TypeScript `@types/*` deps pollute production deps

[bickelj]

Description

When adding a dependency on express-jwt, I expected all TypeScript @types dependencies to remain in the devDependencies. Instead, I see several @types dependencies showing up in production dependences. The @types should typically be used at compile-time only.

Reproduction

1. Add express-jwt to an existing TypeScript project's project.json as a (production/non-dev) dependency and @types/jsonwebtoken as a dev dependency.
2. npm install
3. git diff will show that several @types, including @types/jsonwebtoken have their "dev": true flags removed and therefore these packages show up in the production distribution.

Environment

Please provide the following:

• Version of this library used: "express-jwt": 8.4.1
• Version of the platform or framework used, if applicable:: npm 8.19.3
• Other relevant versions (language, server software, OS, browser): node v18.13.0 GNU/Linux
• Other modules/plugins/libraries that might be involved: jwks-rsa 3.0.1

[bickelj]

Relevant comment. I do not fully understand the comment, all I know is that the types should only need to be be present at compile time.