meow records the exact resolved dependency graph in meow.lock.jsonl. It’s the execution contract: the integrity hash on every entry is what meow verifies before running a single byte of a package. Commit it.

Why JSON-Lines

Most lockfiles are one giant document, so a merge between two branches that both touched dependencies produces a sprawling, hard-to-resolve conflict. meow’s lockfile is one compact JSON object per line, sorted strictly by (name, version):
  • Each dependency is an independent line, so merges are line-local and usually conflict-free.
  • The ordering is inherent — there is no code path that can emit an unsorted or duplicated line.
  • The format is byte-stable: the same resolved graph always serializes to the exact same bytes, regardless of install order.
meow.lock.jsonl
{"name":"is-number","version":"6.0.0","integrity":"sha512-…","dependencies":{},"registry":{"registry":"https://registry.npmjs.org"},"meow":"^0.1"}
{"name":"is-odd","version":"3.0.1","integrity":"sha512-…","dependencies":{"is-number":"6.0.0"},"registry":{"registry":"https://registry.npmjs.org"},"meow":"^0.1"}

Entry fields

Each line is a compact JSON object with keys in a fixed order:
| Field | Meaning |
| --- | --- |
| name | Package name (primary sort key). |
| version | The exact resolved version (secondary sort key). |
| integrity | Subresource-Integrity hash (sha512-…) of the tarball — the verification anchor. |
| dependencies | Map of dependency name → exact resolved version. Always present ({} when none). |
| registry | Provenance, e.g. { "registry": "https://registry.npmjs.org" }. |
| meow | The meow runtime-version constraint this resolution targets (e.g. ^0.1). |
| capabilities | Reserved for capability grants; omitted when empty. |
| wasm | Wasm-artifact hashes for the package; omitted when empty. |

The reader is strict

A lockfile is a contract, so meow refuses to quietly “fix” a malformed one. The parser rejects, with a precise line number, any file that:
  • is not strictly ascending by (name, version) (catches unsorted lines and duplicates),
  • is not byte-identical to its canonical compact form (catches reordered keys or stray whitespace),
  • or has a blank line.
meow: meow.lock.jsonl is not canonical at line 2:
  line is not strictly ascending by (name, version) (unsorted or duplicate)
A bad integrity SRI or version is blamed on the specific field rather than reported as generic “invalid JSON” — diagnostics point at the fix.
Don’t hand-edit meow.lock.jsonl. Add, remove, or update dependencies through meow add / meow remove / meow install, which always emit the canonical form atomically. Hand edits are likely to trip the strict reader.
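
The rejection rules above can be reproduced outside meow, for example as a pre-merge check in CI. The following is an added example, not meow's own parser. It assumes that (name, version) is compared as plain strings, that the first six fields are required, and that nested objects keep their parsed key order; `checkLockfile`, `line` and the digest `H` are constructed for illustration.

```javascript
// Added example, not meow's parser. Assumptions: (name, version) compares as
// plain strings; the first six keys are required; nested key order is kept.
const KEY_ORDER = ["name", "version", "integrity", "dependencies",
                   "registry", "meow", "capabilities", "wasm"];
const REQUIRED = KEY_ORDER.slice(0, 6);
// A sha512 digest is 64 bytes: 86 base64 characters followed by "==".
const SRI_SHA512 = /^sha512-[A-Za-z0-9+/]{86}==$/;
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Returns null when the text is canonical, otherwise { line, reason }.
function checkLockfile(text) {
  const lines = text.split("\n");
  if (lines[lines.length - 1] === "") lines.pop(); // final newline is not a blank line
  let prev = null;
  for (let i = 0; i < lines.length; i++) {
    const raw = lines[i];
    const fail = (reason) => ({ line: i + 1, reason });
    if (raw.trim() === "") return fail("blank line");
    let entry;
    try { entry = JSON.parse(raw); } catch { return fail("invalid JSON"); }
    if (entry === null || typeof entry !== "object" || Array.isArray(entry))
      return fail("entry is not a JSON object");
    for (const k of REQUIRED)
      if (!(k in entry)) return fail(`missing field "${k}"`);
    for (const k of Object.keys(entry))
      if (!KEY_ORDER.includes(k)) return fail(`unknown field "${k}"`);
    if (typeof entry.name !== "string" || typeof entry.version !== "string")
      return fail("name and version must be strings");
    // Blame the integrity field specifically rather than the whole line.
    if (typeof entry.integrity !== "string" || !SRI_SHA512.test(entry.integrity))
      return fail("integrity is not a sha512 SRI hash");
    // Rebuild with keys in the fixed order and compare bytes: this catches
    // reordered keys and stray whitespace in one step.
    const canon = {};
    for (const k of KEY_ORDER) if (k in entry) canon[k] = entry[k];
    if (JSON.stringify(canon) !== raw) return fail("not in canonical compact form");
    if (prev && (cmp(prev.name, entry.name) || cmp(prev.version, entry.version)) >= 0)
      return fail("not strictly ascending by (name, version)");
    prev = entry;
  }
  return null;
}

// Constructed sample input: placeholder digest, package names from the example above.
const H = "sha512-" + "A".repeat(86) + "==";
const line = (name, version, dependencies = {}) => JSON.stringify({ name, version,
  integrity: H, dependencies, registry: { registry: "https://registry.npmjs.org" }, meow: "^0.1" });
```

Because the check is a byte comparison against the re-serialized entry, it needs no separate rules for whitespace, key order or CRLF line endings: any of them makes the line differ from its canonical form.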

Resolving conflicts

If git does report a conflict, it’s line-local: each conflicting line is a complete, independent entry. Keep the correct versions, make sure the result stays sorted by name then version, and run meow install — meow re-canonicalizes and validates the file.

Reproducibility

Because the lockfile pins exact versions and integrity hashes, an install from a committed lockfile is reproducible: the same graph, verified against the same hashes, materialized the same way. Combined with deterministic execution, this gives you end-to-end reproducibility from meow install through meow test.

See how the lockfile becomes node_modules

Materialization, the .meow store, and edge links.