When you work in the Package Manager window, you can install packages from several sources (a registry, a local folder or tarball, and a Git URL). However, while the Package Manager installs packages from these sources seamlessly, it first has to make a series of calculations to decide which version to install, and which other packages and versions to install to support it.
When you select a package version to install through the Package Manager window, you are adding a dependency to your project manifest. This is a declaration that you need a specific version of a particular package in order for the project to work. Dependencies that appear in your project manifest are called “direct” dependencies.
Packages can also require other packages in order to work. These are called “indirect”, or transitive, dependencies. The package developer adds these dependencies to the package’s manifest during development. For example, there are several 2D packages that share functionality: both the 2D Animation and 2D Sprite Shape packages depend on the 2D Common package.
When you add a package version as a dependency, that version is not necessarily the version that the Package Manager installs, because it has to consider all of the dependencies in your project, whether direct or indirect. In order to decide which packages to install, the Package Manager constructs a list of every direct and indirect dependency.
The Package Manager can only install one package version at a time, so it has to construct a dependency graph in order to determine which version of each package to install. When the Package Manager successfully resolves all version conflicts, it saves the resolution in a lock file to ensure determinism (so that the same packages are reliably installed every time), and to reduce the amount of time and resources it takes to compute the dependency graph again.