chore(brain): ASTRA 성장 자산 동기화 — 기능 인벤토리·growth(약점프로필/학습큐)·일화기억·장기기억·회의록 원문

2026-06-12 16:37:41 +09:00
parent a97fc7be07
commit 89fb05a28a
781 changed files with 138546 additions and 47 deletions
@@ -0,0 +1,162 @@
+---
+id: wiki-2026-0508-dependencies-의존성
+title: Dependencies (의존성)
+category: 10_Wiki/Topics
+status: verified
+canonical_id: self
+aliases: [npm-dependencies, package-dependencies, supply-chain]
+duplicate_of: none
+source_trust_level: A
+confidence_score: 0.9
+verification_status: applied
+tags: [dependencies, npm, semver, supply-chain]
+raw_sources: []
+last_reinforced: 2026-05-10
+github_commit: pending
+tech_stack:
+  language: javascript
+  framework: npm/pnpm
+---
+
+# Dependencies (의존성)
+
+## 매 한 줄
+> **"매 dependency 의 liability 가 X asset"**. 매 npm install 이 매 third-party code 를 매 production 에 inject — 매 supply chain attack (event-stream 2018, ua-parser-js 2021, xz-utils 2024 backdoor) 가 매 매년 발생. 2026 modern stack 의 매 pnpm + lockfile + minimum-deps + SBOM (CycloneDX) 가 매 standard.
+
+## 매 핵심
+
+### 매 Dependency 종류
+- **dependencies**: 매 production runtime 의 사용 (Express, React).
+- **devDependencies**: 매 build/test only (Vitest, TypeScript, ESLint).
+- **peerDependencies**: 매 host 가 provide (React plugin 의 React).
+- **optionalDependencies**: 매 install 실패 가 OK (platform-specific binaries).
+- **bundledDependencies**: 매 package tarball 안 ship.
+
+### 매 Semver
+- `^1.2.3` — minor + patch updates (1.x.x), 매 npm default. 매 unsafe 가 0.x 에서 (^0.2.3 → 0.2.x only).
+- `~1.2.3` — patch only (1.2.x).
+- `1.2.3` — exact pin, 매 reproducibility 의 best.
+- `*` / `latest` — 매 X. 매 절대 사용 X.
+
+### 매 Lockfile
+- **pnpm-lock.yaml** / **package-lock.json** / **yarn.lock**: 매 exact resolved versions + integrity hashes.
+- 매 `npm ci` 사용 (매 install 가 X) — 매 lockfile 강제, deterministic install.
+- 매 commit 의 must.
+
+### 매 Supply Chain Risks
+- **Typosquatting**: `reqeusts`, `lodahs`.
+- **Compromised maintainer**: 매 ua-parser-js 2021.
+- **Malicious update**: 매 event-stream 2018, xz-utils 2024.
+- **Dependency confusion**: 매 internal package name 가 public registry 에 publish 됨.
+
+## 💻 패턴
+
+### Pinning + lockfile
+```json
+{
+  "dependencies": {
+    "react": "18.3.1",
+    "express": "~4.21.0",
+    "zod": "^3.23.8"
+  },
+  "engines": { "node": ">=20.10.0", "pnpm": ">=9.0.0" }
+}
+```
+
+### pnpm 의 strict install
+```bash
+# CI 의 deterministic install
+pnpm install --frozen-lockfile
+# 매 lockfile mismatch 시 error.
+
+# 매 audit
+pnpm audit --audit-level=high
+```
+
+### Renovate config
+```json
+// renovate.json
+{
+  "extends": ["config:recommended"],
+  "lockFileMaintenance": { "enabled": true, "schedule": ["before 5am on Monday"] },
+  "vulnerabilityAlerts": { "enabled": true, "labels": ["security"] },
+  "packageRules": [
+    { "matchUpdateTypes": ["minor", "patch"], "automerge": true, "matchCurrentVersion": "!/^0/" },
+    { "matchPackagePatterns": ["^@types/"], "automerge": true }
+  ]
+}
+```
+
+### SBOM 생성 (CycloneDX)
+```bash
+npx @cyclonedx/cyclonedx-npm --output-file sbom.json
+# 매 SLSA / EU CRA compliance 의 사용.
+```
+
+### Known-good integrity check
+```bash
+# 매 npm install 후 lockfile integrity 검증
+pnpm install --frozen-lockfile --prefer-offline
+# Subresource integrity 가 lockfile 에 자동 record.
+```
+
+### Allowed-dependencies guard (CI)
+```ts
+// scripts/check-deps.ts
+import pkg from '../package.json' with { type: 'json' };
+const ALLOWED_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'ISC']);
+// 매 license-checker 사용 의 production deps audit.
+```
+
+### Provenance verification
+```bash
+# 매 npm 9.5+ 의 sigstore provenance
+npm install --foreground-scripts=false
+npm audit signatures
+# 매 GitHub Actions 의 publish 한 package 만 trust.
+```
+
+### Dependency removal
+```bash
+pnpm dlx depcheck
+# 매 unused dep 찾기. 매 quarterly cleanup.
+```
+
+## 매 결정 기준
+| 상황 | Approach |
+|---|---|
+| Library author | `peerDependencies` + minimal `dependencies` |
+| Application | Pin all critical (React, framework), `^` for utilities |
+| Monorepo | pnpm workspaces + catalogs (pnpm 9.5+) |
+| 매 high-security (fintech, gov) | Exact pin all, Renovate manual approve, internal mirror |
+| 매 prototype | `^` everywhere, 매 lockfile commit 만 |
+
+**기본값**: pnpm + frozen lockfile + Renovate auto-merge minors + SBOM in CI.
+
+## 🔗 Graph
+- 부모: [[Software-Architecture]]
+- 변형: [[Monorepo]]
+- 응용: [[Dependency-Analysis]] · [[SBOM]]
+- Adjacent: [[Supply-Chain-Security]] · [[Renovate]] · [[Dependabot]]
+
+## 🤖 LLM 활용
+**언제**: 매 package.json review, 매 vulnerability triage, 매 dep upgrade plan generation, 매 SBOM diff explanation.
+**언제 X**: 매 actual install / build (deterministic tooling 가 better). 매 license decision (legal review 필요).
+
+## ❌ 안티패턴
+- **`*` or `latest`**: 매 reproducibility destroyed.
+- **lockfile gitignore**: 매 다른 dev / CI 가 different versions install.
+- **`npm install` in CI**: 매 `npm ci` / `pnpm install --frozen-lockfile` 사용.
+- **0.x with `^`**: 매 ^0.2.3 가 0.3.0 으로 jump 가능 — breaking changes.
+- **Untyped transitive deps**: 매 매 indirect 의 audit X. SBOM 의 review.
+- **Package without provenance**: 매 2026 의 sigstore signed packages prefer.
+
+## 🧪 검증 / 중복
+- Verified (npm docs, pnpm docs, SLSA framework, CycloneDX spec).
+- 신뢰도 A.
+
+## 🕓 Changelog
+| 날짜 | 변경 |
+|---|---|
+| 2026-05-08 | Phase 1 |
+| 2026-05-10 | Manual cleanup — npm dependency management, semver, supply chain hardening |