# general
q
what is the recommended way to handle lockfiles? should those be checked into the repo? or generated by the CI/CD?
b
I would generally recommend checking them into the repo - lockfiles shouldn’t change too often (ideally) and generating them in CI/CD can be quite slow. If you generate lockfiles in CI/CD, it’s possible that the lockfile update process will pull in dependency updates that you may not necessarily want to accept as part of another changeset.
💯 2
b
Strongly recommend checking them in. For three reasons:
1. Reproducibility: get the same versions of all dependencies every time, so the code is rarely broken by someone publishing a new version of a dependency (as in, if you depend on a package A, at version 1.2.3, and someone publishes version 1.2.4 that has a bug in it, without a static lockfile, your code might start using version 1.2.4 straight away, and things will be broken, outside our control).
2. Security: lockfiles include hashes, so if an artifact changes from when you computed the lockfile, you'll be told, rather than silently using a potentially compromised/corrupted version.
3. Performance: choosing dependencies requires "solving" constraints, which can be expensive. A lockfile records a solution statically, making later builds much faster.
👍 2