chore: update @probelabs/probe to v0.6.0-rc234 #367

Closed
probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc234

probelabs bot commented Feb 16, 2026

This PR updates @probelabs/probe to version v0.6.0-rc234.

Triggered by release: probelabs/probe@v0.6.0-rc234

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc234

🤖 Auto-generated by release workflow

probelabs bot commented Feb 16, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc234

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc234. This is a dependency-only update with no changes to the Visor codebase itself.

Files Changed

  • package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc234
  • package-lock.json: Updated locked version and integrity checksum for @probelabs/probe

Key Changes in Dependency

The update includes a notable internal change to the probe package's dependencies:

  • SandboxJS source change: The @nyariv/sandboxjs dependency switched from npm registry version 0.8.33 to a GitHub reference (github:probelabs/SandboxJS)
  • This removes the nested @nyariv/sandboxjs entry from package-lock.json, reducing lockfile complexity

Architecture & Impact Assessment

What This PR Accomplishes

  • Keeps Visor synchronized with the latest probe release candidate
  • Ensures access to latest bug fixes and improvements in the probe AI orchestration engine

Key Technical Changes

  • Dependency version bump: 0.6.0-rc233 → 0.6.0-rc234
  • Integrity checksum update: New package integrity hash for verification
  • Transitive dependency change: SandboxJS now sourced directly from GitHub

Affected System Components

The @probelabs/probe package is used throughout Visor's core AI functionality:

  • AI Review Service (src/ai-review-service.ts): Uses ProbeAgent and ProbeAgentOptions for AI-powered code review
  • Session Registry (src/session-registry.ts): Extends ProbeAgent with tracing capabilities via TracedProbeAgent
  • Diff Processing (src/utils/diff-processor.ts): Uses the extract utility from probe
  • Tracer Initialization (src/utils/tracer-init.ts): Integrates with probe's telemetry classes (SimpleTelemetry, SimpleAppTracer)
  • Main Entry Point (src/index.ts): Displays probe version in startup banner

Component Relationships

graph TD
    A[Visor] --> B["@probelabs/probe v0.6.0-rc234"]
    B --> C[ProbeAgent]
    B --> D[SimpleTelemetry]
    B --> E[SimpleAppTracer]
    B --> F[extract utility]
    
    C --> G[AI Review Service]
    C --> H[Session Registry]
    D --> I[Tracer Initialization]
    F --> J[Diff Processor]
    
    B --> K["@nyariv/sandboxjs"]
    K --> L[GitHub: probelabs/SandboxJS]

Scope Discovery & Context Expansion

Direct Impact Areas

Based on the codebase analysis, this update affects:

  1. AI Orchestration Layer: All AI-powered checks and assistants depend on probe's ProbeAgent
  2. Telemetry/Debugging: Tracing functionality uses probe's telemetry classes
  3. Code Analysis: Diff processing relies on probe's extract utility

Related Files to Verify

For comprehensive validation, reviewers should ensure:

  • Tests pass: All AI-related tests in tests/ directory
  • Build succeeds: npm run build completes without errors
  • Version injection: scripts/inject-version.js correctly detects new probe version
  • Mock compatibility: __mocks__/@probelabs/probe.ts remains compatible with probe's API

Risk Assessment

Low Risk - This is a minor version bump within the release candidate series:

  • No breaking changes expected between rc233 and rc234
  • The SandboxJS source change is internal to probe and should not affect Visor's usage
  • All probe APIs used by Visor (ProbeAgent, ProbeAgentOptions, extract, telemetry classes) remain stable

Labels

  • Type: chore - Dependency maintenance update
  • Review Effort: 1 (trivial) - Straightforward version bump with no code changes required

Metadata

  • Review Effort: 1 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-16T12:21:01.980Z | Triggered by: pr_opened | Commit: 1deb094

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs bot commented Feb 16, 2026

Security Issues (1)

Severity Location Issue
🟡 Warning package.json:102
Dependency @nyariv/sandboxjs changed from npm registry (version 0.8.33) to GitHub repository (github:probelabs/SandboxJS). This removes the cryptographic integrity checksum (sha512-...) that previously validated the package's authenticity. GitHub dependencies lack npm's built-in integrity verification, making the supply chain more vulnerable to tampering or compromised repository access.
💡 Suggestion: Consider pinning to a specific commit hash with integrity verification, or publish the updated version to npm registry to maintain cryptographic checksums. If using GitHub is necessary, ensure repository access is tightly controlled and consider using GitHub's provenance features.

Architecture Issues (3)

Severity Location Issue
🟠 Error package-lock.json:6407
The @probelabs/probe dependency now references @nyariv/sandboxjs via GitHub without a specific commit SHA (github:probelabs/SandboxJS), while visor's direct dependency uses a pinned commit (github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9). This creates version instability where the transitive dependency could resolve to different versions over time, potentially causing runtime inconsistencies or duplicate installations in node_modules.
💡 Suggestion: Ensure @probelabs/probe pins its @nyariv/sandboxjs dependency to a specific commit SHA matching visor's direct dependency, or coordinate with the probe package maintainers to use the same version. This ensures reproducible builds and prevents potential conflicts between two different sandboxjs versions.
🟡 Warning package-lock.json:6407
Moving @nyariv/sandboxjs from npm registry (v0.8.33) to a GitHub reference reduces build reproducibility and auditability. GitHub dependencies lack semantic versioning, depend on GitHub availability, and are harder to track for security vulnerabilities compared to npm registry packages.
💡 Suggestion: Consider publishing @nyariv/sandboxjs to npm registry with proper semantic versions. If GitHub references are necessary, ensure they use specific commit SHAs and document the rationale. Implement CI checks to verify GitHub dependency availability and integrity.
🟡 Warning package.json:105
Visor directly depends on @nyariv/sandboxjs via GitHub with a specific commit SHA, while @probelabs/probe (a transitive dependency) now also depends on it via GitHub without a commit pin. This inconsistency could lead to npm installing two different versions of sandboxjs, increasing bundle size and potentially causing runtime behavior differences.
💡 Suggestion: Coordinate with @probelabs/probe maintainers to align on the same @nyariv/sandboxjs version and commit SHA. Alternatively, consider using npm resolutions (package.json 'overrides' field) to force a single version across all dependencies.

Performance Issues (1)

Severity Location Issue
🟡 Warning package-lock.json:6407
Dependency changed from npm registry version to GitHub URL for @nyariv/sandboxjs. GitHub dependencies bypass npm's caching mechanism and version resolution, causing slower installs and potential build instability. The dependency now resolves to 'github:probelabs/SandboxJS' instead of a pinned npm version.
💡 Suggestion: Consider publishing the required version to npm registry instead of using GitHub direct dependency. If GitHub dependency is necessary, pin to a specific commit hash to ensure reproducibility and consider the performance impact on CI/CD pipelines where this dependency will be cloned on every install.

Quality Issues (3)

Severity Location Issue
🟠 Error package-lock.json:6407
Dependency @nyariv/sandboxjs changed from npm registry version (^0.8.32) to GitHub reference (github:probelabs/SandboxJS). GitHub references without commit SHAs or tags are not reproducible and may resolve to different code over time. This introduces build instability and makes it difficult to audit which version is actually being used.
💡 Suggestion: Use a specific GitHub tag or commit SHA (e.g., github:probelabs/SandboxJS#v1.2.3 or github:probelabs/SandboxJS#abc123def) to ensure reproducible builds, or revert to npm registry version if available.
🔧 Suggested Fix
"@nyariv/sandboxjs": "github:probelabs/SandboxJS#<commit-sha-or-tag>"
🟢 Info package.json:105
Dependency @probelabs/probe updated from 0.6.0-rc233 to 0.6.0-rc234. This is a release candidate version bump. Ensure the changelog is reviewed for any breaking changes that could affect the codebase.
💡 Suggestion: Review the release notes for @probelabs/probe v0.6.0-rc234 to identify any breaking changes, new features, or bug fixes that might impact the application.
🟡 Warning package-lock.json:6407
The @nyariv/sandboxjs dependency is a transitive dependency of @probelabs/probe. Changes to transitive dependencies should be reviewed for breaking changes, especially since sandboxjs is used extensively throughout the codebase for secure JavaScript execution in 15+ files including failure-condition-evaluator.ts, workflow-executor.ts, and multiple providers.
💡 Suggestion: Review the changelog or commit history of probelabs/SandboxJS to identify any breaking changes. Run the full test suite to ensure compatibility with the new version.

Powered by Visor from Probelabs

Last updated: 2026-02-16T12:21:05.305Z | Triggered by: pr_opened | Commit: 1deb094

💡 TIP: You can chat with Visor using /visor ask <your question>
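
The unpinned-reference and mismatched-spec findings in the review above can be checked mechanically in CI. The following is an added example, not code from Visor or probe: it walks the `packages` map of a v2/v3 `package-lock.json` and flags git specs that lack a full commit SHA, plus packages declared with more than one git spec. The function names are hypothetical and the sample lockfile is constructed from the two specs quoted in the review.

```javascript
const GIT_SPEC = /^(github:|gitlab:|bitbucket:|git:\/\/|git\+(https?|ssh|file):\/\/)/i;
const FULL_SHA = /^[0-9a-f]{40}$/i;
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies", "devDependencies"];

// Classify one dependency spec as written in a "dependencies" map.
function classifySpec(spec) {
  if (!GIT_SPEC.test(spec)) return "not-git";
  const ref = spec.includes("#") ? spec.slice(spec.indexOf("#") + 1) : "";
  if (ref === "") return "git-unpinned"; // follows the default branch
  return FULL_SHA.test(ref) ? "git-pinned" : "git-mutable-ref"; // tags and branches can move
}

// Yield every declared spec, with the package entry that declares it.
function* declaredSpecs(lock) {
  for (const [path, entry] of Object.entries(lock.packages || {}))
    for (const field of DEP_FIELDS)
      for (const [name, spec] of Object.entries(entry[field] || {}))
        yield { declaredBy: path === "" ? "(root)" : path, name, spec };
}

// Git specs that are not pinned to a full 40-character commit SHA.
function findFloatingGitDeps(lock) {
  return [...declaredSpecs(lock)]
    .map((d) => ({ ...d, kind: classifySpec(d.spec) }))
    .filter((d) => d.kind === "git-unpinned" || d.kind === "git-mutable-ref");
}

// Package names declared with more than one distinct git spec (possible duplicate installs).
function findConflictingGitSpecs(lock) {
  const byName = new Map();
  for (const { name, spec } of declaredSpecs(lock)) {
    if (classifySpec(spec) === "not-git") continue;
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(spec);
  }
  return [...byName].filter(([, s]) => s.size > 1).map(([name, s]) => ({ name, specs: [...s] }));
}

// Constructed sample lockfile (assumption): only the fields the audit reads.
const sampleLock = { packages: {
  "": { dependencies: {
    "@probelabs/probe": "^0.6.0-rc234",
    "@nyariv/sandboxjs": "github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9" } },
  "node_modules/@probelabs/probe": { version: "0.6.0-rc234",
    dependencies: { "@nyariv/sandboxjs": "github:probelabs/SandboxJS" } } } };

console.log(findFloatingGitDeps(sampleLock), findConflictingGitSpecs(sampleLock));
```

In a pipeline, the same functions would run over the parsed lockfile and fail the job when either list is non-empty.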

buger closed this Feb 18, 2026