# Supported Lockfiles
Vekt supports 22 lockfile formats across 12 ecosystems.
## Full support matrix

| Lockfile | Ecosystem | OSV Ecosystem ID | Notes |
|---|---|---|---|
| uv.lock | Python | PyPI | TOML format produced by uv |
| requirements.txt | Python | PyPI | Pinned versions only (==). Unpinned lines are skipped. |
| poetry.lock | Python | PyPI | TOML format. Both [package] entries and extras are parsed. |
| pdm.lock | Python | PyPI | TOML format produced by PDM |
| Pipfile.lock | Python | PyPI | JSON format produced by Pipenv. Both default and develop sections are scanned. |
| pixi.lock | Python | PyPI | YAML format. Only PyPI-sourced packages are scanned; conda packages are skipped. |
| package-lock.json | JavaScript | npm | JSON format. Supports v1, v2, and v3 lockfile schemas. |
| bun.lock | JavaScript | npm | JSONC format (JSON with comments) produced by Bun. |
| yarn.lock | JavaScript | npm | Supports both yarn classic (v1) and yarn berry (v2+) formats. |
| pnpm-lock.yaml | JavaScript | npm | YAML format. Supports lockfile versions 5, 6, and 9. |
| Cargo.lock | Rust | crates.io | TOML format. Supports both v3 and v4 formats (Rust 2024 edition). |
| go.sum | Go | Go | Line-delimited format. Module path and version are extracted from each line. |
| Gemfile.lock | Ruby | RubyGems | Text format produced by Bundler. The GEM section is parsed. |
| composer.lock | PHP | Packagist | JSON format. Both packages and packages-dev sections are scanned. |
| packages.lock.json | .NET | NuGet | JSON format produced by dotnet restore --use-lock-file. |
| pubspec.lock | Dart / Flutter | Pub | YAML format. The packages section is parsed. |
| Package.resolved | Swift | SwiftURL | JSON format (Xcode and SwiftPM). Supports both v2 and v3 schemas. |
| mix.lock | Elixir | Hex | Elixir term format. Package name and version are extracted from each entry. |
| rebar.lock | Erlang | Hex | Erlang term format produced by rebar3. |
| cabal.project.freeze | Haskell | Hackage | Text format produced by cabal freeze. |
| stack.yaml.lock | Haskell | Hackage | YAML format produced by Stack. |
| renv.lock | R | CRAN | JSON format produced by renv. The Packages section is parsed. |
## LSP manifest support
The vekt-lsp server operates on manifest files (not lockfiles). It reports diagnostics on the dependency declarations in these files:
| Manifest | Ecosystem | Parsed sections |
|---|---|---|
| package.json | npm | dependencies, devDependencies, peerDependencies, optionalDependencies |
| Cargo.toml | crates.io | [dependencies], [dev-dependencies], [build-dependencies] |
| pyproject.toml | PyPI | [project.dependencies], [tool.poetry.dependencies] |
| requirements.txt | PyPI | All pinned (==) lines |
| go.mod | Go | require blocks (single and multi-line) |
| Gemfile | RubyGems | gem declarations with explicit versions |
| composer.json | Packagist | require, require-dev |
| pubspec.yaml | Pub | dependencies, dev_dependencies |
| mix.exs | Hex | deps function |
| cabal.project | Hackage | constraints section |
| rebar.config | Hex | deps tuple list |
The LSP only reports diagnostics for dependencies with a pinned version. Range constraints (e.g., ^1.0.0, >=2.0) produce a finding based on the lower bound of the range.
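"Lower bound of the range" hides a fair amount of syntax across the manifests listed above (caret and tilde in package.json and Cargo.toml, comma lists in pyproject.toml, `~>` in Gemfiles, `x` wildcards, hyphen ranges and `||` alternatives in npm). The function below is an added example, not the vekt-lsp implementation, showing one defensible way to reduce any of those to a single floor version to look up: ANDed clauses take the highest floor, `||` alternatives take the lowest, and upper-bound-only or unbounded specs yield `None`. Treating an exclusive `>` bound as the version to check and dropping pre-release suffixes are assumptions of this example.

```python
import re

# Operator followed by whitespace ("~> 7.0", ">= 1.0") is joined to its version.
_OP_SPACE_RE = re.compile(r"(>=|<=|==|!=|~>|~=|[<>=^~])\s+")
# Leading numeric core of a version; x/X/* are wildcard segments.
_NUMERIC_RE = re.compile(r"^v?(\d+)(?:\.(\d+|[xX*]))?(?:\.(\d+|[xX*]))?")
_OPERATORS = (">=", "<=", "==", "!=", "~>", "~=", "=", "^", "~", ">", "<")
_WILDCARDS = ("x", "X", "*")


def _version_key(version):
    """Sortable tuple; missing or wildcard segments count as 0."""
    m = _NUMERIC_RE.match(version)
    return tuple(0 if g is None or g in _WILDCARDS else int(g) for g in m.groups())


def _clause_floor(clause):
    """Inclusive floor implied by one clause such as '^1.2' or '>=2.0', or None."""
    if clause in ("", "*", "latest"):
        return None
    op = next((o for o in _OPERATORS if clause.startswith(o)), "")
    version = clause[len(op):].strip()
    if op in ("<", "<=", "!="):
        return None  # upper bounds and exclusions do not raise the floor
    # '>' is exclusive; assumption: the named version is still the point to check.
    m = _NUMERIC_RE.match(version)
    if not m:
        return None  # git tags, URLs, "workspace:*" and similar carry no floor
    parts = []
    for g in m.groups():
        if g is None:
            break
        parts.append("0" if g in _WILDCARDS else g)
    # pre-release suffixes (1.0.0-beta.1) are dropped; only the numeric core is kept
    return ".".join(parts)


def lower_bound(spec):
    """Lowest inclusive floor of a whole range expression, or None if unbounded.

    Handles npm-style ("^1.0.0", ">=1.0 <2.0", "1.x", "1.2.3 - 2.3.4",
    "^1 || ^2"), PEP 440 comma lists (">=4.2,<5.0") and Ruby's "~> 7.0".
    ANDed clauses take the highest floor; "||" alternatives take the lowest.
    """
    floors = []
    for alternative in spec.split("||"):
        alternative = _OP_SPACE_RE.sub(r"\1", alternative.strip())
        if " - " in alternative:  # hyphen range: the left side is the floor
            alternative = alternative.split(" - ", 1)[0]
        clause_floors = [
            f for f in map(_clause_floor, re.split(r"[,\s]+", alternative)) if f
        ]
        if clause_floors:
            floors.append(max(clause_floors, key=_version_key))
    return min(floors, key=_version_key) if floors else None
```

The security consequence of the lower-bound rule is worth keeping in mind when reading the diagnostics: a range like `^1.0.0` is reported against `1.0.0` even when the installed version resolved much later, so a manifest finding is a hint to check the lockfile, not proof that the vulnerable version is actually installed.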
## Version-specific notes

### package-lock.json (npm)
Three lockfile schema versions are in use:
| Version | Created by | Format notes |
|---|---|---|
| v1 | npm 5/6 | Flat dependencies object |
| v2 | npm 7/8 | Both dependencies (compat) and packages fields present |
| v3 | npm 9+ | Only packages field; no dependencies compat block |
Vekt auto-detects the version from the lockfileVersion field. All three are fully supported.
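To make the three schemas concrete, here is an added example (not Vekt's parser) that detects the version from lockfileVersion and extracts every installed (name, version) pair: v1 walks the nested dependencies tree, while v2 and v3 read the flat packages map keyed by install path, which is where the traps live (the "" root entry, nested node_modules paths, scoped names, link entries for workspaces, and aliased installs whose real name is in the entry). The three lockfiles are constructed for the example.

```python
import json

# Constructed samples, one per schema version (not taken from any real project).
LOCK_V1 = json.dumps({
    "name": "demo", "lockfileVersion": 1,
    "dependencies": {
        "left": {"version": "1.0.0", "requires": {"deep": "^2.0.0"},
                 "dependencies": {"deep": {"version": "2.0.0"}}},
        "deep": {"version": "3.1.0", "dev": True},
    },
})
LOCK_V2 = json.dumps({
    "name": "demo", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo", "version": "0.0.1"},
        "node_modules/left": {"version": "1.0.0"},
        "node_modules/left/node_modules/deep": {"version": "2.0.0"},
        "node_modules/deep": {"version": "3.1.0", "dev": True},
    },
    # v2 keeps a v1-style compat block; reading both would double count.
    "dependencies": {"left": {"version": "1.0.0"}, "deep": {"version": "3.1.0"}},
})
LOCK_V3 = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "0.0.1"},
        "node_modules/@scope/pkg": {"version": "4.0.0"},
        "node_modules/left": {"version": "1.0.0"},
        "node_modules/left/node_modules/deep": {"version": "2.0.0"},
        "node_modules/local-lib": {"resolved": "packages/local-lib", "link": True},
        "packages/local-lib": {"name": "local-lib", "version": "0.1.0"},
    },
})


def _walk_v1(deps, out):
    """v1: nested 'dependencies' objects, each keyed by the bare package name."""
    for name, info in deps.items():
        version = info.get("version")
        if version:
            out.add((name, version))
        _walk_v1(info.get("dependencies", {}), out)


def _name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; None if not under node_modules."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else None


def parse_package_lock(text):
    """Return a sorted list of (name, version) for every installed package.

    The schema is chosen from lockfileVersion: v1 walks the nested
    'dependencies' tree; v2 and v3 read the flat 'packages' map and ignore
    the v2 'dependencies' compat block so nothing is counted twice.
    """
    data = json.loads(text)
    version = data.get("lockfileVersion", 1)
    found = set()
    if version == 1 or "packages" not in data:
        _walk_v1(data.get("dependencies", {}), found)
        return sorted(found)
    for path, info in data["packages"].items():
        path_name = _name_from_path(path)
        if path == "" or info.get("link") or path_name is None:
            continue  # root project, workspace symlinks and workspace sources
        name = info.get("name") or path_name  # aliased installs carry the real name
        pkg_version = info.get("version")
        if name and pkg_version:
            found.add((name, pkg_version))
    return sorted(found)
```

Note that the same package can legitimately appear at two versions (deep 2.0.0 nested under left, deep 3.1.0 hoisted); a scanner that keyed results by name alone would silently drop one of them, so the result keeps (name, version) pairs.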
### yarn.lock
Two incompatible formats exist:
| Format | Created by | Detection |
|---|---|---|
| Classic (v1) | Yarn 1.x | No __metadata key at the top of the file |
| Berry (v2+) | Yarn 2, 3, 4 | __metadata key present with version and cacheKey |
Both are fully supported.
### pnpm-lock.yaml
pnpm lockfile format versions in use:
| Version | pnpm version | Notes |
|---|---|---|
| 5 | pnpm 7 | dependencies and devDependencies at the root |
| 6 | pnpm 8 | Restructured packages section |
| 9 | pnpm 9+ | Snapshot format with snapshots key |
All three versions are supported. The version is detected from the lockfileVersion field.
### bun.lock
Bun uses a JSONC format (JSON with C-style comments). The file has a .lock extension but is not JSON-strict. Vekt parses it with comment-aware JSON parsing.
### Cargo.lock
Two Cargo.lock formats are in use:
| Version | Rust edition | Notes |
|---|---|---|
| v3 | Pre-2024 | [[package]] tables |
| v4 | 2024 edition | Updated [[package]] schema with additional fields |
Both are supported.
### Package.resolved (Swift)
Swift Package Manager uses two schema versions:
| Version | Xcode version | Notes |
|---|---|---|
| v2 | Xcode 14 | pins array with location field |
| v3 | Xcode 15+ | Updated pins schema with identity field |
Both are supported.
### pixi.lock
pixi supports both PyPI and conda packages. Vekt only processes PyPI-sourced packages. Conda packages are skipped because they are not tracked in the OSV database.
### go.sum
go.sum contains cryptographic hashes, not executable code. Each line is in the format module@version hash. Vekt extracts the module path and version and queries the Go ecosystem in OSV. The /go.mod suffix lines are also parsed.
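As an added example (not Vekt's parser), the code below extracts module and version from go.sum lines, strips the /go.mod suffix, and records whether a version has a full module hash, only a go.mod hash, or both; a /go.mod-only entry means the module was only consulted during resolution, which is useful context when triaging a finding. The go tool writes three whitespace-separated fields (module, version, hash); the joined module@version spelling used in the description above is accepted too. The go.sum excerpt and its hashes are constructed placeholders, and dropping the leading v for the OSV query assumes OSV's Go records use bare semver.

```python
# Constructed go.sum excerpt; the h1: values are placeholders, not real checksums.
SAMPLE_GO_SUM = """\
github.com/example/lib v1.2.3 h1:PLACEHOLDERHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
github.com/example/lib v1.2.3/go.mod h1:PLACEHOLDERHASHBBBBBBBBBBBBBBBBBBBBBBBBBBB=
github.com/example/lib v1.1.0/go.mod h1:PLACEHOLDERHASHCCCCCCCCCCCCCCCCCCCCCCCCCCC=
golang.org/x/text v0.14.0 h1:PLACEHOLDERHASHDDDDDDDDDDDDDDDDDDDDDDDDDDD=
golang.org/x/text v0.14.0/go.mod h1:PLACEHOLDERHASHEEEEEEEEEEEEEEEEEEEEEEEEEEE=
github.com/old/thing v2.0.0+incompatible h1:PLACEHOLDERHASHFFFFFFFFFFFFFFFFFFFFFFFFFFF=
github.com/fork/tool v0.0.0-20230101120000-abcdef012345 h1:PLACEHOLDERHASHGGGGGGGGGGGGGGGGGGGGGGGG=
"""


def parse_go_sum(text):
    """Map (module, version) -> set of checksum kinds seen ('zip', 'go.mod').

    A '/go.mod' suffix on the version means the hash covers only that
    module's go.mod file. Both line kinds are parsed and the suffix is
    stripped so each module version appears once.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            module, version, checksum = fields
        elif len(fields) == 2 and "@" in fields[0]:
            # joined module@version spelling, as in the description above
            module, version = fields[0].rsplit("@", 1)
            checksum = fields[1]
        else:
            continue  # not a checksum line
        if not checksum.startswith("h1:"):
            continue  # only the current hash algorithm is recognised
        kind = "zip"
        if version.endswith("/go.mod"):
            version = version[: -len("/go.mod")]
            kind = "go.mod"
        seen.setdefault((module, version), set()).add(kind)
    return seen


def osv_go_queries(parsed):
    """OSV querybatch entries for the Go ecosystem.

    Assumption of this example: OSV Go records use semver without the
    leading 'v', so it is removed before the lookup.
    """
    queries = []
    for module, version in sorted(parsed):
        bare = version[1:] if version.startswith("v") else version
        queries.append({"package": {"name": module, "ecosystem": "Go"}, "version": bare})
    return queries


def go_mod_only(parsed):
    """Module versions known only through a /go.mod hash (never downloaded as a zip)."""
    return sorted(key for key, kinds in parsed.items() if kinds == {"go.mod"})
```

In the sample, github.com/example/lib v1.1.0 is go.mod-only: it was seen during module graph resolution but v1.2.3 is what the build used, so a finding against v1.1.0 deserves a lower priority than one against v1.2.3.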