fix(deps): keep plugin ownership records live (#71331)

2026-04-28 06:31:11 +00:00 · 2026-04-24 19:15:12 -07:00 · 2026-04-24 19:15:12 -07:00 · f9ac92d1cc
commit f9ac92d1cc
parent f550aa7622
2 changed files with 64 additions and 2 deletions
--- a/scripts/sbom-risk-report.mjs
+++ b/scripts/sbom-risk-report.mjs
@ -184,13 +184,17 @@ export function collectSbomRiskReport(params = {}) {
      return left.importer.localeCompare(right.importer);
    });

-  const rootDependencyNames = new Set(rootDependencies.map((dependency) => dependency.name));
+  const workspaceDependencyNames = new Set(
+    Object.values(lockfile.importers ?? {}).flatMap((record) =>
+      normalizeDependencies(record).map((dependency) => dependency.name),
+    ),
+  );
  const ownershipGaps = rootDependencies
    .filter((dependency) => !ownershipFor(dependencyOwnership, dependency.name))
    .map((dependency) => dependency.name)
    .toSorted(compareStrings);
  const staleOwnershipRecords = Object.keys(dependencyOwnership.dependencies ?? {})
-    .filter((name) => !rootDependencyNames.has(name))
+    .filter((name) => !workspaceDependencyNames.has(name))
    .toSorted(compareStrings);
  const ownershipWarnings = rootDependencyRows
    .filter(
--- a/test/scripts/sbom-risk-report.test.ts
+++ b/test/scripts/sbom-risk-report.test.ts
@ -118,4 +118,62 @@ snapshots:
      "root dependency 'missing-owner' is missing from scripts/lib/dependency-ownership.json",
    ]);
  });
+
+  it("does not mark plugin importer dependencies as stale ownership records", () => {
+    const repoRoot = makeTempRepo();
+    writeRepoFile(
+      repoRoot,
+      "package.json",
+      JSON.stringify({
+        dependencies: {
+          "core-lib": "1.0.0",
+        },
+      }),
+    );
+    writeRepoFile(
+      repoRoot,
+      "pnpm-lock.yaml",
+      `
+lockfileVersion: '9.0'
+importers:
+  .:
+    dependencies:
+      core-lib:
+        specifier: 1.0.0
+        version: 1.0.0
+  extensions/web-readability:
+    dependencies:
+      plugin-readable:
+        specifier: 2.0.0
+        version: 2.0.0
+packages:
+  core-lib@1.0.0: {}
+  plugin-readable@2.0.0: {}
+snapshots:
+  core-lib@1.0.0: {}
+  plugin-readable@2.0.0: {}
+`,
+    );
+    writeRepoFile(
+      repoRoot,
+      "scripts/lib/dependency-ownership.json",
+      JSON.stringify({
+        schemaVersion: 1,
+        dependencies: {
+          "core-lib": { owner: "core:test", class: "core-runtime", risk: ["network"] },
+          "plugin-readable": {
+            owner: "plugin:web-readability",
+            class: "plugin-runtime",
+            risk: ["html"],
+          },
+          "removed-lib": { owner: "core:test", class: "core-runtime", risk: ["unused"] },
+        },
+      }),
+    );
+
+    const report = collectSbomRiskReport({ repoRoot });
+
+    expect(report.ownershipGaps).toEqual([]);
+    expect(report.staleOwnershipRecords).toEqual(["removed-lib"]);
+  });
 });