buf.lock

If your buf.yaml declares any dependencies in the deps field, you also need a buf.lock file that contains the dependency manifest for your workspace, representing a single, reproducible build of its external dependencies.

You can create or update a buf.lock file by running the buf dep update command at the root of the workspace (where the buf.yaml file is):

$ buf dep update

A buf.yaml file that has the deps section below results in the corresponding buf.lock file:

buf.yaml

version: v2
...
deps:
  - buf.build/googleapis/googleapis

buf.lock

# Generated by buf. DO NOT EDIT.
version: v2
deps:
  - name: buf.build/googleapis/googleapis
    commit: 7a6bc1e3207144b38e9066861e1de0ff
    digest: b5:6d05bde5ed4cd22531d7ca6467feb828d2dc45cc9de12ce3345fbddd64ddb1bf0db756558c32ca49e6bc7de4426ada8960d5590e8446854b81f5f36f0916dc48

As the file itself notes, buf.lock should never be hand-edited, as it's the result of actually resolving the workspace dependencies.

version

Buf configuration version. Valid values are v2, v1, and v1beta1.

deps

Each entry in the deps key is a module pin, which uniquely represents a specific snapshot of the given module (buf.build/googleapis/googleapis:7a6bc1e3207144b38e9066861e1de0ff in this case), protected with a cryptographic digest of all of the files in it (see how we protect dependencies against tampering). With this, the local snapshot of the workspace and all of its dependencies are uniquely represented, reproducible, and protected against tampering.

Older versions of the Buf CLI included branch, commit, and create_time as a part of the dependencies. Your buf.lock shouldn't include these fields if you've run buf dep update with a current version.
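
A CI-style check for the module pins and older-format fields described above, as an added example that is not part of the Buf documentation or the Buf CLI. The names parse_pins and lint_lock, the module buf.build/example/legacy and the commit/digest patterns (inferred from the lock file shown on this page) are assumptions; the check covers shape and completeness only and does not recompute the digest.

```python
import re
# The page's buf.lock plus one constructed pin (hypothetical module name).
SAMPLE_LOCK = """\
# Generated by buf. DO NOT EDIT.
version: v2
deps:
  - name: buf.build/googleapis/googleapis
    commit: 7a6bc1e3207144b38e9066861e1de0ff
    digest: b5:6d05bde5ed4cd22531d7ca6467feb828d2dc45cc9de12ce3345fbddd64ddb1bf0db756558c32ca49e6bc7de4426ada8960d5590e8446854b81f5f36f0916dc48
  - name: buf.build/example/legacy
    commit: 0123456789abcdef0123456789abcdef
    branch: main
"""

# Value shapes inferred from the page's example (assumption, not a Buf spec).
SHAPES = {"commit": re.compile(r"[0-9a-f]{32}"),
          "digest": re.compile(r"b5:[0-9a-f]{128}")}
LEGACY_FIELDS = ("branch", "create_time")  # "commit" is still in the v2 example

def parse_pins(lock_text):
    """Read the flat deps list of a buf.lock (not a general YAML parser)."""
    pins, in_deps = [], False
    for line in lock_text.splitlines():
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        if not line.startswith(" "):          # top-level key: version, deps
            in_deps = item == "deps:"
        elif in_deps:
            if item.startswith("- "):         # a new module pin begins
                pins.append({})
            key, _, value = item.lstrip("- ").partition(":")
            if pins:
                pins[-1][key.strip()] = value.strip()
    return pins

def lint_lock(lock_text, declared_deps):
    """Return findings for unpinned, incomplete or older-format pins."""
    pins = parse_pins(lock_text)
    pinned = {p.get("name") for p in pins}
    findings = [f"{d}: not pinned in buf.lock" for d in declared_deps
                if d.split(":")[0] not in pinned]  # ignore any ":ref" suffix
    for p in pins:
        name = p.get("name", "<unnamed>")
        for field, pattern in SHAPES.items():
            if not pattern.fullmatch(p.get(field, "")):
                findings.append(f"{name}: missing or malformed {field}")
        findings += [f"{name}: legacy field {f!r}" for f in LEGACY_FIELDS if f in p]
    return findings
```

Pass lint_lock the text of buf.lock and the deps list from buf.yaml; an empty result means every declared dependency has a complete pin.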