package.json resolutions is not respected for dependent packages

[SteveShaffer]

What is the current behavior?

The package.json resolutions section appears not to be respected for dependent packages or something like that. This is causing issues like justadudewhohacks/face-api.js#455 in repos that rely on older versions of packages that reportedly don't manifest when using npm to install dependencies (something I can't do though with a yarn monorepo).

Reproducible steps

1. Create a project with this in its package.json:

{
  "name": "yarn-resolutions",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "face-api.js": "^0.21.0",
    "@tensorflow/tfjs-core": "1.2.9",
    "@tensorflow/tfjs-node": "1.2.9"
  },
  "resolutions": {
    "tfjs-image-recognition-base/@tensorflow/tfjs-core": "1.2.9"
  }
}

2. Run yarn

What is the expected behavior?
In yarn.lock (and in the node_modules of the tfjs-image-recognition-base package) we see @tensorflow/tfjs-core is resolved to v1.2.9

Actual behavior
In yarn.lock (and in the node_modules of the tfjs-image-recognition-base package) we see @tensorflow/tfjs-core is resolved to v1.3.1 (per the dependency's package.json which says ~1.2.9)

Please mention your node.js, yarn and operating system version.
node: v12.13.0
yarn: 1.19.1
OS: macOS High Sierra 10.13.6

Workarounds
Manually editing yarn.lock to change the "@tensorflow/tfjs-core@^1.2.9": section to match the "@tensorflow/tfjs-core@1.2.9": section appears to fix the issue.

[bondar-pavel]

Is there any plans on fixing it?
I am affected by this issue and looks like many folks here as well: justadudewhohacks/face-api.js#455

Workaround works for me, so I end up with manually editing yarn.lock to fix the build each time something changes in package.json