The build dependencies, as they are node-based reside in node_modules/ in theme directory.
Those shouldn’t be listed via SFTP though, as it is bad practice (as aforementioned) to have build dependencies on the server. But if they are listed, don’t just delete them, as there may be the rare but possible case (of even worse practice) that the theme includes files from node_modules/.
The runtime dependencies (if the Sage version uses them, Sage 8 doesn’t require runtime libraries via composer), managed by composer, reside in vendor/ in theme directory. There is an exception for Sage 10 though where the acorn runtime alternatively may also be added as a WordPress mu-plugin or a plugin instead as a composer library of the theme.
If you plan to develop on the themes, don’t do this on the production system. Download everything (including the data/uploads and database dumps) and either use something like Trellis VM feature or a Docker container or other development system locally on your workstation.
And put everything into version control (git) first. Ideally you can contact the original developers and get the repository with full history. I also encountered sites where the .git directory was also on the server (which is also bad practice, as the released app/theme should be just the workspace with as little files as possible).
If you want to update your Sage 9 theme, you may be interested in this update guide for Sage 9:
Edit: The build dependencies can be (re)installed just from the package.json; package-lock.json/yarn.lock (by npm install/yarn install), the runtime dependencies from composer.json; composer.lock (by composer install). The npm and composer dependencies are downloaded by their respective package managers.