Identifying a package's closure

I have a NixOS config that disallows non-source packages that aren’t kernel firmware (with an explicit exclusion list, finalNonSourcePackageNames):

  nixpkgs.config = {
    allowNonSource = false;
    allowNonSourcePredicate =
      pkg:
      lib.elem (lib.getName pkg) cfg.finalNonSourcePackageNames
      || lib.all (
        provenance:
        provenance.isSource
        || provenance == lib.sourceTypes.binaryFirmware && config.hardware.enableRedistributableFirmware
      ) pkg.meta.sourceProvenance;
  };

This was working simply enough until recently, as fetchNupkg in nixpkgs was changed (in be577a25f468db75c2927d65e6d16473dc25c3e2) to specify that it downloads binary blobs.

Unfortunately every single little dependency of any dotnet package is considered a separate package, so adding everything manually to the exclusion list is a bit onerous.

How would I go about getting a certain package’s closure so I can add it to the exclusion list?

I only use a couple of dotnet packages, so excluding them is simple enough if I can come up with a general concept.

I gave up and just reverted the nixpkgs commit in question.