buf.lock
If your buf.yaml declares any dependencies in the deps field, you also need a buf.lock file that contains the dependency manifest for your workspace, representing a single, reproducible build of its external dependencies.

You can create or update a buf.lock file by running the buf dep update command at the root of the workspace (where the buf.yaml file is):

$ buf dep update

A buf.yaml file that has the deps section below results in the corresponding buf.lock file:

# buf.yaml
version: v2
...
deps:
  - buf.build/googleapis/googleapis

# Generated by buf. DO NOT EDIT.
version: v2
deps:
  - name: buf.build/googleapis/googleapis
    commit: 7a6bc1e3207144b38e9066861e1de0ff
    digest: b5:6d05bde5ed4cd22531d7ca6467feb828d2dc45cc9de12ce3345fbddd64ddb1bf0db756558c32ca49e6bc7de4426ada8960d5590e8446854b81f5f36f0916dc48

As the file itself notes, buf.lock should never be hand-edited, as it's the result of actually resolving the workspace dependencies.
version
Buf configuration version. Valid values are v2, v1, and v1beta1.
deps
Each entry in the deps key is a module pin, which uniquely represents a specific snapshot of the given module (buf.build/googleapis/googleapis:7a6bc1e3207144b38e9066861e1de0ff in this case), protected with a cryptographic digest of all of the files in it (see how we protect dependencies against tampering). With this, the local snapshot of the workspace and all of its dependencies are uniquely represented, reproducible, and protected against tampering.
Older versions of the Buf CLI included branch, commit, and create_time as a part of the dependencies. Your buf.lock shouldn't include these fields if you've run buf dep update with a current version.
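
A CI-style check for the pins described above, as an added example that is not part of the Buf documentation or the Buf CLI: it parses the v2 buf.lock layout shown on this page and reports pins with a missing or malformed commit or digest, legacy fields, and buf.yaml dependencies that have no pin. The commit pattern (32 hex characters) and digest pattern (b5: plus 128 hex characters) are assumptions inferred from the sample pin, and parse_pins, audit_lock and buf.build/acme/example are hypothetical names.

```python
import re

# Assumed shapes, inferred from the sample pin on this page.
COMMIT_RE = re.compile(r"^[0-9a-f]{32}$")
DIGEST_RE = re.compile(r"^b5:[0-9a-f]{128}$")
LEGACY_FIELDS = {"branch", "create_time"}  # commit is kept: the v2 sample has it

def parse_pins(lock_text):
    """Parse the flat v2 buf.lock layout shown above (not a general YAML parser)."""
    version, pins = None, []
    for raw in lock_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "deps:":
            continue
        if line.startswith("- "):  # a new module pin starts here
            pins.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        if pins:
            pins[-1][key.strip()] = value.strip()
        elif key.strip() == "version":
            version = value.strip()
    return version, pins

def audit_lock(lock_text, declared_deps):
    """Return a list of findings; empty means every declared dep has a well-formed pin."""
    version, pins = parse_pins(lock_text)
    findings = [] if version == "v2" else [f"not a v2 lock file: {version}"]
    for pin in pins:
        name = pin.get("name", "<unnamed>")
        for field, pattern in (("commit", COMMIT_RE), ("digest", DIGEST_RE)):
            if not pattern.match(pin.get(field, "")):
                findings.append(f"{name}: missing or malformed {field}")
        for field in sorted(LEGACY_FIELDS.intersection(pin)):
            findings.append(f"{name}: legacy field {field}")
    pinned = {pin.get("name") for pin in pins}
    findings += [f"{dep}: declared in buf.yaml but not pinned"
                 for dep in declared_deps if dep not in pinned]
    return findings

# The lock file from this page, then a constructed bad variant of it.
GOOD_LOCK = """# Generated by buf. DO NOT EDIT.
version: v2
deps:
  - name: buf.build/googleapis/googleapis
    commit: 7a6bc1e3207144b38e9066861e1de0ff
    digest: b5:6d05bde5ed4cd22531d7ca6467feb828d2dc45cc9de12ce3345fbddd64ddb1bf0db756558c32ca49e6bc7de4426ada8960d5590e8446854b81f5f36f0916dc48
"""
BAD_LOCK = GOOD_LOCK.replace("b5:6d05", "b5:") + "    create_time: 2024-01-01T00:00:00Z\n"
print(audit_lock(BAD_LOCK, ["buf.build/googleapis/googleapis", "buf.build/acme/example"]))
```

This checks the shape of each pin only; it does not recompute the digest over the module's files.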
Related docs
- Learn how Buf handles dependency management.