Move Schematic dependencies to peerDependencies or devDependencies #3694
Description
Description
In src/package.json, @schematics/angular and @angular-devkit/schematics are currently listed under dependencies. Since these packages are only utilized for build-time tasks and schematic generation (found in src/schematics and tools/), they should not be included in production bundles.
Including them in dependencies causes unnecessary bloat and, more critically, pulls in downstream vulnerabilities that wouldn't otherwise affect the production environment.
Current Configuration
"dependencies": {
"firebase": "^12.4.0",
"rxfire": "^6.1.0",
"@angular-devkit/schematics": "^21.0.0", // Move or Remove
"@schematics/angular": "^21.0.0", // Move or Remove
"tslib": "^2.3.0"
},Impact: Dependency Vulnerability
This misconfiguration currently introduces a vulnerability via picomatch, which is a sub-dependency of the Angular devkit. Running a production-only dependency check confirms these are being pulled into the prod graph:
❯ pm why picomatch --prod
Using pnpm
picomatch@4.0.3
├─┬ @angular-devkit/core@21.2.0
│ ├─┬ @angular-devkit/schematics@21.2.0
│ │ └─┬ @schematics/angular@21.2.0
│ │ └─┬ @angular/fire@21.0.0-rc.0
│ │ └── @my-project/source@0.0.0 (dependencies)
│ └── @schematics/angular@21.2.0 [deduped]
└─┬ @angular-devkit/core@21.2.2
└─┬ @angular-devkit/schematics@21.2.2
└── @angular/fire@21.0.0-rc.0 [deduped]
Found 1 version of picomatchProposed Solution
- Remove
@schematics/angularand@angular-devkit/schematicsif they are only needed for generating code in local development. Any Angular project will have them. - Alternatively, move them to
peerDependencies(marked as optional if necessary).