chore: update @probelabs/probe to v0.6.0-rc245

[probelabs]

This PR updates @probelabs/probe to version v0.6.0-rc245.

Triggered by release: probelabs/probe@v0.6.0-rc245

Changes

• Updates @probelabs/probe dependency to v0.6.0-rc245

🤖 Auto-generated by release workflow

[probelabs]

PR Overview: Update @probelabs/probe to v0.6.0-rc245

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc245. This is a dependency version bump auto-generated by the release workflow.

Files Changed

• package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc245
• package-lock.json: Updated the locked version and integrity hash for @probelabs/probe

Key Changes in Dependency

The update includes a notable transitive dependency change:

• @nyariv/sandboxjs switched from npm registry version ^0.8.32 (locked at 0.8.33) to a GitHub reference: github:probelabs/SandboxJS

This change suggests the SandboxJS dependency is now being pulled directly from the probelabs fork/repository rather than the public npm registry, which may contain unreleased fixes or modifications specific to Probe Labs' needs.

Architecture & Impact Assessment

Affected Components

The @probelabs/probe package is used throughout the codebase:

1. AI Review Service (src/ai-review-service.ts): Imports ProbeAgent and ProbeAgentOptions for AI-powered code review functionality

2. Session Registry (src/session-registry.ts): Uses ProbeAgent for session management

3. Diff Processor (src/utils/diff-processor.ts): Uses the extract utility from probe

4. Tracer Initialization (src/utils/tracer-init.ts): Dynamically imports probe for telemetry/tracing functionality, using SimpleTelemetry and SimpleAppTracer classes

5. Test Files: Multiple test files mock @probelabs/probe for unit and E2E testing

Impact Scope

• Low Risk: This is a version bump within the same release candidate series (0.6.0-rc)
• No Breaking Changes Expected: The update maintains the same major/minor version
• Transitive Dependency Change: The SandboxJS GitHub reference change should be monitored for any runtime differences

Component Relationship

graph TD
    A[Visor Application] --> B[AI Review Service]
    A --> C[Session Registry]
    A --> D[Diff Processor]
    A --> E[Tracer Initialization]
    
    B --> F["@probelabs/probe"]
    C --> F
    D --> F
    E --> F
    
    F --> G["@nyariv/sandboxjs"]
    
    style F fill:#f9f,stroke:#333,stroke-width:2px
    style G fill:#ff9,stroke:#333,stroke-width:2px

Loading

Review Notes

• Verify that the GitHub-hosted @nyariv/sandboxjs dependency resolves correctly during installation
• Consider running the test suite to ensure no regressions from the probe version update
• The change from npm to GitHub for SandboxJS may affect installation behavior in air-gapped or restricted network environments

Labels

• Type: chore - Dependency version update
• Review Effort: 1 (trivial) - Standard dependency bump with no code changes required

Metadata

• Review Effort: 1 / 5
• Primary Label: chore

---

Powered by Visor from Probelabs

Last updated: 2026-02-18T08:34:03.947Z | Triggered by: pr_opened | Commit: 33b50b3

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

Security Issues (1)

Severity	Location	Issue
🟡 Warning	package-lock.json:6407	Dependency @nyariv/sandboxjs changed from npm registry version 0.8.33 to GitHub reference 'github:probelabs/SandboxJS'. This introduces supply chain security risks: GitHub dependencies bypass npm's security auditing, lack immutable versioning, and can change without warning. The integrity hash is also removed, making tamper detection impossible. 💡 Suggestion Pin the GitHub dependency to a specific commit SHA to ensure reproducibility and enable integrity verification. Consider using 'github:probelabs/SandboxJS#commit-sha' format or publishing to npm registry with proper integrity hashes. 🔧 Suggested Fix "@nyariv/sandboxjs": "github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9"

Architecture Issues (2)

Severity	Location	Issue
🟢 Info	package-lock.json:6407	The nested @nyariv/sandboxjs dependency (version 0.8.33) has been removed from @probelabs/probe's node_modules. This changes the dependency resolution strategy from using npm registry packages to GitHub-hosted packages, which may affect downstream consumers that rely on the nested dependency structure. 💡 Suggestion Verify that all code importing @nyariv/sandboxjs (found in src/utils/sandbox.ts and multiple providers) continues to work correctly with the GitHub-hosted version. Test sandbox execution features thoroughly.
🟡 Warning	package-lock.json:6398	The @probelabs/probe dependency now references @nyariv/sandboxjs from GitHub (github:probelabs/SandboxJS) instead of the npm registry. This introduces a non-standard dependency resolution that bypasses npm's semantic versioning and integrity verification. GitHub dependencies can break build reproducibility and make dependency resolution less reliable across different environments and CI/CD pipelines. 💡 Suggestion Consider publishing @nyariv/sandboxjs to npm registry with proper semantic versioning, or pin the GitHub dependency to a specific commit hash to ensure reproducibility. The current reference without a commit hash is particularly risky.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (4)

Severity	Location	Issue
🟡 Warning	package-lock.json:6407	Transitive dependency @nyariv/sandboxjs changed from npm package (^0.8.32) to unpinned GitHub reference (github:probelabs/SandboxJS) without commit hash. This compromises build reproducibility - the dependency could change over time as the repository updates. 💡 Suggestion The GitHub reference should include a specific commit hash (e.g., github:probelabs/SandboxJS#commit-hash) to ensure reproducible builds. This is a transitive dependency from @probelabs/probe, so the fix should be made in that package's dependencies.
🟡 Warning	package.json:100	Direct dependency on @nyariv/sandboxjs uses a pinned commit hash (#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9), while the transitive dependency from @probelabs/probe now points to the same repository without a commit hash. This creates potential for version conflicts and inconsistent behavior. 💡 Suggestion Ensure both the direct dependency and the transitive dependency reference the same commit hash to avoid potential version mismatches. Consider coordinating with @probelabs/probe maintainers to pin the transitive dependency to a specific commit.
🟡 Warning	package-lock.json:6398	Dependency update from rc233 to rc245 lacks test coverage to verify compatibility. The existing unit tests mock @probelabs/probe, so they don't validate that the new version works correctly with the actual dependency. 💡 Suggestion Add integration tests that verify the actual @probelabs/probe dependency works correctly after version updates. Consider adding smoke tests that call real ProbeAgent methods to catch breaking changes in dependency updates.
🟡 Warning	package.json:105	No E2E tests exist to validate that the @probelabs/probe v0.6.0-rc245 update maintains compatibility with existing AI review functionality. Unit tests use mocks and won't catch runtime incompatibilities. 💡 Suggestion Add E2E tests that exercise the full AI review flow with the actual @probelabs/probe dependency. This would catch breaking API changes, schema incompatibilities, or behavioral differences between versions.

---

Powered by Visor from Probelabs

Last updated: 2026-02-18T08:34:07.564Z | Triggered by: pr_opened | Commit: 33b50b3

💡 TIP: You can chat with Visor using /visor ask <your question>