chore: update @probelabs/probe to v0.6.0-rc240#373

Open
probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc240
Conversation

@probelabs probelabs bot commented Feb 17, 2026

This PR updates @probelabs/probe to version v0.6.0-rc240.

Triggered by release: probelabs/probe@v0.6.0-rc240

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc240

🤖 Auto-generated by release workflow

probelabs bot commented Feb 17, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc240

Description

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc240. This is a dependency update triggered by the Probe Labs release workflow.

Files Changed

| File | Additions | Deletions | Change |
| --- | --- | --- | --- |
| package-lock.json | +5 | -11 | Modified |
| package.json | +1 | -1 | Modified |

Total: 2 files changed, 6 additions, 12 deletions

Key Changes

Dependency Version Update

  • @probelabs/probe: 0.6.0-rc233 → 0.6.0-rc240
  • Integrity hash: Updated to sha512-2yoBh22n+P92mHjwelj3bItG57y8lee35vl2II3bHPbLeBTOKj4TX5mpZDpG2iju6E1FBEbU9UvXpk6oLDwFfw==

Notable Dependency Change in Probe

The new Probe version switches its @nyariv/sandboxjs dependency:

  • From: @nyariv/sandboxjs@^0.8.32 (npm registry)
  • To: @nyariv/sandboxjs@github:probelabs/SandboxJS (GitHub direct reference)

This change removes the intermediate npm package version and points directly to the Probe Labs fork on GitHub. The nested node_modules/@probelabs/probe/node_modules/@nyariv/sandboxjs entry has been removed from package-lock.json as a result.

Architecture & Impact Assessment

What This PR Accomplishes

  • Brings in the latest Probe SDK release candidate (rc240)
  • Maintains compatibility with the Probe ecosystem

Affected System Components

The @probelabs/probe package is used throughout the Visor codebase:

```mermaid
graph TD
    A[Visor] --> B[AI Review Service]
    A --> C[Session Registry]
    A --> D[Diff Processor]
    A --> E[Tracer Initialization]
    A --> F[Engine Context Builder]

    B --> G["@probelabs/probe"]
    C --> G
    D --> G
    E --> G
    F --> G

    G --> H[ProbeAgent]
    G --> I[DelegationManager]
    G --> J[SimpleTelemetry]
    G --> K[extract utility]
```

Key integration points:

  • src/ai-review-service.ts - Uses ProbeAgent for AI interactions
  • src/session-registry.ts - Uses ProbeAgent for session management
  • src/utils/diff-processor.ts - Uses extract utility and references probe binary paths
  • src/utils/tracer-init.ts - Uses SimpleTelemetry and SimpleAppTracer
  • src/state-machine/context/build-engine-context.ts - Dynamically loads DelegationManager

Technical Changes

  1. No breaking changes expected - This is a minor version bump within the 0.6.0-rc series
  2. SandboxJS source change - The underlying sandbox execution library now points to a GitHub repository instead of npm, which may affect:
    • Installation behavior (requires git access)
    • Version resolution (uses git commit SHA)
    • Potential offline installation scenarios

Scope Discovery & Context Expansion

Related Files (from codebase analysis)

  • __mocks__/@probelabs/probe.ts - Mock implementations for testing
  • jest.config.js - Module mapper configuration for mocks
  • scripts/inject-version.js - Version injection logic that reads from package-lock

Testing Considerations

  • Existing mocks in __mocks__/@probelabs/probe.ts should remain compatible
  • The DelegationManager mock mirrors the real API and should continue working
  • Test suite uses jest.config.js module mapper to redirect imports to mocks

Potential Review Areas

  1. Verify CI/CD pipelines have git access for GitHub package dependencies
  2. Check if any code depends on specific SandboxJS internals that may have changed
  3. Confirm DelegationManager dynamic loading still works with new Probe version

Labels

  • Type: chore - Dependency update
  • Review Effort: 1 (trivial) - Straightforward dependency version bump with no code changes required

Metadata

  • Review Effort: 1 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-17T13:42:42.747Z | Triggered by: pr_opened | Commit: 324705b

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs bot commented Feb 17, 2026

