Company
Date Published
Author
Sonar
Word count
752
Language
English
Hacker News points
None

Summary

The use of open source components in modern applications is widespread: according to the article, 92% of professional applications rely on them. Managing those dependencies has become harder, and older practices such as vendoring (copying library sources into the repository) or bundling have fallen out of favor because they make it difficult to track which versions are in use and to update them. The approach the article describes is to keep a manifest file that lists only the direct dependencies, with version ranges, and to have the package manager resolve that manifest into a lockfile that pins every package in the dependency tree, transitive dependencies included, to an exact version, usually together with an integrity hash of the downloaded artifact. Committing the lockfile lets every developer, CI job, and production deployment install precisely the same versions, which makes builds reproducible and keeps an unreviewed upgrade, or a newly published malicious release that happens to satisfy a version range, from entering the build silently; a mismatched hash also reveals an artifact that was altered after the lock was taken. The manifest/lockfile pair is now standard across package managers: npm and Yarn (package-lock.json, yarn.lock), Bundler for RubyGems (Gemfile.lock), Composer for PHP with its Packagist registry (composer.lock), and pinned requirements files or lock tools in the pip ecosystem. Two caveats a practitioner should keep in mind: the lockfile only protects a build that actually honors it (for example npm ci rather than a plain npm install, which may re-resolve), and pinning freezes known-vulnerable versions too, so lockfile updates still need to be reviewed and dependencies scanned.
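The manifest-to-lockfile flow described above, as an added example that is not code from the Sonar article or from any real package manager. It models in Python what npm, Yarn, Bundler and Composer do: resolve a manifest of version ranges into a lockfile that pins the whole dependency closure and records an integrity hash per artifact, then perform an install that honors the lockfile and refuses a tampered artifact. The registry, package names, versions and "tarball" bytes are constructed for illustration; the resolver picks the highest matching version and does not backtrack on conflicts, and the `sha256-` integrity string is modeled loosely on Subresource Integrity rather than any package manager's exact encoding.

```python
"""Added example (not from the Sonar article): manifest -> lockfile -> verified install.
Package names, versions, ranges and artifact bytes below are all constructed."""
import copy
import hashlib

# Constructed registry: package -> version -> (dependencies, artifact bytes).
# A real registry serves tarballs; here each "tarball" is a short byte string.
REGISTRY = {
    "web-framework": {
        "2.0.0": ({"template-lib": ">=1.0.0 <2.0.0"}, b"web-framework-2.0.0"),
        "2.1.0": ({"template-lib": ">=1.1.0 <2.0.0"}, b"web-framework-2.1.0"),
    },
    "template-lib": {
        "1.0.0": ({}, b"template-lib-1.0.0"),
        "1.1.0": ({}, b"template-lib-1.1.0"),
        "1.2.0": ({}, b"template-lib-1.2.0"),
    },
}

# Constructed manifest: direct dependencies only, expressed as ranges.
MANIFEST = {"web-framework": ">=2.0.0 <3.0.0"}


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def satisfies(version, spec):
    """spec is a space-separated list of constraints such as '>=1.1.0 <2.0.0'
    or an exact version such as '1.2.0'."""
    ver = parse_version(version)
    for token in spec.split():
        for op in (">=", "<=", ">", "<", "=="):  # two-char ops before one-char ops
            if token.startswith(op):
                bound = parse_version(token[len(op):])
                break
        else:
            op, bound = "==", parse_version(token)
        ok = {">=": ver >= bound, "<=": ver <= bound, ">": ver > bound,
              "<": ver < bound, "==": ver == bound}[op]
        if not ok:
            return False
    return True


def integrity(data):
    return "sha256-" + hashlib.sha256(data).hexdigest()


def resolve(manifest, registry):
    """Build a lockfile: every package in the closure (direct and transitive)
    pinned to one exact version with the hash of its artifact."""
    lock = {}
    pending = list(manifest.items())
    while pending:
        name, spec = pending.pop()
        if name in lock:  # already pinned; a real resolver would backtrack or nest on conflict
            if not satisfies(lock[name]["version"], spec):
                raise ValueError(f"conflict: {name} {lock[name]['version']} violates {spec}")
            continue
        candidates = [v for v in registry[name] if satisfies(v, spec)]
        if not candidates:
            raise ValueError(f"no version of {name} satisfies {spec}")
        chosen = max(candidates, key=parse_version)  # deterministic choice: highest match
        deps, tarball = registry[name][chosen]
        lock[name] = {"version": chosen, "integrity": integrity(tarball), "requires": dict(deps)}
        pending.extend(deps.items())
    return dict(sorted(lock.items()))  # stable ordering so lockfile diffs review cleanly


def install(lockfile, registry):
    """Install honoring the lockfile (the `npm ci` discipline): fetch exactly the
    pinned version and verify its hash. Returns (name, version) pairs installed."""
    installed = []
    for name, entry in lockfile.items():
        if entry["version"] not in registry[name]:
            raise RuntimeError(f"{name}@{entry['version']} is pinned but no longer published")
        _, tarball = registry[name][entry["version"]]
        if integrity(tarball) != entry["integrity"]:
            raise RuntimeError(f"integrity mismatch for {name}@{entry['version']}")
        installed.append((name, entry["version"]))
    return installed


def demo():
    lock = resolve(MANIFEST, REGISTRY)
    # Drift: a newer release appears after the lock was taken. A lockfile-honoring
    # install keeps the pinned version; re-resolving the manifest would pick it up.
    drifted = copy.deepcopy(REGISTRY)
    drifted["web-framework"]["2.2.0"] = ({"template-lib": ">=1.1.0 <2.0.0"}, b"web-framework-2.2.0")
    pinned_install = install(lock, drifted)
    reresolved = resolve(MANIFEST, drifted)["web-framework"]["version"]
    # Tampering: the artifact behind a pinned version is swapped out; the hash catches it.
    tampered = copy.deepcopy(REGISTRY)
    tampered["template-lib"]["1.2.0"] = ({}, b"template-lib-1.2.0-with-extra-payload")
    try:
        install(lock, tampered)
        tamper_detected = False
    except RuntimeError:
        tamper_detected = True
    return {"lock": lock, "pinned_install": pinned_install,
            "reresolved": reresolved, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two scenarios in `demo` are the ones the lockfile exists for: a build that honors the lock is unaffected by a release published after the lock was generated, and an artifact whose bytes no longer match the recorded hash is rejected instead of installed. Neither protection applies to an install path that re-resolves the manifest and rewrites the lock, which is why the distinction between a "clean install from lockfile" command and an ordinary install matters in CI.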