CycloneDX / cyclonedx-node-npm

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
https://cyclonedx.org/
Apache License 2.0

"--omit dev" does not omit all devDependencies #197

Closed SandZn closed 2 years ago

SandZn commented 2 years ago

Please try this package memdown.

After I ran cyclonedx-npm --omit dev --output-file newbom.json, I got an extra devDependency (level-concat-iterator) that is mixed in with the dependencies.

{
  "ref": "memdown@6.1.1",
  "dependsOn": [
    "abstract-leveldown@7.2.0",
    "DummyComponent.InterferedDependency.airtap-playwright",
    "DummyComponent.InterferedDependency.airtap-sauce",
    "DummyComponent.InterferedDependency.airtap",
    "DummyComponent.InterferedDependency.dependency-check",
    "DummyComponent.InterferedDependency.faucet",
    "functional-red-black-tree@1.0.1",
    "DummyComponent.InterferedDependency.hallmark",
    "inherits@2.0.4",
    "level-concat-iterator@3.1.0",
    "ltgt@2.2.1",
    "DummyComponent.InterferedDependency.nyc",
    "DummyComponent.InterferedDependency.standard",
    "DummyComponent.InterferedDependency.tape"
  ]
}

jkowalleck commented 2 years ago

Which OS did you use? Which version of node did you use? Which version of NPM did you use?

Could you provide the npm lock file? Otherwise we don't have a reproducible setup, because the dependencies I would install could be different from the ones you installed. This is critical for reproduction.

SandZn commented 2 years ago

Sure.

OS: MacOS 12.3.1
node: v16.14.0
npm: 8.5.5

package-lock.json: https://jsonblob.com/1033364954815938560

jkowalleck commented 2 years ago

Your lockfile states that level-concat-iterator is required by node_modules/abstract-leveldown at around line 33.

And NPM knows that, too. npm ls --omit dev --all --long showed:

memdown@6.1.1
│
├─┬ abstract-leveldown@7.2.0
│ │ 
│ ├─┬ level-concat-iterator@3.1.0
│ │ │ 
│ │ └── catering@2.1.1 deduped

Conclusion: the level-concat-iterator actually seems to be a prod dependency of abstract-leveldown.

So the SBOM result seems about right.
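The check behind that conclusion, as an added example that is neither code from this issue nor from the cyclonedx-node-npm project: walk the `packages` map of a lockfileVersion 2/3 `package-lock.json` from the root, following only `dependencies` (and `optionalDependencies`) edges, and see which of the root's `devDependencies` are reached anyway. The `lock` object is a constructed fragment (package names and the versions of memdown, abstract-leveldown, level-concat-iterator and catering come from the issue; `tape` stands in for the omitted dev-only tools with a placeholder version), and `resolveDep`, `prodReachable`, `devDepsAlsoProd` and `flagMismatches` are names chosen here, not an API of npm or of the SBOM tool. It applies to any lockfile of that layout, not only the one in the issue.

```javascript
// Added example, not code from the cyclonedx-node-npm project or from this issue.
// Walks an npm lockfile (lockfileVersion 2/3 "packages" map) from the root along
// production edges only, to show why a package that the root lists under
// devDependencies can still be a production dependency: some production package
// (here abstract-leveldown) requires it too.

// Constructed lockfile fragment. "tape" is a stand-in for the dev-only tools;
// its version is a placeholder.
const lock = {
  lockfileVersion: 2,
  packages: {
    '': {
      name: 'memdown',
      version: '6.1.1',
      dependencies: { 'abstract-leveldown': '^7.2.0' },
      devDependencies: { 'level-concat-iterator': '^3.1.0', tape: '*' },
    },
    'node_modules/abstract-leveldown': {
      version: '7.2.0',
      dependencies: { 'level-concat-iterator': '^3.0.0' },
    },
    'node_modules/level-concat-iterator': {
      version: '3.1.0',
      dependencies: { catering: '^2.1.0' },
    },
    'node_modules/catering': { version: '2.1.1' },
    'node_modules/tape': { version: '0.0.0-placeholder', dev: true },
  },
};

// npm resolution order: node_modules/<name> next to the requirer, then in each
// ancestor directory up to the project root. Returns the lockfile key or null.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const key = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[key]) return key;
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Every lockfile key reachable from the root through dependencies /
// optionalDependencies edges. The root's devDependencies are not followed,
// which is what `--omit dev` means; a dev-declared package still shows up
// here when a production package depends on it.
function prodReachable(lock) {
  const { packages } = lock;
  const seen = new Set();
  const stack = [''];
  while (stack.length > 0) {
    const from = stack.pop();
    const entry = packages[from];
    const names = Object.keys({ ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) });
    for (const name of names) {
      const key = resolveDep(packages, from, name);
      if (key === null) throw new Error(`${name} (required by ${from || 'root'}) is missing from the lockfile`);
      if (!seen.has(key)) {
        seen.add(key);
        stack.push(key);
      }
    }
  }
  return seen;
}

// Root devDependencies that are nevertheless production-reachable.
// For the lockfile in the issue this is exactly level-concat-iterator.
function devDepsAlsoProd(lock) {
  const reach = prodReachable(lock);
  return Object.keys(lock.packages[''].devDependencies || {})
    .filter((name) => {
      const key = resolveDep(lock.packages, '', name);
      return key !== null && reach.has(key);
    })
    .sort();
}

// Consistency check: npm sets `dev: true` on an entry only when nothing in the
// production graph needs it. Entries where that flag disagrees with our own
// walk are worth a look before trusting the scope of an SBOM built from the file.
function flagMismatches(lock) {
  const reach = prodReachable(lock);
  return Object.keys(lock.packages)
    .filter((key) => key !== '')
    .filter((key) => Boolean(lock.packages[key].dev) === reach.has(key));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('production-reachable:', [...prodReachable(lock)].sort());
  console.log('devDependencies that are also prod:', devDepsAlsoProd(lock));
  console.log('dev-flag mismatches:', flagMismatches(lock));
}
```

Run it with `node` and swap the constructed `lock` for `JSON.parse(fs.readFileSync('package-lock.json'))` to audit a real project: a non-empty `devDepsAlsoProd` result lists exactly the packages that a correct `--omit dev` SBOM must keep, and a non-empty `flagMismatches` result means the lockfile's own dev flags and the dependency graph disagree, which is the first thing to verify before blaming the SBOM generator.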