ํ”ผ๋“œ๋กœ ๋Œ์•„๊ฐ€๊ธฐ
๐Ÿ›ก๏ธ NPM Safety Guard โ€” All 23 Security Layers Explained
Dev.to
Security

23๊ฐœ ๋‹ค์ธต ๋ฐฉ์–ด ์ฒด๊ณ„ ๊ธฐ๋ฐ˜ npm ๊ณต๊ธ‰๋ง ๋ณด์•ˆ ์œ„ํ˜‘ ์‹ค์‹œ๊ฐ„ ํƒ์ง€ ์—”์ง„

๐Ÿ›ก๏ธ NPM Safety Guard โ€” All 23 Security Layers Explained

jomynn2026๋…„ 6์›” 29์ผ10๋ถ„intermediate

Context

๋‹จ์ผ CVE ์Šค์บ” ์ค‘์‹ฌ์˜ ๊ธฐ์กด npm audit ๋ฐฉ์‹์€ ๋Ÿฐํƒ€์ž„ ํŽ˜์ด๋กœ๋“œ๋‚˜ ์ •๊ตํ•œ ์‚ฌํšŒ๊ณตํ•™์  ๊ณต๊ฒฉ ํƒ์ง€์— ํ•œ๊ณ„ ๋…ธ์ถœ. ํŠนํžˆ transitive dependency์˜ ๊นŠ์€ ๋‹จ๊ณ„์—์„œ ๋ฐœ์ƒํ•˜๋Š” ์•…์„ฑ ์ฝ”๋“œ ์‚ฝ์ž… ๋ฐ Dependency Confusion ๊ณต๊ฒฉ์— ์ทจ์•ฝํ•œ ๊ตฌ์กฐ์  ๊ฒฐํ•จ ์กด์žฌ.

Technical Solution

  • Offline detection of typosquatting and homoglyph attacks based on Damerau-Levenshtein edit distance between a candidate package name and well-known package names
  • Deep scanning inside the package tarball via AST (Abstract Syntax Tree) static analysis for 14 malicious patterns such as eval() and child_process
  • A Dependency Confusion detection mechanism to block injection of fake packages from the public registry that exploit semver precedence (a higher public version outranking the internal one)
  • A Registry Risk Heuristics scoring system built on behavioral signals such as package age, maintainer count and download velocity
  • Lockfile full-tree analysis that validates every resolved URL across transitive dependencies and checks that each points to the expected registry
  • A separate binary risk classification and audit guide for native Node.js addons (.node files), which are opaque to source-level analysis
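The typosquatting and homoglyph layer above, as an added example (not code from NPM Safety Guard): it folds lookalike glyphs and separators, then applies the optimal-string-alignment form of Damerau-Levenshtein distance, so that an adjacent-character swap such as `lodahs` costs 1 rather than 2. The popular-name list and the homoglyph table are constructed for the demo.

```javascript
// Added example, not code from NPM Safety Guard: an offline typosquat and
// homoglyph check for npm package names using the optimal-string-alignment
// form of Damerau-Levenshtein distance. The popular-name list and the
// homoglyph table below are constructed for the demo.

// Lookalike characters folded to the ASCII letter they imitate. A constructed
// subset; a real tool would load the Unicode confusables table.
const HOMOGLYPHS = new Map([
  ['0', 'o'], ['1', 'l'], ['3', 'e'], ['5', 's'],
  ['\u0430', 'a'], // Cyrillic а
  ['\u0435', 'e'], // Cyrillic е
  ['\u043e', 'o'], // Cyrillic о
  ['\u0440', 'p'], // Cyrillic р
  ['\u0441', 'c'], // Cyrillic с
  ['\u0456', 'i'], // Cyrillic і
]);

// Constructed sample of high-download names a squatter would imitate.
const POPULAR = ['lodash', 'express', 'react', 'chalk', 'axios', 'cross-env', 'colors'];

// Fold case, lookalike glyphs and separators so that "lo_dash", "l0dash" and
// "lodash" all compare equal. The scope (@org/) is kept on purpose:
// "@types/react" is not a lookalike of "react".
function normalizeName(name) {
  let out = '';
  for (const ch of name.toLowerCase()) {
    if (ch === '-' || ch === '_' || ch === '.') continue;
    out += HOMOGLYPHS.get(ch) ?? ch;
  }
  return out;
}

// Optimal string alignment distance: insertion, deletion, substitution and
// transposition of two adjacent characters each cost 1.
function damerauLevenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the popular names the candidate imitates, closest first. An exact
// match is the legitimate package and yields no findings. kind is "lookalike"
// when the names differ only by glyphs/separators, otherwise "near-miss".
function checkTyposquat(candidate, popular = POPULAR, maxDistance = 2) {
  const lower = candidate.toLowerCase();
  if (popular.some((p) => p.toLowerCase() === lower)) return [];
  const normCand = normalizeName(candidate);
  const hits = [];
  for (const target of popular) {
    const distance = damerauLevenshtein(normCand, normalizeName(target));
    if (distance > maxDistance) continue;
    hits.push({ target, distance, kind: distance === 0 ? 'lookalike' : 'near-miss' });
  }
  return hits.sort((x, y) => x.distance - y.distance);
}

for (const name of ['lodash', 'lodahs', 'l0dash', 'crossenv', 'expres', '@types/react']) {
  console.log(name.padEnd(14), JSON.stringify(checkTyposquat(name)));
}
```

A fixed threshold of 2 over-flags short names; in practice scale the threshold with name length and only raise a finding when the candidate's download count is far below the target's, since a genuinely popular package that happens to sit near another is not a squat.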

  • Review whether versions pinned in the overrides/resolutions fields of package.json are still current with respect to known CVEs
  • Maintain an allowlist of packages permitted to run install script hooks (preinstall, postinstall, etc.) and control their execution permissions
  • Periodically monitor whether internal-only package names have been registered on the public npm registry
  • Run AST analysis on dependency libraries that use dynamic require() or Base64-decoded payloads at runtime
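The lockfile full-tree analysis, the Dependency Confusion check and the install-script allowlist described above, as one added example (not NPM Safety Guard's own code). It walks a lockfileVersion 3 `package-lock.json`, validates every `resolved` URL against an allowed-host list, flags packages in an assumed private scope (`@acme`) that resolved from anywhere but the assumed private registry host, and flags `hasInstallScript` entries outside the allowlist. The policy and the lockfile contents are constructed for the demo.

```javascript
// Added example, not NPM Safety Guard's own code: a full-tree walk over a
// lockfileVersion 3 package-lock.json that validates every resolved URL,
// flags internal-scope packages that resolved to the public registry
// (dependency confusion) and flags install scripts outside an allowlist.
// The policy, hosts and lockfile below are constructed for the demo.

const POLICY = {
  allowedHosts: new Set(['registry.npmjs.org', 'npm.internal.acme.example']),
  internalScopes: new Set(['@acme']),                // assumed private scope
  internalRegistryHost: 'npm.internal.acme.example',  // assumed private registry
  installScriptAllowlist: new Set(['esbuild']),       // packages allowed to run hooks
};

// Constructed lockfile; integrity hashes are placeholders.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { lodash: '^4.17.21', '@acme/auth': '^1.2.0' } },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-placeholder',
    },
    'node_modules/@acme/auth': {                  // private name fetched from the public registry
      version: '9.9.9',
      resolved: 'https://registry.npmjs.org/@acme/auth/-/auth-9.9.9.tgz',
      integrity: 'sha512-placeholder',
    },
    'node_modules/@acme/logger': {                // private name from the private registry: fine
      version: '2.0.0',
      resolved: 'https://npm.internal.acme.example/@acme/logger/-/logger-2.0.0.tgz',
      integrity: 'sha512-placeholder',
    },
    'node_modules/leftpad-fast': {                // plain http, unknown host, no integrity
      version: '0.1.3',
      resolved: 'http://cdn.example.net/leftpad-fast-0.1.3.tgz',
    },
    'node_modules/esbuild': {                     // install script, allowlisted
      version: '0.21.0',
      resolved: 'https://registry.npmjs.org/esbuild/-/esbuild-0.21.0.tgz',
      integrity: 'sha512-placeholder',
      hasInstallScript: true,
    },
    'node_modules/esbuild/node_modules/colorz': { // nested dependency with an install script
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/colorz/-/colorz-1.0.0.tgz',
      integrity: 'sha512-placeholder',
      hasInstallScript: true,
    },
    'node_modules/tooling-helper': {              // resolved straight from git
      version: '1.0.0',
      resolved: 'git+ssh://git@github.com/example-org/tooling-helper.git#0123abc',
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b": the package name is whatever
// follows the last node_modules/ segment, scope included.
function nameFromPath(p) {
  const marker = 'node_modules/';
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, policy) {
  const findings = [];
  const add = (path, name, rule, detail) => findings.push({ path, name, rule, detail });
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue; // skip the root project and workspace links
    const name = nameFromPath(path);
    if (entry.hasInstallScript && !policy.installScriptAllowlist.has(name)) {
      add(path, name, 'install-script', 'runs preinstall/postinstall hooks and is not allowlisted');
    }
    if (!entry.resolved) {
      add(path, name, 'missing-resolved', 'no resolved URL; install is not reproducible');
      continue;
    }
    let url;
    try { url = new URL(entry.resolved); } catch { add(path, name, 'unparseable-resolved', entry.resolved); continue; }
    if (url.protocol !== 'https:' && url.protocol !== 'http:') {
      add(path, name, 'non-registry-source', `${url.protocol} source bypasses registry controls`);
      continue;
    }
    if (url.protocol === 'http:') add(path, name, 'insecure-transport', 'tarball fetched over plain http');
    if (!policy.allowedHosts.has(url.hostname)) add(path, name, 'unknown-host', url.hostname);
    if (!entry.integrity) add(path, name, 'missing-integrity', 'tarball is not pinned by hash');
    const scope = name.startsWith('@') ? name.slice(0, name.indexOf('/')) : null;
    if (scope && policy.internalScopes.has(scope) && url.hostname !== policy.internalRegistryHost) {
      add(path, name, 'dependency-confusion', `internal scope ${scope} resolved from ${url.hostname}`);
    }
  }
  return findings;
}

// Count findings per rule for a quick summary line.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] ?? 0) + 1;
  return counts;
}

const results = auditLockfile(SAMPLE_LOCK, POLICY);
for (const f of results) console.log(`${f.rule.padEnd(22)} ${f.name.padEnd(16)} ${f.detail}`);
console.log(summarize(results));
```

The lockfile only records where a tarball came from, so this check is a detector, not a preventer: the prevention side is to bind the private scope to the private registry in `.npmrc` (`@acme:registry=https://...`) so the public registry is never consulted for it, and to install with `npm ci --ignore-scripts` outside the allowlisted packages.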

์›๋ฌธ ์ฝ๊ธฐ