fix: include plugin shrinkwraps in dependency reports

scripts/dependency-changes-report.mjs

@@ -20,6 +20,17 @@ const DEPENDENCY_FILE_PATTERNS = [
   /\/package\.json$/u,
 ];
 
+const DEPENDENCY_DIFF_PATHS = [
+  "package.json",
+  "package-lock.json",
+  "npm-shrinkwrap.json",
+  "pnpm-lock.yaml",
+  "pnpm-workspace.yaml",
+  "extensions/*/npm-shrinkwrap.json",
+  "*package.json",
+  "patches",
+];
+
 function payloadFromLockfile(lockfileText) {
   return createBulkAdvisoryPayload(collectAllResolvedPackagesFromLockfile(lockfileText));
 }
@@ -175,22 +186,14 @@ export function isDependencyFile(filePath) {
   return DEPENDENCY_FILE_PATTERNS.some((pattern) => pattern.test(filePath));
 }
 
+export function dependencyDiffPathspecs() {
+  return [...DEPENDENCY_DIFF_PATHS];
+}
+
 function gitDiffDependencyFiles(baseRef, cwd) {
   const output = execFileSync(
     "git",
-    [
-      "diff",
-      "--name-status",
-      baseRef,
-      "--",
-      "package.json",
-      "package-lock.json",
-      "npm-shrinkwrap.json",
-      "pnpm-lock.yaml",
-      "pnpm-workspace.yaml",
-      "*package.json",
-      "patches",
-    ],
+    ["diff", "--name-status", baseRef, "--", ...DEPENDENCY_DIFF_PATHS],
     {
       cwd,
       encoding: "utf8",

test/scripts/dependency-changes-report.test.ts

@@ -1,6 +1,7 @@
 import { describe, expect, it } from "vitest";
 import {
   createDependencyChangesReport,
+  dependencyDiffPathspecs,
   isDependencyFile,
 } from "../../scripts/dependency-changes-report.mjs";
 
@@ -50,4 +51,8 @@ describe("dependency-changes-report", () => {
     expect(isDependencyFile("pnpm-lock.yaml")).toBe(true);
     expect(isDependencyFile("docs/gateway/security/index.md")).toBe(false);
   });
+
+  it("includes plugin shrinkwrap files in git diff pathspecs", () => {
+    expect(dependencyDiffPathspecs()).toContain("extensions/*/npm-shrinkwrap.json");
+  });
 });