Uploading a lockfile
Walk through the upload flow, what happens after, and how to refresh.
From the dashboard, open the Lockfiles tab and click Upload lockfile. Pick a file from one of the supported formats and submit.
What happens on upload #
- Parse. We read the file and extract every package and version pair. Files larger than 2 MB or with more than 10,000 entries are rejected up front; that's a guardrail against accidentally uploading the wrong file (a bundle, a yarn cache, etc.).
- Match. Each package is resolved against its registry to find the GitHub repo. See Package matching for what we do when a package can't be matched.
- Choose what to track. You see a checklist of every matched package. On the Hobbyist tier you pick up to 100; paid tiers can select all.
- Track. Selected packages become tracked sources and start their first sync. A large lockfile is synced a few sources at a time, so a Syncing N sources banner shows the remaining backlog, and the package table marks each package Queued while it waits its turn and Syncing… while its first sync runs; you can watch the count tick down without leaving the page. From this point the packages are treated like any other source; see Sources. Once monitoring starts for a package (after its source is discovered), we compute its available upgrades right away, so if your snapshot is trailing newer releases you'll see those upgrades without waiting for the next upload.
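As an added example (not the product's own code), here is how the Parse step's extraction and guardrails can be implemented for two common formats. The byte and entry limits are the ones stated above; the format handling (npm package-lock.json with lockfileVersion 2/3, and yarn.lock v1) and the sample inputs are assumptions made for the example.

```javascript
// Added example, not the product's code. Limits come from the page text;
// the parsers and all sample data below are assumptions for illustration.
const MAX_BYTES = 2 * 1024 * 1024;   // "files larger than 2 MB are rejected"
const MAX_ENTRIES = 10000;           // "more than 10,000 entries are rejected"

class LockfileRejected extends Error {}

// package-lock.json v2/v3: "packages" is keyed by install path such as
// "node_modules/@types/node" or "node_modules/a/node_modules/lodash". The
// empty key is the root project and carries no installed version.
function parsePackageLock(text) {
  const doc = JSON.parse(text);
  const out = [];
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(doc.packages || {})) {
    if (path === '' || !meta || !meta.version) continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: meta.version });
  }
  return out;
}

// yarn.lock v1: an unindented `spec, spec:` line opens a block and the
// two-space-indented `version "x"` line inside it gives the resolved version
// (deeper indentation belongs to the "dependencies:" sub-block and is
// ignored). A spec is name@range, so the name is everything before the last
// "@", which keeps an "@scope/" prefix intact.
function parseYarnLock(text) {
  const out = [];
  const seen = new Set();
  let names = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      names = line.slice(0, -1).split(',').map((s) => {
        const spec = s.trim().replace(/^"|"$/g, '');
        const at = spec.lastIndexOf('@');
        return at > 0 ? spec.slice(0, at) : spec;
      });
      continue;
    }
    const m = /^ {2}version\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (m) {
      for (const name of new Set(names)) {
        const key = `${name}@${m[1]}`;
        if (!seen.has(key)) {
          seen.add(key);
          out.push({ name, version: m[1] });
        }
      }
      names = [];
    }
  }
  return out;
}

// The size guardrail runs before parsing (cheap, and keeps oversized input
// away from JSON.parse); the entry-count guardrail can only run afterwards.
function parseLockfile(text, format) {
  const bytes = new TextEncoder().encode(text).length;
  if (bytes > MAX_BYTES) {
    throw new LockfileRejected(`file is ${bytes} bytes, limit is ${MAX_BYTES}`);
  }
  const parsers = { 'package-lock.json': parsePackageLock, 'yarn.lock': parseYarnLock };
  const parse = parsers[format];
  if (!parse) throw new LockfileRejected(`unsupported format: ${format}`);
  const entries = parse(text);
  if (entries.length > MAX_ENTRIES) {
    throw new LockfileRejected(`${entries.length} entries, limit is ${MAX_ENTRIES}`);
  }
  return entries;
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { lodash: '^4.17.21' } },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/@types/node': { version: '18.16.3', dev: true },
    'node_modules/a/node_modules/lodash': { version: '3.10.1' },
  },
});
const SAMPLE_YARN_LOCK = [
  '# yarn lockfile v1',
  '',
  '"@types/node@^18.0.0", "@types/node@^18.11.0":',
  '  version "18.16.3"',
  '  resolved "https://registry.example/@types/node/-/node-18.16.3.tgz"',
  '  dependencies:',
  '    undici-types "~5.26.4"',
  '',
  'lodash@^4.17.21:',
  '  version "4.17.21"',
  '  resolved "https://registry.example/lodash/-/lodash-4.17.21.tgz"',
  '',
].join('\n');
```

Note that the npm sample yields two different lodash versions (a hoisted 4.17.21 and a nested 3.10.1): a lockfile records the installed tree, not a deduplicated package list, so a name can legitimately appear more than once with different versions.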
Refreshing later #
When your project's dependency tree changes, re-upload the lockfile from the same Lockfiles tab. We recompute the available upgrades against the new versions: upgrades you've taken auto-resolve and drop off, and any newly-available ones appear.
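The recomputation described above, as an added example rather than the product's own code: a small semver comparison stands in for whatever the service uses, and the two snapshots and the registry "latest" versions are constructed data.

```javascript
// Added example, not the product's code. The semver handling is a simplified
// stand-in; snapshots and "latest" versions are constructed sample data.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b. A pre-release sorts
// below the same release; two pre-releases are compared as plain strings.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// snapshot: Map of name -> pinned version from the lockfile.
// latest:   Map of name -> newest version known for the package.
// Returns the open upgrades: packages whose pinned version trails "latest".
function availableUpgrades(snapshot, latest) {
  const open = new Map();
  for (const [name, pinned] of snapshot) {
    const newest = latest.get(name);
    if (newest && compareSemver(newest, pinned) > 0) {
      open.set(name, { from: pinned, to: newest });
    }
  }
  return open;
}

// Re-upload: compare the upgrade set before and after. An upgrade is
// "resolved" when it was open and no longer is (you took it, or the package
// left the tree); "added" covers upgrades that were not open before (a new
// dependency, or one whose pin regressed).
function refreshUpgrades(oldSnapshot, newSnapshot, latest) {
  const before = availableUpgrades(oldSnapshot, latest);
  const after = availableUpgrades(newSnapshot, latest);
  return {
    open: after,
    resolved: [...before.keys()].filter((n) => !after.has(n)),
    added: [...after.keys()].filter((n) => !before.has(n)),
  };
}

// Constructed sample data: the previous upload, the new upload after the
// lodash bump and a new minimist dependency, and the registry's latest.
const OLD_SNAPSHOT = new Map([
  ['lodash', '4.17.20'], ['express', '4.18.2'], ['@types/node', '18.16.3'],
]);
const NEW_SNAPSHOT = new Map([
  ['lodash', '4.17.21'], ['express', '4.18.2'], ['@types/node', '18.16.3'],
  ['minimist', '1.2.5'],
]);
const LATEST = new Map([
  ['lodash', '4.17.21'], ['express', '4.18.2'], ['@types/node', '18.17.0'],
  ['minimist', '1.2.8'],
]);
```

Running `refreshUpgrades(OLD_SNAPSHOT, NEW_SNAPSHOT, LATEST)` reports the lodash upgrade as resolved (the new pin matches latest), keeps the @types/node upgrade open, and adds minimist, which matches the behaviour described above: taken upgrades drop off and newly available ones appear.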
Finding a dependency #
The detail page's Package Sources table has a search box: type any part of a package name to filter the table to matching dependencies. With a filter active, Select All applies to the matches only, which makes it easy to toggle monitoring for a specific scope (say, everything matching @types/) without scrolling the full list.
Connecting the repo later #
If you eventually connect the GitHub repository this lockfile came from, we match the repo file to your manual upload and upgrade it to a live connection in place: your selections, watched sources, and dismissed upgrades all carry over, and no duplicate lockfile is created.
Privacy note #
We extract package names and versions only: no source code, no comments, no secrets. The raw file is not retained after parsing. See Account → Privacy for the full data-handling breakdown.