esbuild found in production (peer)dependencies in sveltekit app

Environment

  System:
    OS: Linux 6.10 CachyOS Linux
    CPU: (16) x64 AMD Ryzen 7 8845HS w/ Radeon 780M Graphics
    Memory: 7.65 GB / 14.92 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 20.18.0 - ~/.local/share/nvm/versions/node/v20.18.0/bin/node
    npm: 10.8.2 - ~/.local/share/nvm/versions/node/v20.18.0/bin/npm
    pnpm: 8.15.5 - ~/.local/share/pnpm/pnpm

package.json

    "dependencies": {
        "@auth/core": "^0.36.0",
        "@auth/sveltekit": "1.6.0",

Reproduction URL

https://github.com/LoricAndre/next-auth-example

Describe the issue

After using pnpm --filter <filter> --prod --no-optional deploy app to create an app bundle, we found that esbuild is included in the packages that were pulled into the bundle.

After tracing the dependencies, we found that @auth/sveltekit "pulls" vite as a peer dependency, which in turn pulls esbuild as a dependency.

This seems like unwanted behavior, as vite and esbuild should not be needed after the package is built, and it flagged the package in a vulnerability scanner.

How to reproduce

Create a prod bundle of a package requiring @auth/sveltekit :

pnpm deploy /tmp/app --filter app
find /tmp/app/node_modules -name '*esbuild*'

Result :

/tmp/app/node_modules/.pnpm/@sveltejs+vite-plugin-svelte@4.0.0_svelte@5.0.3_vite@5.4.9/node_modules/@sveltejs/vite-plugin-svelte/src/utils/esbuild.js                                                                                                                                                                                                                                                                             
/tmp/app/node_modules/.pnpm/vite@5.4.9/node_modules/esbuild                                                                                                                                                                                                                                                                                                                                                                       
/tmp/app/node_modules/.pnpm/vite@5.4.9/node_modules/vite/node_modules/.bin/esbuild                                                                                                                                                                                                                                                                                                                                                
/tmp/app/node_modules/.pnpm/@esbuild+linux-x64@0.21.5                                                                                                                                                                                                                                                                                                                                                                             
/tmp/app/node_modules/.pnpm/@esbuild+linux-x64@0.21.5/node_modules/@esbuild                                                                                                                                                                                                                                                                                                                                                       
/tmp/app/node_modules/.pnpm/@esbuild+linux-x64@0.21.5/node_modules/@esbuild/linux-x64/bin/esbuild
/tmp/app/node_modules/.pnpm/esbuild@0.21.5
/tmp/app/node_modules/.pnpm/esbuild@0.21.5/node_modules/@esbuild
/tmp/app/node_modules/.pnpm/esbuild@0.21.5/node_modules/esbuild
/tmp/app/node_modules/.pnpm/esbuild@0.21.5/node_modules/esbuild/bin/esbuild
/tmp/app/node_modules/.pnpm/esbuild@0.21.5/node_modules/esbuild/node_modules/.bin/esbuild
/tmp/app/node_modules/.pnpm/node_modules/@esbuild
/tmp/app/node_modules/.pnpm/node_modules/esbuild
/tmp/app/node_modules/.pnpm/node_modules/.bin/esbuild

Expected behavior

This should not include vite or esbuild

nextauthjs / next-auth