From c571936e2549f762fbbc3ed21ec910dcdc66d307 Mon Sep 17 00:00:00 2001 From: Taylor Buchanan Date: Sat, 6 Jun 2026 11:36:42 -0500 Subject: [PATCH] Skip workspace specifiers in dependency Version Check The Version Check iterates every newly-added dependency from GitHub's dependency-graph compare. pnpm records both the manifest entry (version `catalog:`) and the lockfile-resolved entry (e.g. `1.4.0`). The script could not parse `catalog:` as a version and flagged it stale, so any PR adding a catalog dependency failed even when the resolved version was at latest. Skip pnpm/yarn manifest specifiers (catalog:, workspace:, link:, file:, npm: aliases, git/http URLs) before the version comparison. The resolved version is reported as a separate lockfile entry and is still checked. --- .github/workflows/dependency-review.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index b3dcc5a..5488f0d 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -48,6 +48,17 @@ jobs: stale=0 while IFS=$'\t' read -r ecosystem name version; do + # pnpm/yarn manifest specifiers (catalog:, workspace:, link:, + # file:, npm: aliases, ...) are not resolvable versions. The + # resolved version is reported as a separate lockfile entry and + # checked there, so skip the specifier to avoid false positives. + case "$version" in + catalog:*|workspace:*|link:*|file:*|npm:*|git:*|http:*|https:*) + echo "OK $ecosystem:$name@$version (manifest specifier, skipped)" + continue + ;; + esac + case "$ecosystem" in actions) # SHA pins are intentional immutable pinning.
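Review bot: the `git:*|http:*|https:*` arms of the new `case "$version"` print `OK ... (manifest specifier, skipped)` for URL dependencies, but the justification in the comment (the resolved version appears as a separate lockfile entry and is checked there) holds for `catalog:`/`workspace:`-style specifiers, not for a dependency pinned to a git or http URL, which has no registry version for the comparison to evaluate; those packages now pass unconditionally. Suggest emitting a `WARN` line (or counting them separately) for the URL arms instead of `OK`, and widening the git pattern, since `git:*` does not match the common `git+https:`, `git+ssh:` or `github:` forms, e.g. `git*:*|http:*|https:*)`. Minor: the skip runs before `case "$ecosystem"`, so it also applies to `actions` entries even though the comment describes it as pnpm/yarn-specific; either move it under the npm branch or reword the comment.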