fix: remove dead @huggingface/transformers dep, add CI dependency audit

Claude · claude · CLC · commit 6ba6f0d07e61 · 2026-02-16T19:59:07.000-05:00
@huggingface/transformers was a runtime dependency never imported anywhere
in the source — embedding service uses raw fetch() to OpenAI/OpenRouter/Ollama.
This massive package (ONNX runtime + model files) bloated every install since
initial release through 15+ versions without detection.

Added depcheck to CI pipeline so unused dependencies fail the build.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -39,6 +39,9 @@ jobs:
       - name: Smoke test (free tier)
         run: npm run test:smoke:free
 
+      - name: Dependency audit (no unused deps)
+        run: npx depcheck --ignores="@types/*" --json | node -e "const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')); const unused=d.dependencies||[]; if(unused.length){console.error('Unused dependencies:',unused);process.exit(1)}"
+
   publish:
     needs: build
     runs-on: ubuntu-latest
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.1] - 2026-02-17
+
+### Removed
+- **Dead dependency `@huggingface/transformers`**: Massive package (ONNX runtime + model files) was declared as a runtime dependency but never imported anywhere. Embedding service uses raw `fetch()` to external APIs. Shipped unused since initial release, bloating every `npx gitmem-mcp` install.
+
+### Added
+- **CI dependency audit**: `depcheck` now runs in CI pipeline. Unused runtime dependencies will fail the build. This gap allowed the dead dependency to ship through 15+ versions undetected.
+
 ## [1.1.0] - 2026-02-17
 
 ### Added
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "gitmem-mcp",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Institutional memory for AI coding agents. Memory that compounds.",
   "type": "module",
   "main": "dist/index.js",
@@ -28,7 +28,6 @@
     "release-status": "bash scripts/release-status.sh"
   },
   "dependencies": {
-    "@huggingface/transformers": "^3.0.0",
     "@modelcontextprotocol/sdk": "^1.0.0",
     "uuid": "^9.0.0",
     "zod": "^3.22.0"
