An sbt plugin to create a dependency lockfile similar to package-lock.json for npm or Gemfile.lock for RubyGems.

Install the plugin by adding the following to project/plugins.sbt:

addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "<version>")

Then generate a lockfile with sbt dependencyLockWrite. This will resolve dependencies and output a lockfile containing all dependencies (including transitive ones) to build.sbt.lock.

The lockfile can then be checked with sbt dependencyLockCheck:

[info] Dependency lock check passed 

A mismatch between the lockfile and current dependencies will generate an error report:

[error] (dependencyLockCheck) Dependency lock check failed: [error] 3 dependencies changed: [error] org.apache.commons:commons-lang3 (test) -> (compile,test) 3.9 [error] org.scala-lang.modules:scala-xml_2.12 (test) 1.2.0 -> 1.1.0 [error] org.scalactic:scalactic_2.12 (test) 3.0.8 -> 3.0.7 [error] org.scalatest:scalatest_2.12 (test) 3.0.8 -> 3.0.7 

See the docs for further information on how the plugin works.