From bfa5b39648c565e0bebdfa5e29b7cd70dc24485b Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Thu, 21 May 2026 23:08:25 +0800
Subject: [PATCH] fix: cover plugin package locks in dependency review
---
 .github/CODEOWNERS | 1 +
 .github/workflows/dependency-change-awareness.yml | 1 +
 .github/workflows/labeler.yml | 4 ++--
 scripts/dependency-changes-report.mjs | 2 ++
 test/scripts/dependency-change-awareness-workflow.test.ts | 2 ++
 test/scripts/dependency-changes-report.test.ts | 2 ++
 6 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 39fde264d79..16688d596b7 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,6 +15,7 @@
 /test/scripts/dependency-change-awareness-workflow.test.ts @openclaw/openclaw-secops
 /package-lock.json @openclaw/openclaw-secops
 /npm-shrinkwrap.json @openclaw/openclaw-secops
+/extensions/*/package-lock.json @openclaw/openclaw-secops
 /extensions/*/npm-shrinkwrap.json @openclaw/openclaw-secops
 /pnpm-lock.yaml @openclaw/openclaw-secops
 /scripts/generate-npm-shrinkwrap.mjs @openclaw/openclaw-secops
diff --git a/.github/workflows/dependency-change-awareness.yml b/.github/workflows/dependency-change-awareness.yml
index f8af03cdaff..37d649ceda4 100644
--- a/.github/workflows/dependency-change-awareness.yml
+++ b/.github/workflows/dependency-change-awareness.yml
@@ -41,6 +41,7 @@ jobs:
 filename === "ui/package.json" ||
 filename.startsWith("patches/") ||
 /^packages\/[^/]+\/package\.json$/u.test(filename) ||
+ /^extensions\/[^/]+\/package-lock\.json$/u.test(filename) ||
 /^extensions\/[^/]+\/npm-shrinkwrap\.json$/u.test(filename) ||
 /^extensions\/[^/]+\/package\.json$/u.test(filename);

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 16b1cc8c29a..6b4298f62c6 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
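Review bot: The matcher added to dependency-change-awareness.yml fires only for `extensions/<name>/package-lock.json`, but the same commit treats a nested `package-lock.json` at any depth as a lockfile elsewhere: both labeler.yml hunks use `path.endsWith("/package-lock.json")`, and scripts/dependency-changes-report.mjs adds the unanchored `/\/package-lock\.json$/u`. A lockfile outside `extensions/*/` (for example under `packages/<name>/`) would therefore be dropped from the size count without raising the dependency-review signal or matching the new CODEOWNERS rule, unless a condition above this hunk already covers it. If that gap is not intended, widen this check to `/(^|\/)package-lock\.json$/u.test(filename)`, or narrow the other two to the `extensions/[^/]+/` form so that all four places agree. The filter expression starts above the hunk, so its earlier conditions are not visible here.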
@@ -92,7 +92,7 @@ jobs:
 const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "bun.lockb"]);
 const totalChangedLines = files.reduce((total, file) => {
 const path = file.filename ?? "";
- if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/npm-shrinkwrap.json")) {
+ if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/package-lock.json") || path.endsWith("/npm-shrinkwrap.json")) {
 return total;
 }
 return total + (file.additions ?? 0) + (file.deletions ?? 0);
@@ -606,7 +606,7 @@ jobs:
 const excludedLockfiles = new Set(["pnpm-lock.yaml", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "bun.lockb"]);
 const totalChangedLines = files.reduce((total, file) => {
 const path = file.filename ?? "";
- if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/npm-shrinkwrap.json")) {
+ if (path.startsWith("docs/") || excludedLockfiles.has(path) || path.endsWith("/package-lock.json") || path.endsWith("/npm-shrinkwrap.json")) {
 return total;
 }
 return total + (file.additions ?? 0) + (file.deletions ?? 0);
diff --git a/scripts/dependency-changes-report.mjs b/scripts/dependency-changes-report.mjs
index f2e9de9b785..23b11f9c14a 100644
--- a/scripts/dependency-changes-report.mjs
+++ b/scripts/dependency-changes-report.mjs
@@ -12,6 +12,7 @@ import {
 const DEPENDENCY_FILE_PATTERNS = [
 /^package\.json$/u,
 /^package-lock\.json$/u,
+ /\/package-lock\.json$/u,
 /^npm-shrinkwrap\.json$/u,
 /\/npm-shrinkwrap\.json$/u,
 /^pnpm-lock\.yaml$/u,
@@ -23,6 +24,7 @@ const DEPENDENCY_FILE_PATTERNS = [
 const DEPENDENCY_DIFF_PATHS = [
 "package.json",
 "package-lock.json",
+ "extensions/*/package-lock.json",
 "npm-shrinkwrap.json",
 "pnpm-lock.yaml",
 "pnpm-workspace.yaml",
diff --git a/test/scripts/dependency-change-awareness-workflow.test.ts b/test/scripts/dependency-change-awareness-workflow.test.ts
index 2840479d74e..cd917c48e55 100644
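Review bot: The lockfile exclusion in labeler.yml is now split between the `excludedLockfiles` set and two inline `endsWith` checks, and the whole predicate is repeated verbatim in the hunks at lines 92 and 606, so the two copies can drift the next time a lockfile name is added. Keeping the nested names next to the set would make the rule readable in one place, for example `const excludedLockfileSuffixes = ["/package-lock.json", "/npm-shrinkwrap.json"];` with `excludedLockfileSuffixes.some((suffix) => path.endsWith(suffix))` in the condition. A one-line comment such as `// lockfile churn is excluded from size labels; dependency review covers it separately` would also record why these paths are skipped. Both reducers start and end outside their hunks.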
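Review bot: The new `"extensions/*/package-lock.json"` entry in `DEPENDENCY_DIFF_PATHS` does not record how deep it is meant to match, while the pattern added beside it in `DEPENDENCY_FILE_PATTERNS`, `/\/package-lock\.json$/u`, matches at any depth. In a plain git pathspec `*` can also match `/`, so unless `dependencyDiffPathspecs()` (not visible in these hunks) applies `:(glob)` magic, the entry would select lockfiles deeper under `extensions/` as well. A comment above the entry, for instance `// git pathspec: plugin lockfiles under extensions/<name>/`, would state the intended scope for whoever extends the list next. Both arrays continue past the end of their hunks.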
--- a/test/scripts/dependency-change-awareness-workflow.test.ts
+++ b/test/scripts/dependency-change-awareness-workflow.test.ts
@@ -94,6 +94,7 @@ describe("dependency change awareness workflow", () => {
 expect(script).toContain('filename === "ui/package.json"');
 expect(script).toContain('filename.startsWith("patches/")');
 expect(script).toContain("^packages\\/[^/]+\\/package\\.json$");
+ expect(script).toContain("^extensions\\/[^/]+\\/package-lock\\.json$");
 expect(script).toContain("^extensions\\/[^/]+\\/npm-shrinkwrap\\.json$");
 expect(script).toContain("^extensions\\/[^/]+\\/package\\.json$");
 });
@@ -108,6 +109,7 @@ describe("dependency change awareness workflow", () => {
 );
 expect(codeowners).toContain("/package-lock.json @openclaw/openclaw-secops");
 expect(codeowners).toContain("/npm-shrinkwrap.json @openclaw/openclaw-secops");
+ expect(codeowners).toContain("/extensions/*/package-lock.json @openclaw/openclaw-secops");
 expect(codeowners).toContain("/extensions/*/npm-shrinkwrap.json @openclaw/openclaw-secops");
 });
 });
diff --git a/test/scripts/dependency-changes-report.test.ts b/test/scripts/dependency-changes-report.test.ts
index 4ca056cbabf..8c742ee9669 100644
--- a/test/scripts/dependency-changes-report.test.ts
+++ b/test/scripts/dependency-changes-report.test.ts
@@ -48,11 +48,13 @@ describe("dependency-changes-report", () => {
 expect(isDependencyFile("npm-shrinkwrap.json")).toBe(true);
 expect(isDependencyFile("extensions/discord/npm-shrinkwrap.json")).toBe(true);
 expect(isDependencyFile("package-lock.json")).toBe(true);
+ expect(isDependencyFile("extensions/discord/package-lock.json")).toBe(true);
 expect(isDependencyFile("pnpm-lock.yaml")).toBe(true);
 expect(isDependencyFile("docs/gateway/security/index.md")).toBe(false);
 });

 it("includes plugin shrinkwrap files in git diff pathspecs", () => {
+ expect(dependencyDiffPathspecs()).toContain("extensions/*/package-lock.json");
 expect(dependencyDiffPathspecs()).toContain("extensions/*/npm-shrinkwrap.json");
 });
 });
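Review bot: The second test is still titled "includes plugin shrinkwrap files in git diff pathspecs" although it now asserts the package-lock pathspec as well; a title like `it("includes plugin lockfiles in git diff pathspecs", ...)` would match what it checks. The `isDependencyFile` assertions cover only `extensions/discord/package-lock.json`, so the reach of the new unanchored `/\/package-lock\.json$/u` pattern is not pinned. Adding one assertion for a path outside `extensions/`, such as `expect(isDependencyFile("packages/example/package-lock.json")).toBe(true);` (or `false`, whichever is intended), would make the scope an explicit, tested decision. The first `it` block starts above the hunk.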