Chore: SBOM 생성 및 오픈소스 보안 취약점 개선

.github/workflows/security-scan.yml

@@ -0,0 +1,49 @@
+name: Security Scan
+
+on:
+  pull_request:
+    branches: [main, develop]
+  push:
+    branches: [main, develop]
+
+jobs:
+  sbom-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.12.0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Generate SBOM
+        run: syft dir:. -o json > sbom.json
+
+      - name: Install Grype
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Run Grype Scan
+        run: grype sbom:sbom.json --fail-on high
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom
+          path: sbom.json

.grype.yaml

@@ -0,0 +1,34 @@
+# - 특정 CVE 또는 패키지+CVE 조합을 무시하려면 아래 'ignore' 배열에 항목을 추가하세요.
+# - 무시 항목에는 reason(사유)와 until(만료일)을 남기는 것을 권장합니다.
+# - 예시 항목은 주석으로 남겨두었으니 필요 시 주석을 제거하고 수정해서 사용하세요.
+
+ignore:
+  - vulnerability: CVE-2025-47907
+    package:
+      name: stdlib
+      type: go-module
+    reason: 'Known false-positive from prebuilt esbuild binary built with go1.23.8; we rebuilt locally and validated. Temporary suppression until upstream confirms rebuild.'
+
+  - vulnerability: CVE-2025-47906
+    package:
+      name: stdlib
+      type: go-module
+    reason: 'See CVE-2025-47907 notes; suppressing noise from prebuilt binary detection.'
+
+  - vulnerability: CVE-2025-4673
+    package:
+      name: stdlib
+      type: go-module
+    reason: 'Temporary suppression for prebuilt esbuild binary detection.'
+
+  - vulnerability: CVE-2025-0913
+    package:
+      name: stdlib
+      type: go-module
+    reason: 'Temporary suppression for prebuilt esbuild binary detection.'
+
+  - vulnerability: CVE-2025-4674
+    package:
+      name: stdlib
+      type: go-module
+    reason: 'Temporary suppression for prebuilt esbuild binary detection.'

apps/admin/package.json

@@ -33,7 +33,7 @@
     "eslint": "catalog:",
     "globals": "^16.2.0",
     "typescript": "catalog:",
-    "vite": "^6.3.5",
+    "vite": "^6.3.6",
     "vite-plugin": "link:@vanilla-extract/vite-plugin",
     "vite-tsconfig-paths": "^5.1.4"
   }

apps/admin/src/shared/apis/concert-queries.ts

@@ -46,11 +46,6 @@ export const postConcert = async (concert: Concert): Promise<Concert> => {
   const response = await post<BaseResponse<ConcertDetailDTO>>(
     END_POINT.CONCERT,
     formData,
-    {
-      headers: {
-        'Content-Type': 'multipart/form-data',
-      },
-    },
   );
   return toConcert(response.data);
 };
@@ -64,11 +59,6 @@ export const patchConcert = async (
   const response = await patch<BaseResponse<ConcertDetailDTO>>(
     END_POINT.CONCERT_DETAIL(concertId),
     formData,
-    {
-      headers: {
-        'Content-Type': 'multipart/form-data',
-      },
-    },
   );
   return toConcert(response.data);
 };

apps/client/package.json

@@ -47,7 +47,7 @@
     "eslint": "catalog:",
     "globals": "^16.2.0",
     "typescript": "catalog:",
-    "vite": "^6.3.5",
+    "vite": "^6.3.6",
     "vite-tsconfig-paths": "^5.1.4"
   }
 }

apps/client/src/shared/apis/user/user-mutations.ts

@@ -20,11 +20,6 @@ export const patchUserInfo = async (formData: FormData): Promise<UserInfo> => {
   const response = await patch<BaseResponse<UserInfo>>(
     END_POINT.PATCH_USER_INFO,
     formData,
-    {
-      headers: {
-        'Content-Type': 'multipart/form-data',
-      },
-    },
   );
 
   return response.data;

package.json

@@ -32,5 +32,10 @@
   "packageManager": "[email protected]",
   "engines": {
     "node": ">=20"
+  },
+  "pnpm": {
+    "overrides": {
+      "tmp": "0.2.4"
+    }
   }
 }

packages/core/package.json

@@ -12,7 +12,7 @@
     "coverage": "vitest --coverage"
   },
   "dependencies": {
-    "axios": "^1.10.0",
+    "axios": "^1.12.2",
     "js-cookie": "^3.0.5"
   },
   "devDependencies": {
@@ -21,7 +21,7 @@
     "@vitest/coverage-v8": "3.2.4",
     "jsdom": "^26.1.0",
     "typescript": "catalog:",
-    "vite": "^6.3.5",
+    "vite": "^6.3.6",
     "vitest": "^3.2.4"
   }
 }

packages/core/src/http/instance.test.ts

@@ -27,7 +27,6 @@ describe('createInstance', () => {
     expect(mockedAxios.create).toHaveBeenCalledWith({
       baseURL,
       withCredentials: true,
-      headers: { 'Content-Type': 'application/json' },
     });
   });
 

packages/core/src/http/instance.ts

@@ -4,7 +4,6 @@ export function createInstance(baseURL: string) {
   const instance = axios.create({
     baseURL,
     withCredentials: true,
-    headers: { 'Content-Type': 'application/json' },
   });
 
   return {

packages/design-system/package.json

@@ -51,7 +51,7 @@
     "svgo": "^3.3.2",
     "tsx": "^4.20.3",
     "typescript": "catalog:",
-    "vite": "^6.3.5"
+    "vite": "^6.3.6"
   },
   "peerDependencies": {
     "@vanilla-extract/css": "^1.17.4",

packages/utils/package.json

@@ -15,7 +15,7 @@
     "@confeti/typescript": "workspace:*",
     "@vitest/coverage-v8": "3.2.4",
     "typescript": "catalog:",
-    "vite": "^6.3.5",
+    "vite": "^6.3.6",
     "vitest": "^3.2.4"
   }
 }