fix: cover plugin package locks in dependency review

2026-05-27 19:58:50 +00:00 · 2026-05-21 23:08:25 +08:00
parent a1b05aae7c
commit bfa5b39648
6 changed files with 10 additions and 2 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,6 +15,7 @@
 /test/scripts/dependency-change-awareness-workflow.test.ts @openclaw/openclaw-secops
 /package-lock.json @openclaw/openclaw-secops
 /npm-shrinkwrap.json @openclaw/openclaw-secops
+/extensions/*/package-lock.json @openclaw/openclaw-secops
 /extensions/*/npm-shrinkwrap.json @openclaw/openclaw-secops
 /pnpm-lock.yaml @openclaw/openclaw-secops
 /scripts/generate-npm-shrinkwrap.mjs @openclaw/openclaw-secops
--- a/.github/workflows/dependency-change-awareness.yml
+++ b/.github/workflows/dependency-change-awareness.yml
@@ -41,6 +41,7 @@ jobs:
              filename === "ui/package.json" ||
              filename.startsWith("patches/") ||
              /^packages\/[^/]+\/package\.json$/u.test(filename) ||
+              /^extensions\/[^/]+\/package-lock\.json$/u.test(filename) ||
              /^extensions\/[^/]+\/npm-shrinkwrap\.json$/u.test(filename) ||
              /^extensions\/[^/]+\/package\.json$/u.test(filename);

--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -92,7 +92,7 @@ jobs:
            const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "bun.lockb"]);
            const totalChangedLines = files.reduce((total, file) => {
              const path = file.filename ?? "";
-              if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/npm-shrinkwrap.json")) {
+              if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/package-lock.json") || path.endsWith("/npm-shrinkwrap.json")) {
                return total;
              }
              return total + (file.additions ?? 0) + (file.deletions ?? 0);
@@ -606,7 +606,7 @@ jobs:
              const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "bun.lockb"]);
              const totalChangedLines = files.reduce((total, file) => {
                const path = file.filename ?? "";
-                if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/npm-shrinkwrap.json")) {
+                if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/package-lock.json") || path.endsWith("/npm-shrinkwrap.json")) {
                  return total;
                }
                return total + (file.additions ?? 0) + (file.deletions ?? 0);
--- a/scripts/dependency-changes-report.mjs
+++ b/scripts/dependency-changes-report.mjs
@@ -12,6 +12,7 @@ import {
 const DEPENDENCY_FILE_PATTERNS = [
  /^package\.json$/u,
  /^package-lock\.json$/u,
+  /\/package-lock\.json$/u,
  /^npm-shrinkwrap\.json$/u,
  /\/npm-shrinkwrap\.json$/u,
  /^pnpm-lock\.yaml$/u,
@@ -23,6 +24,7 @@ const DEPENDENCY_FILE_PATTERNS = [
 const DEPENDENCY_DIFF_PATHS = [
  "package.json",
  "package-lock.json",
+  "extensions/*/package-lock.json",
  "npm-shrinkwrap.json",
  "pnpm-lock.yaml",
  "pnpm-workspace.yaml",
--- a/test/scripts/dependency-change-awareness-workflow.test.ts
+++ b/test/scripts/dependency-change-awareness-workflow.test.ts
@@ -94,6 +94,7 @@ describe("dependency change awareness workflow", () => {
    expect(script).toContain('filename === "ui/package.json"');
    expect(script).toContain('filename.startsWith("patches/")');
    expect(script).toContain("^packages\\/[^/]+\\/package\\.json$");
+    expect(script).toContain("^extensions\\/[^/]+\\/package-lock\\.json$");
    expect(script).toContain("^extensions\\/[^/]+\\/npm-shrinkwrap\\.json$");
    expect(script).toContain("^extensions\\/[^/]+\\/package\\.json$");
  });
@@ -108,6 +109,7 @@ describe("dependency change awareness workflow", () => {
    );
    expect(codeowners).toContain("/package-lock.json @openclaw/openclaw-secops");
    expect(codeowners).toContain("/npm-shrinkwrap.json @openclaw/openclaw-secops");
+    expect(codeowners).toContain("/extensions/*/package-lock.json @openclaw/openclaw-secops");
    expect(codeowners).toContain("/extensions/*/npm-shrinkwrap.json @openclaw/openclaw-secops");
  });
 });
--- a/test/scripts/dependency-changes-report.test.ts
+++ b/test/scripts/dependency-changes-report.test.ts
@@ -48,11 +48,13 @@ describe("dependency-changes-report", () => {
    expect(isDependencyFile("npm-shrinkwrap.json")).toBe(true);
    expect(isDependencyFile("extensions/discord/npm-shrinkwrap.json")).toBe(true);
    expect(isDependencyFile("package-lock.json")).toBe(true);
+    expect(isDependencyFile("extensions/discord/package-lock.json")).toBe(true);
    expect(isDependencyFile("pnpm-lock.yaml")).toBe(true);
    expect(isDependencyFile("docs/gateway/security/index.md")).toBe(false);
  });

  it("includes plugin shrinkwrap files in git diff pathspecs", () => {
+    expect(dependencyDiffPathspecs()).toContain("extensions/*/package-lock.json");
    expect(dependencyDiffPathspecs()).toContain("extensions/*/npm-shrinkwrap.json");
  });
 });