chore: update @probelabs/probe to v0.6.0-rc238 #371

Closed
probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc238

probelabs bot commented Feb 17, 2026

This PR updates @probelabs/probe to version v0.6.0-rc238.

Triggered by release: probelabs/probe@v0.6.0-rc238

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc238

🤖 Auto-generated by release workflow

probelabs bot commented Feb 17, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc238

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc238. This is a dependency update triggered by the probelabs/probe release workflow.

Files Changed

  • package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc238
  • package-lock.json: Updated the locked version and integrity hash for @probelabs/probe

Key Changes in Dependency

The diff shows a notable change in the probe package's dependency tree:

  • @nyariv/sandboxjs: Changed from npm package version 0.8.33 to a GitHub reference github:probelabs/SandboxJS

This change suggests the probe package has migrated from the npm-registered version of @nyariv/sandboxjs to a direct GitHub dependency, likely for faster iteration or to incorporate changes not yet published to npm.

Architecture & Impact Assessment

What This PR Accomplishes

  • Updates the core AI agent library (@probelabs/probe) to the latest release candidate
  • Brings in bug fixes, performance improvements, and new features from the probe library

Key Technical Changes

  1. Dependency Substitution: The probe package now references @nyariv/sandboxjs from GitHub instead of npm registry
  2. Version Bump: Incremental update from rc233 to rc238 (5 release candidates worth of changes)

Affected System Components

Based on code analysis, @probelabs/probe is used extensively throughout the codebase:

  • src/ai-review-service.ts: Main consumer - uses ProbeAgent and ProbeAgentOptions for AI-powered code review
  • src/session-registry.ts: Manages ProbeAgent session lifecycle
  • src/utils/tracer-init.ts: Initializes telemetry/tracing from probe
  • src/state-machine/context/build-engine-context.ts: Dynamically loads DelegationManager from probe
  • src/utils/diff-processor.ts: References probe binary path
  • src/index.ts: Displays probe version in CLI output
  • scripts/inject-version.js: Extracts probe version for display

Component Relationships

graph TD
    A[Visor] --> B["@probelabs/probe"]
    B --> C[ProbeAgent]
    B --> D[DelegationManager]
    B --> E[SimpleTelemetry]
    B --> F["@nyariv/sandboxjs"]
    
    C --> G[AI Review Service]
    C --> H[Session Registry]
    E --> I[Tracer Initialization]
    
    style F fill:#f9f,stroke:#333,stroke-width:2px
    style F stroke-dasharray: 5 5

The dashed border on @nyariv/sandboxjs indicates the change in dependency source (npm → GitHub).

Scope Discovery & Context Expansion

Immediate Impact

  • AI Review Functionality: The ProbeAgent class is central to AI-powered code review; any behavioral changes in probe could affect review quality, performance, or output format
  • Session Management: Session cloning and reuse features depend on probe's internal state management
  • Telemetry/Tracing: Debug artifact generation relies on probe's SimpleTelemetry and SimpleAppTracer classes

Related Files to Verify

For comprehensive validation, reviewers should check:

  1. Tests: tests/unit/concurrency-limiter.test.ts (imports DelegationManager from probe)
  2. Mocks: __mocks__/@probelabs/probe.ts (may need updates if probe API changed)
  3. Configuration: Jest config maps probe imports to mocks

Potential Risks

  • API Compatibility: If probe introduced breaking changes between rc233 and rc238, the ProbeAgentOptions interface or method signatures may have changed
  • SandboxJS GitHub Dependency: Using a GitHub dependency instead of npm can introduce instability (commits can be force-pushed, tags can change)
  • Mock Compatibility: The mock implementation in __mocks__/@probelabs/probe.ts may not reflect new probe features

Recommendations for Reviewers

  1. Check probe changelog: Review the release notes between rc233 and rc238 for breaking changes
  2. Verify SandboxJS change: Understand why the dependency moved to GitHub and assess stability implications
  3. Test AI review flows: Run code review checks to ensure ProbeAgent integration still works correctly
  4. Verify session reuse: Test session cloning functionality if used in your workflows
  5. Check telemetry: Confirm debug artifacts are still generated correctly

Review Effort & Labels

  • Review Effort: 2/5 - Low to moderate. This is a dependency update with minimal code changes, but requires verification of integration points.
  • Label: chore - This is a routine dependency maintenance update.

Metadata

  • Review Effort: 2 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-17T06:46:52.497Z | Triggered by: pr_opened | Commit: 4d88ce7

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs bot commented Feb 17, 2026

Security Issues (2)

Severity Location Issue
🟡 Warning package-lock.json:6398
The @probelabs/probe dependency has changed its @nyariv/sandboxjs subdependency from the official npm registry package (version 0.8.33) to a GitHub repository reference (github:probelabs/SandboxJS). This change bypasses npm's integrity verification mechanism, as GitHub dependencies don't support the same cryptographic verification as registry packages. The new integrity hash (sha512-nVgWG0Tuft6Oy5aWwcWrREuWmGgoRl1shR7bGyoRekH1d+ty+kmu8PL4d0MCkgJpergK2is5yRLYBYKedf9tUA==) cannot be verified against a published npm release.
💡 Suggestion:
  1. Verify that probelabs/SandboxJS is a trusted repository owned by the probe team.
  2. Check if there's a specific commit hash or tag being referenced (the diff shows no commit pinning).
  3. Consider pinning to a specific commit hash rather than a branch for reproducibility.
  4. Review the SandboxJS repository for security practices before deploying to production.
  5. Monitor for any official npm release that replaces this GitHub dependency.
🟡 Warning package.json:105
The @probelabs/probe dependency update from v0.6.0-rc233 to v0.6.0-rc238 includes a subdependency change where @nyariv/sandboxjs now references a GitHub repository instead of npm registry. This affects the supply chain security posture as GitHub dependencies lack npm's integrity verification and may introduce different code than what was previously vetted.
💡 Suggestion: Review the security implications of using GitHub-hosted dependencies. Ensure the probelabs/SandboxJS repository is actively maintained and has proper security controls. Consider implementing additional CI/CD checks to verify the integrity of GitHub-sourced dependencies.

Architecture Issues (1)

Severity Location Issue
🟠 Error package-lock.json:6407
@probelabs/probe nested dependency changed @nyariv/sandboxjs from pinned npm version (^0.8.32) to unpinned GitHub URL (github:probelabs/SandboxJS). This creates version inconsistency with the direct dependency in package.json which uses a pinned commit (github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9). Unpinned GitHub URLs compromise build reproducibility and could resolve to different versions over time.
💡 Suggestion: The @probelabs/probe package should pin the @nyariv/sandboxjs GitHub dependency to a specific commit hash (e.g., github:probelabs/SandboxJS#<commit-hash>) to ensure reproducible builds and avoid version mismatches with the direct dependency. Alternatively, consider using an npm registry version if available.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (5)

Severity Location Issue
🟠 Error package-lock.json:6398
The @probelabs/probe dependency update changes @nyariv/sandboxjs from a pinned npm version (^0.8.32) to an unpinned GitHub reference (github:probelabs/SandboxJS). This breaks reproducible builds and can cause unexpected breaking changes as the dependency will always install the latest commit on the default branch.
💡 Suggestion: Pin the GitHub dependency to a specific commit hash to ensure reproducible builds. For example: github:probelabs/SandboxJS#commit-hash. The current package.json already uses a pinned commit (f1c13b8eee98734a8ea024061eada4aa9a9ff2e9), so ensure the transitive dependency from @probelabs/probe is also pinned.
🟢 Info package-lock.json:6434
The nested node_modules/@probelabs/probe/node_modules/@nyariv/sandboxjs entry was removed. This changes the dependency resolution strategy and could affect how the sandboxjs module is resolved at runtime.
💡 Suggestion: Test all sandbox-dependent functionality to ensure the module resolution still works correctly. Pay special attention to tests in tests/unit/sandbox-js-syntax.test.ts which validate sandbox execution features.
🟡 Warning package-lock.json:6410
GitHub dependencies are less reliable than npm registry packages. They can fail due to network issues, rate limiting, or repository unavailability. This is especially problematic for CI/CD pipelines and production deployments.
💡 Suggestion: Consider publishing @nyariv/sandboxjs to npm registry with proper semantic versioning, or ensure the GitHub reference includes a specific commit hash and implement fallback mechanisms for installation failures.
🟡 Warning package-lock.json:6398
The integrity hash changed from sha512-1U5HAi90sfzXi7n8MjVa/HdDvtf1Zx61euBWknxXuKQqXXgXQgR1hnHkGipksyQ8LG7Falh4hbXeKlaWuV36+Q== to sha512-nVgWG0Tuft6Oy5aWwcWrREuWmGgoRl1shR7bGyoRekH1d+ty+kmu8PL4d0MCkgJpergK2is5yRLYBYKedf9tUA==. While this is expected for a version update, the change from npm to GitHub dependency means the integrity verification mechanism may not work as expected.
💡 Suggestion: Verify that the new integrity hash is correct and that npm's integrity verification works with GitHub dependencies. Consider using npm package lock features like 'lockfileVersion' 3 for better security.
🟡 Warning package.json:105
The @probelabs/probe dependency now includes @nyariv/sandboxjs as a GitHub dependency. This transitive dependency change affects multiple providers (ai-check-provider, command-check-provider, custom-tool-executor, mcp-check-provider, memory-check-provider, script-check-provider) that rely on sandboxjs for secure JavaScript execution.
💡 Suggestion: Review the sandboxjs usage across all providers to ensure compatibility with the GitHub version. Add integration tests to verify sandbox functionality works correctly with the new dependency source.

Powered by Visor from Probelabs

Last updated: 2026-02-17T06:46:55.153Z | Triggered by: pr_opened | Commit: 4d88ce7

💡 TIP: You can chat with Visor using /visor ask <your question>
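
A CI check of the kind the review comments above suggest, as an added example that is not part of this PR or of the Visor/probe code: it walks the `packages` map of an npm lockfile (v2/v3) and reports git-sourced dependency specs that lack a full commit SHA, plus the commit each git-resolved package was frozen at. The function name, the sample lockfile and its 40-character commit are constructed for illustration.

```javascript
// Added example (not from the PR): audit an npm lockfile for git-sourced packages.
const GIT_SPEC = /^(github:|gitlab:|bitbucket:|git\+|git:\/\/)/;
const FULL_SHA = /#([0-9a-f]{40})$/i;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> "b"; the "" key is the root project.
    const owner = path === "" ? "(root)" : path.replace(/^.*node_modules\//, "");
    // Declared specs: what a re-resolution (lockfile regenerated) would request.
    for (const field of DEP_FIELDS) {
      for (const [name, spec] of Object.entries(pkg[field] || {})) {
        if (GIT_SPEC.test(spec) && !FULL_SHA.test(spec)) {
          findings.push({ kind: "unpinned-spec", owner, name, spec });
        }
      }
    }
    // Installed entries fetched from git: report the commit the lockfile froze.
    if (typeof pkg.resolved === "string" && GIT_SPEC.test(pkg.resolved)) {
      const m = FULL_SHA.exec(pkg.resolved);
      findings.push({ kind: "git-resolved", owner, commit: m ? m[1] : null });
    }
  }
  return findings;
}

// Constructed sample in lockfile v3 shape; the commit is a placeholder, not a real SHA.
const PLACEHOLDER_SHA = "a".repeat(40);
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: {
      "@probelabs/probe": "^0.6.0-rc238",
      "@nyariv/sandboxjs": `github:probelabs/SandboxJS#${PLACEHOLDER_SHA}`,
    } },
    "node_modules/@probelabs/probe": {
      version: "0.6.0-rc238",
      dependencies: { "@nyariv/sandboxjs": "github:probelabs/SandboxJS" },
    },
    "node_modules/@nyariv/sandboxjs": {
      resolved: `git+ssh://git@github.com/probelabs/SandboxJS.git#${PLACEHOLDER_SHA}`,
    },
  },
};

console.log(auditLockfile(sampleLock));
```

An `unpinned-spec` finding means the commit is fixed only by the lockfile's `resolved` entry, so regenerating the lockfile can silently move it; a CI job can fail on any such finding and diff the `git-resolved` commits against an allowlist.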

@buger buger closed this Feb 18, 2026