Move.lock

When you build a Move package, the process creates a Move.lock file at the root of your package. The file acts as a communication layer between the Move compiler and other tools, like chain-specific command line interfaces and third-party package managers. The Move.lock file contains information about your package, including its dependencies, that aids operations like verification of source code against on-chain packages and package manager compatibility.

Like the Move.toml file, the Move.lock file is a text-based toml file. Unlike the package manifest, the Move.lock file is not intended for you to edit directly. Processes on the toolchain, like the Move compiler, access and edit the file to read and append relevant information. You also must not move the file from the root, as it needs to be at the same level as your Move.toml manifest.

If you are using source control for your package, make sure the Move.lock file is checked in to your repository. This ensures every build of your package is an exact replica of the original.

On-chain source verification

Move.lock records the toolchain version and flags passed during package compilation so the compiler can replicate the process. This provides confirmation that the package found at a given address on chain originated from a specific source package. Having this data in the lock file means you don't have to manually provide this information, which would be time consuming and prone to error.

Dependency resolution

When you build a package, the Move compiler resolves dependencies in Move.toml. After each resolution, the compiler writes the location of a dependency to the Move.lock file. If a dependency fails to resolve, the compiler stops writing to the Move.lock file and the build fails. If all dependencies resolve, the Move.lock file contains the locations (local and remote) of all your package's transitive dependencies. The Move.lock file stores the name and package details in an array similar to the following: