2nd/10_Wiki/Topics/Architecture/Dependencies (의존성).md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: ~2,400 broken-link fixes, direct redirects and concept mappings
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-dependencies-의존성
title: Dependencies (의존성)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [npm-dependencies, package-dependencies, supply-chain]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [dependencies, npm, semver, supply-chain]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: javascript
  framework: npm/pnpm
---
# Dependencies (의존성)
## One line
> **"Every dependency is a liability, not an asset."** Every `npm install` injects third-party code into production, and supply chain attacks land every year (event-stream 2018, ua-parser-js 2021, the xz-utils 2024 backdoor). The 2026 modern-stack standard is pnpm + lockfile + minimum deps + SBOM (CycloneDX).
## Core
### Dependency types
- **dependencies**: used at production runtime (Express, React).
- **devDependencies**: build/test only (Vitest, TypeScript, ESLint).
- **peerDependencies**: provided by the host (React, for a React plugin).
- **optionalDependencies**: install failure is acceptable (platform-specific binaries).
- **bundledDependencies**: shipped inside the package tarball.
### Semver
- `^1.2.3`: minor + patch updates (1.x.x), the npm default. Watch out on 0.x, where the rule changes (^0.2.3 → 0.2.x only).
- `~1.2.3`: patch only (1.2.x).
- `1.2.3`: exact pin, best for reproducibility.
- `*` / `latest`: never. Do not use, ever.
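The range rules above, worked out in code. This is an added example, not code from the original wiki page or from npm itself: a small range evaluator for the three common specifier forms (`^`, `~`, exact) plus `*`/`latest`, restricted to plain `major.minor.patch` versions (no prerelease tags). Its main purpose is to make the 0.x caret case concrete: `^0.2.3` stops short of 0.3.0, and `^0.0.3` only admits 0.0.3 itself.

```javascript
// Added example (not from the original page): how npm's `^`, `~` and exact specifiers
// translate into an allowed version window, including the 0.x caret special case.
// Only "major.minor.patch" versions are handled; prerelease tags are out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns { min, maxExclusive } for a specifier; maxExclusive === null means unbounded.
function rangeOf(spec) {
  if (spec === '*' || spec === 'latest') return { min: [0, 0, 0], maxExclusive: null };
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const [major, minor, patch] = parseVersion(op ? spec.slice(1) : spec);
  if (!op) return { min: [major, minor, patch], maxExclusive: [major, minor, patch + 1] }; // exact pin
  if (op === '~') return { min: [major, minor, patch], maxExclusive: [major, minor + 1, 0] }; // patch only
  // Caret: allow changes that do not touch the left-most non-zero digit.
  if (major > 0) return { min: [major, minor, patch], maxExclusive: [major + 1, 0, 0] };
  if (minor > 0) return { min: [0, minor, patch], maxExclusive: [0, minor + 1, 0] };
  return { min: [0, 0, patch], maxExclusive: [0, 0, patch + 1] };
}

// True when `version` would be accepted by `spec`.
function satisfies(version, spec) {
  const v = parseVersion(version);
  const r = rangeOf(spec);
  if (compare(v, r.min) < 0) return false;
  return r.maxExclusive === null || compare(v, r.maxExclusive) < 0;
}

// Stand-alone demo: the 0.x row is the one people get wrong.
for (const [v, s] of [['1.9.0', '^1.2.3'], ['2.0.0', '^1.2.3'], ['0.2.9', '^0.2.3'], ['0.3.0', '^0.2.3'], ['1.3.0', '~1.2.3']]) {
  console.log(`${s} accepts ${v}? ${satisfies(v, s)}`);
}
```

`rangeOf` returns the window rather than a boolean so the same logic can be reused to explain a Renovate or audit result ("why did this bump get past the range?").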
### Lockfile
- **pnpm-lock.yaml** / **package-lock.json** / **yarn.lock**: exact resolved versions + integrity hashes.
- Use `npm ci` (not `npm install`): enforces the lockfile for a deterministic install.
- Must be committed.
### Supply chain risks
- **Typosquatting**: `reqeusts`, `lodahs`.
- **Compromised maintainer**: ua-parser-js 2021.
- **Malicious update**: event-stream 2018, xz-utils 2024.
- **Dependency confusion**: an internal package name gets published to the public registry.
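A CI pre-check that catches the first and last risk in the list before anything is installed. This is an added example, not code from the original page or from any npm tooling; the popular-package list, the `@acme` internal scope, the `.npmrc` text and the sample `package.json` are all constructed for the demo. Typosquats are flagged by edit distance to a known-good name; dependency confusion is flagged when a dependency under the internal scope has no `@scope:registry=` mapping, which is what lets a same-named public package win resolution.

```javascript
// Added example (not from the original page): flag typosquats and dependency-confusion
// exposure in a package.json before install. POPULAR and INTERNAL_SCOPE are constructed
// stand-ins for an organization's own allowlist and private scope.
const POPULAR = ['express', 'react', 'lodash', 'requests', 'zod', 'axios', 'chalk'];
const INTERNAL_SCOPE = '@acme';

// Plain Levenshtein distance; inputs are short package names, so O(n*m) is fine.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Returns the well-known package `name` resembles, or null when it is exact or unrelated.
// Short names get a tighter threshold to avoid flagging every three-letter package.
function lookalikeOf(name, popular = POPULAR) {
  if (popular.includes(name)) return null;
  const limit = name.length <= 4 ? 1 : 2;
  for (const p of popular) if (editDistance(name, p) <= limit) return p;
  return null;
}

// Parses "@scope:registry=URL" lines from .npmrc into a Map(scope -> url).
function scopeRegistries(npmrcText) {
  const map = new Map();
  for (const line of npmrcText.split('\n')) {
    const m = /^(@[^:]+):registry=(\S+)/.exec(line.trim());
    if (m) map.set(m[1], m[2]);
  }
  return map;
}

// Walks dependencies + devDependencies and returns a list of findings for CI to print.
function auditDependencies(pkg, npmrcText, internalScope = INTERNAL_SCOPE) {
  const findings = [];
  const registries = scopeRegistries(npmrcText);
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const name of Object.keys(deps)) {
    const twin = lookalikeOf(name);
    if (twin) findings.push({ name, risk: 'typosquat', detail: `looks like "${twin}"` });
    if (name.startsWith(internalScope + '/') && !registries.has(internalScope)) {
      findings.push({ name, risk: 'dependency-confusion', detail: `${internalScope} has no registry mapping in .npmrc` });
    }
  }
  return findings;
}

// Constructed sample inputs: two typosquats, one clean dep, one internal dep without a scope mapping.
const SAMPLE_PKG = { dependencies: { reqeusts: '^2.0.0', lodahs: '4.17.21', express: '~4.21.0', '@acme/auth-core': '1.4.0' } };
const SAMPLE_NPMRC = 'registry=https://registry.npmjs.org/\n';
const FIXED_NPMRC = SAMPLE_NPMRC + '@acme:registry=https://npm.acme.internal/\n';

for (const f of auditDependencies(SAMPLE_PKG, SAMPLE_NPMRC)) console.log(`${f.risk}: ${f.name} (${f.detail})`);
```

Run it as a pre-install step and fail the job on any finding; with the `@acme:registry=` line added (`FIXED_NPMRC`) the confusion finding disappears and only the two typosquats remain.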
## 💻 Patterns
### Pinning + lockfile
```json
{
  "dependencies": {
    "react": "18.3.1",
    "express": "~4.21.0",
    "zod": "^3.23.8"
  },
  "engines": { "node": ">=20.10.0", "pnpm": ">=9.0.0" }
}
```
### pnpm strict install
```bash
# Deterministic install in CI
pnpm install --frozen-lockfile
# Errors out on any lockfile mismatch.
# Audit
pnpm audit --audit-level=high
```
### Renovate config
```jsonc
// renovate.json
{
  "extends": ["config:recommended"],
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 5am on Monday"] },
  "vulnerabilityAlerts": { "enabled": true, "labels": ["security"] },
  "packageRules": [
    { "matchUpdateTypes": ["minor", "patch"], "automerge": true, "matchCurrentVersion": "!/^0/" },
    { "matchPackagePatterns": ["^@types/"], "automerge": true }
  ]
}
```
### SBOM generation (CycloneDX)
```bash
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# Used for SLSA / EU CRA compliance.
```
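Once `sbom.json` is generated in CI, the useful next step is diffing it against the previous build so a review sees what actually entered or left the dependency graph. This is an added example, not code from the page or from the CycloneDX project: a minimal diff over two CycloneDX JSON documents keyed by component name (with `group` prefixed for scoped packages), reporting additions, removals and version changes separately. The two SBOM documents are constructed samples that follow the CycloneDX 1.5 JSON shape.

```javascript
// Added example (not from the original page): diff two CycloneDX JSON SBOMs so a version
// bump shows up as "changed" rather than as one removal plus one addition.

// Builds Map(componentKey -> { version, purl }) from a CycloneDX document.
function componentIndex(sbom) {
  if (sbom.bomFormat !== 'CycloneDX') throw new Error('not a CycloneDX document');
  const index = new Map();
  for (const c of sbom.components ?? []) {
    const key = c.group ? `${c.group}/${c.name}` : c.name;
    index.set(key, { version: c.version, purl: c.purl ?? null });
  }
  return index;
}

// Returns { added, removed, changed } between two SBOMs.
function diffSboms(before, after) {
  const a = componentIndex(before), b = componentIndex(after);
  const added = [], removed = [], changed = [];
  for (const [k, v] of b) {
    if (!a.has(k)) added.push({ name: k, version: v.version });
    else if (a.get(k).version !== v.version) changed.push({ name: k, from: a.get(k).version, to: v.version });
  }
  for (const [k, v] of a) if (!b.has(k)) removed.push({ name: k, version: v.version });
  return { added, removed, changed };
}

// One-line summary for a PR comment or CI log.
function summarize(diff) {
  return `+${diff.added.length} added, -${diff.removed.length} removed, ~${diff.changed.length} version changes`;
}

// Constructed sample SBOMs (CycloneDX 1.5 JSON shape; purls are illustrative).
const SBOM_BEFORE = {
  bomFormat: 'CycloneDX', specVersion: '1.5',
  components: [
    { type: 'library', name: 'express', version: '4.21.0', purl: 'pkg:npm/express@4.21.0' },
    { type: 'library', name: 'zod', version: '3.23.8', purl: 'pkg:npm/zod@3.23.8' },
    { type: 'library', group: '@types', name: 'node', version: '20.11.0', purl: 'pkg:npm/%40types/node@20.11.0' },
  ],
};
const SBOM_AFTER = {
  bomFormat: 'CycloneDX', specVersion: '1.5',
  components: [
    { type: 'library', name: 'express', version: '4.21.2', purl: 'pkg:npm/express@4.21.2' },
    { type: 'library', group: '@types', name: 'node', version: '20.11.0', purl: 'pkg:npm/%40types/node@20.11.0' },
    { type: 'library', name: 'left-pad', version: '1.3.0', purl: 'pkg:npm/left-pad@1.3.0' },
  ],
};

const DIFF = diffSboms(SBOM_BEFORE, SBOM_AFTER);
console.log(summarize(DIFF));
for (const c of DIFF.changed) console.log(`changed: ${c.name} ${c.from} -> ${c.to}`);
for (const a of DIFF.added) console.log(`added:   ${a.name}@${a.version}`);
for (const r of DIFF.removed) console.log(`removed: ${r.name}@${r.version}`);
```

In a pipeline, store the previous build's `sbom.json` as an artifact and run this against the new one; an unexpected entry in `added` is the signal worth a human look.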
### Known-good integrity check
```bash
# Verify lockfile integrity after npm install
pnpm install --frozen-lockfile --prefer-offline
# Integrity hashes (SRI format) are recorded automatically in the lockfile.
```
### Allowed-dependencies guard (CI)
```ts
// scripts/check-deps.ts: fail CI when a production dep carries a license outside the allowlist.
// Run after `npx license-checker --production --json > licenses.json` ({ "name@ver": { licenses } }).
import pkg from '../package.json' with { type: 'json' };
import report from '../licenses.json' with { type: 'json' };
const ALLOWED_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'ISC']);
const bad = Object.entries(report as Record<string, { licenses: string }>).filter(([, e]) => !ALLOWED_LICENSES.has(e.licenses));
if (bad.length) { console.error(`${pkg.name}: disallowed licenses`, bad.map(([n, e]) => `${n} (${e.licenses})`)); process.exit(1); }
```
### Provenance verification
```bash
# sigstore provenance, npm 9.5+
npm install --foreground-scripts=false
npm audit signatures
# Trust only packages published from GitHub Actions.
```
### Dependency removal
```bash
pnpm dlx depcheck
# Finds unused deps. Run as a quarterly cleanup.
```
## Decision criteria
| Situation | Approach |
|---|---|
| Library author | `peerDependencies` + minimal `dependencies` |
| Application | Pin all critical (React, framework), `^` for utilities |
| Monorepo | pnpm workspaces + catalogs (pnpm 9.5+) |
| High-security (fintech, gov) | Exact pin all, Renovate manual approve, internal mirror |
| Prototype | `^` everywhere, just commit the lockfile |

**Default**: pnpm + frozen lockfile + Renovate auto-merge minors + SBOM in CI.
## 🔗 Graph
- Parent: [[Software-Architecture]]
- Variants: [[Monorepo]]
- Applications: [[Dependency-Analysis]] · [[SBOM]]
- Adjacent: [[Supply-Chain-Security]] · [[Renovate]] · [[Dependabot]]
## 🤖 LLM usage
**When**: package.json review, vulnerability triage, dependency upgrade plan generation, SBOM diff explanation.
**When not**: actual install / build (deterministic tooling is better); license decisions (legal review required).
## ❌ Anti-patterns
- **`*` or `latest`**: reproducibility destroyed.
- **lockfile in .gitignore**: other devs and CI install different versions.
- **`npm install` in CI**: use `npm ci` / `pnpm install --frozen-lockfile`.
- **0.x with `^`**: `^0.2.3` may jump to 0.3.0, i.e. breaking changes.
- **Unaudited transitive deps**: indirect deps never get audited; review them via the SBOM.
- **Package without provenance**: in 2026, prefer sigstore-signed packages.
## 🧪 Verification / duplicates
- Verified (npm docs, pnpm docs, SLSA framework, CycloneDX spec).
- Trust level A.
## 🕓 Changelog
| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — npm dependency management, semver, supply chain hardening |