Bug: plugin install can fail due to dependencies releasing incompatible versions

[mars]

It seems that plugin installation does not honor the plugin's yarn.lock, but instead installs dependencies based on the range-specifications in package.json.

This results in plugins that are not truly versioned. Two people install the same plugin versions at different times, and due to releases made by third-party dependencies, can end up with plugins that work (or fail) differently.

The example that we experienced this morning is:

sfdx plugins:install @salesforce/plugin-functions
…
Installing plugin functions...
…
error boolean@3.1.3: The engine "node" is incompatible with this module. Expected version ">= 16.7.0". Got "14.17.5"
error Found incompatible module.
    Error: yarn add @salesforce/plugin-functions@latest --non-interactive 
    --mutex=file:/home/circleci/.local/share/sfdx/yarn.lock 
    --preferred-cache-folder=/home/circleci/.cache/sfdx/yarn --check-files 

Could plugin installation be enhanced to honor a lock file when present? yarn.lock seems like the standard in oclif.