
chore: update @probelabs/probe to v0.6.0-rc245 #377

Closed
probelabs[bot] wants to merge 1 commit into main from update-probe-v0.6.0-rc245


@probelabs probelabs bot commented Feb 18, 2026

This PR updates @probelabs/probe to version v0.6.0-rc245.

Triggered by release: probelabs/probe@v0.6.0-rc245

Changes

  • Updates @probelabs/probe dependency to v0.6.0-rc245

🤖 Auto-generated by release workflow


probelabs bot commented Feb 18, 2026

PR Overview: Update @probelabs/probe to v0.6.0-rc245

Summary

This PR updates the @probelabs/probe dependency from version 0.6.0-rc233 to 0.6.0-rc245. This is a dependency version bump auto-generated by the release workflow.

Files Changed

  • package.json: Updated @probelabs/probe version constraint from ^0.6.0-rc233 to ^0.6.0-rc245
  • package-lock.json: Updated the locked version and integrity hash for @probelabs/probe

Key Changes in Dependency

The update includes a notable transitive dependency change:

  • @nyariv/sandboxjs switched from npm registry version ^0.8.32 (locked at 0.8.33) to a GitHub reference: github:probelabs/SandboxJS

This change suggests the SandboxJS dependency is now being pulled directly from the probelabs fork/repository rather than the public npm registry, which may contain unreleased fixes or modifications specific to Probe Labs' needs.

Architecture & Impact Assessment

Affected Components

The @probelabs/probe package is used throughout the codebase:

  1. AI Review Service (src/ai-review-service.ts): Imports ProbeAgent and ProbeAgentOptions for AI-powered code review functionality

  2. Session Registry (src/session-registry.ts): Uses ProbeAgent for session management

  3. Diff Processor (src/utils/diff-processor.ts): Uses the extract utility from probe

  4. Tracer Initialization (src/utils/tracer-init.ts): Dynamically imports probe for telemetry/tracing functionality, using SimpleTelemetry and SimpleAppTracer classes

  5. Test Files: Multiple test files mock @probelabs/probe for unit and E2E testing

Impact Scope

  • Low Risk: This is a version bump within the same release candidate series (0.6.0-rc)
  • No Breaking Changes Expected: The update maintains the same major/minor version
  • Transitive Dependency Change: The SandboxJS GitHub reference change should be monitored for any runtime differences

Component Relationship

graph TD
    A[Visor Application] --> B[AI Review Service]
    A --> C[Session Registry]
    A --> D[Diff Processor]
    A --> E[Tracer Initialization]
    
    B --> F["@probelabs/probe"]
    C --> F
    D --> F
    E --> F
    
    F --> G["@nyariv/sandboxjs"]
    
    style F fill:#f9f,stroke:#333,stroke-width:2px
    style G fill:#ff9,stroke:#333,stroke-width:2px


Review Notes

  • Verify that the GitHub-hosted @nyariv/sandboxjs dependency resolves correctly during installation
  • Consider running the test suite to ensure no regressions from the probe version update
  • The change from npm to GitHub for SandboxJS may affect installation behavior in air-gapped or restricted network environments

Labels

  • Type: chore - Dependency version update
  • Review Effort: 1 (trivial) - Standard dependency bump with no code changes required

Metadata

  • Review Effort: 1 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-02-18T08:34:03.947Z | Triggered by: pr_opened | Commit: 33b50b3

💡 TIP: You can chat with Visor using /visor ask <your question>


probelabs bot commented Feb 18, 2026

Security Issues (1)

Severity: 🟡 Warning
Location: package-lock.json:6407
Issue: Dependency @nyariv/sandboxjs changed from npm registry version 0.8.33 to GitHub reference 'github:probelabs/SandboxJS'. This introduces supply chain security risks: GitHub dependencies bypass npm's security auditing, lack immutable versioning, and can change without warning. The integrity hash is also removed, making tamper detection impossible.
💡 Suggestion: Pin the GitHub dependency to a specific commit SHA to ensure reproducibility and enable integrity verification. Consider using 'github:probelabs/SandboxJS#commit-sha' format or publishing to npm registry with proper integrity hashes.
🔧 Suggested Fix:
"@nyariv/sandboxjs": "github:probelabs/SandboxJS#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9"

Architecture Issues (2)

Severity: 🟢 Info
Location: package-lock.json:6407
Issue: The nested @nyariv/sandboxjs dependency (version 0.8.33) has been removed from @probelabs/probe's node_modules. This changes the dependency resolution strategy from using npm registry packages to GitHub-hosted packages, which may affect downstream consumers that rely on the nested dependency structure.
💡 Suggestion: Verify that all code importing @nyariv/sandboxjs (found in src/utils/sandbox.ts and multiple providers) continues to work correctly with the GitHub-hosted version. Test sandbox execution features thoroughly.

Severity: 🟡 Warning
Location: package-lock.json:6398
Issue: The @probelabs/probe dependency now references @nyariv/sandboxjs from GitHub (github:probelabs/SandboxJS) instead of the npm registry. This introduces a non-standard dependency resolution that bypasses npm's semantic versioning and integrity verification. GitHub dependencies can break build reproducibility and make dependency resolution less reliable across different environments and CI/CD pipelines.
💡 Suggestion: Consider publishing @nyariv/sandboxjs to npm registry with proper semantic versioning, or pin the GitHub dependency to a specific commit hash to ensure reproducibility. The current reference without a commit hash is particularly risky.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (4)

Severity: 🟡 Warning
Location: package-lock.json:6407
Issue: Transitive dependency @nyariv/sandboxjs changed from npm package (^0.8.32) to unpinned GitHub reference (github:probelabs/SandboxJS) without commit hash. This compromises build reproducibility - the dependency could change over time as the repository updates.
💡 Suggestion: The GitHub reference should include a specific commit hash (e.g., github:probelabs/SandboxJS#commit-hash) to ensure reproducible builds. This is a transitive dependency from @probelabs/probe, so the fix should be made in that package's dependencies.

Severity: 🟡 Warning
Location: package.json:100
Issue: Direct dependency on @nyariv/sandboxjs uses a pinned commit hash (#f1c13b8eee98734a8ea024061eada4aa9a9ff2e9), while the transitive dependency from @probelabs/probe now points to the same repository without a commit hash. This creates potential for version conflicts and inconsistent behavior.
💡 Suggestion: Ensure both the direct dependency and the transitive dependency reference the same commit hash to avoid potential version mismatches. Consider coordinating with @probelabs/probe maintainers to pin the transitive dependency to a specific commit.

Severity: 🟡 Warning
Location: package-lock.json:6398
Issue: Dependency update from rc233 to rc245 lacks test coverage to verify compatibility. The existing unit tests mock @probelabs/probe, so they don't validate that the new version works correctly with the actual dependency.
💡 Suggestion: Add integration tests that verify the actual @probelabs/probe dependency works correctly after version updates. Consider adding smoke tests that call real ProbeAgent methods to catch breaking changes in dependency updates.

Severity: 🟡 Warning
Location: package.json:105
Issue: No E2E tests exist to validate that the @probelabs/probe v0.6.0-rc245 update maintains compatibility with existing AI review functionality. Unit tests use mocks and won't catch runtime incompatibilities.
💡 Suggestion: Add E2E tests that exercise the full AI review flow with the actual @probelabs/probe dependency. This would catch breaking API changes, schema incompatibilities, or behavioral differences between versions.


Last updated: 2026-02-18T08:34:07.564Z | Triggered by: pr_opened | Commit: 33b50b3


@buger buger closed this Feb 18, 2026
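
The lockfile conditions flagged in the review above (a git-hosted spec with no commit SHA, an installed entry with no integrity hash, and the same package requested through differing git specs) can be checked mechanically. The following is an added example, not code from this PR, from Visor or from Probe; `auditLock` and its finding kinds are hypothetical names, and the sample lockfile is constructed from the package names, specs and SHA quoted in the comments.

```javascript
// Added example (not from the PR): audit the "packages" map of a parsed
// package-lock.json (lockfileVersion 2/3) for the issues the review raises.
const GIT_SPEC = /^(github:|gitlab:|bitbucket:|git\+|git:\/\/)/;
const FULL_SHA = /#[0-9a-f]{40}$/i;

function auditLock(lock) {
  const findings = [];
  const specsByName = new Map(); // dependency name -> set of git specs requesting it
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    const isRoot = path === '';
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(isRoot ? pkg.devDependencies : {}) };
    for (const [name, spec] of Object.entries(deps)) {
      if (!GIT_SPEC.test(spec)) continue;
      if (!specsByName.has(name)) specsByName.set(name, new Set());
      specsByName.get(name).add(spec);
      // A branch, tag or bare repo reference can move; only a full SHA is fixed.
      if (!FULL_SHA.test(spec)) {
        findings.push({ kind: 'unpinned-git-spec', name, spec, requester: path || '(root)' });
      }
    }
    // Installed entries (not the root project, not workspace links) without a hash.
    if (!isRoot && !pkg.link && !pkg.integrity) {
      findings.push({ kind: 'no-integrity', path, resolved: pkg.resolved || null });
    }
  }
  for (const [name, specs] of specsByName) {
    if (specs.size > 1) findings.push({ kind: 'mixed-git-specs', name, specs: [...specs].sort() });
  }
  return findings;
}

// Constructed sample lockfile; only the package names, specs and SHA come from the PR.
const SHA = 'f1c13b8eee98734a8ea024061eada4aa9a9ff2e9';
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@nyariv/sandboxjs': `github:probelabs/SandboxJS#${SHA}`,
                          '@probelabs/probe': '^0.6.0-rc245' } },
    'node_modules/@nyariv/sandboxjs': {
      resolved: `git+ssh://git@github.com/probelabs/SandboxJS.git#${SHA}` }, // constructed URL
    'node_modules/@probelabs/probe': {
      version: '0.6.0-rc245', integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
      dependencies: { '@nyariv/sandboxjs': 'github:probelabs/SandboxJS' } },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

Run in CI against the real `package-lock.json` (parsed with `JSON.parse`), a non-empty result can fail the build before an unpinned reference is merged.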