chore: update @probelabs/probe to v0.6.0-rc239 #372

Open
probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc239

probelabs bot commented Feb 17, 2026

This PR updates @probelabs/probe to version v0.6.0-rc239.

Triggered by release: probelabs/probe@v0.6.0-rc239

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc239

🤖 Auto-generated by release workflow

probelabs bot commented Feb 17, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc239

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc239. This is a routine dependency update within the 0.6.0 release candidate series.

Files Changed

  • package.json: Updated dependency version constraint
  • package-lock.json: Updated locked version and integrity checksums

Key Changes

Dependency Version Update

  • @probelabs/probe: 0.6.0-rc233 → 0.6.0-rc239

Notable Internal Dependency Change

The new probe version includes a change to its internal dependency @nyariv/sandboxjs:

  • Previous: @nyariv/sandboxjs@^0.8.32 (resolved to 0.8.33 from npm registry)
  • New: @nyariv/sandboxjs pointing to github:probelabs/SandboxJS (GitHub repository reference)

This change suggests the probe package now consumes a forked or development version of SandboxJS directly from GitHub rather than the published npm package.

Architecture & Impact Assessment

What This PR Accomplishes

  • Brings in the latest probe release candidate with potential bug fixes and improvements
  • Updates the SandboxJS dependency to use a GitHub-hosted version

Affected System Components

The @probelabs/probe package is used throughout the codebase:

  1. AI Review Service (src/ai-review-service.ts): Core integration point for ProbeAgent
  2. Session Registry (src/session-registry.ts): Manages AI session lifecycle
  3. Tracer Initialization (src/utils/tracer-init.ts): Uses probe's telemetry classes
  4. Diff Processing (src/utils/diff-processor.ts): Uses probe's extract function
  5. Engine Context (src/state-machine/context/build-engine-context.ts): Dynamically loads DelegationManager
  6. Version Injection (scripts/inject-version.js): Reads probe version for display

Component Relationship Diagram

graph TD
    A[Visor Application] --> B[ProbeAgent]
    A --> C[DelegationManager]
    A --> D[SimpleTelemetry/SimpleAppTracer]
    A --> E[extract function]
    
    B --> F["@probelabs/probe v0.6.0-rc239"]
    C --> F
    D --> F
    E --> F
    
    F --> G["@nyariv/sandboxjs"]
    G --> H[github:probelabs/SandboxJS]
    
    style F fill:#e1f5ff
    style H fill:#fff4e1

Scope Discovery & Context Expansion

Direct Impact Areas

  • Core AI functionality: ProbeAgent is the primary AI abstraction layer
  • Session management: DelegationManager controls concurrency limits
  • Telemetry/tracing: SimpleTelemetry provides debugging capabilities
  • Code analysis: Extract function used for diff processing

Testing Considerations

The codebase includes comprehensive mocking of @probelabs/probe:

  • __mocks__/@probelabs/probe.ts: Full mock implementation
  • Multiple test files mock ProbeAgent for unit testing
  • E2E tests use actual probe via MCP transport

Recommended verification:

  1. Run E2E tests that use MCP probe integration
  2. Verify session reuse tests pass
  3. Check that telemetry/tracing features work correctly
  4. Confirm DelegationManager concurrency limits still function

Potential Breaking Areas

Given the SandboxJS dependency change from npm to GitHub:

  • Installation behavior: GitHub dependencies may behave differently in CI/CD
  • Version resolution: No longer pinned to a specific npm version
  • Network dependency: Installation now requires GitHub access

Review Notes

  • Review Effort: Low - this is a dependency-only change
  • Risk Level: Low - within same RC version series (rc233 → rc239)
  • Testing Focus: E2E tests using actual probe, CI installation process

The change to use GitHub-hosted SandboxJS is the most significant aspect to monitor, as it affects how dependencies are resolved during installation.

Metadata
  • Review Effort: 2 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-17T12:17:37.263Z | Triggered by: pr_opened | Commit: 65ce322

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs bot commented Feb 17, 2026

Security Issues (2)

Severity Location Issue
🟡 Warning package-lock.json:6407
Dependency @nyariv/sandboxjs changed from npm registry (v0.8.33) to GitHub repository (github:probelabs/SandboxJS). GitHub dependencies bypass npm's integrity checksum verification, creating supply chain security risks. The integrity hash is no longer verified against the npm registry, and the dependency could be modified without detection.
💡 Suggestion: Consider pinning the GitHub dependency to a specific commit hash (e.g., github:probelabs/SandboxJS#commit-sha) to ensure reproducibility. Alternatively, publish the package to npm with proper integrity checksums. If using GitHub dependencies is necessary, implement a dependency verification process in CI/CD to detect unauthorized changes.
🟡 Warning package.json:105
The package.json already uses a pinned GitHub dependency (@nyariv/sandboxjs with commit hash f1c13b8), but the @probelabs/probe update now references the unpinned GitHub repository. This inconsistency could lead to different versions being installed in different environments.
💡 Suggestion: Ensure both package.json and the @probelabs/probe dependency use consistent, pinned GitHub references with commit hashes to maintain reproducible builds across environments.

Architecture Issues (1)

Severity Location Issue
🟡 Warning package-lock.json:6407
The @probelabs/probe dependency update changes @nyariv/sandboxjs from a published npm package (^0.8.32) to a GitHub reference without a commit SHA (github:probelabs/SandboxJS). This creates an inconsistency with the visor package.json which uses github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9 with a pinned commit. Git-based dependencies without commit SHAs are not reproducible and could change unexpectedly if the default branch is updated.
💡 Suggestion: The @probelabs/probe package should pin the sandboxjs dependency to a specific commit SHA (e.g., github:probelabs/SandboxJS#<commit-sha>) to ensure reproducibility. This change should be made in the @probelabs/probe package's package.json, not in visor. Alternatively, consider publishing the forked sandboxjs to npm with a scoped package name for better stability.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity Location Issue
🟠 Error package-lock.json:6407
The @probelabs/probe package's dependency on @nyariv/sandboxjs uses a GitHub reference without a commit hash, tag, or branch specifier (github:probelabs/SandboxJS). This creates non-reproducible builds and security risks since the dependency could change at any time. The main visor package.json already uses this dependency with a specific commit hash (github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9). Consider reporting this issue upstream to @probelabs/probe maintainers or pinning to a specific commit.
💡 Suggestion: The @probelabs/probe maintainers should pin the GitHub dependency to a specific commit hash, tag, or branch (e.g., github:probelabs/SandboxJS#commit-hash). This ensures reproducible builds and allows verification of the exact code being used. Alternatively, consider publishing @nyariv/sandboxjs to npm with proper semantic versioning.

Powered by Visor from Probelabs

Last updated: 2026-02-17T12:17:40.589Z | Triggered by: pr_opened | Commit: 65ce322

💡 TIP: You can chat with Visor using /visor ask <your question>
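
One way to implement the CI dependency check suggested in the review comments above, as an added example that is not part of the PR or of Visor's own code. It assumes an npm lockfileVersion 2 or 3 file, where the `packages` map records each package's declared dependency specs; the function names and the sample lockfile (including the root constraint on @probelabs/probe) are constructed for illustration.

```javascript
// Added example: flag git-hosted dependency specs that lack a full commit SHA.
// Assumes the npm lockfileVersion 2/3 layout (top-level "packages" map).
const GIT_SPEC = /^(?:github:|gitlab:|bitbucket:|gist:|git\+[a-z]+:|git:\/\/)/i;
const SHORTHAND = /^(?!\.)[\w.-]+\/[\w.-]+(?:#.*)?$/; // bare "owner/repo" GitHub shorthand
const FULL_SHA = /^[0-9a-f]{40}$/i;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

function isGitSpec(spec) {
  return GIT_SPEC.test(spec) || SHORTHAND.test(spec);
}

// Returns one finding per declared git spec whose committish is missing
// or is anything other than a 40-hex commit SHA (branch, tag, semver range).
function findUnpinnedGitSpecs(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    for (const field of DEP_FIELDS) {
      for (const [name, spec] of Object.entries(entry[field] || {})) {
        if (typeof spec !== 'string' || !isGitSpec(spec)) continue;
        const hash = spec.indexOf('#');
        const committish = hash === -1 ? '' : spec.slice(hash + 1);
        if (!FULL_SHA.test(committish)) {
          findings.push({ declaredBy: path || '(root)', name, spec });
        }
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the situation described in the review.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: {
      '@nyariv/sandboxjs': 'github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9',
      '@probelabs/probe': '^0.6.0-rc239' } },
    'node_modules/@probelabs/probe': { version: '0.6.0-rc239',
      dependencies: { '@nyariv/sandboxjs': 'github:probelabs/SandboxJS' } },
  },
};

for (const f of findUnpinnedGitSpecs(SAMPLE_LOCK)) {
  console.log(`${f.declaredBy} -> ${f.name}: ${f.spec} is not pinned to a commit SHA`);
}
```

In CI, the same function can be run over the parsed package-lock.json and the job failed when the returned list is non-empty.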
