Supported lockfile formats
The nine lockfile formats we parse, with notes on each ecosystem's quirks.
DevUpdate.io parses nine lockfile formats across five ecosystems. All of them get full automatic source discovery.
JavaScript / TypeScript
| File | Notes |
|---|---|
| package-lock.json | npm v6 and v7+ formats both supported. |
| yarn.lock | Yarn 1 (Classic) and Yarn 2+ (Berry) formats both supported. |
| pnpm-lock.yaml | All current pnpm versions. |
Resolution path: package name → npm registry (registry.npmjs.org) → GitHub
repo from the package's repository field.
Python
| File | Notes |
|---|---|
| poetry.lock | Recommended for Poetry projects — most accurate version pins. |
| Pipfile.lock | Pipenv lockfile. |
| requirements.txt | Pinned versions only (==); ranges are skipped. |
Resolution path: package name → PyPI (pypi.org/pypi/<name>/json) → GitHub
repo from the package's project metadata.
Rust
| File | Notes |
|---|---|
| Cargo.lock | Standard Cargo lockfile. |
Resolution path: crate name → crates.io → GitHub repo from the crate metadata.
Go
| File | Notes |
|---|---|
| go.sum | We extract module paths from go.sum. |
Resolution path: module path → direct (github.com/<owner>/<repo> is
already in the path for most public Go modules). No registry hop needed.
PHP
| File | Notes |
|---|---|
| composer.lock | Composer's lockfile. |
Resolution path: package name → Packagist → GitHub repo.
What if my ecosystem isn't here?
Tell us — every format we've added has been driven by user requests. Email
info@devupdate.io with the format and a sample file (with secrets
redacted) and we'll prioritize.