    Add check whether yarn.lock needs to be updated · b59d1a0d
    Lukas Eipert authored
    Under certain circumstances (bad merges?) the yarn.lock file might
    contain extraneous root dependencies. This is not a security risk because
    the dependencies are simply not downloaded. However, it can be confusing
    because a `yarn install` updates `yarn.lock` locally, while a `yarn
    install --frozen-lockfile` does not fail in CI.
    
    The last time this happened was after
    https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55062
    was merged.
    
    Interestingly, a `yarn check --integrity` would fail. We already utilize
    this locally when running `yarn run jest`. This is also not executed in
    CI, because we run `yarn run jest:ci` there. Simply adding the same
    check to our `static-analysis` will solve the problem in the future.