Lock vs Non-Lock Manifests
Most package managers support some form of version-range syntax when you declare a package. This lets you tell the package manager which range of versions it may install automatically.
For instance, you may wish to pick up new minor versions but not the next major version. This works well until you are ready to release code and want to be sure you are using a known, tested version of each package. This is where lock files come into play. A lock file records the exact package versions that were installed when the lock file was generated or last updated.
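To make the difference concrete, here is an added example (not SOOS code) with a constructed manifest, lock file and registry: the manifest range resolves to whatever the newest allowed version happens to be today, while the lock file always returns the version that was actually installed and tested.

```python
# Added example, not from SOOS: manifest range vs lock file resolution.
# Range handling is simplified (caret assumes major >= 1; no pre-release tags).

def parse(version: str) -> tuple:
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def satisfies(version: str, spec: str) -> bool:
    """Check a version against '^X.Y.Z' (same major), '~X.Y.Z' (same minor) or an exact pin."""
    ver = parse(version)
    if spec.startswith("^"):
        base = parse(spec[1:])
        return ver[0] == base[0] and ver >= base      # any newer minor/patch, same major
    if spec.startswith("~"):
        base = parse(spec[1:])
        return ver[:2] == base[:2] and ver >= base    # any newer patch, same minor
    return ver == parse(spec)                         # exact version only

def resolve_from_manifest(spec: str, available: list) -> str:
    """What a package manager installs from a range: the newest version the range allows."""
    matching = [v for v in available if satisfies(v, spec)]
    return max(matching, key=parse) if matching else None

def resolve_from_lock(lock: dict, name: str) -> str:
    """What a lock file gives you: the exact version recorded when it was generated."""
    return lock.get(name)

# Constructed sample data (hypothetical package and registry contents).
MANIFEST = {"example-lib": "^1.2.0"}
LOCK = {"example-lib": "1.2.3"}          # installed and tested at lock time
REGISTRY = ["1.1.0", "1.2.3", "1.3.0", "2.0.0"]   # versions published since

def compare(name: str, manifest=MANIFEST, lock=LOCK, registry=REGISTRY) -> dict:
    """Return both answers so a scanner can see which version it would actually be checking."""
    return {
        "manifest": resolve_from_manifest(manifest[name], registry),
        "lock": resolve_from_lock(lock, name),
    }

if __name__ == "__main__":
    print(compare("example-lib"))   # {'manifest': '1.3.0', 'lock': '1.2.3'}
```

Scanning the manifest alone would report findings for 1.3.0, a version never installed, while the lock file points the scan at 1.2.3, the version actually shipped.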
For package managers that support them, SOOS recommends turning on the Use Lock File setting, found under Dependency Configurations, because the lock file gives SOOS the most accurate picture of the package versions actually used in your codebase to scan against.
Supported Languages and Files contains information about manifest formats and lock files.