
Lock Files Considered Harmful | Lobsters

submitted by Style Pass, 2024-12-29 08:00:02

The author derides lock files as a “crutch”, but what the author wants – a list of dependency references which will always resolve to the same set of bytes – is literally what lock files provide. It’s not that dependency resolvers are commonly nondeterministic, it’s that developers generally don’t hand-specify the exact precise pinned-version-and-artifact-checksum style of reference needed to achieve that. The point of a lock file is to turn the less-precise human-specified dependency into a reference that can yield repeatable/reproducible installs.

For example, if I tell Python’s pip to install “django” I will get Django 5.1.4. But if I run the same pip command in a month or so (Django does monthly bugfix releases), it will resolve a different artifact because in the absence of a more precise specifier it will default to whatever is the latest version (which, at some point in January, will likely be 5.1.5).

If I want to ensure that I reproducibly always get exactly precisely the same Django 5.1.4 artifact I downloaded when I specified “django” today, I need to actually tell pip that’s what I want:
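The pinned, hash-checked reference the comment is describing, as an added toy model (example code, not from the thread and not pip's own implementation): a constructed package index, a bare requirement that resolves to whatever is newest, and a lock line that keeps resolving to the same bytes and refuses anything else. `INDEX_TODAY`, `INDEX_NEXT_MONTH` and `install_from_lock` are this example's own names; the artifact bytes are placeholders, not real Django releases.

```python
"""Toy lock file: a bare "django" requirement drifts with the index, while a
pinned-version-plus-sha256 line keeps yielding the same bytes. The index and
artifact bytes are constructed stand-ins, so the hashes are placeholders."""
import hashlib
import hmac
from typing import Dict, List, Tuple

Index = Dict[str, List[Tuple[str, bytes]]]  # name -> [(version, artifact bytes)]

# Constructed index as it might look today and after one monthly bugfix release.
INDEX_TODAY: Index = {"django": [("5.1.4", b"constructed wheel bytes 5.1.4")]}
INDEX_NEXT_MONTH: Index = {
    "django": INDEX_TODAY["django"] + [("5.1.5", b"constructed wheel bytes 5.1.5")]
}


def _version_key(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def resolve_latest(index: Index, name: str) -> Tuple[str, bytes]:
    """What a bare `pip install django` does: take the newest version on the index."""
    return max(index[name], key=lambda entry: _version_key(entry[0]))


def lock_line(name: str, version: str, data: bytes) -> str:
    """Pinned form in pip requirements syntax: exact version plus a sha256 hash."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


def parse_lock_line(line: str) -> Tuple[str, str, str]:
    requirement, _, digest = line.partition(" --hash=sha256:")
    name, _, version = requirement.partition("==")
    return name, version, digest


def install_from_lock(index: Index, line: str) -> bytes:
    """Fetch exactly the locked version and refuse anything whose bytes differ."""
    name, version, expected = parse_lock_line(line)
    candidates = [data for ver, data in index[name] if ver == version]
    if not candidates:
        raise LookupError(f"{name}=={version} is no longer on the index")
    data = candidates[0]
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        raise ValueError(f"hash mismatch for {name}=={version}")
    return data


if __name__ == "__main__":
    version, data = resolve_latest(INDEX_TODAY, "django")
    locked = lock_line("django", version, data)
    print(locked)
    print("unpinned next month:", resolve_latest(INDEX_NEXT_MONTH, "django")[0])
    print("locked next month:  ", parse_lock_line(locked)[1])
```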
