Description
In src/package.json, @schematics/angular and @angular-devkit/schematics are currently listed under dependencies. Since these packages are only utilized for build-time tasks and schematic generation (found in src/schematics and tools/), they should not be included in production bundles.
Including them in dependencies causes unnecessary bloat and, more critically, pulls in downstream vulnerabilities that wouldn't otherwise affect the production environment.
Current Configuration
"dependencies": {
"firebase": "^12.4.0",
"rxfire": "^6.1.0",
"@angular-devkit/schematics": "^21.0.0", // Move or Remove
"@schematics/angular": "^21.0.0", // Move or Remove
"tslib": "^2.3.0"
},Impact: Dependency Vulnerability
This misconfiguration currently introduces a vulnerability via picomatch, which is a sub-dependency of the Angular devkit. Running a production-only dependency check confirms these are being pulled into the prod graph:
❯ pm why picomatch --prod
Using pnpm
picomatch@4.0.3
├─┬ @angular-devkit/core@21.2.0
│ ├─┬ @angular-devkit/schematics@21.2.0
│ │ └─┬ @schematics/angular@21.2.0
│ │ └─┬ @angular/fire@21.0.0-rc.0
│ │ └── @my-project/source@0.0.0 (dependencies)
│ └── @schematics/angular@21.2.0 [deduped]
└─┬ @angular-devkit/core@21.2.2
└─┬ @angular-devkit/schematics@21.2.2
└── @angular/fire@21.0.0-rc.0 [deduped]
Found 1 version of picomatchProposed Solution
- Remove
@schematics/angular and @angular-devkit/schematics if they are only needed for generating code in local development. Any Angular project will have them.
- Alternatively, move them to
peerDependencies (marked as optional if necessary).
Description
In
src/package.json,@schematics/angularand@angular-devkit/schematicsare currently listed underdependencies. Since these packages are only utilized for build-time tasks and schematic generation (found insrc/schematicsandtools/), they should not be included in production bundles.Including them in
dependenciescauses unnecessary bloat and, more critically, pulls in downstream vulnerabilities that wouldn't otherwise affect the production environment.Current Configuration
Impact: Dependency Vulnerability
This misconfiguration currently introduces a vulnerability via
picomatch, which is a sub-dependency of the Angular devkit. Running a production-only dependency check confirms these are being pulled into the prod graph:❯ pm why picomatch --prod Using pnpm picomatch@4.0.3 ├─┬ @angular-devkit/core@21.2.0 │ ├─┬ @angular-devkit/schematics@21.2.0 │ │ └─┬ @schematics/angular@21.2.0 │ │ └─┬ @angular/fire@21.0.0-rc.0 │ │ └── @my-project/source@0.0.0 (dependencies) │ └── @schematics/angular@21.2.0 [deduped] └─┬ @angular-devkit/core@21.2.2 └─┬ @angular-devkit/schematics@21.2.2 └── @angular/fire@21.0.0-rc.0 [deduped] Found 1 version of picomatchProposed Solution
@schematics/angularand@angular-devkit/schematicsif they are only needed for generating code in local development. Any Angular project will have them.peerDependencies(marked as optional if necessary).