If your buf.yaml declares any dependencies in the deps field, you also need a buf.lock file that contains the dependency manifest for your workspace, representing a single, reproducible build of its external dependencies.

You can create or update a buf.lock file by running the buf dep update command at the root of the workspace (where the buf.yaml file is):

$ buf dep update

A buf.yaml file that has the deps section below results in the corresponding buf.lock file:

version: v2
# Generated by buf. DO NOT EDIT.
version: v2
  - name:
    commit: 7a6bc1e3207144b38e9066861e1de0ff
    digest: b5:6d05bde5ed4cd22531d7ca6467feb828d2dc45cc9de12ce3345fbddd64ddb1bf0db756558c32ca49e6bc7de4426ada8960d5590e8446854b81f5f36f0916dc48

As the file itself notes, buf.lock should never be hand-edited, as it's the result of actually resolving the workspace dependencies.


Buf configuration version. Valid values are v2, v1, and v1beta1.


Each entry in the deps key is a module pin, which uniquely represents a specific snapshot of the given module ( in this case), protected with a cryptographic digest of all of the files in it (see how we protect dependencies against tampering). With this, the local snapshot of the workspace and all of its dependencies are uniquely represented, reproducible, and protected against tampering.

Older versions of the Buf CLI included include branch, commit, and create_time as a part of the dependencies. Your buf.lock shouldn't include these fields if you've run buf dep update with a current version.