In order to get consistent installs across machines, Yarn needs more information than the dependencies you configure in your `package.json`. Yarn needs to store exactly which versions of each dependency were installed. To do this Yarn uses a `yarn.lock` file in the root of your project. These “lockfiles” look like this:
```
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

package-1@^1.0.0:
  version "1.0.3"
  resolved "https://registry.npmjs.org/package-1/-/package-1-1.0.3.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"

package-2@^2.0.0:
  version "2.0.1"
  resolved "https://registry.npmjs.org/package-2/-/package-2-2.0.1.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
  dependencies:
    package-4 "^4.0.0"

package-3@^3.0.0:
  version "3.1.9"
  resolved "https://registry.npmjs.org/package-3/-/package-3-3.1.9.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
  dependencies:
    package-4 "^4.5.0"

package-4@^4.0.0, package-4@^4.5.0:
  version "4.6.3"
  resolved "https://registry.npmjs.org/package-4/-/package-4-4.6.3.tgz#a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
```
This is comparable to lockfiles in other package managers like Bundler or Cargo. It’s similar to npm’s `npm-shrinkwrap.json`; however, it’s not lossy and it creates reproducible results.
Your `yarn.lock` file is auto-generated and should be handled entirely by Yarn. As you add, upgrade or remove dependencies with the Yarn CLI, it will automatically update your `yarn.lock` file. Do not edit this file directly, as it is easy to break something.
During install Yarn will only use the top-level `yarn.lock` file and will ignore any `yarn.lock` files that exist within dependencies. The top-level `yarn.lock` file includes everything Yarn needs to lock the versions of all packages in the entire dependency tree.
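As an added example (not from the Yarn docs or from Yarn’s own code), here is a minimal reader for the v1 lockfile format shown above, with a check that each entry’s resolved tarball matches its version and carries a hash fragment, and that every dependency range is satisfied by some entry, so the top-level file really does lock the whole tree. The sample lockfile text, package names and hash values are constructed for this example.

```javascript
// Added example, not the Yarn docs' or Yarn's own code: parse a v1 lockfile and check it.
// Parse yarn.lock v1 text into { "name@range": { version, resolved, dependencies } }; keys on one header share one object.
function parseYarnLockV1(text) {
  const entries = {};
  let current = null, inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;          // blank lines and comments
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {                                    // header: comma-separated keys ending in ":"
      current = { version: null, resolved: null, dependencies: {} }; inDeps = false;
      for (const key of line.slice(0, -1).split(",")) entries[key.trim().replace(/^"|"$/g, "")] = current;
    } else if (indent === 2 && current) {                  // version "x" / resolved "url" / dependencies:
      inDeps = line === "dependencies:";
      const m = /^(\w+) "(.*)"$/.exec(line);
      if (m) current[m[1]] = m[2];
    } else if (indent === 4 && inDeps) {                   // "name range" under dependencies:
      const m = /^(\S+) "(.*)"$/.exec(line);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}
// Report entries whose resolved tarball disagrees with their version, whose resolved URL has
// no "#<hash>" fragment, or whose dependency range no entry satisfies (an unlocked range).
function checkLockfile(entries) {
  const problems = [];
  for (const [key, e] of Object.entries(entries)) {
    const base = key.slice(0, key.lastIndexOf("@")).split("/").pop(); // tarball basename, also for "@org/pkg@^1.0.0"
    const [url, hash] = (e.resolved || "").split("#");
    if (!hash) problems.push(`${key}: resolved URL has no hash fragment`);
    if (!url.endsWith(`/${base}-${e.version}.tgz`)) problems.push(`${key}: tarball does not match version ${e.version}`);
    for (const [dep, range] of Object.entries(e.dependencies))
      if (!(`${dep}@${range}` in entries)) problems.push(`${key}: ${dep}@${range} not locked`);
  }
  return problems;
}
// Constructed sample: package-4's tarball name carries the wrong version; package-3's package-6 range has no entry.
const SAMPLE_LOCK = `# yarn lockfile v1
package-3@^3.0.0:
  version "3.1.9"
  resolved "https://registry.npmjs.org/package-3/-/package-3-3.1.9.tgz#a1b2c3d4e5f6"
  dependencies:
    package-4 "^4.5.0"
    package-6 "^6.0.0"
package-4@^4.0.0, package-4@^4.5.0:
  version "4.6.3"
  resolved "https://registry.npmjs.org/package-4/-/package-4-2.6.3.tgz#a1b2c3d4e5f6"
`;
```

Running `checkLockfile(parseYarnLockV1(SAMPLE_LOCK))` reports the mismatched tarball under both `package-4` keys and the unlocked `package-6@^6.0.0` range; a lockfile that passes the check can be installed from the registry without resolving any range at install time.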
All `yarn.lock` files should be checked into source control (e.g. git or mercurial). This allows Yarn to install the same exact dependency tree across all machines, whether it be your coworker’s laptop or a CI server.