Most package managers support some form of version syntax when you include packages, this allows the package manager to always get the latest version of a package as defined by the version syntax. This works great until you are ready to release code and want to ensure you are using a known and tested version of a package. This is where lock files come into play. A lock file contains the exact package versions that were installed when the lock file was generated, or updated.

SOOS recommends turning on the Use Lock File setting, as it gives us the most accurate version of the packages used in your codebase to scan against.  Find this setting under Configure in the left navigation menu.

Use lock file setting

  • When the Use Lock File setting is disabled manifests will be scanned and lock files will be ignored.
  • When Use Lock File is enabled lock files will be scanned. Any manifest found will be ignored if it supports a corresponding lock file format.
    • If a manifest does not have a corresponding lock file format it will be scanned regardless of the Use Lock File setting.

View our Supported Languages & Manifests article to see the full list of supported manifest formats.

The table below outlines the corresponding lock files for our supported manifest formats, and also indicates which manifests do not have corresponding lock files.

List of lock files associated with supported manifests

** For supported versions of packages.lock.json please visit