chore: update @probelabs/probe to v0.6.0-rc242

[probelabs]

This PR updates @probelabs/probe to version v0.6.0-rc242.

Triggered by release: probelabs/probe@v0.6.0-rc242

Changes

• Updates @probelabs/probe dependency to v0.6.0-rc242

🤖 Auto-generated by release workflow

[probelabs]

PR Overview: Update @probelabs/probe to v0.6.0-rc242

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc242. This is a dependency update triggered by the probelabs/probe release workflow.

Files Changed

• package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc242
• package-lock.json: Updated the locked version and integrity checksum for @probelabs/probe

Key Changes in Dependency

Version Update

• Previous: 0.6.0-rc233
• New: 0.6.0-rc242
• Integrity: New checksum sha512-MxmoauiWHLJ7A48/gAYJxRXSt1PYzqqyiaL3rkR0yJcnuxJIqwQcR8burVbinIS+nQHhU3+aulPG5Drq4utzFw==

Notable Dependency Change

The probe package now references @nyariv/sandboxjs from GitHub directly:

• Previous: @nyariv/sandboxjs: ^0.8.32 (with nested version 0.8.33)
• New: @nyariv/sandboxjs: github:probelabs/SandboxJS

This change removes the npm registry dependency in favor of a direct GitHub reference, which may provide faster access to the latest changes or resolve version conflicts.

Architecture & Impact Assessment

What This PR Accomplishes

• Bumps the core AI/analysis library (@probelabs/probe) to the latest release candidate
• Ensures compatibility with the latest probe features and bug fixes

Affected System Components

The @probelabs/probe library is used throughout the codebase:

1. AI Review Service (src/ai-review-service.ts): Uses ProbeAgent and ProbeAgentOptions for AI-powered code review
2. Diff Processing (src/utils/diff-processor.ts): Uses the extract function for parsing diffs
3. Tracer Initialization (src/utils/tracer-init.ts): Uses SimpleTelemetry and SimpleAppTracer for debugging/observability
4. Main Entry Point (src/index.ts): Displays probe version in version banner
5. Test Mocks (__mocks__/@probelabs/probe.ts): Provides mock implementations for testing

Component Relationships

graph TD
    A[Visor Main] --> B[ProbeAgent]
    A --> C[SimpleTelemetry]
    D[AI Review Service] --> B
    E[Diff Processor] --> F[extract function]
    G[Tracer Init] --> C
    G --> H[SimpleAppTracer]
    C --> I[Trace Files]
    B --> J[AI Providers]
    J --> K[OpenAI/Anthropic/Google]

Loading

Scope Discovery & Context Expansion

Direct Impact

• The update is a dependency version bump with no code changes required in visor
• All existing imports and usage patterns remain compatible

Potential Indirect Impact

• SandboxJS GitHub Reference: The change from npm to GitHub for @nyariv/sandboxjs may affect:
  • Installation behavior in CI/CD pipelines (may need git access)
  • Version resolution (commits instead of semantic versions)
  • Offline installation scenarios

Related Files to Verify

Based on the dependency usage, the following areas should be tested:

1. AI Review Checks: Verify ProbeAgent initialization and answer() method work correctly
2. Diff Extraction: Confirm the extract function processes diffs as expected
3. Telemetry/Tracing: Test that SimpleTelemetry and SimpleAppTracer produce trace files
4. CI/CD Installation: Ensure GitHub Actions can install the GitHub-referenced dependency

Testing Recommendations

• Run existing test suite to verify mock compatibility
• Test AI review functionality with real providers
• Verify trace file generation in debug mode
• Confirm installation succeeds in CI environment

Review Effort

• Complexity: Low (dependency-only change)
• Risk: Low (patch version bump in RC series)
• Testing: Standard regression testing recommended

Labels

• tags.review-effort: 1 (trivial - dependency update only)
• tags.label: chore

Metadata

• Review Effort: 1 / 5
• Primary Label: chore

---

Powered by Visor from Probelabs

Last updated: 2026-02-17T19:19:02.659Z | Triggered by: pr_opened | Commit: 2f3925a

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

Security Issues (2)

Severity	Location	Issue
🟢 Info	package-lock.json:6407	GitHub dependency @nyariv/sandboxjs lacks an integrity checksum (sha512-...). Unlike npm packages which provide cryptographic verification, GitHub dependencies rely on Git's commit hashes but don't have the same npm-level integrity verification during installation. 💡 Suggestion This is a known limitation of GitHub dependencies. To mitigate, ensure the GitHub repository has signed commits and consider using npm's provenance features. Monitor the probelabs/SandboxJS repository for security updates.
🟡 Warning	package-lock.json:6407	Dependency @nyariv/sandboxjs changed from npm registry (version 0.8.33 with integrity checksum) to GitHub source (github:probelabs/SandboxJS) without integrity verification. GitHub dependencies bypass npm's integrity checksum validation, creating supply chain security risks. 💡 Suggestion Consider pinning the GitHub dependency to a specific commit hash (e.g., github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9 as seen in package.json) to ensure reproducible builds. Alternatively, publish the package to npm with proper integrity checksums. The current package.json already uses a commit hash, but package-lock.json shows it without the commit pin, which could lead to different versions being installed.

Architecture Issues (2)

Severity	Location	Issue
🟠 Error	package-lock.json:6407	The GitHub dependency for @nyariv/sandboxjs (github:probelabs/SandboxJS) lacks a commit SHA pin. Without a commit pin, the dependency will resolve to the latest commit on the default branch, making builds non-reproducible and introducing unpredictability. This violates dependency management best practices. 💡 Suggestion Pin the GitHub dependency to a specific commit SHA: github:probelabs/SandboxJS#<commit-sha>. This ensures reproducible builds and prevents unexpected changes from new commits.
🟡 Warning	package-lock.json:6407	The @probelabs/probe dependency now references @nyariv/sandboxjs from GitHub (github:probelabs/SandboxJS) instead of npm registry. This introduces a non-standard dependency source that bypasses npm's semantic versioning and security audit infrastructure. GitHub dependencies can break builds if the repository is moved, deleted, or has commit history changes. Consider using an npm package with proper versioning or documenting why this fork is necessary. 💡 Suggestion Either publish the fork to npm with a scoped package name (e.g., @probelabs/sandboxjs) or document why the GitHub reference is necessary and what commit SHA is being used. The current reference has no commit pin, making it unstable.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity	Location	Issue
🟡 Warning	package-lock.json:6401	The @probelabs/probe dependency now references @nyariv/sandboxjs from GitHub (github:probelabs/SandboxJS) instead of npm registry. GitHub-hosted dependencies bypass npm's content-addressable storage and integrity verification, can change without version updates (commits can change), may not work in all environments (firewalls, air-gapped systems), and introduce additional supply chain risk. Consider using an npm registry version or pinning to a specific commit SHA. 💡 Suggestion Consider using an npm registry version of @nyariv/sandboxjs, or if GitHub hosting is necessary, pin to a specific commit SHA (e.g., github:probelabs/SandboxJS#commit-sha) to ensure reproducibility.

---

Powered by Visor from Probelabs

Last updated: 2026-02-17T19:19:06.002Z | Triggered by: pr_opened | Commit: 2f3925a

💡 TIP: You can chat with Visor using /visor ask <your question>