
[BUG] SBOM omit dev too greedy #7909

Open
2 tasks done
torsten-bit opened this issue Nov 14, 2024 · 0 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps

Comments


torsten-bit commented Nov 14, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When running npm sbom --omit dev, packages that are actually production dependencies will also be omitted. In my example (see steps to reproduce), @angular/core and its transitive dependencies are not added to the SBOM.

The problem has to do with @angular/compiler having @angular/core as a peerDependency and being a dev dependency. Manually removing the peerDependencies and peerDependenciesMeta from the @angular/compiler package in the package-lock.json will solve the issue.

Could you please have a look into this?

Expected Behavior

Production dependencies and their transitive dependencies should be included in the SBOM, if not omitted.

Steps To Reproduce

  1. npm init
  2. npm i @angular/[email protected]
     2.1. npm sbom --sbom-format cyclonedx --omit dev --package-lock-only | grep bom-ref will include @angular/core
  3. npm i -D @angular/[email protected]
     3.1. npm sbom --sbom-format cyclonedx --omit dev --package-lock-only | grep bom-ref will NOT include @angular/core

Environment

  • npm: 10.9.0
  • Node.js: 22.11.0
  • OS Name: debian 12
  • System Model Name: PC
@torsten-bit torsten-bit added Bug thing that needs fixing Needs Triage needs review for next steps labels Nov 14, 2024