Could lockfiles just be SBOMs?

https://nesbitt.io/2025/12/23/could-lockfiles-just-be-sboms.html

14•zdw•2h ago

Comments

firloop•1h ago

Another drawback could be that package manager lockfile schemas are optimized for performance[0]. I wouldn't appreciate seeing slower install times by default - especially if the lockfile could be converted with other tooling.

[0]: https://bun.com/blog/behind-the-scenes-of-bun-install#optimi...

zingar•59m ago

In hearing the SBOM term for the first time from that article and the linked Wikipedia page. For the ignorant like me: what is it that SBOM is used for that lockfiles aren’t? Everything in the article is something that I’m used to seeing automated scanners using lockfiles for.

Is it just that the two are used by different communities? What is the SBOM community?

edoceo•51m ago

In many cases the lock files are for one part of the stack. Like npm and composer and $other_lang thing. sBOM is when all are together and version-pinned. (I've over simplified).

Edit: for my domain we have Alpine, Debian, PHP, JS, Go in the stack. So our BOM has all that (and dependencies). It's a big list. Some is just necessary base (Alpine, Debian) but some are core stack and other are edge (dependency on python lib when we're mostly Rust (or something)).

Mirror/Vendor all these things for supply-chain integrity (it's what they tell me)

LoganDark•45m ago

> what is it that SBOM is used for that lockfiles aren’t?

Compliance. The article mentions "the EU’s Cyber Resilience Act will push vendors toward providing SBOMs", and having package managers generate SBOMs directly would certainly be convenient for that.

woodruffw•39m ago

This is a great summary, although I think I'm more bearish on SBOMs than Andrew is: my experience integrating them so far (in both pip-audit and uv) has been that there's much more malleability at the representation level than the presence of a standard might imply, and that consumers have adapted (a la Postel) to this reality by being very permissive with the kinds of broken stuff they permit when ingesting third-party SBOMs.

(Case in point: pip-audit's CycloneDX emission was subtly incorrect for years, and nobody noticed[1].)

[1]: https://github.com/pypa/pip-audit/pull/981

Old English Computer Glossary

Claude Code with API Key?

Microsoft wants to replace its C and C++ codebase, perhaps by 2030

Pennsylvania High Court Rules Police Can Access Google Searches Without Warrant

A new immunotherapy approach could work for many types of cancer

QWED – Deterministic Verification for AI

Gave My RGB Fans a Job: 38-Pixel Screen Mirror

Ask HN: Will SLMs be what bursts the LLM bubble cos you can run them on a phone?

They graduated from Stanford. Due to AI, they can't find a job

We interfaced single-threaded C++ with multi-threaded Rust and lived

Evaluating Context Compression for AI Agents

Zodiac Z13 Decryption

Manufactured Inevitability and the Need for Courage

Physicists found a way to make thermodynamics work in the quantum world

Don't Become the Machine

You Can Get Every AI Model for Free

Ask HN: Critique wanted — granular-physics pyramid preprint

The semantic layer is dead. Long live the wiki

Big Space Sandwich Broke a Record

China bans sharing 'obscene' material – potentially including sexting

Yendor: A Zach-like, rogue-like game and language made in 7 days

China Delays Plans for Mass Production of Self-Driving Cars After Accident

Poetiq achieves 75% at under $8 / problem using GPT-5.2 X-High on ARC-AGI-2

A semantic POP-style framework for structuring AI-assisted programs

How to Become AGI: From Capitalism to Compute-Ism

Casuistic Alignment

Show HN: Depsy – normalized SaaS dependency health in one API call (cached,fast)

Show HN: Send free letters to your future self or others

DownDownDown Come and challenge the 100th floor game

Peter Thiel's $74M Shake-Up: Slashes Tesla, Bets Big on Microsoft and Apple