chore(deps): lock file maintenance #1707

Merged
shunkakinoki merged 1 commit into main from renovate/lock-file-maintenance
May 8, 2026

shunkakinoki (Owner) commented May 8, 2026

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.


Summary by cubic

Refresh lock files (bun.lock, flake.lock) to pick up current dependency versions and Nix inputs. No application code changes.

  • Dependencies
    • Bumped @noble/curves to 1.9.7 and @opentelemetry/api to 1.9.1; cleaned up a few alias entries.
    • Updated Nix inputs to newer nixpkgs-nightly and NUR revisions.

Written for commit 85aa4b6. Summary will update on new commits.

@shunkakinoki shunkakinoki enabled auto-merge (squash) May 8, 2026 04:06
indent Bot (Contributor) commented May 8, 2026

PR Summary

Routine Renovate lockFileMaintenance refresh of bun.lock and flake.lock. No package.json or flake.nix declarations are touched, and no package versions or integrity hashes for retained entries are altered, so there is no resolution or supply-chain delta beyond the rolling Nix inputs.

  • bun.lock: prunes redundant hoisted nested entries (mostly duplicate @opentelemetry/.../api-logs/@opentelemetry/api@1.9.1 hoists and several openclaw/@mariozechner/.../@aws-sdk/client-bedrock-runtime + @aws-sdk/token-providers@3.1045.0 entries); net +9/-69 lines, deletions only.
  • flake.lock: bumps the two rolling inputs nixpkgs-nightly (75fd6ff…b1c9fea…) and NUR (8186143…93212c6…), ~3.7-hour delta on the same upstream sources, with narHash updated accordingly.

Issues

1 potential issue found:

  • The root tar entry in bun.lock moved from 7.5.15 to 7.5.13 because Bun deduplicated to openclaw's exact pin (tar: "7.5.13"); confirm any non-openclaw consumer hoisting the root tar is OK with the 2-patch rollback, otherwise bump openclaw's tar pin so dedup goes the other direction.


coderabbitai Bot commented May 8, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • bun.lock is excluded by !**/*.lock
  • flake.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.


mesa-dot-dev Bot commented May 8, 2026

Mesa Description

TL;DR

Refreshed all lock files to use the latest dependency versions.

What changed?

All lock files were refreshed. Specific file changes are not available.

Description generated by Mesa.

cubic-dev-ai Bot (Contributor) left a comment

No issues found across 2 files

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request updates dependency lockfiles, specifically bun.lock and flake.lock, including updates to OpenTelemetry, Noble curves, and Nix flake inputs. Feedback highlights several concerns: the removal of @aws-sdk/client-bedrock-runtime from certain dependency paths may break AWS Bedrock integration, the tar package was unexpectedly downgraded, and a version mismatch for @opentelemetry/api was introduced, which could lead to telemetry data conflicts.

Comment thread bun.lock

"@mariozechner/pi-ai/@anthropic-ai/sdk": ["@anthropic-ai/sdk@0.91.1", "", { "dependencies": { "json-schema-to-ts": "^3.1.1" }, "peerDependencies": { "zod": "^3.25.0 || ^4.0.0" }, "optionalPeers": ["zod"], "bin": { "anthropic-ai-sdk": "bin/cli" } }, "sha512-LAmu761tSN9r66ixvmciswUj/ZC+1Q4iAfpedTfSVLeswRwnY3n2Nb6Tsk+cLPP28aLOPWeMgIuTuCcMC6W/iw=="],

"@mariozechner/pi-ai/@aws-sdk/client-bedrock-runtime": ["@aws-sdk/client-bedrock-runtime@3.1045.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "^3.974.8", "@aws-sdk/credential-provider-node": "^3.972.39", "@aws-sdk/eventstream-handler-node": "^3.972.14", "@aws-sdk/middleware-eventstream": "^3.972.10", "@aws-sdk/middleware-host-header": "^3.972.10", "@aws-sdk/middleware-logger": "^3.972.10", "@aws-sdk/middleware-recursion-detection": "^3.972.11", "@aws-sdk/middleware-user-agent": "^3.972.38", "@aws-sdk/middleware-websocket": "^3.972.16", "@aws-sdk/region-config-resolver": "^3.972.13", "@aws-sdk/token-providers": "3.1045.0", "@aws-sdk/types": "^3.973.8", "@aws-sdk/util-endpoints": "^3.996.8", "@aws-sdk/util-user-agent-browser": "^3.972.10", "@aws-sdk/util-user-agent-node": "^3.973.24", "@smithy/config-resolver": "^4.4.17", "@smithy/core": "^3.23.17", "@smithy/eventstream-serde-browser": "^4.2.14", "@smithy/eventstream-serde-config-resolver": "^4.3.14", "@smithy/eventstream-serde-node": "^4.2.14", "@smithy/fetch-http-handler": "^5.3.17", "@smithy/hash-node": "^4.2.14", "@smithy/invalid-dependency": "^4.2.14", "@smithy/middleware-content-length": "^4.2.14", "@smithy/middleware-endpoint": "^4.4.32", "@smithy/middleware-retry": "^4.5.7", "@smithy/middleware-serde": "^4.2.20", "@smithy/middleware-stack": "^4.2.14", "@smithy/node-config-provider": "^4.3.14", "@smithy/node-http-handler": "^4.6.1", "@smithy/protocol-http": "^5.3.14", "@smithy/smithy-client": "^4.12.13", "@smithy/types": "^4.14.1", "@smithy/url-parser": "^4.2.14", "@smithy/util-base64": "^4.3.2", "@smithy/util-body-length-browser": "^4.2.2", "@smithy/util-body-length-node": "^4.2.3", "@smithy/util-defaults-mode-browser": "^4.3.49", "@smithy/util-defaults-mode-node": "^4.2.54", "@smithy/util-endpoints": "^3.4.2", "@smithy/util-middleware": "^4.2.14", "@smithy/util-retry": "^4.3.6", "@smithy/util-stream": "^4.5.25", "@smithy/util-utf8": 
"^4.2.2", "tslib": "^2.6.2" } }, "sha512-aPC6gAz9uKRiwfnKB7peTs6yD0FpSzmVnSkx0f2QtJfosFM6J6KtBvR1lMKby050K4C4PAyEScwA5YTsGfTcGA=="],
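
Review bot: The nested key "@mariozechner/pi-ai/@aws-sdk/client-bedrock-runtime" resolves to @aws-sdk/client-bedrock-runtime@3.1045.0 and pins "@aws-sdk/token-providers": "3.1045.0" exactly, so if this entry is being pruned it is only safe when a hoisted "@aws-sdk/client-bedrock-runtime" key with the same version and the same sha512 string, plus a matching token-providers entry, remains in bun.lock. Please confirm that before treating the change as pure deduplication; a different sha512 on the surviving entry would mean the resolved artifact changed, not just its position in the tree.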

high

The removal of @aws-sdk/client-bedrock-runtime from the dependency tree of @mariozechner/pi-ai and others is a significant change that will break any code relying on AWS Bedrock. This appears to be an unintended side effect of the lockfile refresh, as the parent package versions have not changed.

Comment thread bun.lock
"tapable": ["tapable@2.3.3", "", {}, "sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A=="],

"tar": ["tar@7.5.15", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.1.0", "yallist": "^5.0.0" } }, "sha512-dzGK0boVlC4W5QFuQN1EFSl3bIDYsk7Tj40U6eIBnK2k/8ml7TZ5agbI5j5+qnoVcAA+rNtBml8SEiLxZpNqRQ=="],
"tar": ["tar@7.5.13", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.1.0", "yallist": "^5.0.0" } }, "sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng=="],
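
Review bot: The root "tar" key appears here at both tar@7.5.15 and tar@7.5.13, with identical dependency ranges but different sha512 values, so the root resolution is moving to the lower patch release. Before accepting that, check the tar release notes between 7.5.13 and 7.5.15 for fixes that root consumers rely on, and verify the 7.5.13 integrity string against the registry rather than trusting the lockfile diff alone.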
medium

The tar package has been downgraded from 7.5.15 to 7.5.13. This is a regression in dependency freshness. While it may have been done for deduplication, aligning on the newer version is preferred to ensure the latest fixes are included.

Comment thread bun.lock

"ai/@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@4.0.19", "", { "dependencies": { "@ai-sdk/provider": "3.0.8", "@standard-schema/spec": "^1.1.0", "eventsource-parser": "^3.0.6" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-3eG55CrSWCu2SXlqq2QCsFjo3+E7+Gmg7i/oRVoSZzIodTuDSfLb3MRje67xE9RFea73Zao7Lm4mADIfUETKGg=="],

"ai/@opentelemetry/api": ["@opentelemetry/api@1.9.0", "", {}, "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg=="],
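
Review bot: The nested key "ai/@opentelemetry/api" resolves to @opentelemetry/api@1.9.0, which gives the ai package its own copy separate from whatever the root "@opentelemetry/api" key resolves to. Check what ai declares for this dependency: the neighbouring "ai/@ai-sdk/provider-utils" entry shows this tree does use exact pins ("@ai-sdk/provider": "3.0.8"), and if ai pins "1.9.0" exactly the nested copy is expected, whereas a range would mean a fresh install should collapse it onto the root version.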
medium

This entry introduces @opentelemetry/api@1.9.0 for the ai package, creating a version mismatch with the root @opentelemetry/api@1.9.1. Multiple versions of the OpenTelemetry API can conflict over global state registration, which often leads to telemetry data loss. Deduplicating this to a single version is recommended.

Comment thread bun.lock
"tapable": ["tapable@2.3.3", "", {}, "sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A=="],

"tar": ["tar@7.5.15", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.1.0", "yallist": "^5.0.0" } }, "sha512-dzGK0boVlC4W5QFuQN1EFSl3bIDYsk7Tj40U6eIBnK2k/8ml7TZ5agbI5j5+qnoVcAA+rNtBml8SEiLxZpNqRQ=="],
"tar": ["tar@7.5.13", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.1.0", "yallist": "^5.0.0" } }, "sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng=="],
Root tar resolved version downgraded 7.5.15 → 7.5.13. The pre-PR lockfile had two tar entries: root tar@7.5.15 and openclaw/tar@7.5.13 (openclaw pins tar: "7.5.13" exactly — see line 2849). This PR's deduplication dropped the nested entry and converged the root onto 7.5.13, so any non-openclaw consumer that hoists the root tar silently moved two patch versions back. Low impact since openclaw is the dominant consumer here, but if you want to keep the root on the newer release, the proper fix is to bump openclaw's pinned tar version upstream so Bun dedups to the higher version instead.
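
The dedup-driven downgrade described in this thread can be caught mechanically. The following is an added example, not part of the PR or any bot's output: it compares two bun.lock "packages" maps and reports keys whose effective resolution went down. The function names, the sample maps, and the Node-style fallback from nested key to root key are assumptions made for the example; only the tar versions, the openclaw pin and the post-PR @opentelemetry/api versions come from the discussion above.

```javascript
// Constructed samples in bun.lock's entry shape: key -> ["name@version", ...].
// Integrity hashes are omitted; the pre-PR @opentelemetry/api version is made up.
const lockBefore = {
  "tar": ["tar@7.5.15"],
  "openclaw/tar": ["tar@7.5.13"],
  "@opentelemetry/api": ["@opentelemetry/api@1.9.0"],
};
const lockAfter = {
  "tar": ["tar@7.5.13"], // nested openclaw/tar entry pruned by dedup
  "@opentelemetry/api": ["@opentelemetry/api@1.9.1"],
  "ai/@opentelemetry/api": ["@opentelemetry/api@1.9.0"],
};

// Split "ai/@scope/pkg" into ["ai", "@scope/pkg"], keeping scoped names whole.
function segments(key) {
  const parts = key.split("/");
  const out = [];
  for (let i = 0; i < parts.length; i++) {
    out.push(parts[i].startsWith("@") ? parts[i] + "/" + parts[++i] : parts[i]);
  }
  return out;
}

const versionOf = (spec) => spec.slice(spec.lastIndexOf("@") + 1);

// Assumption: a consumer uses the most specific nested key that exists,
// then falls back towards the root key for the same package name.
function resolve(packages, key) {
  const segs = segments(key);
  const name = segs.pop();
  for (let n = segs.length; n >= 0; n--) {
    const entry = packages[[...segs.slice(0, n), name].join("/")];
    if (entry) return versionOf(entry[0]);
  }
  return null;
}

// Numeric compare for plain x.y.z versions; anything else is skipped below.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function findDowngrades(before, after) {
  const plain = /^\d+\.\d+\.\d+$/;
  const keys = [...new Set([...Object.keys(before), ...Object.keys(after)])].sort();
  return keys
    .map((key) => ({ key, from: resolve(before, key), to: resolve(after, key) }))
    .filter((r) => plain.test(r.from) && plain.test(r.to) && cmp(r.to, r.from) < 0);
}

console.log(findDowngrades(lockBefore, lockAfter));
```

On the sample maps only the root tar key is reported: openclaw/tar still resolves to 7.5.13 through the fallback, and the new ai/@opentelemetry/api entry keeps ai on the version it had before.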

@shunkakinoki shunkakinoki merged commit 3c407cb into main May 8, 2026
41 of 42 checks passed
@shunkakinoki shunkakinoki deleted the renovate/lock-file-maintenance branch May 8, 2026 05:29