From f9ac92d1ccfcd67ad6b82a3343e1dff0ece95ebf Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Fri, 24 Apr 2026 19:15:12 -0700
Subject: [PATCH] fix(deps): keep plugin ownership records live (#71331)

---
 scripts/sbom-risk-report.mjs          |  8 +++-
 test/scripts/sbom-risk-report.test.ts | 58 +++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/scripts/sbom-risk-report.mjs b/scripts/sbom-risk-report.mjs
index 5b3760ac926..2d27bd793de 100644
--- a/scripts/sbom-risk-report.mjs
+++ b/scripts/sbom-risk-report.mjs
@@ -184,13 +184,17 @@ export function collectSbomRiskReport(params = {}) {
     return left.importer.localeCompare(right.importer);
   });
-  const rootDependencyNames = new Set(rootDependencies.map((dependency) => dependency.name));
+  const workspaceDependencyNames = new Set(
+    Object.values(lockfile.importers ?? {}).flatMap((record) =>
+      normalizeDependencies(record).map((dependency) => dependency.name),
+    ),
+  );
   const ownershipGaps = rootDependencies
     .filter((dependency) => !ownershipFor(dependencyOwnership, dependency.name))
     .map((dependency) => dependency.name)
     .toSorted(compareStrings);
   const staleOwnershipRecords = Object.keys(dependencyOwnership.dependencies ?? {})
-    .filter((name) => !rootDependencyNames.has(name))
+    .filter((name) => !workspaceDependencyNames.has(name))
     .toSorted(compareStrings);
   const ownershipWarnings = rootDependencyRows
     .filter(
diff --git a/test/scripts/sbom-risk-report.test.ts b/test/scripts/sbom-risk-report.test.ts
index 7925254dc30..dd9d7cfef7d 100644
--- a/test/scripts/sbom-risk-report.test.ts
+++ b/test/scripts/sbom-risk-report.test.ts
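Review bot: The stale-record check now spans every pnpm importer, but `ownershipGaps` a few lines below still filters only `rootDependencies`, so a dependency declared under an extension importer (the `extensions/web-readability` case the new test exercises) that has no entry in `dependencyOwnership` is neither a gap nor stale and drops out of the report silently. If plugin dependencies are meant to require an owner, the gap check should draw from the same set, e.g. `const ownershipGaps = [...workspaceDependencyNames].filter((name) => !ownershipFor(dependencyOwnership, name)).toSorted(compareStrings);` — whether that also pulls in dev or optional dependencies depends on what `normalizeDependencies` returns, which is not visible here. If the asymmetry is deliberate, a comment on the `workspaceDependencyNames` declaration stating that stale detection is workspace-wide while gap detection stays root-only would spare the next reader the same question. `collectSbomRiskReport` starts and ends outside this hunk.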
@@ -118,4 +118,62 @@ snapshots:
       "root dependency 'missing-owner' is missing from scripts/lib/dependency-ownership.json",
     ]);
   });
+
+  it("does not mark plugin importer dependencies as stale ownership records", () => {
+    const repoRoot = makeTempRepo();
+    writeRepoFile(
+      repoRoot,
+      "package.json",
+      JSON.stringify({
+        dependencies: {
+          "core-lib": "1.0.0",
+        },
+      }),
+    );
+    writeRepoFile(
+      repoRoot,
+      "pnpm-lock.yaml",
+      `
+lockfileVersion: '9.0'
+importers:
+  .:
+    dependencies:
+      core-lib:
+        specifier: 1.0.0
+        version: 1.0.0
+  extensions/web-readability:
+    dependencies:
+      plugin-readable:
+        specifier: 2.0.0
+        version: 2.0.0
+packages:
+  core-lib@1.0.0: {}
+  plugin-readable@2.0.0: {}
+snapshots:
+  core-lib@1.0.0: {}
+  plugin-readable@2.0.0: {}
+`,
+    );
+    writeRepoFile(
+      repoRoot,
+      "scripts/lib/dependency-ownership.json",
+      JSON.stringify({
+        schemaVersion: 1,
+        dependencies: {
+          "core-lib": { owner: "core:test", class: "core-runtime", risk: ["network"] },
+          "plugin-readable": {
+            owner: "plugin:web-readability",
+            class: "plugin-runtime",
+            risk: ["html"],
+          },
+          "removed-lib": { owner: "core:test", class: "core-runtime", risk: ["unused"] },
+        },
+      }),
+    );
+
+    const report = collectSbomRiskReport({ repoRoot });
+
+    expect(report.ownershipGaps).toEqual([]);
+    expect(report.staleOwnershipRecords).toEqual(["removed-lib"]);
+  });
 });
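Review bot: The new test pins only the owned-plugin path: `plugin-readable` has an ownership record, so `expect(report.ownershipGaps).toEqual([])` cannot tell whether an extension importer dependency without a record would be reported as a gap or silently dropped. A companion case that omits the `plugin-readable` entry from `scripts/lib/dependency-ownership.json` and asserts the intended `ownershipGaps` value would lock that behaviour in alongside the stale-record fix. The `describe` block enclosing this `it` starts outside the hunk.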