fix(agents): drop unused deps, devDeps, and peer deps

[threepointone]

Summary

Trim entries from packages/agents/package.json that were not imported by the package. Closes #1345 by removing json-schema-to-typescript (which transitively pulled in vulnerable lodash, GHSA-p6mc-m468-83gw) from the runtime dependency tree.

dependencies

• Remove json-schema — not imported anywhere.
• Remove json-schema-to-typescript — not imported anywhere. This also drops the lodash transitive from production installs, resolving json-schema-to-typescript transitive pulls vulnerable lodash into production builds (HIGH advisory) #1345.
• Remove picomatch — not imported directly; it's already a transitive dep of @rolldown/plugin-babel.

devDependencies

• Remove @ai-sdk/openai — only appeared in a commented-out line in evals/scheduling.eval.ts.
• Remove @cloudflare/workers-oauth-provider — no references anywhere in the package.

peerDependencies / peerDependenciesMeta

• Remove @ai-sdk/react — not imported directly. @cloudflare/ai-chat (an optional peer) already declares @ai-sdk/react as its own peer, so users using the chat entry points will be prompted to install it via that package.
• Remove viem — not imported anywhere (only a JSDoc mention). @x402/evm declares viem as a regular (non-peer) dependency, so it's installed transitively whenever x402 is used.

A patch changeset for agents is included.

Test plan

• npm install at the repo root succeeds and reconciles the lockfile.
• tsc -p packages/agents/tsconfig.json, packages/agents/src/tests/tsconfig.json, and packages/agents/src/react-tests/tsconfig.json all pass with the removals applied.
• CI (lint, typecheck, tests) passes.
• Confirm npm ls json-schema-to-typescript no longer shows it under agents after install in a downstream project.

Made with Cursor

---

[changeset-bot]

🦋 Changeset detected

Latest commit: ec9dcae

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
agents	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[pkg-pr-new]

Open in StackBlitz

agents

npm i https://pkg.pr.new/agents@1346

@cloudflare/ai-chat

npm i https://pkg.pr.new/@cloudflare/ai-chat@1346

@cloudflare/codemode

npm i https://pkg.pr.new/@cloudflare/codemode@1346

hono-agents

npm i https://pkg.pr.new/hono-agents@1346

@cloudflare/shell

npm i https://pkg.pr.new/@cloudflare/shell@1346

@cloudflare/think

npm i https://pkg.pr.new/@cloudflare/think@1346

@cloudflare/voice

npm i https://pkg.pr.new/@cloudflare/voice@1346

@cloudflare/worker-bundler

npm i https://pkg.pr.new/@cloudflare/worker-bundler@1346

commit: ec9dcae