.lock File — Dependency Lock File

Lock files record the exact resolved versions of all dependencies (direct and transitive) in a project, ensuring that every developer and deployment environment installs identical dependency trees. While the concept is general, specific lock file formats exist for each package manager: package-lock.json (npm), yarn.lock (Yarn), pnpm-lock.yaml (pnpm), Gemfile.lock (Ruby Bundler), Pipfile.lock (Python Pipenv), poetry.lock (Python Poetry), Cargo.lock (Rust), composer.lock (PHP), and go.sum (Go modules). Lock files store resolved package versions, download URLs, integrity hashes (SHA-256/SHA-512), and the complete dependency resolution graph. They should be committed to version control for applications (ensuring reproducible builds) but are typically excluded for libraries (allowing consumers to resolve their own dependency versions). Lock files solve the problem of dependency drift — without them, different installs at different times could resolve to different versions, introducing subtle bugs and "works on my machine" issues. Lock files also serve as a security measure, as integrity hashes detect if a published package has been modified after the lock file was created. Modern lock file formats are automatically maintained by package managers.