"I'm still running March 13 build because we had a string of crap builds come out." - r/openclaw, this week.
This is a legitimate strategy. The OpenClaw team ships fast (five 4.x releases in the first week of April alone) and not every release is stable. If you have a working setup, staying put while the new releases bake is often smarter than chasing the latest version.
Here's how to do it correctly: pin your version, monitor for CVEs that affect your version, and have a tested upgrade path ready when the time comes.
Recent Release Stability (Community Assessment)
| Version | Community Stability | Known Issues |
|---|---|---|
| 2026.3.13 (March 13) | Stable | Older; missing 4.x features, but solid for daily use |
| 2026.3.22 | Stable | Breaking config key rename during upgrade; see migration guide |
| 2026.3.31 | Caution | Tools broken post-update for some users |
| 2026.4.1 | Caution | exec-approvals.json reset silently blocks exec; fix here |
| 2026.4.2 | Caution | Dreaming docs ahead of release; heartbeat isolated sessions issues |
| 2026.4.5 | Caution | CLI breakage on some npm updates; Dreaming ships as experimental; fix here |
Step 1: Pin Your Current Version
The simplest protection against accidental upgrades: use a pinned version in any install commands, and stop using @latest.
First, check what you're running:
```bash
openclaw --version
```
Then install that exact version explicitly (this reinstalls the pinned version into npm's global install location, replacing whatever @latest put there):
```bash
# Example: pin to 3.22
npm install -g openclaw@2026.3.22

# Or pin to 4.4 (last stable before 4.5 issues)
npm install -g openclaw@2026.4.4
```
Add a reminder alias to your shell profile so you never accidentally run a bare npm install -g openclaw:
```bash
# In ~/.bashrc or ~/.zshrc
alias openclaw-update='echo "Pinned version. To upgrade intentionally: npm install -g openclaw@VERSION"'
```
Step 2: Prevent Automatic Updates
If you have any automation (cron jobs, systemd services, update scripts) that could touch openclaw's npm package, lock them down:
```bash
# Check for npm auto-update scripts
crontab -l | grep npm
grep -r "npm update" ~/.bashrc ~/.zshrc ~/.profile /etc/cron.d/
```
Also check whether your system runs unattended-upgrades or a Node version manager that might touch global packages.
WSL users: If you run Windows Update or upgrade WSL, your global npm packages are usually preserved. But if you ever reinstall Node.js or your Node version manager, be explicit about which openclaw version to reinstall; don't let it default to @latest.
Step 3: Monitor CVEs on Your Pinned Version
Staying on an older version is only safe if you know what vulnerabilities affect it. Your monitoring checklist:
- github.com/jgamblin/OpenClawCVEs: community-maintained CVE tracker. Star it and check monthly.
- OpenClaw GitHub releases page: release notes always call out security fixes. Scan for "security", "CVE", "patch" in each release you've skipped.
- r/openclaw: active exploits get flagged here within hours of disclosure.
The key question for each skipped release: does this fix a CVE that affects my version? If yes, upgrade just for that. If not, skip it.
Step 4: Safe Upgrade Testing Pattern
When you're ready to evaluate a new release, test it without committing your production setup:
```bash
# Backup current config first
openclaw backup create

# Note your current version
openclaw --version > /tmp/openclaw-version-before.txt

# Test the new version in a temp directory
cd /tmp
mkdir openclaw-test && cd openclaw-test
npm install openclaw@2026.4.5

# Run doctor against the new version's requirements
./node_modules/.bin/openclaw doctor

# If doctor passes cleanly, check the changelog against your config
# If not, see what changed and whether it affects you
```
This way you're evaluating the new version without having already overwritten your working global install.
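The two checks from Steps 1 and 3 can be scripted. The following is an added example, not code from the original post or from the OpenClaw project: it compares the installed version against a pin and scans release notes for the security keywords listed above, reporting only releases newer than the pin. The pinned version, the release-notes text and CVE-PLACEHOLDER are constructed assumptions; in practice you would feed in the output of openclaw --version and the GitHub release notes.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenClaw project: a pin-drift
# check and a scan of skipped releases for the security keywords the post lists.
# Inputs are constructed inline; in practice feed it `openclaw --version` output
# and the GitHub release notes.
PINNED_VERSION="2026.3.22"   # assumed pin, matching the post's example
# check_pin PINNED CURRENT: succeeds only if the installed version is the pin.
check_pin() {
  [ "$1" = "$2" ]
}
# version_gt A B: succeeds if dotted numeric version A is newer than B,
# comparing field by field (2026.4.5 > 2026.3.31) without relying on sort -V.
version_gt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0
      if (x != y) exit !(x > y)
    }
    exit 1   # equal versions are not newer
  }'
}
# security_releases NOTES: print each "## <version>" section that mentions
# security, CVE or patch (case-insensitive). "patch" also matches words like
# "dispatch", so treat hits as leads to read, not verdicts.
security_releases() {
  printf '%s\n' "$1" | awk '
    /^## / { ver = $2; next }
    tolower($0) ~ /security|cve|patch/ { if (ver != "" && !seen[ver]++) print ver }
  '
}
# pending_security_upgrades PINNED NOTES: security-fix releases newer than the pin.
pending_security_upgrades() {
  security_releases "$2" | while IFS= read -r ver; do
    if version_gt "$ver" "$1"; then printf '%s\n' "$ver"; fi
  done
}

# Constructed release notes; CVE-PLACEHOLDER stands in for a real identifier.
RELEASE_NOTES='## 2026.3.31
- Tool loading refactor
## 2026.4.1
- Security: fix CVE-PLACEHOLDER in exec-approvals.json handling
## 2026.4.5
- Dreaming ships as experimental
- Patch session storage permissions'

pending_security_upgrades "$PINNED_VERSION" "$RELEASE_NOTES"   # prints 2026.4.1 and 2026.4.5
```

Wire the first call to the real `openclaw --version` output and the notes to the releases you have skipped; an empty result means nothing newer than your pin mentions a security fix.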
When to Actually Upgrade
Three scenarios where staying pinned stops being smart:
- A CVE with active exploitation affects your version. ClawBleed (CVE-2026-25253) patched in 2026.2.2 is the example. No patch = active risk. Upgrade for security, even if the release has other issues.
- You need a feature that only exists in a newer release. Dreaming (4.5), video generation (4.5), isolated heartbeat sessions (4.x): these require upgrading. Only upgrade when the feature value exceeds the upgrade risk for your setup.
- Your current version falls out of active maintenance. The OpenClaw team doesn't explicitly publish an EOL date, but releases older than ~3 months stop getting CVE backports. At that point, staying pinned becomes risky.
The practical policy: Run openclaw backup create weekly. Check CVEs monthly. Upgrade only when a security fix or a feature you need ships. Never upgrade the day a release drops; wait 48 to 72 hours for the community to surface any breakage first.