
[BUG] SBOM omit dev too greedy #7909

Open
@torsten-bit

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When running npm sbom --omit dev, packages that are actually production dependencies are also omitted. In my example (see steps to reproduce), @angular/core and its transitive dependencies are not added to the SBOM.

The problem has to do with @angular/compiler having @angular/core as a peerDependency while being a dev dependency. Manually removing the peerDependencies and peerDependenciesMeta from the @angular/compiler package in the package-lock.json solves the issue.

Could you please look into this?

Expected Behavior

Production dependencies and their transitive dependencies should be included in the SBOM if they are not omitted.

Steps To Reproduce

  1. npm init
  2. npm i @angular/core@18.2.11
  3. npm sbom --sbom-format cyclonedx --omit dev --package-lock-only | grep bom-ref will include @angular/core
  4. npm i -D @angular/compiler@18.2.11
  5. npm sbom --sbom-format cyclonedx --omit dev --package-lock-only | grep bom-ref will NOT include @angular/core

Environment

  • npm: 10.9.0
  • Node.js: 22.11.0
  • OS Name: debian 12
  • System Model Name: PC
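As an added check, not part of the issue or of npm itself: a small Node script that compares the component list of a CycloneDX SBOM generated with --omit dev against package-lock.json and reports every lockfile package that is not flagged dev: true but is absent from the SBOM. The lockfile and SBOM documents embedded below are constructed, trimmed-down stand-ins for the reproduction above (the tslib version and the peer dependency lists are simplified, not copied from the real packages). The script assumes the lockfile v3 layout ("packages" keyed by path, dev-only entries flagged dev: true) and that a CycloneDX producer carries a scoped name either whole in name (as npm does) or split into group and name. A production package missing from the SBOM is a silent false negative for every scanner fed that SBOM, which is why the gap is worth checking automatically rather than by eyeballing grep output.

```javascript
// Added example, not part of the issue or of npm: compare the components of a
// CycloneDX SBOM generated with `npm sbom --omit dev` against package-lock.json.
// Any lockfile package that is not flagged `dev: true` should be in the SBOM.

// Constructed, trimmed-down lockfile (v3 layout) standing in for the
// reproduction: @angular/core is a production dependency, @angular/compiler a
// dev dependency with a peer dependency on @angular/core. The tslib version and
// the peer dependency lists are simplified, not copied from the real packages.
const LOCKFILE = {
  name: "sbom-repro",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "sbom-repro",
      dependencies: { "@angular/core": "18.2.11" },
      devDependencies: { "@angular/compiler": "18.2.11" },
    },
    "node_modules/@angular/core": {
      version: "18.2.11",
      dependencies: { tslib: "^2.3.0" },
    },
    "node_modules/tslib": { version: "2.8.1" },
    "node_modules/@angular/compiler": {
      version: "18.2.11",
      dev: true,
      dependencies: { tslib: "^2.3.0" },
      peerDependencies: { "@angular/core": "18.2.11" },
      peerDependenciesMeta: { "@angular/core": { optional: true } },
    },
  },
};

// Constructed SBOMs: one showing the behaviour the issue reports (@angular/core
// missing) and one showing the expected output.
const BUGGY_SBOM = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  components: [{ type: "library", name: "tslib", version: "2.8.1" }],
};
const EXPECTED_SBOM = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  components: [
    { type: "library", name: "@angular/core", version: "18.2.11" },
    { type: "library", name: "tslib", version: "2.8.1" },
  ],
};

// Production packages according to the lockfile: every "packages" entry except
// the root ("") that is neither dev-only nor extraneous. The package name comes
// from the explicit `name` field (present for aliases) or from the path segment
// after the last "node_modules/", which also handles nested duplicates.
function productionPackages(lock) {
  const out = new Map();
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.dev || entry.extraneous) continue;
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    out.set(`${name}@${entry.version}`, { name, version: entry.version, path });
  }
  return out;
}

// Component identities from the SBOM. Matching on name+version rather than on
// bom-ref keeps this independent of how a generator formats its references.
// Assumption: a scoped name is either carried whole in `name` (as npm does) or
// split into `group` + `name` (as other CycloneDX producers do).
function sbomComponents(sbom) {
  const ids = new Set();
  for (const c of sbom.components || []) {
    const name = c.group && !c.name.startsWith("@") ? `${c.group}/${c.name}` : c.name;
    ids.add(`${name}@${c.version}`);
  }
  return ids;
}

// Sorted list of production packages absent from the SBOM; empty means complete.
function missingFromSbom(lock, sbom) {
  const present = sbomComponents(sbom);
  return [...productionPackages(lock).keys()].filter((id) => !present.has(id)).sort();
}

// Usage: node sbom-check.js [package-lock.json] [sbom.json]; without arguments
// the constructed documents above are checked.
const [lockPath, sbomPath] = process.argv.slice(2);
const readJson = (p) => JSON.parse(require("fs").readFileSync(p, "utf8"));
const missing = missingFromSbom(lockPath ? readJson(lockPath) : LOCKFILE,
                                sbomPath ? readJson(sbomPath) : BUGGY_SBOM);
console.log(missing.length
  ? `MISSING from SBOM: ${missing.join(", ")}`
  : "SBOM covers all production packages");
```

Run against a real project as node sbom-check.js package-lock.json sbom.json after generating the SBOM with npm sbom --sbom-format cyclonedx --omit dev --package-lock-only > sbom.json; with the reproduction from the issue it prints the missing @angular/core entry. The check deliberately trusts the lockfile's dev flag rather than re-walking the dependency graph, because that flag is what npm install --omit dev acts on, so a package the lockfile treats as production but the SBOM drops is exactly the inconsistency reported here.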

Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue)