Home

Lockfiles

A lockfile is a file produced by a package manager that records the exact versions of a project's dependencies that were installed, along with metadata needed to reproduce those installations. It serves as a snapshot of the dependency graph at a given point in time.

The primary purpose of a lockfile is to enable reproducible builds. By pinning exact versions of both

Lockfiles exist across many ecosystems. Examples include npm's package-lock.json (and npm-shrinkwrap.json in some cases), Yarn's yarn.lock,

Contents usually include resolved version numbers, package integrity checksums, resolved registry URLs, and the dependency graph.

Maintenance considerations include committing lockfiles to version control, updating them when dependencies are added or patched,

direct
and
transitive
dependencies,
it
prevents
drift
that
can
occur
when
dependencies
are
updated
upstream.
This
ensures
that
installations
on
different
machines
or
at
different
times
resolve
to
the
same
set
of
packages,
with
identical
contents
and
behavior.
Lockfiles
also
typically
include
integrity
hashes
to
verify
the
authenticity
of
downloaded
packages.
pnpm's
pnpm-lock.yaml,
Python's
Pipfile.lock
(and
poetry.lock
used
by
Poetry),
Ruby's
Gemfile.lock,
and
Rust's
Cargo.lock.
They
are
distinct
from
manifest
files
(such
as
package.json,
pyproject.toml,
or
Gemfile)
which
declare
constraints
or
desired
ranges
rather
than
the
exact
resolved
graph.
They
are
often
updated
automatically
when
installing
or
upgrading
dependencies;
in
many
pipelines
a
dedicated
command
or
flag
prevents
automatic
updates
to
enforce
reproducible
builds
(for
example,
npm
ci
or
similar
modes
in
other
tools).
and
running
tests
to
detect
issues
arising
from
upgrades.
Potential
challenges
include
merge
conflicts,
platform-specific
quirks,
and
the
need
to
refresh
lockfiles
after
security
fixes
or
major
ecosystem
changes.