# general
A lockfile is tied to a named "resolve" - a universe of mutually compatible 3rd-party dependencies. You define a resolve by manually authoring a requirements.txt that contains the requirements your code directly depends on. You then generate a lockfile for that resolve, and the lockfile pins specific versions of each of those requirements and all their transitive dependencies. So a lockfile gives you secure, repeatable builds even when the state of the world changes.