chore: update @probelabs/probe to v0.6.0-rc237#370

Closed: probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc237

Conversation

probelabs bot (Contributor) commented Feb 17, 2026

This PR updates @probelabs/probe to version v0.6.0-rc237.

Triggered by release: probelabs/probe@v0.6.0-rc237

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc237

🤖 Auto-generated by release workflow

probelabs bot (Contributor, Author) commented Feb 17, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc237

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc237. This is a dependency update PR auto-generated by the release workflow.

Files Changed

  • package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc237
  • package-lock.json: Updated the locked version and integrity checksum for @probelabs/probe

Key Changes in Dependency

The update includes a notable internal dependency change within @probelabs/probe:

  • @nyariv/sandboxjs: Changed from npm registry version 0.8.33 to GitHub source github:probelabs/SandboxJS

This change removes the nested node_modules/@probelabs/probe/node_modules/@nyariv/sandboxjs entry from package-lock.json, as the dependency is now resolved directly from GitHub.

Impact Assessment

Affected Components

The @probelabs/probe package is used throughout the Visor codebase:

  • Core AI/Agent functionality: ProbeAgent class is imported and used for AI-powered code review and analysis
  • DelegationManager: Dynamically imported in src/state-machine/context/build-engine-context.ts for concurrency control
  • MCP Provider: Used as transport for Model Context Protocol integrations
  • Version Detection: src/index.ts and scripts/inject-version.js read probe version for logging

Risk Level: Low

  • This is a minor version bump within the 0.6.0-rc release candidate series
  • The change to @nyariv/sandboxjs from npm to GitHub source is internal to the probe package
  • No breaking changes are expected in the public API surface
  • All existing imports and usage patterns remain compatible

Testing Recommendations

  • Verify AI review checks still function correctly with the new probe version
  • Confirm MCP provider integrations work as expected
  • Check that version logging displays correctly in GitHub Action runs

Architecture Context

graph TD
    A[Visor] --> B["@probelabs/probe"]
    B --> C[ProbeAgent]
    B --> D[DelegationManager]
    B --> E[MCP SDK Integration]
    B --> F["@nyariv/sandboxjs"]
    
    C --> G[AI Review Service]
    D --> H[Concurrency Control]
    E --> I[Tool Providers]
    
    style B fill:#f9f,stroke:#333,stroke-width:2px
    style F fill:#ff9,stroke:#333,stroke-width:2px

The @probelabs/probe package serves as the core AI/agent orchestration layer within Visor. The update to @nyariv/sandboxjs (now sourced from GitHub) is an internal dependency change that should not affect Visor's public API or behavior.

Metadata
  • Review Effort: 1 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-17T05:27:26.340Z | Triggered by: pr_opened | Commit: e7828a2

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs bot (Contributor, Author) commented Feb 17, 2026

Security Issues (2)

[🟢 Info] package-lock.json:6401
The integrity hash for @probelabs/probe changed from sha512-1U5HAi90sfzXi7n8MjVa/HdDvtf1Zx61euBWknxXuKQqXXgXQgR1hnHkGipksyQ8LG7Falh4hbXeKlaWuV36+Q== to sha512-E7VMN00MXni3R95Xo6O9OjX16Ws707664lJAyRPtKaTcZzFcUsC2LhFin6rY3wna1lLMFkhK0YZ+RihBplUVQg==. While this is expected for a version update, the change should be verified to ensure the new hash matches the official release.
💡 Suggestion: Verify the new integrity hash against the official @probelabs/probe v0.6.0-rc237 release on npm registry. Run: npm view @probelabs/probe@0.6.0-rc237 dist.integrity

[🟡 Warning] package-lock.json:6398
Dependency @nyariv/sandboxjs changed from npm registry version to GitHub reference (github:probelabs/SandboxJS). GitHub dependencies bypass npm's integrity verification and content-addressable storage, introducing supply chain security risks. The integrity hash is no longer verified against the npm registry, and the dependency can be changed without updating the hash.
💡 Suggestion: Pin the GitHub dependency to a specific commit hash or tag, and consider implementing a dependency pinning workflow. Alternatively, publish the package to npm registry to maintain integrity verification. Example: github:probelabs/SandboxJS#commit-hash or github:probelabs/SandboxJS#v1.0.0

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

Performance Issues (3)

[🟡 Warning] package-lock.json:6407
Transitive dependency @nyariv/sandboxjs changed from npm registry (^0.8.32) to GitHub direct reference (github:probelabs/SandboxJS). GitHub dependencies are slower to install than npm packages due to lack of CDN caching, requiring GitHub API access or git clone operations, and increased network latency. This impacts CI/CD pipeline performance and deployment times.
💡 Suggestion: Consider using a specific npm version or GitHub reference with commit hash for deterministic installs. Example: 'github:probelabs/SandboxJS#commit-hash' or revert to npm registry version with explicit version pinning.

[🟡 Warning] package-lock.json:6407
GitHub dependency reference lacks version specification (branch, tag, or commit hash). This causes non-deterministic installations where different builds may get different versions, leading to unpredictable performance characteristics and potential bugs.
💡 Suggestion: Pin to a specific commit hash, tag, or release version. Example: 'github:probelabs/SandboxJS#v1.2.3' or 'github:probelabs/SandboxJS#abc123def456' to ensure deterministic installations and consistent performance.

[🟡 Warning] package-lock.json:6407
Integrity hash removed when switching to GitHub dependency. Without integrity verification, npm cannot cache the package effectively, forcing re-downloads on every install and significantly increasing installation time.
💡 Suggestion: Use npm registry packages with integrity hashes for optimal caching. If GitHub dependency is required, consider publishing to npm registry or using a package manager that supports GitHub dependency caching.

Quality Issues (3)

[🔴 Critical] package-lock.json:6407
Critical security dependency @nyariv/sandboxjs changed from versioned npm package to unversioned GitHub reference. This breaks build reproducibility and supply chain security for a security-critical component used to execute untrusted user code.
💡 Suggestion: Pin the GitHub dependency to a specific commit SHA using the format: github:probelabs/SandboxJS#commit-sha, or preferably publish a specific version to npm and use that. The sandbox is used across multiple providers (ai-check-provider, command-check-provider, custom-tool-executor, github-ops-provider, http-client-provider, mcp-check-provider, memory-check-provider, script-check-provider) to execute untrusted code, making reproducibility essential for security auditing.
🔧 Suggested Fix:
"@nyariv/sandboxjs": "github:probelabs/SandboxJS#<specific-commit-sha>"

[🔴 Critical] package-lock.json:6407
The sandbox dependency used for executing untrusted user code is now mutable (unversioned GitHub reference). Different builds may pull different versions, making it impossible to audit or guarantee which sandbox code is running in production.
💡 Suggestion: Use a versioned dependency with commit SHA pinning: github:probelabs/SandboxJS#abc123def or publish to npm registry with semantic versioning. Document the specific commit/version in security documentation for audit trails.

[🟠 Error] package-lock.json:6407
GitHub dependency bypasses npm security audit features (npm audit, Dependabot) for a critical security component. This reduces visibility into vulnerabilities and makes automated security scanning ineffective.
💡 Suggestion: Prefer npm registry packages with semantic versioning for security-critical dependencies. If GitHub dependency is necessary, implement alternative security scanning (e.g., dependabot for GitHub dependencies, manual security reviews on commits).

Powered by Visor from Probelabs

Last updated: 2026-02-17T05:27:29.277Z | Triggered by: pr_opened | Commit: e7828a2

💡 TIP: You can chat with Visor using /visor ask <your question>

buger closed this Feb 18, 2026