2nd/10_Wiki/Topics/Architecture/Dependencies (의존성).md
Last modified: 2026-05-10 22:08:15 +09:00

---
id: wiki-2026-0508-dependencies-의존성
title: Dependencies (의존성)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases:
  - npm-dependencies
  - package-dependencies
  - supply-chain
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags:
  - dependencies
  - npm
  - semver
  - supply-chain
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: javascript
  framework: npm/pnpm
---

Dependencies (의존성)

One-liner

"A dependency is a liability, not an asset." Every npm install injects third-party code into production, and supply chain attacks (event-stream 2018, ua-parser-js 2021, the xz-utils 2024 backdoor) happen every year. In the 2026 modern stack the standard is pnpm + lockfile + minimum deps + SBOM (CycloneDX).

Key points

Dependency types

  • dependencies: used at production runtime (Express, React).
  • devDependencies: build/test only (Vitest, TypeScript, ESLint).
  • peerDependencies: provided by the host (React for a React plugin).
  • optionalDependencies: install failure is acceptable (platform-specific binaries).
  • bundledDependencies: shipped inside the package tarball.

Semver

  • ^1.2.3 — minor + patch updates (1.x.x), the npm default. Caveat on 0.x: ^0.2.3 → 0.2.x only.
  • ~1.2.3 — patch only (1.2.x).
  • 1.2.3 — exact pin, best for reproducibility.
  • * / latest — never use.

Lockfile

  • pnpm-lock.yaml / package-lock.json / yarn.lock: exact resolved versions + integrity hashes.
  • Use npm ci (not npm install) — enforces the lockfile, deterministic install.
  • Must be committed.

Supply chain risks

  • Typosquatting: reqeusts, lodahs.
  • Compromised maintainer: ua-parser-js 2021.
  • Malicious update: event-stream 2018, xz-utils 2024.
  • Dependency confusion: an internal package name gets published on the public registry.
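The Semver, Lockfile and Supply chain sections above describe rules that a package manager applies silently. The following is an added example (not code from this note or from npm/pnpm) that makes them visible: a minimal range matcher for ^, ~, exact and wildcard ranges, and a lockfile consistency check of the kind `--frozen-lockfile` enforces (every declared dependency locked, locked version inside the declared range, a sha512 integrity hash present, and internal-scope packages not resolved from the public registry). The lockfile object, the `@acme/` scope and the private registry URL are constructed assumptions, not real packages or hashes; production code should use the `semver` package and the package manager itself.

```javascript
// Added example, not from the original note. Implements the range rules the note
// lists and a lockfile drift check; constructed sample data only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Lower (inclusive) and upper (exclusive) bound of a range; null means unbounded.
function rangeBounds(range) {
  const r = range.trim();
  if (r === '*' || r === 'latest' || r === '') return null;
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const low = parseVersion(op ? r.slice(1) : r);
  const [maj, min, pat] = low;
  if (op === '') return [low, [maj, min, pat + 1]]; // exact pin: only this version
  if (op === '~') return [low, [maj, min + 1, 0]];   // tilde: patch updates only
  if (maj > 0) return [low, [maj + 1, 0, 0]];        // caret: minor + patch
  if (min > 0) return [low, [0, min + 1, 0]];        // caret on 0.x: 0.min.x only
  return [low, [0, 0, pat + 1]];                     // caret on 0.0.x: that patch only
}

function satisfies(version, range) {
  const b = rangeBounds(range);
  if (b === null) return true;
  const v = parseVersion(version);
  return compare(v, b[0]) >= 0 && compare(v, b[1]) < 0;
}

// Lockfile consistency check. `internalScope` and `privateRegistry` are assumed
// values for the dependency-confusion rule: packages in the internal scope must
// resolve from the private registry, never from the public one.
function checkLockfile(pkgJson, lock, opts = {}) {
  const internalScope = opts.internalScope ?? '@acme/';                             // assumption
  const privateRegistry = opts.privateRegistry ?? 'https://npm.internal.example/';  // assumption
  const problems = [];
  const declared = { ...(pkgJson.dependencies ?? {}), ...(pkgJson.devDependencies ?? {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages?.[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: missing from lockfile`); continue; }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
    // Lockfile integrity values are SRI strings: "sha512-" + base64 of 64 bytes (88 chars).
    if (!/^sha512-[A-Za-z0-9+/]{86}==$/.test(entry.integrity ?? '')) {
      problems.push(`${name}: missing or non-sha512 integrity hash`);
    }
    if (name.startsWith(internalScope) && !(entry.resolved ?? '').startsWith(privateRegistry)) {
      problems.push(`${name}: internal package resolved from ${entry.resolved}`);
    }
  }
  return problems;
}

// Constructed sample input: a package.json and a simplified lockfile-v3-style object.
// The hash is a placeholder with the right shape, not a real digest.
const FAKE_HASH = 'sha512-' + 'A'.repeat(86) + '==';
const PUB = 'https://registry.npmjs.org/';
const SAMPLE_PKG = {
  dependencies: { react: '18.3.1', express: '~4.21.0', zod: '^3.23.8', '@acme/auth': '^1.0.0' },
};
const SAMPLE_LOCK = {
  packages: {
    'node_modules/react':      { version: '18.3.1', resolved: PUB + 'react/-/react-18.3.1.tgz', integrity: FAKE_HASH },
    'node_modules/express':    { version: '4.22.0', resolved: PUB + 'express/-/express-4.22.0.tgz', integrity: FAKE_HASH },
    'node_modules/zod':        { version: '3.24.1', resolved: PUB + 'zod/-/zod-3.24.1.tgz' }, // no integrity
    'node_modules/@acme/auth': { version: '1.2.0',  resolved: PUB + '@acme/auth/-/auth-1.2.0.tgz', integrity: FAKE_HASH },
  },
};

function sampleProblems() {
  return checkLockfile(SAMPLE_PKG, SAMPLE_LOCK);
}

console.log(sampleProblems());
```

Run with `node`: the sample reports three findings (express locked outside its ~ range, zod without an integrity hash, @acme/auth resolved from the public registry); react passes. The 0.x caret rule matches what the Semver section states: ^0.2.3 accepts 0.2.9 but rejects 0.3.0.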

💻 Patterns

Pinning + lockfile

```json
{
  "dependencies": {
    "react": "18.3.1",
    "express": "~4.21.0",
    "zod": "^3.23.8"
  },
  "engines": { "node": ">=20.10.0", "pnpm": ">=9.0.0" }
}
```

pnpm strict install

```bash
# Deterministic install in CI
pnpm install --frozen-lockfile
# Errors out on any lockfile mismatch.

# Audit
pnpm audit --audit-level=high
```

Renovate config

```jsonc
// renovate.json
{
  "extends": ["config:recommended"],
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 5am on Monday"] },
  "vulnerabilityAlerts": { "enabled": true, "labels": ["security"] },
  "packageRules": [
    { "matchUpdateTypes": ["minor", "patch"], "automerge": true, "matchCurrentVersion": "!/^0/" },
    { "matchPackagePatterns": ["^@types/"], "automerge": true }
  ]
}
```

SBOM generation (CycloneDX)

```bash
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# Used for SLSA / EU CRA compliance.
```

Known-good integrity check

```bash
# Verify lockfile integrity after install
pnpm install --frozen-lockfile --prefer-offline
# Subresource integrity hashes are recorded in the lockfile automatically.
```

Allowed-dependencies guard (CI)

```ts
// scripts/check-deps.ts
import pkg from '../package.json' with { type: 'json' };
const ALLOWED_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'ISC']);
// Production deps to audit; license data comes from license-checker (run separately).
const prodDeps = Object.keys(pkg.dependencies ?? {});
console.log(`auditing ${prodDeps.length} production deps against`, [...ALLOWED_LICENSES]);
```

Provenance verification

```bash
# sigstore provenance with npm 9.5+
npm install --foreground-scripts=false
npm audit signatures
# Trust only packages published from GitHub Actions.
```

Dependency removal

```bash
pnpm dlx depcheck
# Finds unused deps. Quarterly cleanup.
```

Decision criteria

| Situation | Approach |
| --- | --- |
| Library author | peerDependencies + minimal dependencies |
| Application | Pin all critical deps (React, framework), ^ for utilities |
| Monorepo | pnpm workspaces + catalogs (pnpm 9.5+) |
| High-security (fintech, gov) | Exact pin all, Renovate manual approve, internal mirror |
| Prototype | ^ everywhere, only commit the lockfile |

Default: pnpm + frozen lockfile + Renovate auto-merge minors + SBOM in CI.

🔗 Graph

🤖 Using an LLM

When: package.json review, vulnerability triage, dep-upgrade plan generation, SBOM diff explanation. When not: the actual install / build (deterministic tooling is better); license decisions (legal review needed).

Anti-patterns

  • * or latest: reproducibility destroyed.
  • Lockfile in .gitignore: other devs / CI install different versions.
  • npm install in CI: use npm ci / pnpm install --frozen-lockfile.
  • 0.x with ^: ^0.2.3 can jump to 0.3.0 — breaking changes.
  • Untyped transitive deps: indirect deps go unaudited. Review them through the SBOM.
  • Packages without provenance: in 2026, prefer sigstore-signed packages.

🧪 Verification / duplicates

  • Verified (npm docs, pnpm docs, SLSA framework, CycloneDX spec).
  • Confidence A.

🕓 Changelog

| Date | Change |
| --- | --- |
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — npm dependency management, semver, supply chain hardening |