fix: cover plugin package locks in dependency review

test/scripts/dependency-change-awareness-workflow.test.ts

@@ -94,6 +94,7 @@ describe("dependency change awareness workflow", () => {
     expect(script).toContain('filename === "ui/package.json"');
     expect(script).toContain('filename.startsWith("patches/")');
     expect(script).toContain("^packages\\/[^/]+\\/package\\.json$");
+    expect(script).toContain("^extensions\\/[^/]+\\/package-lock\\.json$");
     expect(script).toContain("^extensions\\/[^/]+\\/npm-shrinkwrap\\.json$");
     expect(script).toContain("^extensions\\/[^/]+\\/package\\.json$");
   });
@@ -108,6 +109,7 @@ describe("dependency change awareness workflow", () => {
     );
     expect(codeowners).toContain("/package-lock.json @openclaw/openclaw-secops");
     expect(codeowners).toContain("/npm-shrinkwrap.json @openclaw/openclaw-secops");
+    expect(codeowners).toContain("/extensions/*/package-lock.json @openclaw/openclaw-secops");
     expect(codeowners).toContain("/extensions/*/npm-shrinkwrap.json @openclaw/openclaw-secops");
   });
 });

test/scripts/dependency-changes-report.test.ts

@@ -48,11 +48,13 @@ describe("dependency-changes-report", () => {
     expect(isDependencyFile("npm-shrinkwrap.json")).toBe(true);
     expect(isDependencyFile("extensions/discord/npm-shrinkwrap.json")).toBe(true);
     expect(isDependencyFile("package-lock.json")).toBe(true);
+    expect(isDependencyFile("extensions/discord/package-lock.json")).toBe(true);
     expect(isDependencyFile("pnpm-lock.yaml")).toBe(true);
     expect(isDependencyFile("docs/gateway/security/index.md")).toBe(false);
   });
 
   it("includes plugin shrinkwrap files in git diff pathspecs", () => {
+    expect(dependencyDiffPathspecs()).toContain("extensions/*/package-lock.json");
     expect(dependencyDiffPathspecs()).toContain("extensions/*/npm-shrinkwrap.json");
   });
 });