A pinned-dependency manifest (yarn.lock, package-lock.json) that guarantees every install reproduces the same dependency tree.
A lockfile (yarn.lock for Yarn, package-lock.json for npm, pnpm-lock.yaml for pnpm, Cargo.lock for Rust, Pipfile.lock for Pipenv, poetry.lock for Poetry) is an auto-generated file that records the exact versions, integrity hashes, and resolved transitive dependencies for a project. Committing the lockfile to Git ensures every developer, CI run, and production deploy installs the same dependency tree, with no surprise breakages from a transitive minor-version bump.
Builds without committed lockfiles are a known reproducibility bug: the project builds on Tuesday and fails on Wednesday because a transitive dependency shipped a breaking patch overnight. Lockfiles plus dependency-update bots (Dependabot, Renovate) give you both: locked builds for stability, and a bounded process for adopting upgrades on a deliberate cadence rather than at random.
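The two checks a lockfile makes possible, as an added example that is not from any package manager's own code: every declared dependency must be pinned, and each pinned tarball must match its recorded integrity hash. The registry URL, package names and tarball bytes are constructed for the example.

```python
"""Check a package-lock.json (lockfileVersion 3) the way a locked install does:
every dependency in package.json must be pinned, and each pinned package's
SRI integrity hash must match the bytes actually fetched for it."""
import base64
import hashlib

# Constructed stand-in for registry downloads (real tarballs are gzipped
# tar archives; the hash comparison works the same on any bytes).
TARBALLS = {
    "https://registry.example/left-pad/-/left-pad-1.3.0.tgz": b"left-pad tarball v1.3.0",
}

def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string as npm writes it: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

# Constructed package.json and lockfile; the integrity value is computed from
# the sample bytes above so the example is self-consistent. Note lodash is
# declared but never pinned: that is the out-of-sync case a locked install rejects.
PACKAGE_JSON = {"dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"}}
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri(TARBALLS["https://registry.example/left-pad/-/left-pad-1.3.0.tgz"]),
        }
    },
}

def check_lockfile(package_json: dict, lockfile: dict, fetch) -> list:
    """Return a list of problems; an empty list means the install is reproducible.
    `fetch(url)` returns the tarball bytes for a resolved URL."""
    problems = []
    pinned = lockfile.get("packages", {})
    for name in package_json.get("dependencies", {}):
        entry = pinned.get(f"node_modules/{name}")
        if entry is None:
            problems.append(f"{name}: declared in package.json but not pinned in lockfile")
            continue
        algo = entry["integrity"].split("-", 1)[0]  # e.g. "sha512"
        if sri(fetch(entry["resolved"]), algo) != entry["integrity"]:
            problems.append(f"{name}@{entry['version']}: integrity mismatch")
    return problems

if __name__ == "__main__":
    print(check_lockfile(PACKAGE_JSON, LOCKFILE, TARBALLS.__getitem__))
```

Swapping the fetched bytes for anything else (a tampered or re-published tarball) produces an integrity mismatch, which is the property that makes a committed lockfile a supply-chain control and not only a reproducibility aid.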