Netcrook

WIKICROOK

Lockfile

A file that records exact dependency versions to make installs repeatable and less vulnerable to unexpected changes.

A lockfile is a dependency record that captures the exact versions resolved during installation, rather than leaving them open to the newest matching release. In Python projects, examples include the files generated by package managers that pin transitive dependencies as well as direct ones, so that every developer, build server, and container installs the same set of packages.

Lockfiles matter because software supply chains are often attacked through dependency changes. If a registry release is poisoned or a package is updated unexpectedly, a lockfile can prevent routine installs from silently pulling in a new, potentially malicious version. Defenders use lockfiles with version pinning and hash verification to make builds repeatable and easier to audit. Attackers, meanwhile, try to exploit projects that use floating versions, stale lockfiles, or ignored dependency changes, because those environments are more likely to accept a tainted package without notice.
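As an added example (not code from this page or from any package manager), the following Python sketch parses a pip-style lockfile that carries `--hash` pins and verifies a downloaded artifact against it, failing closed on a missing package, a version drift or a hash mismatch. The package names, versions and artifact bytes are constructed for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class LockedPackage:
    name: str
    version: str
    hashes: set[str] = field(default_factory=set)  # entries look like "sha256:<hex>"


# Exact pin only: "name==version". Floating specifiers (>=, ~=, *) are rejected.
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=(sha256:[0-9a-f]{64})")


def parse_lockfile(text: str) -> dict[str, LockedPackage]:
    """Parse pip-style lock lines ('name==ver --hash=sha256:...', with
    backslash continuations) into exact pins and their allowed hashes."""
    logical = text.replace("\\\n", " ")  # join continuation lines
    packages: dict[str, LockedPackage] = {}
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pkg = LockedPackage(m.group(1).lower(), m.group(2), set(HASH_RE.findall(line)))
        packages[pkg.name] = pkg
    return packages


def verify_artifact(lock: dict[str, LockedPackage], name: str, version: str, data: bytes) -> bool:
    """Accept an artifact only if the lockfile pins this exact version and the
    artifact's SHA-256 is one of the recorded hashes; anything else fails closed."""
    pkg = lock.get(name.lower())
    if pkg is None or pkg.version != version or not pkg.hashes:
        return False
    return "sha256:" + hashlib.sha256(data).hexdigest() in pkg.hashes


# Constructed stand-ins for a downloaded wheel and a tampered copy of it.
GOOD_WHEEL = b"constructed wheel bytes for examplepkg 1.2.0"
TAMPERED_WHEEL = GOOD_WHEEL + b" plus injected bytes"

# Constructed lockfile in pip's requirements format; the first hash is GOOD_WHEEL's.
SAMPLE_LOCKFILE = f"""\
# generated by a lockfile tool (constructed example)
examplepkg==1.2.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
otherlib==0.9.1 \\
    --hash=sha256:{'0' * 64}
"""
```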
