Lock File

A lock file records the exact version of every dependency installed in your project, including transitive dependencies, and (in current npm, yarn, pnpm and bun) the URL each package was fetched from and a hash of the tarball that was downloaded. It ensures that everyone working on the project (and every deployment) uses identical package versions, preventing the 'it works on my machine' problem caused by version differences, and it lets the package manager detect a tarball that no longer matches the hash it recorded.

Example

Your package.json says 'stripe: ^4.0.0' (any version 4.x). Without a lock file, one developer might get 4.1.0 and another gets 4.2.0. The lock file pins it to exactly 4.1.3 for everyone.

Lock files are boring but essential. They prevent a whole category of bugs caused by "but it works on my machine."

Lock File Names

Package Manager | Lock File
--------------- | ----------------
npm             | package-lock.json
bun             | bun.lockb
pnpm            | pnpm-lock.yaml
yarn            | yarn.lock

Why Lock Files Exist

Without a lock file:

package.json says: "react": "^19.0.0"

Developer A installs → gets React 19.0.0
Developer B installs next week → gets React 19.1.0
Production deploys → gets React 19.2.0

Same project, three different versions. Bugs happen.

With a lock file, everyone gets the exact same version.

Lock File Rules

Always Do

  • Commit to version control: everyone needs the same lock file
  • Use one package manager: don't mix npm and yarn lock files
  • Let the tool manage it: don't edit lock files manually
  • Install from the lock file in CI and production: npm ci (or yarn install --immutable, pnpm install --frozen-lockfile, bun install --frozen-lockfile) fails instead of silently updating the lock when it disagrees with package.json

Never Do

  • Add to .gitignore: lock files must be committed
  • Delete to fix problems: this usually makes things worse, because every dependency is re-resolved to whatever is newest
  • Merge a change to the lock file without reading it: a hand-edited resolved URL or integrity hash is exactly what the lock is supposed to protect you from

When Lock Files Cause Issues

Occasionally, lock files cause merge conflicts when two branches change dependencies. Don't resolve the conflict markers by hand (npm and yarn can usually resolve them for you when you run the install command, but the safe general fix is to regenerate):

  1. Resolve the conflict in package.json first, then accept either side's lock file
  2. Delete node_modules
  3. Run npm install (or your package manager's install command) so the lock file is rebuilt from package.json
  4. Review the lock file diff (versions, resolved URLs and integrity hashes should change only for the packages you touched), then commit the regenerated lock file