AI Summary
This study addresses developer challenges arising from package manager lockfiles in reproducible builds, integrity verification, and routine maintenance. We conduct the first cross-ecosystem empirical investigation, systematically analyzing the design space of lockfiles across seven major package managers (including npm, pnpm, and Cargo), complemented by semi-structured interviews with 15 developers and documentary analysis of specifications. Our findings reveal critical discrepancies across ecosystems in semantic expressiveness, generation logic, and operational pain points. Based on these insights, we propose four developer-centric lockfile improvement principles, the first such human-centered guidelines in dependency management tooling, thereby bridging a gap in socio-technical research on dependency locking. The study provides an empirical foundation and actionable design guidance for next-generation lock mechanisms that are more maintainable, interpretable, and verifiable.
Abstract
Software developers reuse third-party packages that are hosted in package registries. At build time, a package manager resolves and fetches the direct and indirect dependencies of a project. Most package managers also generate a lockfile, which records the exact set of resolved dependency versions. Lockfiles are used to reduce build times, to verify the integrity of resolved packages, and to support build reproducibility across environments and over time. Despite these beneficial features, developers often struggle with the maintenance, usage, and interpretation of lockfiles. In this study, we unveil the major challenges related to lockfiles, so that future researchers and engineers can address them. We perform the first comprehensive study of lockfiles across 7 popular package managers: npm, pnpm, Cargo, Poetry, Pipenv, Gradle, and Go. First, we highlight how the content and functions of lockfiles differ across package managers and ecosystems. Next, we conduct a qualitative analysis based on semi-structured interviews with 15 developers. We capture first-hand insights about the benefits that developers perceive in lockfiles, as well as the challenges they face in managing these files. Following these observations, we make 4 recommendations to further improve lockfiles for a better developer experience.