meow.lock.jsonl. It’s the
execution contract: the integrity hash on every entry is what meow verifies
before running a single byte of a package. Commit it.
Why JSON-Lines
Most lockfiles are one giant document, so a merge between two branches that both touched dependencies produces a sprawling, hard-to-resolve conflict. meow’s lockfile is one compact JSON object per line, sorted strictly by (name, version):
- Each dependency is an independent line, so merges are line-local and usually conflict-free.
- The ordering is inherent — there is no code path that can emit an unsorted or duplicated line.
- The format is byte-stable: the same resolved graph always serializes to the exact same bytes, regardless of install order.
meow.lock.jsonl
Entry fields
Each line is a compact JSON object with keys in a fixed order:

| Field | Meaning |
|---|---|
| name | Package name (primary sort key). |
| version | The exact resolved version (secondary sort key). |
| integrity | Subresource-Integrity hash (sha512-…) of the tarball — the verification anchor. |
| dependencies | Map of dependency name → exact resolved version. Always present ({} when none). |
| registry | Provenance, e.g. { "registry": "https://registry.npmjs.org" }. |
| meow | The meow runtime-version constraint this resolution targets (e.g. ^0.1). |
| capabilities | Reserved for capability grants; omitted when empty. |
| wasm | Wasm-artifact hashes for the package; omitted when empty. |
The reader is strict
A lockfile is a contract, so meow refuses to quietly “fix” a malformed one. The parser rejects, with a precise line number, any file that is:
- not strictly ascending by (name, version) (catches unsorted lines and duplicates),
- not byte-identical to its canonical compact form (catches reordered keys or stray whitespace),
- or has a blank line.
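The three rejection rules above, as a minimal sketch added here for illustration; it is not meow's own parser. It assumes the key order is the order of the field table, that versions compare as plain strings, and that compact form means `JSON.stringify` output with no whitespace; `readLockfile`, `canonicalize` and the sample entries are constructed for this example.

```javascript
// Added example: strict reader for a meow.lock.jsonl-style file.
// Assumptions: key order = field-table order; versions compare as plain strings.
const KEY_ORDER = ["name", "version", "integrity", "dependencies",
                   "registry", "meow", "capabilities", "wasm"];

// Code-unit comparison, independent of locale.
function cmp(a, b) { return a < b ? -1 : a > b ? 1 : 0; }

// Re-serialize with keys in the fixed order and no whitespace.
function canonicalize(entry) {
  const out = {};
  for (const k of KEY_ORDER) if (k in entry) out[k] = entry[k];
  return JSON.stringify(out);
}

// Returns { ok: true, entries } or { ok: false, line, reason }.
function readLockfile(text) {
  const lines = text.split("\n");
  if (lines[lines.length - 1] === "") lines.pop(); // allow one trailing newline
  const entries = [];
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const fail = (reason) => ({ ok: false, line: i + 1, reason });
    if (line.trim() === "") return fail("blank line");
    let entry;
    try { entry = JSON.parse(line); } catch { return fail("invalid JSON"); }
    if (entry === null || typeof entry !== "object" || Array.isArray(entry))
      return fail("not an object");
    if (Object.keys(entry).some((k) => !KEY_ORDER.includes(k)))
      return fail("unknown key");
    if (typeof entry.name !== "string" || typeof entry.version !== "string")
      return fail("missing name or version");
    // Catches reordered keys, stray whitespace and duplicate keys.
    if (canonicalize(entry) !== line) return fail("not canonical");
    const prev = entries[entries.length - 1];
    if (prev && (cmp(prev.name, entry.name) || cmp(prev.version, entry.version)) >= 0)
      return fail("not strictly ascending");
    entries.push(entry);
  }
  return { ok: true, entries };
}

// Constructed sample entries; the integrity values are placeholders, not real digests.
const SAMPLE_A = '{"name":"alpha","version":"1.0.0","integrity":"sha512-PLACEHOLDER","dependencies":{}}';
const SAMPLE_B = '{"name":"beta","version":"2.1.0","integrity":"sha512-PLACEHOLDER","dependencies":{}}';
console.log(readLockfile(SAMPLE_A + "\n" + SAMPLE_B + "\n"));
```

A file that passes is only well-formed; checking each tarball against its entry's integrity hash is a separate step.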
Resolving conflicts
If git does report a conflict, it’s line-local: each conflicting line is a complete, independent entry. Keep the correct versions, make sure the result stays sorted by name then version, and run meow install — meow re-canonicalizes and validates the file.
Reproducibility
Because the lockfile pins exact versions and integrity hashes, an install from a committed lockfile is reproducible: the same graph, verified against the same hashes, materialized the same way. Combined with deterministic execution, this gives you end-to-end reproducibility from meow install through meow test.
See how the lockfile becomes node_modules
Materialization, the .meow store, and edge links.