What Is a Lockfile?
A lockfile is a generated file that pins the exact versions, and often the cryptographic hashes, of every direct and transitive dependency that a project resolved to. Files like package-lock.json, yarn.lock, and Cargo.lock let any machine reinstall the identical dependency tree. They make builds deterministic and protect against unexpected upstream changes.
Why it matters
Version ranges in a manifest can resolve differently from one install to the next, causing "works on my machine" bugs and supply-chain risk. A committed lockfile freezes the resolution so CI installs exactly what developers tested, and recorded hashes detect tampering.
Related concepts
- Captures transitive dependencies, not just direct ones
- Hashes provide integrity verification
- Use a frozen-install mode in CI to enforce it
Related guides
What Is Dependency Pinning?Dependency pinning fixes dependencies to exact versions (or hashes) instead of ranges, so builds are predicta…
What Is a Transitive Dependency?A transitive dependency is one you do not require directly but pull in indirectly because a dependency of you…
What Is a Reproducible Build?A reproducible build produces bit-for-bit identical output every time from the same source, letting anyone in…