In order to get consistent installs across machines, Yarn needs more information than the dependencies you configure in your package.json. Yarn needs to store exactly which versions of each dependency were installed.
To do this Yarn uses a yarn.lock file in the root of your project. These “lockfiles” look like this:

    # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
    # yarn lockfile v1


    package-1@^1.0.0:
      version "1.0.3"
      resolved "https://registry.npmjs.org/package-1/-/package-1-1.0.3.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"

    package-2@^2.0.0:
      version "2.0.1"
      resolved "https://registry.npmjs.org/package-2/-/package-2-2.0.1.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
      dependencies:
        package-4 "^4.0.0"

    package-3@^3.0.0:
      version "3.1.9"
      resolved "https://registry.npmjs.org/package-3/-/package-3-3.1.9.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
      dependencies:
        package-4 "^4.5.0"

    package-4@^4.0.0, package-4@^4.5.0:
      version "4.6.3"
      resolved "https://registry.npmjs.org/package-4/-/package-4-4.6.3.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"

This is comparable to lockfiles in other package managers like Bundler or Cargo. It’s similar to npm’s npm-shrinkwrap.json; however, it’s not lossy and it creates reproducible results.
Managed by Yarn
Your yarn.lock file is auto-generated and should be handled entirely by Yarn. As you add/upgrade/remove dependencies with the Yarn CLI, it will automatically update your yarn.lock file. Do not edit this file directly as it is easy to break something.
Current package only
During install, Yarn will only use the top-level yarn.lock file and will ignore any yarn.lock files that exist within dependencies. The top-level yarn.lock file includes everything Yarn needs to lock the versions of all packages in the entire dependency tree.
Check into source control
All yarn.lock files should be checked into source control (e.g. git or mercurial). This allows Yarn to install the same exact dependency tree across all machines, whether it be your coworker’s laptop or a CI server.
Framework and library authors should also check yarn.lock into source control. Don’t worry about publishing the yarn.lock file as it won’t have any effect on users of the library.
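
Because the committed yarn.lock records a version and a resolved URL for every package, it can be checked in code review or CI. The following added example (not part of Yarn or its documentation) parses the v1 format shown above and flags entries whose resolved URL is not HTTPS, points at a host outside an allowlist, or names a tarball that does not match the version field; the function names, the allowlist and the sample lockfile are assumptions made for illustration.

```javascript
// Added example. ALLOWED_HOSTS is an assumption: list the registries you use.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org', 'registry.yarnpkg.com']);

// Parse v1 entries into { specs, version, resolved }; other fields are ignored.
function parseYarnLockV1(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Entry header, e.g.  package-4@^4.0.0, package-4@^4.5.0:
      const specs = line.replace(/:\s*$/, '').replace(/"/g, '').split(/,\s*/);
      entries.push({ specs, version: null, resolved: null });
      continue;
    }
    const m = /^ {2}(version|resolved) "(.*)"$/.exec(line);
    if (m && entries.length) entries[entries.length - 1][m[1]] = m[2];
  }
  return entries;
}

// Return one finding per problem; an empty array means nothing was flagged.
function auditLockfile(text) {
  const findings = [];
  for (const { specs, version, resolved } of parseYarnLockV1(text)) {
    const flag = (msg) => findings.push(`${specs[0]}: ${msg}`);
    if (!version || !resolved) { flag('missing version or resolved'); continue; }
    let url;
    try { url = new URL(resolved); } catch { flag('unparsable resolved URL'); continue; }
    if (url.protocol !== 'https:') flag(`scheme is ${url.protocol} not https:`);
    if (!ALLOWED_HOSTS.has(url.hostname)) flag(`unexpected host ${url.hostname}`);
    // npm registry tarballs end in -<version>.tgz; a mismatch needs a manual look.
    if (!url.pathname.endsWith(`-${version}.tgz`)) flag(`tarball does not match version ${version}`);
  }
  return findings;
}

// Constructed sample: one clean entry, one raising three findings (placeholder host).
const SAMPLE = `# yarn lockfile v1
package-1@^1.0.0:
  version "1.0.3"
  resolved "https://registry.npmjs.org/package-1/-/package-1-1.0.3.tgz#0000"

package-4@^4.0.0, package-4@^4.5.0:
  version "4.6.3"
  resolved "http://example.invalid/package-4/-/package-4-2.6.3.tgz#0000"
  dependencies:
    package-9 "^1.0.0"
`;
console.log(auditLockfile(SAMPLE));
```

Git or tarball dependencies resolve to hosts outside a registry allowlist, so they show up as findings to be reviewed rather than silently accepted.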