# Package Lockfiles and Reproducible Installs

Status: public
Confidence: medium (0.725) (verified)
Last verified: 2026-06-02
Generation: ai_structured

## TL;DR

Lockfiles are high-value evidence for agents because they record the exact dependency tree that was resolved for an install, not just the version ranges the manifest asks for.

## Core Explanation

Package manifests express intent; lockfiles capture the resolved versions, the dependency graph, and, in the npm and pnpm formats, the resolved URL and integrity hash of each package. Agents diagnosing build failures, vulnerability alerts, or dependency drift should inspect the lockfile before proposing upgrades or deleting install artifacts such as node_modules or the lockfile itself. A lockfile only constrains an install when the install command honors it: npm ci refuses to run when package.json and package-lock.json disagree, whereas npm install reconciles the difference and rewrites the lockfile. Useful checks include:

- whether the lockfile matches the manifest (every declared dependency appears in the lockfile's root entry with the same spec, and nothing stale remains there);
- whether the CI command honors the lockfile rather than silently updating it;
- which package manager created it (package-lock.json for npm, pnpm-lock.yaml for pnpm), since mixing managers produces drift between lockfiles;
- whether install flags are required to reproduce the dependency tree.

## Source-Mapped Facts

- npm documentation describes package-lock.json as a file that describes the exact dependency tree generated by npm. ([source](https://docs.npmjs.com/cli/v11/configuring-npm/package-lock-json))
- npm ci documentation says npm ci exits with an error instead of updating the lockfile when package.json and the package lock do not match. ([source](https://docs.npmjs.com/cli/v11/commands/npm-ci))
- pnpm documentation recommends committing pnpm-lock.yaml to source control. ([source](https://pnpm.io/next/git))

## Further Reading

- [npm package-lock.json](https://docs.npmjs.com/cli/v11/configuring-npm/package-lock-json)
- [npm ci](https://docs.npmjs.com/cli/v11/commands/npm-ci)
- [pnpm Lockfiles](https://pnpm.io/next/git)
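## Worked Example

The manifest-versus-lockfile, CI-command and package-manager checks described under Core Explanation, as an added worked example. This is not code from the page, from npm or from pnpm: `check_lockfile` is a simplified approximation of the consistency check npm ci performs (it reads the lockfileVersion 2/3 layout, where the `packages` map has a `""` root entry mirroring the manifest's specs and one `node_modules/<name>` entry per installed package), `satisfies` handles only exact, `^` and `~` ranges on plain X.Y.Z versions, and the package.json and package-lock.json contents are constructed for illustration.

```python
"""Lockfile sanity checks for an npm project (added example; not npm's own logic)."""

# Lockfile filenames and the package manager that writes them.
LOCKFILE_OWNERS = {
    "package-lock.json": "npm",
    "npm-shrinkwrap.json": "npm",
    "pnpm-lock.yaml": "pnpm",
    "yarn.lock": "yarn",
    "bun.lockb": "bun",
    "bun.lock": "bun",
}


def detect_package_managers(filenames):
    """Package managers implied by the lockfiles in a checkout; more than one means the lockfiles can drift apart."""
    return sorted({LOCKFILE_OWNERS[f] for f in filenames if f in LOCKFILE_OWNERS})


def install_command_honors_lockfile(command):
    """True if the command refuses to modify the lockfile, False if it may rewrite it, None if unknown here."""
    tokens = command.split()
    if tokens[:2] == ["npm", "ci"]:
        return True
    if tokens[:1] == ["npm"] and tokens[1:2] in (["install"], ["i"]):
        return False  # npm install reconciles package.json with the lockfile and writes the result back
    if tokens[:2] == ["pnpm", "install"] and "--frozen-lockfile" in tokens:
        return True
    if tokens[:2] == ["yarn", "install"] and ("--frozen-lockfile" in tokens or "--immutable" in tokens):
        return True
    return None


def satisfies(spec, version):
    """Simplified semver: exact, ^ and ~ on plain X.Y.Z; None for specs this helper cannot judge."""
    op, base = (spec[0], spec[1:]) if spec[:1] in ("^", "~") else ("=", spec)
    try:
        want = tuple(int(p) for p in base.split("."))
        have = tuple(int(p) for p in version.split("."))
    except ValueError:
        return None  # dist-tag, git URL, prerelease or compound range: out of scope
    if len(want) != 3 or len(have) != 3:
        return None
    if op == "=":
        return have == want
    if have < want:
        return False
    if op == "~":
        return have[:2] == want[:2]
    for i, part in enumerate(want):  # caret: the leftmost non-zero component is fixed (^0.2.3 -> <0.3.0)
        if part:
            return have[: i + 1] == want[: i + 1]
    return have == want


def check_lockfile(manifest, lock):
    """Discrepancies between package.json and package-lock.json; an empty list means they agree."""
    packages = lock.get("packages", {})
    root = packages.get("")
    if root is None:
        return ["lockfile has no root entry (lockfileVersion 1?); regenerate it with a current npm"]
    problems = []
    for section in ("dependencies", "devDependencies"):
        declared = manifest.get(section, {})
        recorded = root.get(section, {})
        for name, spec in declared.items():
            if name not in recorded:
                problems.append(f"{name}: declared in package.json {section} but absent from lockfile root")
            elif recorded[name] != spec:
                problems.append(f"{name}: spec drift, package.json has {spec}, lockfile root has {recorded[name]}")
            entry = packages.get(f"node_modules/{name}")
            if entry is None:
                problems.append(f"{name}: no node_modules/{name} entry in lockfile")
                continue
            if satisfies(spec, entry.get("version", "")) is False:
                problems.append(f"{name}: locked {entry['version']} does not satisfy {spec}")
            if not entry.get("integrity"):
                problems.append(f"{name}: locked without an integrity hash, so the tarball cannot be verified")
        for name in recorded:
            if name not in declared:
                problems.append(f"{name}: in lockfile root {section} but removed from package.json")
    return problems


# Constructed sample inputs (as parsed from package.json and package-lock.json; not a real project).
MANIFEST = {
    "name": "example-app", "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.21", "left-pad": "^1.3.0"},  # left-pad was added without re-locking
    "devDependencies": {"typescript": "~5.4.0"},  # jest was removed from the manifest but not the lockfile
}
LOCK = {
    "name": "example-app", "version": "1.0.0", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"lodash": "^4.17.21"},
             "devDependencies": {"typescript": "~5.4.0", "jest": "^29.0.0"}},
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-constructed-lodash"},
        "node_modules/typescript": {"version": "5.5.2", "integrity": "sha512-constructed-ts"},  # outside ~5.4.0
        "node_modules/jest": {"version": "29.7.0", "integrity": "sha512-constructed-jest"},
    },
}

if __name__ == "__main__":
    print("managers:", detect_package_managers(["package-lock.json", "pnpm-lock.yaml", "README.md"]))
    for cmd in ("npm ci", "npm install", "pnpm install --frozen-lockfile"):
        print(f"{cmd!r} honors lockfile: {install_command_honors_lockfile(cmd)}")
    for problem in check_lockfile(MANIFEST, LOCK):
        print("DRIFT:", problem)
```

Run against a real checkout by loading the two files with `json.load` and passing the dicts to `check_lockfile`; any non-empty result is the condition under which npm ci would refuse to install, and the "removed from package.json" and "does not satisfy" cases are the ones npm install would silently repair by rewriting the lockfile.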