2nd/10_Wiki/Topics/Architecture/Dependencies (의존성).md

---
id: wiki-2026-0508-dependencies-의존성
title: Dependencies (의존성)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [npm-dependencies, package-dependencies, supply-chain]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [dependencies, npm, semver, supply-chain]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: javascript
  framework: npm/pnpm
---

# Dependencies (의존성)

## 매 한 줄
> **"매 dependency 의 liability 가 X asset"**. 매 npm install 이 매 third-party code 를 매 production 에 inject — 매 supply chain attack (event-stream 2018, ua-parser-js 2021, xz-utils 2024 backdoor) 가 매 매년 발생. 2026 modern stack 의 매 pnpm + lockfile + minimum-deps + SBOM (CycloneDX) 가 매 standard.

## 매 핵심

### 매 Dependency 종류
- **dependencies**: 매 production runtime 의 사용 (Express, React).
- **devDependencies**: 매 build/test only (Vitest, TypeScript, ESLint).
- **peerDependencies**: 매 host 가 provide (React plugin 의 React).
- **optionalDependencies**: 매 install 실패 가 OK (platform-specific binaries).
- **bundledDependencies**: 매 package tarball 안 ship.

### 매 Semver
- `^1.2.3` — minor + patch updates (1.x.x), 매 npm default. 매 unsafe 가 0.x 에서 (^0.2.3 → 0.2.x only).
- `~1.2.3` — patch only (1.2.x).
- `1.2.3` — exact pin, 매 reproducibility 의 best.
- `*` / `latest` — 매 X. 매 절대 사용 X.

### 매 Lockfile
- **pnpm-lock.yaml** / **package-lock.json** / **yarn.lock**: 매 exact resolved versions + integrity hashes.
- 매 `npm ci` 사용 (매 install 가 X) — 매 lockfile 강제, deterministic install.
- 매 commit 의 must.

### 매 Supply Chain Risks
- **Typosquatting**: `reqeusts`, `lodahs`.
- **Compromised maintainer**: 매 ua-parser-js 2021.
- **Malicious update**: 매 event-stream 2018, xz-utils 2024.
- **Dependency confusion**: 매 internal package name 가 public registry 에 publish 됨.

## 💻 패턴

### Pinning + lockfile
```json
{
  "dependencies": {
    "react": "18.3.1",
    "express": "~4.21.0",
    "zod": "^3.23.8"
  },
  "engines": { "node": ">=20.10.0", "pnpm": ">=9.0.0" }
}
```

### pnpm 의 strict install
```bash
# CI 의 deterministic install
pnpm install --frozen-lockfile
# 매 lockfile mismatch 시 error.

# 매 audit
pnpm audit --audit-level=high
```

### Renovate config
```json
// renovate.json
{
  "extends": ["config:recommended"],
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 5am on Monday"] },
  "vulnerabilityAlerts": { "enabled": true, "labels": ["security"] },
  "packageRules": [
    { "matchUpdateTypes": ["minor", "patch"], "automerge": true, "matchCurrentVersion": "!/^0/" },
    { "matchPackagePatterns": ["^@types/"], "automerge": true }
  ]
}
```

### SBOM 생성 (CycloneDX)
```bash
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# 매 SLSA / EU CRA compliance 의 사용.
```

### Known-good integrity check
```bash
# 매 npm install 후 lockfile integrity 검증
pnpm install --frozen-lockfile --prefer-offline
# Subresource integrity 가 lockfile 에 자동 record.
```

### Allowed-dependencies guard (CI)
```ts
// scripts/check-deps.ts
import pkg from '../package.json' with { type: 'json' };
const ALLOWED_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'ISC']);
// 매 license-checker 사용 의 production deps audit.
```

### Provenance verification
```bash
# 매 npm 9.5+ 의 sigstore provenance
npm install --foreground-scripts=false
npm audit signatures
# 매 GitHub Actions 의 publish 한 package 만 trust.
```

### Dependency removal
```bash
pnpm dlx depcheck
# 매 unused dep 찾기. 매 quarterly cleanup.
```

## 매 결정 기준
| 상황 | Approach |
|---|---|
| Library author | `peerDependencies` + minimal `dependencies` |
| Application | Pin all critical (React, framework), `^` for utilities |
| Monorepo | pnpm workspaces + catalogs (pnpm 9.5+) |
| 매 high-security (fintech, gov) | Exact pin all, Renovate manual approve, internal mirror |
| 매 prototype | `^` everywhere, 매 lockfile commit 만 |

**기본값**: pnpm + frozen lockfile + Renovate auto-merge minors + SBOM in CI.

## 🔗 Graph
- 부모: [[Software-Architecture]] · [[Build-Systems]]
- 변형: [[Monorepo]] · [[npm-workspaces]] · [[pnpm-catalogs]]
- 응용: [[Dependency-Analysis]] · [[SBOM]] · [[License-Compliance]]
- Adjacent: [[Supply-Chain-Security]] · [[Renovate]] · [[Dependabot]]

## 🤖 LLM 활용
**언제**: 매 package.json review, 매 vulnerability triage, 매 dep upgrade plan generation, 매 SBOM diff explanation.
**언제 X**: 매 actual install / build (deterministic tooling 가 better). 매 license decision (legal review 필요).

## ❌ 안티패턴
- **`*` or `latest`**: 매 reproducibility destroyed.
- **lockfile gitignore**: 매 다른 dev / CI 가 different versions install.
- **`npm install` in CI**: 매 `npm ci` / `pnpm install --frozen-lockfile` 사용.
- **0.x with `^`**: 매 ^0.2.3 가 0.3.0 으로 jump 가능 — breaking changes.
- **Untyped transitive deps**: 매 매 indirect 의 audit X. SBOM 의 review.
- **Package without provenance**: 매 2026 의 sigstore signed packages prefer.

## 🧪 검증 / 중복
- Verified (npm docs, pnpm docs, SLSA framework, CycloneDX spec).
- 신뢰도 A.

## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — npm dependency management, semver, supply chain hardening |