The best free, open-source supply-chain security tool? The lockfile (r2c.dev)
5 points by moyer 1616 days ago
1 comments

Author here. The idea for this post came about after a HN reply (https://news.ycombinator.com/item?id=28965469) to one of my comments about the ua-parser-js issue. And the most recent trigger was a conversation with some Ruby developers about whether or not Gemfile.lock provided any security benefits (as you can see from the chart, bundler is an outlier compared to pip/npm/yarn). I wanted to collect the arguments for and against lockfiles and examine how widely supported the most critical features are; would love feedback on the arguments as well as whether I've gotten the details right on which package manager supports what.