Security Issues (1)

| Severity | Location | Issue |
| --- | --- | --- |
| 🟡 Warning | package-lock.json:6407 | Dependency @nyariv/sandboxjs changed from npm registry version 0.8.33 to GitHub repository reference (github:probelabs/SandboxJS). This introduces supply chain security risks: (1) No integrity hash verification for GitHub dependencies, (2) Bypasses npm security auditing and vulnerability scanning, (3) Dependency can change without version bump if repository updates, (4) Harder to track security advisories for GitHub-hosted packages, (5) CI/CD builds may fetch different code if repository changes, leading to non-reproducible builds. 💡 Suggestion: Consider pinning to a specific commit hash (e.g., github:probelabs/SandboxJS#commit-hash) or publishing to npm registry with proper integrity verification. If using GitHub is necessary, add a lockfile comment documenting the expected commit hash and implement CI checks to verify the dependency hasn't changed unexpectedly. |

Architecture Issues (2)

| Severity | Location | Issue |
| --- | --- | --- |
| 🟡 Warning | package-lock.json:6407 | The @probelabs/probe package now depends on @nyariv/sandboxjs from GitHub without a commit hash (github:probelabs/SandboxJS). This breaks build reproducibility as it will always fetch the latest default branch. While visor has its own direct dependency pinned to a specific commit (f1c13b8eee98734a8ea024061eada4aa9a9ff2e9), this creates inconsistency and could affect downstream consumers of @probelabs/probe who don't have their own pin. 💡 Suggestion: Consider reporting this to the @probelabs/probe maintainers. The GitHub dependency should include a commit hash (e.g., github:probelabs/SandboxJS#commit-hash) to ensure reproducible builds. For this project, the impact is mitigated since visor has its own pinned direct dependency. |
| 🟡 Warning | package-lock.json:6407 | Transitive dependency @nyariv/sandboxjs moved from npm registry (version 0.8.33) to GitHub repository. GitHub dependencies bypass npm's security auditing, integrity checks, and may introduce instability if the repository changes. This is a transitive dependency through @probelabs/probe. 💡 Suggestion: Monitor for any runtime issues related to sandboxjs functionality. The visor package has its own pinned dependency which should take precedence, but this change could affect other projects depending on @probelabs/probe. |

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (3)

| Severity | Location | Issue |
| --- | --- | --- |
| 🟢 Info | package.json:102 | Direct dependency @probelabs/probe updated from rc233 to rc240. This is a release candidate version bump. Ensure that breaking changes in the new version are compatible with existing code, particularly around the SandboxJS dependency change. 💡 Suggestion: Review the changelog for @probelabs/probe v0.6.0-rc240 to understand what changed between rc233 and rc240. Test all sandbox-related functionality since the underlying SandboxJS dependency source changed. |
| 🟢 Info | package-lock.json:6398 | The integrity hash for @probelabs/probe changed from sha512-1U5HAi90sfzXi7n8MjVa/HdDvtf1Zx61euBWknxXuKQqXXgXQgR1hnHkGipksyQ8LG7Falh4hbXeKlaWuV36+Q== to sha512-2yoBh22n+P92mHjwelj3bItG57y8lee35vl2II3bHPbLeBTOKj4TX5mpZDpG2iju6E1FBEbU9UvXpk6oLDwFfw==. This is expected for a version update but verify the new hash matches the published package. 💡 Suggestion: Run 'npm audit' to check for known vulnerabilities in the updated package. Verify the integrity hash matches what's published on npmjs.org. |
| 🟡 Warning | package-lock.json:6407 | Nested dependency @nyariv/sandboxjs changed from npm registry version 0.8.33 to GitHub reference 'github:probelabs/SandboxJS'. Using GitHub dependencies in production reduces reproducibility and reliability compared to published npm packages. GitHub dependencies can break if the repository is deleted, moved, or commits are force-pushed. They also bypass npm's security auditing and content addressing. 💡 Suggestion: Consider publishing @nyariv/sandboxjs to npm registry with proper semantic versioning. If GitHub reference is necessary, pin to a specific commit hash and document the reason. Consider adding a package-lock.json integrity check or using npm's provenance statements for better security. |

Powered by Visor from Probelabs

Last updated: 2026-02-17T13:42:46.260Z | Triggered by: pr_opened | Commit: 324705b

💡 TIP: You can chat with Visor using /visor ask <your question>
