An sbt plugin to create a dependency lockfile similar to package-lock.json for npm or Gemfile.lock for RubyGems.

Install the plugin by adding the following to project/plugins.sbt:

addSbtPlugin("software.purpledragon" % "sbt-dependency-lock" % "<version>")

Then generate a lockfile with sbt dependencyLockWrite. This will resolve dependencies and output a lockfile containing all dependencies (including transitive ones) to build.sbt.lock.

The lockfile can then be checked with sbt dependencyLockCheck:

[info] Dependency lock check passed

A mismatch between the lockfile and current dependencies will generate an error report:

[error] (dependencyLockCheck) Dependency lock check failed:
[error]   3 dependencies changed:
[error]     org.apache.commons:commons-lang3       (test)  -> (compile,test)  3.9 
[error]     org.scala-lang.modules:scala-xml_2.12  (test)                     1.2.0  -> 1.1.0 
[error]     org.scalactic:scalactic_2.12           (test)                     3.0.8  -> 3.0.7 
[error]     org.scalatest:scalatest_2.12           (test)                     3.0.8  -> 3.0.7 

See the docs for further information on how the plugin works.