yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

package.json resolutions is not respected for dependent packages #7682

Open SteveShaffer opened 5 years ago

SteveShaffer commented 5 years ago

What is the current behavior?

The package.json resolutions section appears not to be respected for dependent packages or something like that. This is causing issues like https://github.com/justadudewhohacks/face-api.js/issues/455 in repos that rely on older versions of packages that reportedly don't manifest when using npm to install dependencies (something I can't do though with a yarn monorepo).

Reproducible steps

  1. Create a project with this in its package.json:
    {
      "name": "yarn-resolutions",
      "version": "1.0.0",
      "main": "index.js",
      "license": "MIT",
      "dependencies": {
        "face-api.js": "^0.21.0",
        "@tensorflow/tfjs-core": "1.2.9",
        "@tensorflow/tfjs-node": "1.2.9"
      },
      "resolutions": {
        "tfjs-image-recognition-base/@tensorflow/tfjs-core": "1.2.9"
      }
    }
  2. Run yarn

What is the expected behavior?

In yarn.lock (and in the node_modules of the tfjs-image-recognition-base package) we see @tensorflow/tfjs-core is resolved to v1.2.9

Actual behavior

In yarn.lock (and in the node_modules of the tfjs-image-recognition-base package) we see @tensorflow/tfjs-core is resolved to v1.3.1 (per the dependency's package.json which says ~1.2.9)

Please mention your node.js, yarn and operating system version.

node: v12.13.0
yarn: 1.19.1
OS: macOS High Sierra 10.13.6

Workarounds

Manually editing yarn.lock to change the "@tensorflow/tfjs-core@^1.2.9": section to match the "@tensorflow/tfjs-core@1.2.9": section appears to fix the issue.

bondar-pavel commented 4 years ago

Are there any plans on fixing it? I am affected by this issue, and it looks like many folks here are as well: https://github.com/justadudewhohacks/face-api.js/issues/455

The workaround works for me, so I end up manually editing yarn.lock to fix the build each time something changes in package.json.
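
Added example, not part of the issue thread or of yarn's own code: a CI-style check that reads the package.json resolutions and a yarn.lock v1 file and reports every lock entry for a pinned package that resolved to a different version, which is the state reported in this issue. It assumes exact-version pins and ignores the parent part of the resolutions key; `pinnedName`, `parseLock`, `findViolations` and the `example-dep` entry are hypothetical.

```javascript
'use strict';
// Pinned package = last path segment of the resolutions key, plus its @scope.
// Assumption: parent scoping is ignored and pins are exact versions, as on this page.
function pinnedName(pattern) {
  const parts = pattern.split('/');
  const last = parts.pop();
  const prev = parts[parts.length - 1];
  return prev && prev.startsWith('@') ? `${prev}/${last}` : last;
}

// Minimal yarn.lock v1 reader: one { specs, version } object per entry.
function parseLock(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      entries.push({ specs, version: null });
    } else if (entries.length) {
      const m = /^  version "([^"]+)"$/.exec(line);
      if (m) entries[entries.length - 1].version = m[1];
    }
  }
  return entries;
}

// Every lock entry for a pinned package whose locked version differs from the pin.
function findViolations(pkgJson, lockText) {
  const pins = new Map(Object.entries(pkgJson.resolutions || {})
    .map(([pattern, version]) => [pinnedName(pattern), version]));
  const out = [];
  for (const { specs, version } of parseLock(lockText)) {
    for (const spec of specs) {
      const name = spec.slice(0, spec.lastIndexOf('@'));
      if (pins.has(name) && pins.get(name) !== version) {
        out.push({ spec, locked: version, pinned: pins.get(name) });
      }
    }
  }
  return out;
}

// Constructed sample reproducing the state reported above (not a real lockfile).
const SAMPLE_PKG = { resolutions: { 'tfjs-image-recognition-base/@tensorflow/tfjs-core': '1.2.9' } };
const SAMPLE_LOCK = [
  '"@tensorflow/tfjs-core@1.2.9":', '  version "1.2.9"', '',
  '"@tensorflow/tfjs-core@^1.2.9":', '  version "1.3.1"', '',
  'example-dep@^1.0.0:', '  version "1.0.0"', '  dependencies:', '    "@tensorflow/tfjs-core" "^1.2.9"',
].join('\n');
console.log(findViolations(SAMPLE_PKG, SAMPLE_LOCK));
```

Running it against the real package.json and yarn.lock after each install turns a silently ignored pin into a failed build, so the manual lockfile edit is not forgotten.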