Skip to main content

Lockfile

A lockfile records the exact, resolved version of every dependency in a project — direct and transitive — so installs are reproducible and the true dependency set is auditable.

A lockfile is the machine-generated file that records the exact, resolved version of every package a project depends on — including transitive dependencies your direct dependencies pull in. Examples include package-lock.json and pnpm-lock.yaml (Node.js), poetry.lock and uv.lock (Python), Cargo.lock (Rust), and Gemfile.lock (Ruby).

How It Works

A manifest (like package.json) states version ranges you would accept; the lockfile states what was actually resolved. Committing it makes every install reproduce the same dependency tree on every machine and in CI — which is also a supply-chain control, since builds cannot silently pick up a different (possibly compromised) version.

Why It Matters

Because the lockfile is the ground truth of what a project really runs, it is the ideal scanning input: a scanner can compute drift and match vulnerability advisories from the lockfile alone, without reading any source code. Scores stamped against a lockfile at a specific commit are reproducible — the same input always yields the same answer.

Related Terms

Lockfiles feed drift metrics like DriftScore, underpin SBOM generation, and belong in version control.