Lockfiles
Track the dependencies that are actually in your project — not just libraries you've heard of.
A lockfile is your project's exact dependency snapshot:
package-lock.json, yarn.lock, poetry.lock, go.sum, and so on. Upload
one and DevUpdate.io does two things with it:
- Discover sources automatically. We resolve each package against its registry (npm, PyPI, crates.io, etc.) and add the matching GitHub repo as a tracked source. No more pasting URLs by hand.
- Generate alerts when things move. When one of those upstream repos
publishes a high-risk release, we cross-reference it against your
lockfile so the alert tells you "this affects your
react@18.2.0," not just "react updated."
Why upload a lockfile instead of adding sources manually?
Manual addition assumes you remember every transitive dependency. Lockfiles
are exhaustive: they record every package that was actually resolved, direct and
transitive, at its exact version. node_modules typically holds hundreds of packages,
and the risky one is rarely the one you'd think to add by hand. The lockfile approach
catches them all in one upload.
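As an added illustration (not DevUpdate.io's code, and not its actual parser), here is a minimal Python version of the two steps described above: turn a lockfile into exact pins, including the transitive and nested packages a hand-kept source list would miss, then cross-reference an upstream alert against those pins to produce the "this affects your react@18.2.0" message. The package-lock.json and go.sum contents, the alert shape (package name plus the newly published version), and the helper names are constructed for the example; the size and entry caps mirror the limits stated on this page, and resolving a package name to its GitHub repository (a registry lookup) is left out so the script runs offline.

```python
"""Lockfile -> exact pins -> alert cross-reference (added example, not DevUpdate.io code)."""
import json
import re

# Caps applied before/while parsing; values mirror the limits stated on this page.
MAX_BYTES = 2 * 1024 * 1024
MAX_ENTRIES = 10_000

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real project.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"react": "^18.2.0"}},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/loose-envify": {"version": "1.4.0"},          # transitive
        "node_modules/js-tokens": {"version": "4.0.0"},             # transitive of a transitive
        "node_modules/@babel/runtime": {"version": "7.23.2"},       # scoped package
        "node_modules/react/node_modules/scheduler": {"version": "0.23.0"},  # nested install
        "node_modules/my-workspace": {"link": True},                # no version: skipped
    },
})

# Constructed sample go.sum; hashes are placeholders, not real checksums.
SAMPLE_GO_SUM = """\
golang.org/x/text v0.3.7 h1:PLACEHOLDER=
golang.org/x/text v0.3.7/go.mod h1:PLACEHOLDER=
github.com/example/lib v1.2.3 h1:PLACEHOLDER=
"""

# Hypothetical alert: upstream published 18.3.0 and it was flagged high-risk.
SAMPLE_ALERT = {"ecosystem": "npm", "package": "react", "release": "18.3.0"}


def parse_package_lock(text, max_bytes=MAX_BYTES, max_entries=MAX_ENTRIES):
    """Return {package_name: {pinned versions}} from a lockfileVersion 2/3 package-lock.json.

    Every installed package is listed, transitive and nested ones included, which is
    why one upload covers more than a hand-maintained list of sources.
    """
    if len(text.encode("utf-8")) > max_bytes:
        raise ValueError("lockfile exceeds size cap; refusing to parse")
    packages = json.loads(text).get("packages")
    if packages is None:
        raise ValueError("expected lockfileVersion 2 or 3 (top-level 'packages' key)")
    pins, count = {}, 0
    for path, meta in packages.items():
        if path == "" or "version" not in meta:
            continue  # root project entry, or a link/workspace entry without a version
        count += 1
        if count > max_entries:
            raise ValueError("lockfile exceeds entry cap; refusing to continue")
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b": the segment after the
        # last "node_modules/" is the package name, scope prefix included.
        name = path.rsplit("node_modules/", 1)[-1]
        pins.setdefault(name, set()).add(meta["version"])
    return pins


def parse_go_sum(text, max_entries=MAX_ENTRIES):
    """Return {module: {versions}} from go.sum.

    Lines are "module version h1:hash" or "module version/go.mod h1:hash". go.sum can
    list more versions than the build actually selects, so treat hits as candidates.
    """
    pins = {}
    for n, line in enumerate(text.splitlines(), 1):
        if n > max_entries:
            raise ValueError("go.sum exceeds entry cap; refusing to continue")
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        module, version = parts[0], parts[1].removesuffix("/go.mod")
        pins.setdefault(module, set()).add(version)
    return pins


def version_key(version):
    """Numeric core of a version for ordering, e.g. "v1.2.3-beta+build" -> (1, 2, 3).

    Pre-release and build tags are dropped on purpose; that is a simplification, so
    pre-release pins deserve a manual look.
    """
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def affected_pins(pins, alert):
    """Exact pins older than the flagged release, formatted as name@version."""
    name = alert["package"]
    hits = [v for v in pins.get(name, ()) if version_key(v) < version_key(alert["release"])]
    return sorted(f"{name}@{v}" for v in hits)


if __name__ == "__main__":
    npm_pins = parse_package_lock(SAMPLE_PACKAGE_LOCK)
    print("discovered npm packages:", sorted(npm_pins))
    print("alert hits:", affected_pins(npm_pins, SAMPLE_ALERT))
    print("discovered go modules:", sorted(parse_go_sum(SAMPLE_GO_SUM)))
```

The size check runs on the raw bytes before `json.loads`, and the entry counter aborts mid-iteration, so an oversized or absurdly long lockfile is rejected rather than fully parsed. The sample also shows the three cases a naive "split the path on slashes" parser gets wrong: scoped names, nested node_modules, and link entries with no version.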
Limits
- Hobbyist tier: 1 lockfile, with up to 10 packages selected for source discovery.
- Professional & Team: unlimited lockfiles and unlimited package selection.
- File size: uploads are capped at 2 MB and 10,000 parsed entries to prevent runaway parses.
See Billing → Plans for full plan details.
What's next
- Upload a lockfile — UI walkthrough.
- Supported formats — which ecosystems we parse.
- Package matching — how we resolve a package name to a GitHub repository.
- Alerts — what triggers an alert and what the severity levels mean.