We've been adding npm/composer dependencies to a lot of extensions, but not necessarily been updating the .gitignore rules.
If an extension has npm dependencies, it needs to have a .gitignore with:
/node_modules
composer dependencies should have:
/composer.lock /vendor
To avoid git status thinking that the repo is not clean, etc.