Lockfile
A lockfile records the exact resolved version of every package in a dependency tree — direct and transitive — so any subsequent install reproduces the same versions. Examples: package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, Cargo.lock, Gemfile.lock, composer.lock.
Lockfiles are the unsung infrastructure of reproducible builds, and they carry a supply-chain guarantee as well: besides the version, most record where each package was resolved from and a content hash (the `resolved` and `integrity` fields in package-lock.json, for example), so an install fails if the registry serves a tarball that no longer matches what was locked. The discipline: commit the lockfile to version control, install with the lockfile-honouring command (npm ci; yarn install --frozen-lockfile for Yarn 1 or yarn install --immutable for Yarn 2+; pnpm install --frozen-lockfile), and regenerate the lockfile only via deliberate dependency updates. The common failure modes: lockfile drift between developers (one engineer's npm install regenerates with different versions than another's), lockfile not committed (which defeats the purpose), and lockfile merge conflicts in PRs resolved by accepting one side wholesale (the resolved file then matches what neither branch actually tested). A fourth is specific to review: a lockfile diff is easy to wave through, yet a changed resolved URL or integrity hash is exactly how a tampered package gets in, so lockfile changes deserve the same scrutiny as source. Modern package managers have improved on each of these (npm ci and the frozen or immutable install flags refuse to proceed when lockfile and manifest disagree), but the discipline still matters.
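Part of that review discipline can be mechanised. The following is an added example, not code from the original page or from any package manager: it audits a package-lock.json in the lockfileVersion 2/3 layout (a `packages` map whose "" root entry carries the manifest's dependency ranges) for the failure modes named above: entries with no integrity hash or a weak one, tarballs resolved from a host other than the expected registry, direct dependencies whose locked version falls outside the declared range (drift), and declared dependencies that were never locked. The sample lockfile, its versions, the mirror hostname and the integrity strings are constructed for the example; the caret/tilde range matcher handles only plain x.y.z forms and reports anything else rather than guessing.

```python
"""Audit a package-lock.json (lockfileVersion 2 or 3) for tampering and drift.
Added example; not part of npm or of the page it accompanies."""
import json
import re
import sys
from urllib.parse import urlparse

ALLOWED_HOSTS = {"registry.npmjs.org"}   # assumption: the only registry we expect
STRONG_HASH_PREFIX = "sha512-"           # npm writes sha512 SRI strings today; sha1 is legacy
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(v):
    """x.y.z only; prerelease/build tags are deliberately unsupported here."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    return tuple(int(x) for x in m.groups())


def satisfies(version, range_spec):
    """Exact, caret (^) and tilde (~) ranges, per semver's usual meaning."""
    ver = parse_version(version)
    if range_spec.startswith("^"):
        base = parse_version(range_spec[1:])
        # ^ pins the left-most non-zero component: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
        if base[0] > 0:
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
        return base <= ver < upper
    if range_spec.startswith("~"):
        base = parse_version(range_spec[1:])
        return base <= ver < (base[0], base[1] + 1, 0)   # ~1.3.0 -> >=1.3.0 <1.4.0
    if _VER.match(range_spec):
        return ver == parse_version(range_spec)
    raise ValueError(f"unsupported range syntax: {range_spec!r}")


def audit_lockfile(lock, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (package_path, problem); an empty list means clean."""
    findings = []
    packages = lock.get("packages", {})
    root = packages.get("", {})
    declared = dict(root.get("dependencies", {}))
    declared.update(root.get("devDependencies", {}))

    for path, entry in packages.items():
        if path == "" or entry.get("link"):   # skip the root and workspace symlinks
            continue
        name = path.split("node_modules/")[-1]   # handles nested and @scoped paths
        integrity = entry.get("integrity")
        if not integrity:
            findings.append((path, "no integrity hash: tarball contents are unverified on install"))
        elif not integrity.startswith(STRONG_HASH_PREFIX):
            findings.append((path, f"weak integrity algorithm {integrity.split('-', 1)[0]}"))
        host = urlparse(entry.get("resolved", "")).hostname
        if host not in allowed_hosts:
            findings.append((path, f"resolved from unexpected host {host!r}"))
        # Top-level (non-nested) direct dependencies must satisfy the manifest's range.
        if path == f"node_modules/{name}" and name in declared:
            spec = declared[name]
            try:
                ok = satisfies(entry["version"], spec)
            except ValueError as exc:
                findings.append((path, f"cannot check range: {exc}"))
            else:
                if not ok:
                    findings.append((path, f"locked {entry['version']} does not satisfy declared {spec}"))

    for name in declared:
        if f"node_modules/{name}" not in packages:
            findings.append((f"node_modules/{name}",
                             "declared in package.json but absent from lockfile (npm ci would refuse to install)"))
    return findings


# Constructed sample: one clean entry, one off-registry tarball, one unverified and
# drifted entry, and one declared dependency with no lock entry at all.
FAKE_SHA512 = "sha512-" + "A" * 86 + "=="   # placeholder, not any package's real hash
SAMPLE_LOCK = {
    "name": "example-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"lodash": "^4.17.21", "left-pad": "~1.3.0",
                              "minimist": "^1.2.8", "chalk": "^5.3.0"}},
        "node_modules/lodash": {"version": "4.17.21",
                                "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
                                "integrity": FAKE_SHA512},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "resolved": "https://mirror.example.internal/left-pad-1.3.0.tgz",
                                  "integrity": FAKE_SHA512},
        "node_modules/minimist": {"version": "0.2.4",
                                  "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.2.4.tgz"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, problem in audit_lockfile(lock):
        print(f"{path}: {problem}")
```

Run with a real lockfile path to audit it, or with no arguments to see the four findings from the constructed sample. The host allow-list is the setting to adjust for a private registry; leaving it at the public registry while the lockfile points at a mirror is itself the kind of discrepancy the check exists to surface.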
Related terms
- Dependency pinning
Dependency pinning fixes the exact version of every dependency, direct and transitive, so the same source produces the same build artefact regardless of when or where it is built. A committed lockfile is the usual mechanism; pinning exact versions in the manifest itself is the stricter alternative.
- Semantic versioning (semver)
Semantic versioning is the package-versioning convention MAJOR.MINOR.PATCH: MAJOR increments for incompatible API changes, MINOR for backwards-compatible additions, PATCH for backwards-compatible fixes. Range operators in a manifest such as ^ and ~ select a band of versions under these rules; the lockfile is what collapses that band to one concrete version.
- Software bill of materials (SBOM)
A Software Bill of Materials is a machine-readable inventory of every component, library, and dependency in a software artefact — typically in SPDX or CycloneDX format.