Yes, this is a major bug in the process. I came to the comments to say this as well.
They say this but do the exact opposite, as you point out:
> The --frozen flag ensures the lock file doesn’t get updated. That’s exactly what we want because we expect the lock file to have a complete list of exact versions we want to use for all dependencies that get installed.
It's not a major bug; check my reply in: https://news.ycombinator.com/item?id=44370311