chore: update @probelabs/probe to v0.6.0-rc235

[probelabs]

This PR updates @probelabs/probe to version v0.6.0-rc235.

Triggered by release: probelabs/probe@v0.6.0-rc235

Changes

• Updates @probelabs/probe dependency to v0.6.0-rc235

🤖 Auto-generated by release workflow

[probelabs]

PR Overview: Update @probelabs/probe to v0.6.0-rc235

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc235. This is a minor version bump within the release candidate series for the 0.6.0 release.

Files Changed

• package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc235
• package-lock.json: Updated the locked version and integrity checksum for @probelabs/probe

Key Changes in Dependency

The update includes one notable internal dependency change within @probelabs/probe:

• @nyariv/sandboxjs: Changed from npm version ^0.8.32 to GitHub reference github:probelabs/SandboxJS
  • This suggests the probe package now references a fork or specific commit of SandboxJS
  • The nested @nyariv/sandboxjs dependency entry (version 0.8.33) was removed from package-lock.json

Impact Assessment

Affected Components

The @probelabs/probe package is used in the following modules:

1. AI Review Service (src/ai-review-service.ts)

   • Imports: ProbeAgent, ProbeAgentOptions
   • Used for AI-powered code review functionality

2. Session Registry (src/session-registry.ts)

   • Imports: ProbeAgent
   • Manages session state with Probe integration

3. Diff Processor (src/utils/diff-processor.ts)

   • Imports: extract utility
   • Processes code diffs for analysis

4. Tracer Initialization (src/utils/tracer-init.ts)

   • Dynamic import of @probelabs/probe module
   • Uses SimpleTelemetry and SimpleAppTracer for debugging/tracing

5. Engine Context Builder (src/state-machine/context/build-engine-context.ts)

   • Requires @probelabs/probe dynamically

Risk Level

Low Risk - This is a dependency update within the same minor version (rc233 → rc235). The changes are:

• Internal to the probe package
• No breaking changes expected in the public API
• The SandboxJS reference change is an internal dependency shift

Testing Recommendations

1. Unit Tests: Run existing test suite to ensure compatibility
2. AI Review Tests: Verify AI review functionality works correctly
3. Tracer Tests: Confirm telemetry/tracing features function as expected
4. Integration Tests: Test session management and diff processing

Architecture Context

graph TD
    A[Visor Application] --> B["@probelabs/probe v0.6.0-rc235"]
    B --> C[ProbeAgent]
    B --> D[SimpleTelemetry]
    B --> E[SimpleAppTracer]
    B --> F[extract utility]
    B --> G["@nyariv/sandboxjs - GitHub fork"]
    
    H[AI Review Service] --> C
    I[Session Registry] --> C
    J[Diff Processor] --> F
    K[Tracer Init] --> D
    K --> E

Loading

Labels

• Type: chore - Dependency update
• Review Effort: 1 (trivial - automated dependency update with low risk)

Metadata

• Review Effort: 1 / 5
• Primary Label: chore

---

Powered by Visor from Probelabs

Last updated: 2026-02-16T16:05:54.020Z | Triggered by: pr_opened | Commit: 33744fb

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

Security Issues (1)

Severity	Location	Issue
🔴 Critical	package-lock.json:6407	Critical supply chain vulnerability: @nyariv/sandboxjs dependency changed from npm registry with integrity verification to GitHub reference without integrity verification. This removes cryptographic integrity checks and version pinning for a security-critical component used to execute untrusted user JavaScript code. 💡 Suggestion Revert to npm registry version or pin GitHub reference to a specific commit hash with integrity verification. The sandboxjs package is a critical security component that executes untrusted code - any compromise could lead to remote code execution, sandbox escape, and exposure of sensitive data (source code, API keys, tokens). Recommended: 1) Use npm registry version with integrity hash, or 2) Use GitHub reference with specific commit hash: 'github:probelabs/SandboxJS#<commit-sha>', or 3) Publish the package to npm with proper integrity verification. 🔧 Suggested Fix "@nyariv/sandboxjs": "^0.8.32"

Architecture Issues (2)

