Skip to content
Latchkey

buf "buf.lock is out of date" (buf dep update) in CI

buf compares buf.lock against the dependencies declared in buf.yaml. When a dep was added, removed, or bumped without relocking, the lock is out of date and a locked/verified command fails.

What this error means

buf fails with "buf.lock is out of date" or reports that a declared dependency is missing from (or extra in) buf.lock, typically in a check step.

buf
Failure: buf.lock is out of date with buf.yaml: dependency
"buf.build/googleapis/googleapis" is declared but not locked.
Run "buf dep update".

Common causes

A dependency changed without relocking

You edited buf.yaml deps but did not run buf dep update, so buf.lock no longer reflects the declared set.

buf.lock was not committed

The lock updated locally but the change was left out of the commit, so CI sees a stale lock.

How to fix it

Relock and commit

  1. Run buf dep update to bring buf.lock in sync with buf.yaml.
  2. Commit the updated buf.lock.
  3. Push so the locked command passes in CI.
Terminal
buf dep update
git add buf.lock && git commit -m "update buf.lock"

Gate lock consistency in CI

Regenerate the lock and fail if it changes, so a stale lock is caught at review time.

Terminal
buf dep update
git diff --exit-code buf.lock

How to prevent it

  • Run buf dep update on every dependency change.
  • Commit buf.lock alongside the buf.yaml edit.
  • Add a buf.lock diff check to CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →