
chore: update @probelabs/probe to v0.6.0-rc241 #374

Open

probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc241

Conversation

probelabs bot (Contributor) commented Feb 17, 2026

This PR updates @probelabs/probe to version v0.6.0-rc241.

Triggered by release: probelabs/probe@v0.6.0-rc241

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc241

🤖 Auto-generated by release workflow

probelabs bot (Contributor, Author) commented Feb 17, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc241

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc241. This is a dependency update triggered by the probelabs/probe release workflow.

Files Changed

  • package.json: Updated @probelabs/probe version constraint
  • package-lock.json: Updated lockfile with new dependency resolution

Key Changes in Dependency

Version Update

  • @probelabs/probe: 0.6.0-rc233 → 0.6.0-rc241
  • New integrity hash: sha512-ZFkZK/Wh2hf8ASWDNfTDxPBGqNQfNveD8Z+JCv/4url7+/z9h/EPlAzmwC0gYtIu1HshVQdoXxZyurdIbWYkoQ==

Notable Dependency Change

The @nyariv/sandboxjs transitive dependency has changed:

  • From: @nyariv/sandboxjs@^0.8.32 (resolved to 0.8.33 from npm registry)
  • To: @nyariv/sandboxjs@github:probelabs/SandboxJS (direct GitHub reference)

This change suggests the probe package now references a fork or specific version of SandboxJS hosted on GitHub rather than the npm registry version.

Architecture & Impact Assessment

Affected Components

The @probelabs/probe package is used in several core modules:

  1. AI Review Service (src/ai-review-service.ts)

    • Imports ProbeAgent and ProbeAgentOptions
    • Used for AI-powered code review functionality
  2. Session Registry (src/session-registry.ts)

    • Imports ProbeAgent
    • Manages AI session state
  3. Diff Processor (src/utils/diff-processor.ts)

    • Imports extract function
    • Processes code diffs for analysis
  4. Engine Context Builder (src/state-machine/context/build-engine-context.ts)

    • Dynamically requires probe package
    • Used in state machine initialization
  5. Tracer Initialization (src/utils/tracer-init.ts)

    • Uses SimpleTelemetry and SimpleAppTracer
    • Provides debugging/tracing capabilities
  6. Version Injection Script (scripts/inject-version.js)

    • Reads probe version for build metadata

Impact Scope

  • Risk Level: Low to Medium
  • Breaking Changes: None visible in the diff
  • Behavioral Changes: The SandboxJS dependency shift may affect sandbox execution behavior
```mermaid
graph TD
    A[visord] --> B["@probelabs/probe v0.6.0-rc241"]
    B --> C[AI Review Service]
    B --> D[Session Registry]
    B --> E[Diff Processor]
    B --> F[Tracer Init]
    B --> G[Engine Context]
    B --> H["@nyariv/sandboxjs GitHub fork"]

    C --> I[ProbeAgent]
    D --> I
    E --> J[extract function]
    F --> K[SimpleTelemetry/AppTracer]
    G --> L[Dynamic require]

    style H fill:#f9f,stroke:#333,stroke-width:2px
    style B fill:#bbf,stroke:#333,stroke-width:2px
```

Testing Recommendations

  1. AI Review Functionality: Verify code review features work correctly
  2. Session Management: Test session creation and lifecycle
  3. Diff Processing: Ensure code diff analysis functions properly
  4. Tracing/Debugging: Validate trace file generation and telemetry
  5. Sandbox Execution: Test any code sandbox features (affected by SandboxJS change)

Review Notes

  • This is an automated dependency update
  • The SandboxJS GitHub reference change warrants attention during review
  • No code changes required in the visor codebase itself
  • Consider running the full test suite to ensure compatibility

Metadata

  • Review Effort: 2 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-17T14:46:40.475Z | Triggered by: pr_opened | Commit: d7493d5

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs bot (Contributor, Author) commented Feb 17, 2026

Security Issues (3)

Severity: 🟡 Warning | Location: package.json:102
Issue: Dependency @probelabs/probe updated from v0.6.0-rc233 to v0.6.0-rc241. The new version changes @nyariv/sandboxjs from npm registry (^0.8.32) to a GitHub dependency (github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9). GitHub dependencies bypass npm's security audit and integrity verification, reducing supply chain security. The integrity hash changed from sha512-1U5HAi90sfzXi7n8MjVa/HdDvtf1Zx61euBWknxXuKQqXXgXQgR1hnHkGipksyQ8LG7Falh4hbXeKlaWuV36+Q== to sha512-ZFkZK/Wh2hf8ASWDNfTDxPBGqNQfNveD8Z+JCv/4url7+/z9h/EPlAzmwC0gYtIu1HshVQdoXxZyurdIbWYkoQ==.
💡 Suggestion: Consider pinning to a specific npm-registered version instead of a GitHub dependency to maintain supply chain security. If using the GitHub dependency is necessary, ensure the commit SHA is pinned and regularly review the repository for security updates. Verify that the GitHub repository has appropriate security controls (code review, CI/CD security checks, signed commits).

Severity: 🟡 Warning | Location: package-lock.json:6398
Issue: The @nyariv/sandboxjs dependency now resolves to github:probelabs/SandboxJS instead of npm registry. This removes the npm integrity hash verification (subresource integrity) that was previously in place. The new integrity hash only covers the @probelabs/probe package tarball, not the transitive GitHub dependency.
💡 Suggestion: Implement additional verification for GitHub-sourced dependencies, such as: 1) Pinning to a specific commit SHA (already done with #f1c13b8eee98734a8ea024061eada4aa9a9ff2e9), 2) Verifying commit signatures if available, 3) Setting up dependabot or similar tools to monitor the GitHub repository for security advisories, 4) Considering vendoring the dependency if it's critical to security.

Severity: 🟡 Warning | Location: package-lock.json:6407
Issue: The @nyariv/sandboxjs library is used for secure JavaScript sandboxing in Visor (see src/utils/sandbox.ts, src/failure-condition-evaluator.ts). Moving this dependency from npm to a GitHub repository increases the risk of supply chain attacks. The sandbox is used to evaluate user-provided JavaScript expressions in fail_if conditions, transform_js, and other contexts, a critical security boundary.
💡 Suggestion: Given the security-critical nature of sandboxjs (used to sandbox untrusted code), consider: 1) Maintaining a fork in your own organization with security review, 2) Implementing additional runtime validation of sandbox behavior, 3) Adding integration tests that verify sandbox isolation properties, 4) Monitoring for unexpected behavior in sandbox execution.

Architecture Issues (3)

Severity: 🟠 Error | Location: package.json:105
Issue: Direct GitHub dependency reference (@nyariv/sandboxjs) introduces supply chain risk and breaks reproducible builds. GitHub dependencies bypass npm's semantic versioning, integrity verification, and registry caching. This makes builds non-deterministic and vulnerable to repository changes or deletions.
💡 Suggestion: Use a published npm package version instead. If the required version doesn't exist on npm, consider publishing it to a private registry or using a git commit hash with locked integrity checksum. For GitHub dependencies, always pin to a specific commit hash (not just branch) and document the reason for bypassing npm registry.

Severity: 🟡 Warning | Location: package-lock.json:6407
Issue: The @probelabs/probe dependency now references @nyariv/sandboxjs via GitHub (github:probelabs/SandboxJS) instead of npm registry. This indirect GitHub dependency through a transitive dependency creates hidden supply chain risks and complicates dependency auditing.
💡 Suggestion: Verify that @probelabs/probe has a legitimate reason for using a GitHub dependency. If this is intentional, ensure your CI/CD has proper git dependency caching. Consider requesting that @probelabs/probe publish or vendor this dependency properly.

Severity: 🟡 Warning | Location: package.json:105
Issue: Inconsistent dependency resolution: package.json pins @nyariv/sandboxjs to a specific GitHub commit (f1c13b8...), while @probelabs/probe's transitive dependency references the repository without commit pinning. This creates potential for version mismatches and unpredictable behavior.
💡 Suggestion: Ensure both direct and transitive dependencies resolve to the same version. Consider using npm overrides or resolutions to force a single version, or coordinate with @probelabs/probe to align dependency versions.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity: 🟡 Warning | Location: package-lock.json:6407
Issue: The @probelabs/probe dependency now references @nyariv/sandboxjs from GitHub (github:probelabs/SandboxJS) instead of npm registry. This bypasses npm's integrity verification and versioning system, which may impact reproducibility and security auditing in production environments.
💡 Suggestion: Consider pinning to a specific commit hash or tag in the GitHub URL to ensure reproducibility. Alternatively, verify if this dependency should be published to npm registry instead.


Last updated: 2026-02-17T14:46:43.598Z | Triggered by: pr_opened | Commit: d7493d5

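The three review comments above all turn on the same lockfile facts: a package resolved from git carries no npm `integrity` field, its commit may or may not be pinned in the resolved URL, and a transitive requirer can declare the same package with an unpinned spec while the root package.json pins it. The following script is an added example, not code from Visor or @probelabs/probe, that makes those checks mechanical: it walks a lockfileVersion 2/3 `packages` map, reports every git-sourced entry with its pin and integrity status and who requires it with which spec, and derives a package.json `overrides` block that forces the git package to the commit the lockfile actually resolved. The sample lockfile is constructed to mirror this PR (paths, the SandboxJS commit and the probe integrity hash are taken from the comments above; the registry tarball URL and the `0.8.33` version are assumed).

```javascript
// Added example (not Visor's or @probelabs/probe's code): audit an npm lockfile for
// dependencies fetched from git instead of the registry, and propose overrides.

// resolved URLs npm writes for git sources: git+ssh://, git+https://, github:, ...
const GIT_RESOLVED = /^(git\+[a-z]+:\/\/|github:|gitlab:|bitbucket:|git@)/i;
// a full 40-hex commit pinned at the end of a spec or resolved URL
const FULL_SHA = /#([0-9a-f]{40})$/i;

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(lockPath) {
  return lockPath.replace(/^.*node_modules\//, "");
}

// Extract "owner/repo" from a GitHub resolved URL or github: spec, else null.
function githubRepo(resolved) {
  const m =
    resolved.match(/github\.com[:/]([^/]+\/[^/#]+?)(?:\.git)?(?:#|$)/i) ||
    resolved.match(/^github:([^/]+\/[^/#]+?)(?:\.git)?(?:#|$)/i);
  return m ? m[1] : null;
}

function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const resolved = entry.resolved || "";
    if (!GIT_RESOLVED.test(resolved)) continue; // registry tarball: integrity-checked
    const name = packageName(path);
    const shaMatch = resolved.match(FULL_SHA);
    // Every package (root included) that declares this name, with the spec it used,
    // so a pinned root spec and an unpinned transitive spec show up side by side.
    const requiredBy = Object.entries(packages)
      .filter(([, e]) => e.dependencies && Object.prototype.hasOwnProperty.call(e.dependencies, name))
      .map(([p, e]) => ({
        from: p === "" ? "(root package.json)" : packageName(p),
        spec: e.dependencies[name],
        specPinned: FULL_SHA.test(e.dependencies[name]),
      }));
    findings.push({
      name,
      resolved,
      commit: shaMatch ? shaMatch[1] : null, // null means the install can drift
      hasIntegrity: typeof entry.integrity === "string" && entry.integrity.length > 0,
      requiredBy,
    });
  }
  return findings;
}

// package.json "overrides" that force each git package to the lockfile's commit,
// so an unpinned transitive spec cannot resolve elsewhere on a fresh install.
function proposeOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (!f.commit) continue; // nothing trustworthy to pin to; fix the lockfile first
    const repo = githubRepo(f.resolved);
    overrides[f.name] = repo ? `github:${repo}#${f.commit}` : f.resolved;
  }
  return overrides;
}

// Constructed sample lockfile excerpt modelled on this PR's package-lock.json.
// The SandboxJS commit and the probe sha512 come from the review comments; the
// tarball URL and version 0.8.33 are assumed for illustration.
const SAMPLE_LOCK = {
  name: "visor",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: {
        "@probelabs/probe": "0.6.0-rc241",
        "@nyariv/sandboxjs": "github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9",
      },
    },
    "node_modules/@probelabs/probe": {
      version: "0.6.0-rc241",
      resolved: "https://registry.npmjs.org/@probelabs/probe/-/probe-0.6.0-rc241.tgz",
      integrity: "sha512-ZFkZK/Wh2hf8ASWDNfTDxPBGqNQfNveD8Z+JCv/4url7+/z9h/EPlAzmwC0gYtIu1HshVQdoXxZyurdIbWYkoQ==",
      dependencies: { "@nyariv/sandboxjs": "github:probelabs/SandboxJS" }, // unpinned
    },
    "node_modules/@nyariv/sandboxjs": {
      version: "0.8.33",
      resolved: "git+ssh://git@github.com/probelabs/SandboxJS.git#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9",
      // note: no "integrity" field; npm records none for git sources
    },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify({ findings: report, overrides: proposeOverrides(report) }, null, 2));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a finding with `hasIntegrity: false` and any `requiredBy` entry with `specPinned: false` is exactly the condition the reviews above flag, and the emitted `overrides` block is the npm-side fix they suggest. Package-level overrides do not add an integrity hash, so the commit pin plus a review of the referenced repository remains the control.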
