Lockfiles
Track the dependencies that are actually in your project, not just libraries you've heard of.
A lockfile is your project's exact dependency snapshot:
package-lock.json, yarn.lock, poetry.lock, go.sum, and so on. Upload
one and DevUpdate.io does two things with it:
- Discover sources automatically. We resolve each package against its registry (npm, PyPI, crates.io, etc.) and add the matching GitHub repo as a tracked source. No more pasting URLs by hand.
- Surface available upgrades. For each monitored dependency that's trailing the latest known release of its source, we surface an available upgrade (pinned → latest) with risk aggregated across every release in the jump, so the heads-up tells you "your react@18.2.0 can move to 19.1.0," not just "react updated." Because risk spans the whole range, a security fix or breaking change several versions back still counts even when the newest release itself is benign. Upgrades auto-resolve when a later sync shows you've bumped the dependency; dismiss one to snooze it until a newer version appears.
- Score every dependency for trust. Each package gets a 0-100 trust score backed by OpenSSF Scorecard when one exists. The lockfile dependency table shows the badge next to every row, and upgrades surface the trust band so a "low-trust, breaking change" combination is obvious at a glance.
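The upgrade logic described above, as an added illustration rather than DevUpdate.io's own code: it reads pinned versions out of a constructed npm package-lock.json, compares them against a constructed release history, aggregates risk flags over every release between pinned and latest (so a breaking 19.0.0 still counts when moving react 18.2.0 → 19.1.0), and applies the dismiss-until-newer rule. The lockfile contents, release flags and function names are all assumptions.

```python
import json

# Constructed package-lock.json (npm lockfileVersion 3) standing in for an upload.
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Constructed release history per package: (version, set of risk flags).
# A real service would build this from the registry and source repository.
RELEASES = {
    "react": [("18.3.0", set()), ("19.0.0", {"breaking"}), ("19.1.0", set())],
    "left-pad": [("1.3.1", {"security-fix"})],
    "lodash": [],
}

def parse_version(v):
    """Turn '19.1.0' into (19, 1, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def pinned_versions(lock_text):
    """Extract {package: pinned version} from a lockfileVersion 3 package-lock."""
    data = json.loads(lock_text)
    return {path.rsplit("node_modules/", 1)[1]: info["version"]
            for path, info in data["packages"].items() if path}

def available_upgrades(pins, releases, dismissed=None):
    """Surface pinned -> latest; 'dismissed' maps package -> version snoozed at."""
    dismissed = dismissed or {}
    upgrades = {}
    for name, pinned in pins.items():
        newer = [(v, flags) for v, flags in releases.get(name, [])
                 if parse_version(v) > parse_version(pinned)]
        if not newer:
            continue  # already at latest: nothing to surface (auto-resolves)
        latest = max(newer, key=lambda r: parse_version(r[0]))[0]
        snoozed_at = dismissed.get(name)
        if snoozed_at and parse_version(latest) <= parse_version(snoozed_at):
            continue  # dismissed and no newer release has appeared since
        risk = set().union(*(flags for _, flags in newer))  # whole range, not just latest
        upgrades[name] = {"from": pinned, "to": latest, "risk": sorted(risk)}
    return upgrades
```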
Why upload a lockfile instead of adding sources manually?
Manual addition assumes you remember every transitive dependency. Lockfiles
are exhaustive. node_modules typically has hundreds of packages, and the
risky one is rarely the one you'd think to add by hand. The lockfile approach
catches them all in one upload.
Limits
- Hobbyist tier: 1 lockfile, with up to 1,000 packages selected for source discovery: enough to fully cover one real project. The selection UI shows your available slots and prevents you from exceeding the cap.
- Professional & Team: unlimited lockfiles and unlimited package selection.
- File size: uploads are capped at 2 MB and 10,000 parsed entries to prevent runaway parses.
See Billing → Plans for full plan details.
Automatic syncing
Besides manually re-uploading a file whenever your dependency tree changes, you can connect a lockfile to a GitHub repository (public or private) so DevUpdate.io fetches updates automatically on a schedule. This keeps your monitoring live without any manual steps. See Live lockfile connection for how to set it up and what data is involved.
Managing many lockfiles
The Lockfiles tab lists every lockfile you track. Lockfiles synced from a GitHub repository show the repository as the card title, with the file path beneath it, so it's obvious at a glance which repo each one belongs to. When you track more than one, a Sort by control lets you order the list by repository (the default), name, most recent sync, or number of available upgrades, so a large set stays easy to scan.
Inside a lockfile's detail page, a search box above the Package Sources table filters the dependency list by name, so finding one package among hundreds is a few keystrokes, and Select All scopes to the matches while a filter is active.
What's next
- Upload a lockfile: UI walkthrough.
- Supported formats: which ecosystems we parse.
- Package matching: how we resolve a package name to a GitHub repository.
- Available upgrades: how upgrades are surfaced, how risk is aggregated, and the auto-resolve / dismiss lifecycle.