dependency management in public packages

[stefanofa]

while looking at the source code of the monorepo, I noticed something interesting, eg. some dependencies aren’t listed in the packages itself but are marked as external in the tsup config.

for example, the agents-sdk package doesn’t declare ai, @ai-sdk/react, or react as dependencies, even though they’re used in the code. instead, the built ES modules keep them as external imports instead of bundling them. that makes sense, but I’m wondering if it’s the best approach.

I assume the idea is to let users install only the dependencies they actually need, for example, skipping react if they don’t use it. but doesn’t this make it harder to control dependency versions and compatibility? wouldn’t it be better to list them as peerDependencies instead? and if that’s the case, it would probably be safe to just remove them from external in tsup config, since by default tsup automatically excludes packages specified in the dependencies and peerDependencies.

also, in the hono-agents package, agents-sdk and hono are both listed as peerDependencies and devDependencies. wouldn’t it make more sense to pick just one? or maybe even declare them as regular dependencies?

[agcty]

Hey @stefanofa, I agree with your assessment, peerDependencies is definitely the safer and more correct choice imo (unless i'm missing some important detail about this monorepo). It's also currently a bit cumbersome to get the agents sdk working with different package versions other than the hardcoded ones (e.g ai sdk 6, mcp server 1.24, zod 4). @threepointone @whoiskatrin are we missing something here or would you be fine with us creating a PR?

[agcty]

@whoiskatrin Thanks for the update! That's good to know about the MCP migration.

Regarding the AI SDK - the issue isn't so much about breaking changes, but about how the dependency is declared. Right
now ai is pinned as a direct dependency ("ai": "5.0.103"), which means if someone's project uses AI SDK 6, they end up
with two copies installed - one for their code and one for the agents package. This causes bundle bloat and potential
type mismatches when passing messages between their code and AIChatAgent.

Since the agents package expects consumers to bring their own models anyway (via streamText, generateObject, etc.), would
it make sense to move ai to peerDependencies with a range like >=5.0.0? That way users control the version and avoid
duplicates. Same story for @ai-sdk/openai (which could be optional, only needed for codemode).

I get that just installing agents and having everything work feels nice for casual users, but professional users need
more control over their dependency versions. And in practice, anyone using the AI features is already installing ai
separately anyway.

Happy to put together a PR if that approach works for you.

[whoiskatrin]

Yes, I see your point and it's valid. Will discuss with the team soon. Thanks

[whoiskatrin]

@agcty if you are up for it, please open a PR :)

[agcty]

@whoiskatrin Here's the PR for the AI SDK deps :) #722

While I was at it, I noticed the React peer dependency was set to * but the code uses the use() hook which requires React 19. Created a separate fix for that: #723

I'll follow up with another PR for the MCP deps.

Also fixed the same AI SDK issue in the ai-gateway package: cloudflare/ai#315 (not sure who owns that one)

[agcty]

MCP deps: #724