Handle Lock Files in .gitattributes

Best practices for handling package manager lock files (package-lock.json, yarn.lock, Cargo.lock) in .gitattributes with diff suppression.

Detailed Explanation

Lock File Handling

Package manager lock files are one of the most common sources of noisy diffs and merge conflicts. They are text files that should be tracked and merged, but their diffs are rarely useful for code review.

Recommended Configuration

# JavaScript / Node.js
package-lock.json text -diff
yarn.lock         text -diff
pnpm-lock.yaml    text -diff

# Rust
Cargo.lock        text -diff

# Python
poetry.lock       text -diff
Pipfile.lock      text -diff
pdm.lock          text -diff
uv.lock           text -diff

# Ruby
Gemfile.lock      text -diff

# PHP
composer.lock     text -diff

# .NET
packages.lock.json text -diff

# Go (module checksum)
go.sum            text -diff

# Dart / Flutter
pubspec.lock      text -diff

# Elixir
mix.lock          text -diff

Why text -diff (Not binary)

Lock files must be:

  1. text: Line ending normalization prevents CRLF/LF merge conflicts
  2. -diff: Suppresses diffs that can be thousands of lines long
  3. Not binary: They need three-way merge capability

If you mark a lock file as binary, Git cannot merge concurrent changes, and every lock file update becomes a merge conflict.
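The three rules above can be checked mechanically. The following is an added example, not code from the original page: a small Python linter that resolves `text`, `diff` and `merge` for the lock files listed on this page and flags any that deviate from `text -diff`. It assumes slash-free patterns matched against the file name only, and the `SAMPLE` input is constructed for illustration.

```python
import fnmatch

# Lock files named on this page.
LOCK_FILES = {"package-lock.json", "yarn.lock", "pnpm-lock.yaml", "Cargo.lock",
              "poetry.lock", "Pipfile.lock", "pdm.lock", "uv.lock", "Gemfile.lock",
              "composer.lock", "packages.lock.json", "go.sum", "pubspec.lock", "mix.lock"}
# Git's built-in macro attribute: "binary" also means "-diff -merge -text".
MACROS = {"binary": ["-diff", "-merge", "-text"]}

def resolve(attributes_text, filename):
    """Resolve attributes one by one; later matching lines override earlier ones."""
    state = {}
    for line in attributes_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *tokens = line.split()
        # Simplification (assumption): slash-free patterns only, matched on the basename.
        if "/" in pattern or not fnmatch.fnmatchcase(filename, pattern):
            continue
        for tok in [t for raw in tokens for t in [raw] + MACROS.get(raw, [])]:
            if tok.startswith("-"):
                state[tok[1:]] = "unset"
            elif tok.startswith("!"):
                state[tok[1:]] = "unspecified"
            elif "=" in tok:
                name, value = tok.split("=", 1)
                state[name] = value
            else:
                state[tok] = "set"
    return state

def lint(attributes_text, filenames):
    """Return (filename, problem) pairs for lock files that deviate from `text -diff`."""
    problems = []
    for name in (n for n in filenames if n in LOCK_FILES):
        attrs = resolve(attributes_text, name)
        if attrs.get("merge") == "unset":
            problems.append((name, "merge unset: concurrent updates cannot be merged"))
        if attrs.get("text") != "set":
            problems.append((name, "text not set: no line-ending normalization"))
        if attrs.get("diff") != "unset":
            problems.append((name, "diff not unset: full lock file diff is shown"))
    return problems

# Constructed sample .gitattributes, not taken from any real repository.
SAMPLE = "*.lock binary\nyarn.lock text -diff\npackage-lock.json text\n"
```

In `SAMPLE`, `yarn.lock` is still reported: the later `text -diff` line overrides `text` and `diff`, but `merge` stays unset from the earlier `*.lock binary` line. Inside a real repository, `git check-attr text diff merge -- <file>` reports what Git itself resolves.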

Merge Strategies for Lock Files

Some teams configure a custom merge driver for lock files that always accepts the current version and then regenerates the lock file:

# In .gitconfig
[merge "npm-merge"]
  name = npm merge lock file
  driver = npx npm-merge-driver merge %A %O %B %P

# In .gitattributes
package-lock.json merge=npm-merge

Should Lock Files Be Committed?

File               Commit?                Why
package-lock.json  Yes (apps)             Reproducible builds
yarn.lock          Yes (apps)             Reproducible builds
Cargo.lock         Yes (bins), No (libs)  Rust convention
poetry.lock        Yes (apps)             Reproducible installs
go.sum             Yes                    Security verification

Libraries typically don't commit lock files because consumers should resolve their own dependency tree.

Use Case

Every project that uses a package manager with a lock file should configure `text -diff` for that file. This is one of the highest-impact, lowest-effort improvements you can make to your Git workflow, immediately reducing PR noise and review fatigue.
