In order to get consistent installs across machines, Yarn needs more information than the dependencies you configure in your
package.json. Yarn needs to store exactly which versions of each dependency were installed.
To do this Yarn uses a
yarn.lock file in the root of your project. These “lockfiles” look like this:
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. # yarn lockfile v1 package-1@^1.0.0: version "1.0.3" resolved "https://registry.npmjs.org/package-1/-/package-1-1.0.3.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0" package-2@^2.0.0: version "2.0.1" resolved "https://registry.npmjs.org/package-2/-/package-2-2.0.1.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0" dependencies: package-4 "^4.0.0" package-3@^3.0.0: version "3.1.9" resolved "https://registry.npmjs.org/package-3/-/package-3-3.1.9.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0" dependencies: package-4 "^4.5.0" package-4@^4.0.0, package-4@^4.5.0: version "4.6.3" resolved "https://registry.npmjs.org/package-4/-/package-4-2.6.3.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
This is comparable to lockfiles in other package managers like Bundler or Cargo. It’s similar to npm’s
npm-shrinkwrap.json, however it’s not lossy and it creates reproducible results.
yarn.lock file is auto-generated and should be handled entirely by Yarn. As you add/upgrade/remove dependencies with the Yarn CLI, it will automatically update your
yarn.lock file. Do not edit this file directly as it is easy to break something.
During install Yarn will only use the top-level
yarn.lock file and will ignore any
yarn.lock files that exist within dependencies. The top-level
yarn.lock file includes everything Yarn needs to lock the versions of all packages in the entire dependency tree.
yarn.lock files should be checked into source control (e.g. git or mercurial). This allows Yarn to install the same exact dependency tree across all machines, whether it be your coworker’s laptop or a CI server.
Framework and library authors should also check
yarn.lock into source control. Don’t worry about publishing the
yarn.lock file as it won’t have any effect on users of the library.
© 2016–present Yarn Contributors
Licensed under the BSD License.