When you work in the Package Manager window, you can install packages from several sources (a registry, a local folder or tarball, and a Git URL). However, while the Package Manager installs packages from these sources seamlessly, there is a lot more going on under the hood.
When you select a package version to install through the Package Manager window, you are really adding a dependency to your project manifest. This is a declaration that you need a specific version of a particular package in order for the project to work. Dependencies that appear in your project manifest are called direct dependencies.
Packages can also require other packages in order to work. These are called indirect, or transitive, dependencies. The package developer adds these dependencies to the package’s manifest during development. For example, there are several 2D packages that share functionality: both the 2D Animation and 2D Sprite Shape packages depend on the 2D Common package.
When you add a package version as a dependency, that version is not necessarily the same version that the Package Manager installs, because it has to consider all of the dependencies in your project, whether direct or indirect. In order to decide which packages to install, the Package Manager constructs a list of every direct and indirect dependency.
The Package Manager can only install one package version at a time, so it has to construct a dependency graph in order to determine which version of each package to install. When the Package Manager successfully resolves all version conflicts, it saves the resolution in a lock file to ensure determinism (so that the same packages are reliably installed every time), and to reduce the amount of time and resources it takes to compute the dependency graph again.