Severity	Location	Issue
🟠 Error	package.json:102	Dependency @probelabs/probe now resolves @nyariv/sandboxjs from GitHub instead of npm registry. This changes dependency resolution from a published version (0.8.33) to a git commit reference, which introduces non-deterministic dependency resolution and breaks standard npm/pnpm/yarn installation patterns. 💡 Suggestion Either publish the required @nyariv/sandboxjs version to npm registry, or update the root package.json to explicitly declare the GitHub dependency with a specific commit hash to ensure reproducibility. The current indirect dependency through @probelabs/probe makes it difficult to audit and control this critical security sandbox dependency.
🟠 Error	package-lock.json:6407	The @nyariv/sandboxjs dependency changed from npm registry version 0.8.33 to GitHub reference 'github:probelabs/SandboxJS' without a specific commit hash. This removes version pinning and makes builds non-reproducible. 💡 Suggestion Pin the GitHub dependency to a specific commit hash (e.g., 'github:probelabs/SandboxJS#commit-hash') to ensure reproducible builds. Better yet, publish a fixed version to npm registry to maintain standard dependency resolution.

Performance Issues (1)

Severity	Location	Issue
🟡 Warning	package-lock.json:6407	Dependency @nyariv/sandboxjs changed from npm registry (^0.8.32) to GitHub-hosted (github:probelabs/SandboxJS). GitHub dependencies are slower to install (require full repository clone vs CDN download), lack npm registry caching, and have less reliable version resolution. This increases CI/CD build times and reduces installation reliability. 💡 Suggestion Consider publishing the fork to npm registry with a scoped package name (e.g., @probelabs/sandboxjs) to maintain installation performance and reliability. If GitHub dependency is required, ensure the repository is public and stable, and document the reason for this deviation in CONTRIBUTING.md.

Quality Issues (4)

Severity	Location	Issue
🟠 Error	package-lock.json:6407	GitHub dependency '@nyariv/sandboxjs' is not pinned to a specific commit SHA, branch, or tag. The dependency reference 'github:probelabs/SandboxJS' without version pinning means different installations may get different code, breaking build reproducibility and creating unpredictable behavior across environments. 💡 Suggestion Pin the GitHub dependency to a specific commit SHA, tag, or branch. Use format: 'github:probelabs/SandboxJS#commit-sha' or 'github:probelabs/SandboxJS#v1.2.3' or 'github:probelabs/SandboxJS#main'. Example: 'github:probelabs/SandboxJS#a1b2c3d4e5f6g7h8i9j0' 🔧 Suggested Fix "@nyariv/sandboxjs": "github:probelabs/SandboxJS#<commit-sha-or-tag>"
🟡 Warning	package-lock.json:6407	GitHub dependency '@nyariv/sandboxjs' requires git and network access to GitHub during installation. This can fail in CI/CD environments, air-gapped systems, or behind corporate firewalls, and introduces additional installation complexity compared to npm registry packages. 💡 Suggestion Consider publishing the package to npm registry with a proper version number. If GitHub dependency is necessary, ensure CI/CD environments have git installed and network access to GitHub. Document the installation requirements in deployment documentation.
🟡 Warning	package-lock.json:6407	GitHub dependency '@nyariv/sandboxjs' lacks an integrity hash (subresource integrity), making it impossible to verify the package's authenticity and detect tampering. The previous npm package version had an integrity hash for verification. 💡 Suggestion If using GitHub dependencies is necessary, consider implementing a verification step that checks the commit SHA after installation. Alternatively, publish to npm registry with proper integrity verification.
🟡 Warning	package-lock.json:6407	The nested node_modules/@nyariv/sandboxjs entry was removed from package-lock.json, which may indicate the GitHub dependency is not properly locked. This could lead to different installations resolving different versions of the dependency. 💡 Suggestion Run 'npm install' with the --package-lock-only flag or 'npm ci' to ensure package-lock.json properly captures the GitHub dependency resolution. Verify the lock file contains an entry for the GitHub dependency.

---

Powered by Visor from Probelabs

Last updated: 2026-02-16T16:05:57.158Z | Triggered by: pr_opened | Commit: 33744fb

💡 TIP: You can chat with Visor using /visor ask <your question>