I've recently taken over an API written in Node and which runs on PM2 in production. From reading the documentation, it says that PM2 should be installed as a global package, however for this project it's listed in the dependencies in package.json AND installed as a global package on the production servers and no one who worked on this previously remembers why.
I assume it should be removed as a project dependency and left as a global package but is there a reason why it would be installed in both places?
PM2 is effectively installed globally in order to run your tasks.
But a node.js app can also use pm2 in source code, for example to register metrics.
The PM2 API also permit to manage tasks.
You can have more information consulting documentation: https://pm2.keymetrics.io/docs/usage/pm2-api/
So, if you plan to remove pm2 from package.json, please review your source code in order to verify that pm2 api is not used.