> ## Documentation Index
> Fetch the complete documentation index at: https://docs.meow.style/llms.txt
> Use this file to discover all available pages before exploring further.

# The lockfile

> meow.lock.jsonl — a strict, sorted, JSON-Lines lockfile designed to survive git merges.

meow records the exact resolved dependency graph in `meow.lock.jsonl`. It's the
**execution contract**: the integrity hash on every entry is what meow verifies
before running a single byte of a package. **Commit it.**

## Why JSON-Lines

Most lockfiles are one giant document, so a merge between two branches that both
touched dependencies produces a sprawling, hard-to-resolve conflict. meow's
lockfile is **one compact JSON object per line**, sorted strictly by
`(name, version)`:

* Each dependency is an independent line, so merges are line-local and usually
  conflict-free.
* The ordering is inherent — there is no code path that can emit an unsorted or
  duplicated line.
* The format is **byte-stable**: the same resolved graph always serializes to the
  exact same bytes, regardless of install order.

```jsonl meow.lock.jsonl theme={null}
{"name":"is-number","version":"6.0.0","integrity":"sha512-…","dependencies":{},"registry":{"registry":"https://registry.npmjs.org"},"meow":"^0.1"}
{"name":"is-odd","version":"3.0.1","integrity":"sha512-…","dependencies":{"is-number":"6.0.0"},"registry":{"registry":"https://registry.npmjs.org"},"meow":"^0.1"}
```

## Entry fields

Each line is a compact JSON object with keys in a fixed order:

| Field          | Meaning                                                                           |
| -------------- | --------------------------------------------------------------------------------- |
| `name`         | Package name (primary sort key).                                                  |
| `version`      | The exact resolved version (secondary sort key).                                  |
| `integrity`    | Subresource-Integrity hash (`sha512-…`) of the tarball — the verification anchor. |
| `dependencies` | Map of dependency name → exact resolved version. Always present (`{}` when none). |
| `registry`     | Provenance, e.g. `{ "registry": "https://registry.npmjs.org" }`.                  |
| `meow`         | The meow runtime-version constraint this resolution targets (e.g. `^0.1`).        |
| `capabilities` | Reserved for capability grants; omitted when empty.                               |
| `wasm`         | Wasm-artifact hashes for the package; omitted when empty.                         |

## The reader is strict

A lockfile is a contract, so meow refuses to quietly "fix" a malformed one. The
parser rejects, with a precise line number, any file that is:

* not strictly ascending by `(name, version)` (catches unsorted lines **and** duplicates),
* not byte-identical to its canonical compact form (catches reordered keys or stray whitespace),
* or has a blank line.

```text theme={null}
meow: meow.lock.jsonl is not canonical at line 2:
  line is not strictly ascending by (name, version) (unsorted or duplicate)
```

A bad integrity SRI or version is blamed on the specific field rather than
reported as generic "invalid JSON" — diagnostics point at the fix.

<Warning>
  Don't hand-edit `meow.lock.jsonl`. Add, remove, or update dependencies through
  `meow add` / `meow remove` / `meow install`, which always emit the canonical form
  atomically. Hand edits are likely to trip the strict reader.
</Warning>

## Resolving conflicts

If git does report a conflict, it's line-local: each conflicting line is a complete,
independent entry. Keep the correct versions, make sure the result stays sorted by
name then version, and run `meow install` — meow re-canonicalizes and validates the
file.

## Reproducibility

Because the lockfile pins exact versions **and** integrity hashes, an install from
a committed lockfile is reproducible: the same graph, verified against the same
hashes, materialized the same way. Combined with [deterministic
execution](/concepts/determinism), this gives you end-to-end reproducibility from
`meow install` through `meow test`.

<Card title="See how the lockfile becomes node_modules" icon="folder-tree" href="/package-manager/node-modules">
  Materialization, the .meow store, and edge links.
</Card>
