---
id: wiki-2026-0508-dependencies-의존성
title: Dependencies
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [npm-dependencies, package-dependencies, supply-chain]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [dependencies, npm, semver, supply-chain]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: javascript
  framework: npm/pnpm
---

# Dependencies

## One-liner

> **"Every dependency is a liability, not an asset."** Every `npm install` injects third-party code into production, and supply chain attacks (event-stream 2018, ua-parser-js 2021, xz-utils 2024 backdoor) happen every year. In a 2026 stack, pnpm + lockfile + minimum dependencies + SBOM (CycloneDX) is the standard.

## Key points

### Dependency types

- **dependencies**: used at production runtime (Express, React).
- **devDependencies**: build/test only (Vitest, TypeScript, ESLint).
- **peerDependencies**: provided by the host (React for a React plugin).
- **optionalDependencies**: install failure is OK (platform-specific binaries).
- **bundledDependencies**: shipped inside the package tarball.

### Semver

- `^1.2.3`: minor + patch updates (1.x.x), the npm default. Behaves differently in 0.x: `^0.2.3` allows 0.2.x only.
- `~1.2.3`: patch only (1.2.x).
- `1.2.3`: exact pin, best for reproducibility.
- `*` / `latest`: never use.

### Lockfile

- **pnpm-lock.yaml** / **package-lock.json** / **yarn.lock**: exact resolved versions + integrity hashes.
- Use `npm ci` (not `npm install`): enforces the lockfile, deterministic install.
- Must be committed.

### Supply chain risks

- **Typosquatting**: `reqeusts`, `lodahs`.
- **Compromised maintainer**: ua-parser-js 2021.
- **Malicious update**: event-stream 2018, xz-utils 2024.
- **Dependency confusion**: an internal package name gets published to the public registry.
## 💻 Patterns

### Pinning + lockfile

```json
{
  "dependencies": {
    "react": "18.3.1",
    "express": "~4.21.0",
    "zod": "^3.23.8"
  },
  "engines": {
    "node": ">=20.10.0",
    "pnpm": ">=9.0.0"
  }
}
```

### pnpm strict install

```bash
# Deterministic install in CI
pnpm install --frozen-lockfile   # errors if the lockfile does not match package.json

# Audit
pnpm audit --audit-level=high
```

### Renovate config

```json
// renovate.json
{
  "extends": ["config:recommended"],
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 5am on Monday"] },
  "vulnerabilityAlerts": { "enabled": true, "labels": ["security"] },
  "packageRules": [
    { "matchUpdateTypes": ["minor", "patch"], "automerge": true, "matchCurrentVersion": "!/^0/" },
    { "matchPackagePatterns": ["^@types/"], "automerge": true }
  ]
}
```

### SBOM generation (CycloneDX)

```bash
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# Used for SLSA / EU CRA compliance.
```

### Known-good integrity check

```bash
# Verify lockfile integrity after install
pnpm install --frozen-lockfile --prefer-offline
# The sha512 integrity hash of every tarball is recorded in the lockfile automatically and checked on install.
```

### Allowed-dependencies guard (CI)

```ts
// scripts/check-deps.ts
import pkg from '../package.json' with { type: 'json' };
const ALLOWED_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'ISC']);
// Production deps are audited against ALLOWED_LICENSES with license-checker.
// Dependency-name allowlist (example values): fail CI on anything not listed.
const ALLOWED_DEPS = new Set(['react', 'express', 'zod']);
const unexpected = Object.keys(pkg.dependencies ?? {}).filter((n) => !ALLOWED_DEPS.has(n));
if (unexpected.length) { console.error('Not on allowlist:', unexpected); process.exit(1); }
```

### Provenance verification

```bash
# sigstore provenance, npm 9.5+
npm install --foreground-scripts=false
npm audit signatures
# Trust only packages published from GitHub Actions (with provenance).
```

### Dependency removal

```bash
pnpm dlx depcheck
# Finds unused deps. Run as a quarterly cleanup.
```

## Decision criteria

| Situation | Approach |
|---|---|
| Library author | `peerDependencies` + minimal `dependencies` |
| Application | Pin all critical (React, framework), `^` for utilities |
| Monorepo | pnpm workspaces + catalogs (pnpm 9.5+) |
| High-security (fintech, gov) | Exact pin all, Renovate manual approve, internal mirror |
| Prototype | `^` everywhere, just commit the lockfile |

**Default**: pnpm + frozen lockfile + Renovate auto-merge minors + SBOM in CI.

## 🔗 Graph

- Parent: [[Software-Architecture]] · [[Build-Systems]]
- Variants: [[Monorepo]] · [[npm-workspaces]] · [[pnpm-catalogs]]
- Applications: [[Dependency-Analysis]] · [[SBOM]] · [[License-Compliance]]
- Adjacent: [[Supply-Chain-Security]] · [[Renovate]] · [[Dependabot]]

## 🤖 LLM usage

**When**: package.json review, vulnerability triage, dependency upgrade plan generation, SBOM diff explanation.

**When not**: actual install / build (deterministic tooling is better); license decisions (legal review required).

## ❌ Anti-patterns

- **`*` or `latest`**: reproducibility destroyed.
- **lockfile in .gitignore**: other devs / CI install different versions.
- **`npm install` in CI**: use `npm ci` / `pnpm install --frozen-lockfile`.
- **0.x with `^`**: 0.x releases make no compatibility promise, so `^0.2.3` (which resolves to 0.2.x) can still pull in breaking changes.
- **Unaudited transitive deps**: indirect dependencies are never audited. Review them via the SBOM.
- **Package without provenance**: in 2026, prefer sigstore-signed packages.

## 🧪 Verification / duplicates

- Verified (npm docs, pnpm docs, SLSA framework, CycloneDX spec).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — npm dependency management, semver, supply chain hardening |