
chore: update @probelabs/probe to v0.6.0-rc235#368

Open · probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc235

Conversation

probelabs bot commented Feb 16, 2026

This PR updates @probelabs/probe to version v0.6.0-rc235.

Triggered by release: probelabs/probe@v0.6.0-rc235

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc235

🤖 Auto-generated by release workflow

probelabs bot commented Feb 16, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc235

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc235. This is a minor version bump within the release candidate series for the 0.6.0 release.

Files Changed

  • package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc235
  • package-lock.json: Updated the locked version and integrity checksum for @probelabs/probe

Key Changes in Dependency

The update includes one notable internal dependency change within @probelabs/probe:

  • @nyariv/sandboxjs: Changed from npm version ^0.8.32 to GitHub reference github:probelabs/SandboxJS
    • This suggests the probe package now references a fork or specific commit of SandboxJS
    • The nested @nyariv/sandboxjs dependency entry (version 0.8.33) was removed from package-lock.json

Impact Assessment

Affected Components

The @probelabs/probe package is used in the following modules:

  1. AI Review Service (src/ai-review-service.ts)

    • Imports: ProbeAgent, ProbeAgentOptions
    • Used for AI-powered code review functionality
  2. Session Registry (src/session-registry.ts)

    • Imports: ProbeAgent
    • Manages session state with Probe integration
  3. Diff Processor (src/utils/diff-processor.ts)

    • Imports: extract utility
    • Processes code diffs for analysis
  4. Tracer Initialization (src/utils/tracer-init.ts)

    • Dynamic import of @probelabs/probe module
    • Uses SimpleTelemetry and SimpleAppTracer for debugging/tracing
  5. Engine Context Builder (src/state-machine/context/build-engine-context.ts)

    • Requires @probelabs/probe dynamically

Risk Level

Low Risk - This is a dependency update within the same minor version (rc233 → rc235). The changes are:

  • Internal to the probe package
  • No breaking changes expected in the public API
  • The SandboxJS reference change is an internal dependency shift

Testing Recommendations

  1. Unit Tests: Run existing test suite to ensure compatibility
  2. AI Review Tests: Verify AI review functionality works correctly
  3. Tracer Tests: Confirm telemetry/tracing features function as expected
  4. Integration Tests: Test session management and diff processing

Architecture Context

graph TD
    A[Visor Application] --> B["@probelabs/probe v0.6.0-rc235"]
    B --> C[ProbeAgent]
    B --> D[SimpleTelemetry]
    B --> E[SimpleAppTracer]
    B --> F[extract utility]
    B --> G["@nyariv/sandboxjs - GitHub fork"]
    
    H[AI Review Service] --> C
    I[Session Registry] --> C
    J[Diff Processor] --> F
    K[Tracer Init] --> D
    K --> E

Labels

  • Type: chore - Dependency update
  • Review Effort: 1 (trivial - automated dependency update with low risk)

Metadata

  • Review Effort: 1 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-16T16:05:54.020Z | Triggered by: pr_opened | Commit: 33744fb

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs bot commented Feb 16, 2026

Security Issues (1)

Severity: 🔴 Critical | Location: package-lock.json:6407
Critical supply chain vulnerability: @nyariv/sandboxjs dependency changed from npm registry with integrity verification to GitHub reference without integrity verification. This removes cryptographic integrity checks and version pinning for a security-critical component used to execute untrusted user JavaScript code.
💡 Suggestion: Revert to npm registry version or pin GitHub reference to a specific commit hash with integrity verification. The sandboxjs package is a critical security component that executes untrusted code - any compromise could lead to remote code execution, sandbox escape, and exposure of sensitive data (source code, API keys, tokens). Recommended: 1) Use npm registry version with integrity hash, or 2) Use GitHub reference with specific commit hash: 'github:probelabs/SandboxJS#<commit-sha>', or 3) Publish the package to npm with proper integrity verification.
🔧 Suggested Fix:
"@nyariv/sandboxjs": "^0.8.32"

Architecture Issues (2)

Severity: 🟠 Error | Location: package.json:102
Dependency @probelabs/probe now resolves @nyariv/sandboxjs from GitHub instead of npm registry. This changes dependency resolution from a published version (0.8.33) to a git commit reference, which introduces non-deterministic dependency resolution and breaks standard npm/pnpm/yarn installation patterns.
💡 Suggestion: Either publish the required @nyariv/sandboxjs version to npm registry, or update the root package.json to explicitly declare the GitHub dependency with a specific commit hash to ensure reproducibility. The current indirect dependency through @probelabs/probe makes it difficult to audit and control this critical security sandbox dependency.

Severity: 🟠 Error | Location: package-lock.json:6407
The @nyariv/sandboxjs dependency changed from npm registry version 0.8.33 to GitHub reference 'github:probelabs/SandboxJS' without a specific commit hash. This removes version pinning and makes builds non-reproducible.
💡 Suggestion: Pin the GitHub dependency to a specific commit hash (e.g., 'github:probelabs/SandboxJS#commit-hash') to ensure reproducible builds. Better yet, publish a fixed version to npm registry to maintain standard dependency resolution.

Performance Issues (1)

Severity: 🟡 Warning | Location: package-lock.json:6407
Dependency @nyariv/sandboxjs changed from npm registry (^0.8.32) to GitHub-hosted (github:probelabs/SandboxJS). GitHub dependencies are slower to install (require full repository clone vs CDN download), lack npm registry caching, and have less reliable version resolution. This increases CI/CD build times and reduces installation reliability.
💡 Suggestion: Consider publishing the fork to npm registry with a scoped package name (e.g., @probelabs/sandboxjs) to maintain installation performance and reliability. If GitHub dependency is required, ensure the repository is public and stable, and document the reason for this deviation in CONTRIBUTING.md.

Quality Issues (4)

Severity: 🟠 Error | Location: package-lock.json:6407
GitHub dependency '@nyariv/sandboxjs' is not pinned to a specific commit SHA, branch, or tag. The dependency reference 'github:probelabs/SandboxJS' without version pinning means different installations may get different code, breaking build reproducibility and creating unpredictable behavior across environments.
💡 Suggestion: Pin the GitHub dependency to a specific commit SHA, tag, or branch. Use format: 'github:probelabs/SandboxJS#commit-sha' or 'github:probelabs/SandboxJS#v1.2.3' or 'github:probelabs/SandboxJS#main'. Example: 'github:probelabs/SandboxJS#a1b2c3d4e5f6g7h8i9j0'
🔧 Suggested Fix:
"@nyariv/sandboxjs": "github:probelabs/SandboxJS#<commit-sha-or-tag>"

Severity: 🟡 Warning | Location: package-lock.json:6407
GitHub dependency '@nyariv/sandboxjs' requires git and network access to GitHub during installation. This can fail in CI/CD environments, air-gapped systems, or behind corporate firewalls, and introduces additional installation complexity compared to npm registry packages.
💡 Suggestion: Consider publishing the package to npm registry with a proper version number. If GitHub dependency is necessary, ensure CI/CD environments have git installed and network access to GitHub. Document the installation requirements in deployment documentation.

Severity: 🟡 Warning | Location: package-lock.json:6407
GitHub dependency '@nyariv/sandboxjs' lacks an integrity hash (subresource integrity), making it impossible to verify the package's authenticity and detect tampering. The previous npm package version had an integrity hash for verification.
💡 Suggestion: If using GitHub dependencies is necessary, consider implementing a verification step that checks the commit SHA after installation. Alternatively, publish to npm registry with proper integrity verification.

Severity: 🟡 Warning | Location: package-lock.json:6407
The nested node_modules/@nyariv/sandboxjs entry was removed from package-lock.json, which may indicate the GitHub dependency is not properly locked. This could lead to different installations resolving different versions of the dependency.
💡 Suggestion: Run 'npm install' with the --package-lock-only flag or 'npm ci' to ensure package-lock.json properly captures the GitHub dependency resolution. Verify the lock file contains an entry for the GitHub dependency.

Powered by Visor from Probelabs

Last updated: 2026-02-16T16:05:57.158Z | Triggered by: pr_opened | Commit: 33744fb

💡 TIP: You can chat with Visor using /visor ask <your question>
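The conditions the two Visor comments describe (a transitive dependency re-pointed from the npm registry to a bare GitHub reference, no commit pin, no integrity hash, and the nested lock entry for it gone) can be checked mechanically before a lock-file change is merged. The following is an added example and is not code from Visor, from the Visor bot output, or from the probe project. It is a small Node.js audit over the `packages` map of a lockfileVersion 2/3 package-lock.json. The lock-file fragment is constructed to mirror this PR; the integrity strings, the `example-app`, `left-pad` and `pinned-git-dep` names, and the 40-hex commit value are placeholders, and the rule "a git reference counts as pinned only with a full commit SHA after `#`" is this example's own assumption, not an npm rule.

```javascript
// Added example (not from the Visor review or the probe project): audit an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) for dependencies that
// resolve from git instead of the registry and are unpinned, unverifiable, or
// missing from the lock file entirely.
// Assumption: a "pinned" git reference carries a full 40-hex commit SHA after '#'.

const GIT_SPEC = /^(github:|gitlab:|bitbucket:|git\+|git:\/\/)/;
const FULL_SHA = /^[0-9a-f]{40}$/;

// Constructed lock-file fragment mirroring the PR: @probelabs/probe is a registry
// package whose nested @nyariv/sandboxjs spec now points at GitHub without a
// commit pin, and no node_modules entry exists for it. The integrity strings,
// the other package names and the commit value are placeholders, not real data.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: {
        "@probelabs/probe": "^0.6.0-rc235",
        "pinned-git-dep": "github:example/pinned-git-dep#0123456789abcdef0123456789abcdef01234567"
      }
    },
    "node_modules/@probelabs/probe": {
      version: "0.6.0-rc235",
      resolved: "https://registry.npmjs.org/@probelabs/probe/-/probe-0.6.0-rc235.tgz",
      integrity: "sha512-PLACEHOLDER-NOT-A-REAL-HASH",
      dependencies: { "@nyariv/sandboxjs": "github:probelabs/SandboxJS", "left-pad": "^1.3.0" }
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER-NOT-A-REAL-HASH"
    },
    "node_modules/pinned-git-dep": {
      version: "1.0.0",
      resolved: "git+ssh://git@github.com/example/pinned-git-dep.git#0123456789abcdef0123456789abcdef01234567"
    }
  }
});

// Package name from a lock path such as "node_modules/a/node_modules/@s/b".
function nameOf(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return lockPath.slice(i + "node_modules/".length);
}

// Fragment after '#' in a git spec or resolved URL ("" when there is none).
function pinOf(ref) {
  const i = ref.indexOf("#");
  return i === -1 ? "" : ref.slice(i + 1);
}

// Returns findings as { severity, pkg, issue } objects; an empty array means clean.
function auditLock(lockText) {
  const packages = JSON.parse(lockText).packages || {};
  const findings = [];
  const report = (severity, pkg, issue) => findings.push({ severity, pkg, issue });
  const installed = new Set(Object.keys(packages).filter(p => p !== "").map(nameOf));

  // Pass 1: every installed entry must be verifiable. Registry tarballs carry an
  // integrity hash; git checkouts must at least be pinned to a full commit SHA.
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === "") continue; // the root project itself
    const resolved = entry.resolved || "";
    if (GIT_SPEC.test(resolved)) {
      if (!FULL_SHA.test(pinOf(resolved))) {
        report("error", nameOf(lockPath), `git dependency not pinned to a full commit SHA: ${resolved}`);
      }
      if (!entry.integrity) {
        report("warning", nameOf(lockPath), "git dependency has no integrity hash; only the commit SHA identifies the code");
      }
    } else if (!entry.integrity) {
      report("error", nameOf(lockPath), "registry dependency is missing its integrity hash");
    }
  }

  // Pass 2: git specs declared by any package (including transitive ones, which is
  // where this PR's change lives) must be pinned and must have a lock entry.
  for (const [lockPath, entry] of Object.entries(packages)) {
    const owner = lockPath === "" ? "(root project)" : nameOf(lockPath);
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (!GIT_SPEC.test(spec)) continue;
      if (!FULL_SHA.test(pinOf(spec))) {
        report("error", dep, `${owner} declares unpinned git spec "${spec}"`);
      }
      if (!installed.has(dep)) {
        report("error", dep, `${owner} declares git dependency "${dep}" but the lock file has no entry for it`);
      }
    }
  }
  return findings;
}

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.pkg}: ${f.issue}`);
}
```

Run against the constructed lock it reports two errors for @nyariv/sandboxjs (unpinned spec, no lock entry) and one warning for the pinned git dependency (no integrity hash), while the registry packages with integrity hashes stay silent. Pointing `auditLock` at a real lock file (`fs.readFileSync("package-lock.json", "utf8")`) and failing CI on any `error` finding turns the review's manual observation into a gate.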
