It appears that yarn.lock resolves exactly one hash version of a package for one semver version of it. What happens when your project depends on packages A and B, which both depend on the same semver version, but due to manipulation by the author, rely on different hash versions?
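A lockfile check for the situation the question describes: it groups yarn.lock v1 entries by package name and resolved version and reports any group that carries more than one distinct hash. This is an added example, not part of the original post; the sample lockfile, hosts, package names and hashes are constructed, and the function names are hypothetical.

```javascript
// Constructed yarn.lock v1 sample; hosts, packages and hashes are made up.
const SAMPLE_LOCK = `# yarn lockfile v1

"left-pad@^1.3.0":
  version "1.3.0"
  resolved "https://registry.example/left-pad/-/left-pad-1.3.0.tgz#aaaa"
  integrity sha512-AAAA

"left-pad@https://mirror.example/left-pad-1.3.0.tgz":
  version "1.3.0"
  resolved "https://mirror.example/left-pad-1.3.0.tgz#bbbb"
  integrity sha512-BBBB

"@scope/util@^2.0.0", "@scope/util@^2.1.0":
  version "2.1.0"
  integrity sha512-CCCC
  dependencies:
    left-pad "^1.3.0"
`;
// Parse top-level entries: a header line of specs, then two-space "key value" fields.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      // Name ends at the first "@" after index 0, so scoped names survive.
      current = { name: specs[0].slice(0, specs[0].indexOf("@", 1)), specs, fields: {} };
      entries.push(current);
      continue;
    }
    const m = /^ {2}(\S+) "?(.*?)"?$/.exec(line); // skips nested dependency blocks
    if (m && current) current.fields[m[1]] = m[2];
  }
  return entries;
}
// Group by name@version and report any group with more than one distinct hash.
function findHashConflicts(entries) {
  const seen = new Map();
  for (const e of entries) {
    const id = `${e.name}@${e.fields.version}`;
    const hash = e.fields.integrity || (e.fields.resolved || "").split("#")[1] || "(none)";
    if (!seen.has(id)) seen.set(id, new Set());
    seen.get(id).add(hash);
  }
  return [...seen].filter(([, h]) => h.size > 1).map(([id, h]) => ({ id, hashes: [...h].sort() }));
}
console.log(findHashConflicts(parseYarnLockV1(SAMPLE_LOCK)));
```

Run against a real lockfile by reading it with `fs.readFileSync(path, "utf8")` and failing the CI job when the returned array is non-empty.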