Snyk will add itself either to your project's dependencies or it's devDependencies, depending on how you use Snyk.
Snyk wizard
While running snyk wizard
to patch your project with Snyk’s CLI, you are prompted with:
? Add `snyk test` to package.json file to fail test on newly disclosed vulnerabilities?
This will require authentication via `snyk auth` when running tests. (y/N)
If you select y (yes), snyk will be added as a devDependency.
Snyk protect
However, if you choose to run snyk protect
upon installation of your package, Snyk will need to be bundled as a production dependency.
Website
This will also happen when you have 'Automatic pull requests' and 'Include patches to vulnerable dependencies' enabled in Github integrations.
Please see here for more information: