Commit package lock files
Package managers usually have a definition file that describes dependencies and their versions in a fuzzy manner: following SemVer, it states which range of versions of a dependency is expected to be supported.
When the dependencies are resolved, a lock file is usually created, which acts as a snapshot. It contains every dependency at its exact resolved version.
These lock files must be committed to the version control system. A lock file represents an application as-is and as-reviewed. Resolving dependencies at build time is dangerous because it can lead to unintended regressions when a new version is introduced. A committed lock file guarantees the dependencies are reproduced the same way anywhere the project is installed.
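
One way to enforce this rule in CI, as an added example that is not part of the original page: the check below flags dependency manifests that have no lock file under version control. The manifest-to-lock-file mapping, the skipped directory names, the function names and the sample paths are assumptions made for illustration.

```python
import subprocess
from pathlib import PurePosixPath

# Manifest -> lock file names (assumed mapping for common package managers).
LOCKS = {
    "package.json": ("package-lock.json", "npm-shrinkwrap.json",
                     "yarn.lock", "pnpm-lock.yaml"),
    "Cargo.toml": ("Cargo.lock",),
    "Gemfile": ("Gemfile.lock",),
    "composer.json": ("composer.lock",),
    "Pipfile": ("Pipfile.lock",),
}
SKIP_DIRS = {"node_modules", "vendor"}  # vendored third-party trees (assumption)


def missing_lockfiles(tracked):
    """Return manifests in `tracked` (repo-relative paths) with no tracked lock file.

    A lock file in the manifest's directory or any ancestor counts, so
    workspace members covered by a root-level lock file are not flagged.
    """
    tracked = {PurePosixPath(p) for p in tracked}
    missing = []
    for path in sorted(tracked):
        if path.name not in LOCKS or SKIP_DIRS & set(path.parts):
            continue
        dirs = [path.parent, *path.parent.parents]
        if not any(d / lock in tracked for d in dirs for lock in LOCKS[path.name]):
            missing.append(str(path))
    return missing


def tracked_files(repo="."):
    """List the files git tracks, so untracked or ignored lock files do not count."""
    out = subprocess.run(["git", "-C", repo, "ls-files", "-z"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.split("\0") if p]


if __name__ == "__main__":
    # Constructed sample of tracked paths; in CI pass tracked_files() instead.
    sample = ["package.json", "package-lock.json", "packages/ui/package.json",
              "tools/cli/Cargo.toml", "docs/Gemfile", "docs/Gemfile.lock",
              "node_modules/left/package.json"]
    for manifest in missing_lockfiles(sample):
        print(f"no committed lock file for {manifest}")
```

Checking against `git ls-files` rather than the working tree matters: a lock file that exists locally but is untracked or ignored still leaves every other checkout resolving dependencies afresh.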