End-User Guide

Module Dependencies & Lockfiles

Declare module dependencies and pin them to exact versions with lockfiles for reproducible builds.

Edit this page on GitHub

Module Dependencies & Lockfiles

Reproducible Builds with Pinned Dependencies

A module can depend on other modules. These dependencies are recursively resolved and fetched by rescile before building the graph. To ensure reproducible builds, rescile supports a module.lock file which pins dependencies to exact commit hashes or checksums.

Declaring Dependencies

Dependencies are declared in the [dependencies] section of module.toml. Three formats are supported:

[dependencies]
# Simple string: Git URL with optional tag (colon-separated)
base-security = "https://github.com/my-org/rescile-modules/base-security:v1.0.0"

# Detailed Git dependency with explicit tag
other-module = { git = "https://github.com/my-org/rescile-modules/other.git", tag = "v1.0.0" }

# Release archive with a version template
packaged-module = { url = "https://github.com/my-org/rescile-modules/releases/download/{version}/module.zip", version = "v1.2.0" }

The mod Subcommands

The rescile-ce mod subcommand provides utilities for managing dependencies and lockfiles.

rescile-ce mod lock

Resolves the full dependency tree based on the current module.toml and generates or heals the module.lock file. Run this after adding or changing a dependency declaration.

rescile-ce mod lock

rescile-ce mod check

Compares the module.lock against remote repositories to report whether any updates are available — for example, new commits on a tracked branch or a newer semver tag matching your constraint.

rescile-ce mod check

rescile-ce mod update

Updates the module.lock file to the latest available versions according to the remote repositories. Pass an optional module name to update a single dependency rather than all of them.

rescile-ce mod update                  # update all
rescile-ce mod update base-security    # update one

rescile-ce mod fetch

Resolves the dependency tree and downloads all remote modules into the persistent local registry without starting the server. Useful for pre-seeding a CI environment or an air-gapped build cache.

rescile-ce mod fetch

For guidance on authoring and publishing your own modules, see the Module Packaging Guide.