Lax dependency version handling is causing unnecessary lockfile updates

[peralmq]

We have @aws-crypto/sha256-js as a transient dependency and since it's package.json.dependencies are locked to update on any "minor" our lockfile (yarn.lock) keeps getting updated anytime we do yarn install.

I.e. https://github.com/elsaapp/aws-sdk-js-crypto-helpers/blob/61ed3814c1f11a9531bc75e394cfc651be2770a8/packages/sha256-js/package.json#L25-L26

"@aws-sdk/types": "^3.222.0",
"tslib": "^2.6.2"

As far as I can tell this repository doesn't make direct use of the automatic "minor" updates so I'm hoping that we can be stricter and either:

1. change from "minor" to "patch" version, i.e. ^ to ~
2. use exact versioning

[peralmq]

The last time that package.json was updated it was updated like this da43dc0#diff-d688b9781000c65d64e8ec51a60185ff0268824b836391c6b93507db8f71a966L24 so it looks like you're already updating the types manually on a "minor" level when needed.

[texastony]

@peralmq we have merged a fix, but you probably need us to push out a new release of this package before you can benefit from this.

I am re-opening this issue and labeling it as pending release.