yarn install --frozen-lockfile does not install according to lockfile

Created on 21 Feb 2018 · 3 Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug? __bug__

What is the current behavior?
When using a yarn workspace, when a module's dependency is updated (say it was depending on @angular/common 5.2.3 and was updated to @angular/common 5.2.5) and the lockfile at the workspace level says @angular/common 5.2.3, when we run yarn install --frozen-lockfile, no errors are reported and the installed version of @angular/common is 5.2.5.

It also happens with local file dependencies. Say there is a local dependency on the module foo, and foo depends on @angular/common 5.2.3 and our yarn.lock file also says that. If we update foo's dependency on @angular/common to 5.2.5, then run yarn install --frozen-lockfile and check the @angular/common that is installed, it will be 5.2.5 instead of 5.2.3.

If the current behavior is a bug, please provide the steps to reproduce.
https://github.com/rongduan-zhu/yarn-workspace

  1. Clone the repo
  2. Check yarn.lock file says "@angular/[email protected]"
  3. Run yarn install --frozen-lockfile
  4. Check node_modules/@angular/common/package.json, it will say 5.2.5

For the second scenario, please use the branch local-files

What is the expected behavior?
Same as the non-workspace scenario: yarn install will error out and say the lockfile needs to be updated.

Please mention your node.js, yarn and operating system version.
Node: 9.4.0
yarn: 1.3.2
OS: Windows 10

triaged

All 3 comments

Bump

I'd like to see this addressed as well.

I found the same problem with 1.3.2 and 1.7.0: using workspaces and yarn install --frozen-lockfile results in no updates to yarn.lock.
This is really easy to reproduce.
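
A post-install check for the drift this issue describes, as an added example that is not code from the issue or from yarn: it parses a v1 yarn.lock and compares the pinned versions with the package.json files hoisted into node_modules. The function names and the fixture are constructed for illustration, and only the top-level node_modules directory is walked.

```javascript
const fs = require('node:fs');
const path = require('node:path');

// Parse yarn.lock (v1) text into Map<package name, Set<locked versions>>.
function lockedVersions(lockText) {
  const locked = new Map();
  let names = [];
  for (const line of lockText.split(/\r?\n/)) {
    const version = /^  version "(.+)"$/.exec(line);
    if (/^[^\s#].*:$/.test(line)) { // entry header, may list several specs
      names = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''))
        .map((spec) => spec.slice(0, spec.indexOf('@', 1))); // keep a scope '@'
    } else if (version) {
      for (const n of names) locked.set(n, (locked.get(n) || new Set()).add(version[1]));
    }
  }
  return locked;
}

// Report hoisted packages whose installed version is not pinned in yarn.lock (unlocked names are skipped).
function findDrift(root) {
  const locked = lockedVersions(fs.readFileSync(path.join(root, 'yarn.lock'), 'utf8'));
  const nm = path.join(root, 'node_modules');
  const drift = [];
  for (const entry of fs.readdirSync(nm)) {
    const dirs = !entry.startsWith('@') ? [entry]
      : fs.readdirSync(path.join(nm, entry)).map((d) => path.join(entry, d));
    for (const dir of dirs) {
      const manifest = path.join(nm, dir, 'package.json');
      if (!fs.existsSync(manifest)) continue;
      const { name, version } = JSON.parse(fs.readFileSync(manifest, 'utf8'));
      const pinned = locked.get(name);
      if (pinned && !pinned.has(version)) drift.push({ name, installed: version, locked: [...pinned] });
    }
  }
  return drift;
}

// Constructed fixture mirroring the report: lockfile pins 5.2.3, 5.2.5 is installed.
function demo() {
  const root = fs.mkdtempSync(path.join(require('node:os').tmpdir(), 'lock-drift-'));
  const put = (rel, text) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), text);
  };
  put('yarn.lock', '# yarn lockfile v1\n\n"@angular/common@5.2.3":\n  version "5.2.3"\n\ntslib@^1.7.1:\n  version "1.9.0"\n');
  put('node_modules/@angular/common/package.json', '{"name":"@angular/common","version":"5.2.5"}');
  put('node_modules/tslib/package.json', '{"name":"tslib","version":"1.9.0"}');
  return findDrift(root);
}
```

In CI, calling `findDrift(process.cwd())` after the install step and failing the job on a non-empty result catches the mismatch even when the install itself reports no error.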
