@chriskrycho
Created October 31, 2022 15:25
Node package managers and dependency updates

Yarn will avoid updating transitive dependencies if you’re not actively updating the source of the transitive dependency.

This is reasonably well-motivated: say you depend on package A, which depends on "B": "^1.0.0", and Yarn resolves B at 1.0.1. Later you install package C, which depends on "B": "^1.0.2". A's range says it is compatible with that version, but it's still possible for A to be relying on broken behavior in B 1.0.1 that got fixed in 1.0.2, so Yarn leaves the original resolution in place instead of updating it, and you just end up with two copies of B in your dependency graph: A uses the original and C uses a new one.

That is broadly preferable for Node-side applications, because it means you can control it by explicitly upgrading A or even A’s version of B, but it never happens implicitly.

To work around it in cases like this, you can volta install yarn-deduplicate and then run yarn-deduplicate in your repo, and that will usually clear out issues like this as long as the original dependency version range is actually compatible with the new one.
