Uploading a lockfile

Walk through the upload flow, what happens after, and how to refresh.

From the dashboard, open the Lockfiles tab and click Upload lockfile. Pick a file from one of the supported formats and submit.

What happens on upload #

  1. Parse. We read the file and extract every package + version pair. Files larger than 2 MB or with more than 10,000 entries are rejected before parsing begins; that's a guardrail against accidentally uploading the wrong file (a bundle, a Yarn offline cache, etc.).
  2. Match. Each package is resolved against its registry to find the GitHub repo. See Package matching for what we do when a package can't be matched.
  3. Choose what to track. You see a checklist of every matched package. On the Hobbyist tier you pick up to 10; paid tiers can select all.
  4. Track. Selected packages become tracked sources. From this point they're treated like any other source — see Sources.

Refreshing later #

When your project's dependency tree changes, re-upload the lockfile from the same Lockfiles tab. We compare the package versions in the new file against those from the previous upload and use the resulting diff (packages added, removed, or changed in version) to drive alerts.
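The parse guardrails from the upload steps above and the version diff described here, as an added illustrative example (not the product's own code). It assumes npm's package-lock.json (lockfileVersion 2 or 3) as the input, since this page does not list the supported formats, mirrors the 2 MB and 10,000-entry limits, and uses two small lockfiles constructed inline as sample uploads.

```python
"""Illustrative lockfile intake: size/entry guardrails, parse, diff.

Added example, not the product's own code. Assumes npm package-lock.json
(lockfileVersion 2 or 3); the page does not list its supported formats.
"""
import json

MAX_BYTES = 2 * 1024 * 1024  # 2 MB guardrail from the page
MAX_ENTRIES = 10_000         # entry-count guardrail from the page


class LockfileRejected(ValueError):
    """Raised when an upload trips a guardrail or is not a recognised lockfile."""


def parse_package_lock(raw: bytes) -> dict[str, str]:
    """Return {package name: version} from an npm lockfile's 'packages' map.

    The byte-size check runs before json.loads, so an oversized upload is
    rejected without being parsed at all. When the same package appears at
    several nesting depths, the shallowest (hoisted) copy is kept.
    """
    if len(raw) > MAX_BYTES:
        raise LockfileRejected(f"{len(raw)} bytes exceeds the {MAX_BYTES}-byte limit")
    try:
        data = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise LockfileRejected(f"not valid JSON: {exc}") from None
    packages = data.get("packages") if isinstance(data, dict) else None
    if not isinstance(packages, dict):
        raise LockfileRejected("no 'packages' map: not a lockfileVersion 2/3 file")

    found: dict[str, str] = {}
    depth: dict[str, int] = {}
    for path, meta in packages.items():
        if path == "" or not isinstance(meta, dict):
            continue  # "" is the root project itself, not a dependency
        version = meta.get("version")
        if not version:
            continue  # e.g. workspace links without a resolved version
        # 'node_modules/a/node_modules/b' -> 'b'; scoped names keep '@scope/name'
        name = path.rsplit("node_modules/", 1)[-1]
        nesting = path.count("node_modules/")
        if name not in found or nesting < depth[name]:
            found[name] = version
            depth[name] = nesting
        if len(found) > MAX_ENTRIES:
            raise LockfileRejected(f"more than {MAX_ENTRIES} entries")
    return found


def diff_uploads(previous: dict[str, str], current: dict[str, str]):
    """Compare two parsed uploads.

    Returns (added, removed, changed): added/removed map name -> version,
    changed maps name -> (old_version, new_version).
    """
    added = {n: v for n, v in current.items() if n not in previous}
    removed = {n: v for n, v in previous.items() if n not in current}
    changed = {n: (previous[n], current[n])
               for n in current if n in previous and previous[n] != current[n]}
    return added, removed, changed


# Constructed sample uploads (not real project lockfiles).
SAMPLE_PREVIOUS = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/minimist": {"version": "1.2.5"},
    },
}).encode()

SAMPLE_CURRENT = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.1"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@scope/pkg": {"version": "2.0.0"},
        # nested copies: minimist is now only nested; lodash has an older nested duplicate
        "node_modules/@scope/pkg/node_modules/minimist": {"version": "1.2.8"},
        "node_modules/@scope/pkg/node_modules/lodash": {"version": "4.17.15"},
    },
}).encode()


if __name__ == "__main__":
    prev = parse_package_lock(SAMPLE_PREVIOUS)
    cur = parse_package_lock(SAMPLE_CURRENT)
    added, removed, changed = diff_uploads(prev, cur)
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```

The size check deliberately runs on the raw bytes before any JSON is decoded, so a mistakenly uploaded bundle is refused without being loaded into memory; the entry check fires mid-loop for the same reason. Only the name and version of each entry survive parsing, which matches the retention behaviour described in the privacy note.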

Privacy note #

We extract package names and versions only — no source code, no comments, no secrets. The raw file is not retained after parsing. See Account → Privacy for the full data-handling breakdown.