Skip to content
Latchkey

What Is a Lockfile?

A lockfile is a generated file that pins the exact versions, and often the cryptographic hashes, of every direct and transitive dependency that a project resolved to. Files like package-lock.json, yarn.lock, and Cargo.lock let any machine reinstall the identical dependency tree. They make builds deterministic and protect against unexpected upstream changes.

Why it matters

Version ranges in a manifest can resolve differently from one install to the next, causing "works on my machine" bugs and supply-chain risk. A committed lockfile freezes the resolution so CI installs exactly what developers tested, and recorded hashes detect tampering.

Related concepts

  • Captures transitive dependencies, not just direct ones
  • Hashes provide integrity verification
  • Use a frozen-install mode in CI to enforce it

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →