Snyk will add itself either to your project's dependencies or it's devDependencies, depending on how you use Snyk.
snyk wizard to patch your project with Snyk’s CLI, you are prompted with:
? Add `snyk test` to package.json file to fail test on newly disclosed vulnerabilities?
This will require authentication via `snyk auth` when running tests. (y/N)
If you select y (yes), snyk will be added as a devDependency.
However, if you choose to run
snyk protect upon installation of your package, Snyk will need to be bundled as a production dependency.
This will also happen when you have 'Automatic pull requests' and 'Include patches to vulnerable dependencies' enabled in Github integrations.
Please see here for more information: