Lockfile
A lockfile is an automatically generated file that records the exact resolved version of every direct and transitive dependency in your project. When you run npm install for the first time (with no lockfile present), npm resolves each version range in package.json to the newest version that satisfies it and writes those choices to package-lock.json. The next time anyone installs — on a different machine or in CI — npm reads the lockfile and installs those exact same versions instead of resolving the ranges again.
Why lockfiles matter for security
Without a lockfile, two developers running npm install on the same project on different days might get different transitive dependency versions — because a new version of a transitive package was published between the two installs. One version might be vulnerable, the other not.
With a lockfile committed to your repo, everyone gets the same versions. Your CI environment and your local machine match. Dependency changes are explicit and reviewable in git diffs.
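The checks described above, as an added example that is not part of the original page or of PackageFix: a small Node script that reads a package-lock.json in the lockfileVersion 3 layout (a flat "packages" map keyed by node_modules path) and its package.json, lists every resolved package including transitives, reports manifest entries the lock no longer matches (the drift that makes npm ci fail), and flags entries without an integrity hash or resolved from outside the expected registry. The manifest, lockfile and registry URL are constructed sample data; the integrity string is a labelled placeholder, not a real hash.

```javascript
// Added example, not from the original page or the PackageFix tool.
// Audits a lockfileVersion 2/3 package-lock.json ("packages" map) against package.json.
const REGISTRY = "https://registry.npmjs.org/"; // assumed default registry

// Constructed sample manifest: version ranges, no exact pins.
const manifest = {
  name: "demo-app",
  dependencies: { "left-pad": "^1.3.0", lodash: "^4.17.0" },
};

// Constructed sample lockfile. Deliberate problems for the audit to catch:
// lodash is missing from the lock root, and "debug" has no integrity hash
// and was resolved from a tarball URL off the registry.
const lock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-pad": "^1.3.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH",
      dependencies: { debug: "^4.0.0" },
    },
    "node_modules/debug": {
      version: "4.3.4",
      resolved: "https://example.invalid/mirror/debug-4.3.4.tgz",
    },
  },
};

// "node_modules/@scope/a/node_modules/b" -> "b"; "node_modules/@scope/a" -> "@scope/a"
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Every installed package in the lock, transitive ones included (root "" excluded).
function resolvedPackages(lockfile) {
  const out = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;
    out.push({
      name: packageName(path),
      version: entry.version,
      resolved: entry.resolved,
      integrity: entry.integrity,
    });
  }
  return out;
}

// Manifest entries the lock root does not record, or records with a different range.
function manifestDrift(manifestJson, lockfile) {
  const root = (lockfile.packages || {})[""] || {};
  const locked = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const wanted = { ...(manifestJson.dependencies || {}), ...(manifestJson.devDependencies || {}) };
  const drift = [];
  for (const [name, range] of Object.entries(wanted)) {
    if (!(name in locked)) drift.push({ name, reason: "missing from lockfile" });
    else if (locked[name] !== range)
      drift.push({ name, reason: `range changed: lock has ${locked[name]}, manifest has ${range}` });
  }
  return drift;
}

// Entries that npm could not verify (no integrity) or that point outside the registry.
function integrityFindings(lockfile, registry = REGISTRY) {
  const findings = [];
  for (const pkg of resolvedPackages(lockfile)) {
    if (!pkg.integrity)
      findings.push({ name: pkg.name, version: pkg.version, reason: "no integrity hash" });
    if (pkg.resolved && !pkg.resolved.startsWith(registry))
      findings.push({ name: pkg.name, version: pkg.version, reason: `resolved outside registry: ${pkg.resolved}` });
  }
  return findings;
}

function audit(manifestJson, lockfile) {
  return {
    packages: resolvedPackages(lockfile),
    drift: manifestDrift(manifestJson, lockfile),
    findings: integrityFindings(lockfile),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(audit(manifest, lock), null, 2));
}
```

Run it against a real project by replacing the two constructed objects with JSON.parse of the files on disk. The drift check is the same condition npm ci enforces before installing; the integrity and registry checks are what make a committed lockfile reviewable in a git diff, since a new entry without an integrity field or with an unfamiliar resolved URL stands out.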
Lockfiles by ecosystem
- npm — package-lock.json
- yarn — yarn.lock
- Python/pip — no official lockfile from pip; use poetry.lock (Poetry) or pip freeze > requirements.txt
- Python/Poetry — poetry.lock
- Ruby — Gemfile.lock
- PHP — composer.lock
- Go — go.sum
- Rust — Cargo.lock
- Java/Maven — no standard lockfile; effective POM + dependency tree
Always commit your lockfile
Some projects have .gitignore entries that exclude lockfiles — this is almost always a mistake. The lockfile is critical for reproducible builds and security scanning. PackageFix can scan transitive dependencies when you provide the lockfile alongside your manifest — drop both files into the scanner for the most complete vulnerability coverage.
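A way to catch the .gitignore mistake above before it reaches CI, as an added example that is not part of the original page or of PackageFix: the script below parses a .gitignore and reports which of the well-known lockfiles from the list above it would exclude. It implements only a small subset of gitignore semantics (basename patterns, `*`, `?` and `**` globs, `/`-anchored patterns, `!` negation, with last matching rule winning; directory-only rules ending in `/` are skipped because they cannot match a file). The .gitignore text in the usage is constructed sample input.

```javascript
// Added example, not from the original page or the PackageFix tool.
// Reports lockfiles that a .gitignore would keep out of the repository.
const KNOWN_LOCKFILES = [
  "package-lock.json", "yarn.lock", "poetry.lock", "Gemfile.lock",
  "composer.lock", "go.sum", "Cargo.lock",
];

// Convert one gitignore glob into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped
    .replace(/\*\*/g, "\u0000")   // protect ** before handling single *
    .replace(/\*/g, "[^/]*")
    .replace(/\?/g, "[^/]")
    .replace(/\u0000/g, ".*");
  return new RegExp(`^${body}$`);
}

// Parse .gitignore text into ordered rules (simplified subset of git's syntax).
function parseGitignore(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    let line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    let negate = false;
    if (line.startsWith("!")) { negate = true; line = line.slice(1); }
    if (line.endsWith("/")) continue; // directory-only rule; never matches a file
    const anchored = line.startsWith("/");
    if (anchored) line = line.slice(1);
    // A pattern containing a slash is matched against the full relative path;
    // otherwise it matches the basename at any depth.
    const onFullPath = anchored || line.includes("/");
    rules.push({ negate, onFullPath, re: globToRegExp(line) });
  }
  return rules;
}

// Last matching rule decides, as in git.
function isIgnored(rules, relPath) {
  const base = relPath.split("/").pop();
  let ignored = false;
  for (const r of rules) {
    if (r.re.test(r.onFullPath ? relPath : base)) ignored = !r.negate;
  }
  return ignored;
}

function ignoredLockfiles(gitignoreText, candidates = KNOWN_LOCKFILES) {
  const rules = parseGitignore(gitignoreText);
  return candidates.filter((f) => isIgnored(rules, f));
}

// Constructed sample .gitignore: a blanket *.lock rule with one re-include.
const SAMPLE_GITIGNORE = [
  "# build output",
  "node_modules/",
  "*.lock",
  "!Cargo.lock",
  "package-lock.json",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const hits = ignoredLockfiles(SAMPLE_GITIGNORE);
  if (hits.length) console.log("lockfiles excluded by .gitignore:", hits.join(", "));
  else console.log("no known lockfiles are ignored");
}
```

Wire this into a pre-commit hook or a CI step and fail the build when it reports anything. For the authoritative answer on a specific path, git check-ignore -v gives the rule that matched using git's full semantics; this script is for a quick, dependency-free sweep over the lockfile names a project should be committing.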
Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.