update validation.

Frequently Asked Questions

The OpenClaw LTS release is a planned long-term support track where releases receive only security patches and critical bug fixes, no new features. The OpenClaw Foundation announced it after the April 2026 supply chain incident. It's expected later in May 2026.

The npm-first plugin migration left the project in an unstable middle state with half-bundled, half-external plugins. An Axios npm compromise then exposed transitive dependency risks. Steinberger acknowledged the project was too founder-driven, with too much work sitting with one person.

Yes. ClawHosters tests every update before deploying it. When OpenClaw v2026.5.5 shipped an OAuth regression, self-hosters were affected. ClawHosters customers were not. Managed hosting already filters out broken releases regardless of whether you're on LTS or stable.

Sources

  1. ClawHub plugins
  2. security hardening guide
  3. managed hosting
  4. security overview