Skip to content

chore(deps): Bump actions/checkout from 4 to 7#6

Closed
dependabot[bot] wants to merge 16 commits into
mainfrom
dependabot/github_actions/actions/checkout-7
Closed

chore(deps): Bump actions/checkout from 4 to 7#6
dependabot[bot] wants to merge 16 commits into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown

Bumps actions/checkout from 4 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

rsvptr and others added 16 commits May 30, 2026 01:11
Added live app link and additional badges to README.
The repo previously tracked nothing-by-luck: node_modules, .next, and the
generated public/vendor assets were only absent because of manual uploads.
Standard Next.js ignores plus the generated ffmpeg assets, local test
fixtures, and local tooling state.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…Dependabot

- Security headers: CSP (production drops 'unsafe-eval', keeps
  'wasm-unsafe-eval' for ffmpeg.wasm), nosniff, frame-ancestors 'none',
  Referrer-Policy, COOP, minimal Permissions-Policy.
- WAV/AIFF parser hardening: chunk scanners track only the chunk IDs they
  read and stop once found (kills a chunk-flood memory DoS), explicit
  fmt/COMM bounds checks, and AIFF now rejects NaN/Infinity sample rates
  from the 80-bit float (`<= 0` let them through).
- Deterministic fuzz suite (npm run test:fuzz, seeded, ~1,360 cases) over
  every untrusted-input parser, wired into npm test; parseFlacStreamInfo
  exported for direct fuzzing of the main-thread parser.
- ffmpeg.wasm assets verified against pinned SHA-256 hashes at build time;
  a substituted @ffmpeg/core fails the build with forensic output.
- Dependabot for npm + actions.
- Dependency fixes: Next.js 16.2.2 -> 16.2.9 (high-severity advisories),
  plus brace-expansion/postcss; remaining postcss-in-next moderates are
  build-time only and documented in SECURITY.md.
- SECURITY.md documents the threat model, protections, and accepted risks.
- Test-audio generators for large-batch and a-law (ffmpeg-path) fixtures.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…n store

- Session imports are rebuilt field-by-field from a whitelist (type checks,
  length/count caps, scheme-checked URLs) instead of trusting parsed JSON;
  malformed entries can no longer crash React (objects in notes), break
  exports (strings where numbers belong), or balloon memory.
- normalizeSessionJob extracted so untrusted session files and persisted
  live-session records share one hardened validation path.
- New IndexedDB live-session store: completed results auto-persist and are
  restored (view-only) after a refresh; records are re-validated on load.
- AnalysisJob gains session-local startedAtMs/finishedAtMs timing and a
  restored flag.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Replaces the single sequential decoder/analyzer pair with a pool of
independent lanes (decoder+analyzer worker pair each, one job per lane):

- Lane count adapts to the device: up to 6 on 8GB+/many-core desktops,
  1-2 on phones and low-memory devices, user-overridable (auto/1/2/4).
- Very large files run alone (256 MB desktop / 96 MB constrained) so peak
  memory stays bounded by one decoded file; idle lanes (and any lazily
  loaded ffmpeg heaps) tear down after 45s of quiet.
- Canceling or removing a job resets only its own lane, never a neighbour.
- Decoder workers read the File handle themselves, so the main thread
  never holds a copy of a large file.
- The analyzer reports real measurement progress; job progress is mapped,
  throttled, and clamped monotonic per run (decode fallback paths used to
  yank the bar from 78% to 42% or 46% to 3%).
- Completed results autosave to the live-session store and restore on
  load; a screen wake lock and a beforeunload guard protect running
  batches; sessions restore after refresh with a notice.
- Intake capped at 2000 files per add; enqueue returns the accepted count.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Native <select> popups get explicit themed option colors: Windows
  Chromium painted the option list on a light background while options
  inherited the dark theme's near-white text, making the Sort/reference/
  decode dropdowns unreadable.
- Mobile: safe-area insets, 44px touch targets and 16px form-control text
  on coarse pointers (stops iOS focus-zoom), touch-action manipulation,
  and pan-y on uPlot overlays so charts stop trapping page scroll.
- Explicit viewport (viewport-fit=cover) with cookie-matched theme-color,
  and a pre-paint inline script so OS-light first-time visitors no longer
  see a dark flash before their preference applies.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Drag & drop is owned by the always-mounted workbench: dropping a file on
  the session screen used to navigate the browser away and destroy the
  in-memory session. Drops now work on every screen with an overlay, and
  dropped folders are scanned for audio (capped traversal).
- Sticky toolbar shows live batch progress with a rough time-remaining
  estimate; per-file processing time appears in the inspector; restored
  jobs are badged.
- Parallel-files control (auto/1/2/4) in Advanced Options, persisted;
  secure flag on the theme cookie over https.
- Keyboard shortcuts: "/" focuses queue search, Ctrl/Cmd+O opens the file
  picker. Compact toolbar and 2-up summary tiles on phones; charts fit
  narrow screens.
- Timestamped export filenames so repeated exports stop overwriting;
  adding only unsupported files no longer routes to an empty session.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…posture

Updates the architecture, large-library, history/session, privacy, and
limitations sections for parallel lanes, automatic session restore, folder
drops, and the wake-lock behavior; adds a Security section linking to
SECURITY.md and documents the six-harness test suite including the fuzzer.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…the core

0.12.10 ships byte-identical UMD assets to the reviewed 0.12.9 (verified by
hashing a fresh npm pack of the release), so it is pinned with the same
hashes. @ffmpeg/core is excluded from Dependabot's grouped updates: any bump
fails the integrity gate until a human reviews and re-pins, so automated
proposals for it can only ever produce red builds. Core updates are now
deliberate, manual events.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Every push and PR: install (runs the ffmpeg integrity check), lint, all
six validation suites including the fuzzer, production build, and
npm audit failing on high-severity advisories.

Kept as a separate commit: pushing workflow files requires a credential
with the GitHub `workflow` scope.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Analysis exports (CSV/JSON/Markdown) were already timestamped, but the
session export still downloaded as a fixed truepeak-session.truepeak.json,
silently overwriting earlier saves. Session files now follow the same
truepeak-session-YYYYMMDD-HHMMSS.truepeak.json pattern via a shared
fileNameTimestamp helper, the suites assert the unique-name patterns for
both export kinds, and the README's stale static filenames are corrected.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…lback

Findings from a final three-way adversarial review pass:

- The Parallel files hint described Auto behavior while a fixed count was
  selected; it now states the fixed count and how to return to Auto.
- README still claimed "up to 4" parallel lanes (the high-memory auto cap
  has been 6 since the lanes landed) and called the restore storage
  "local storage"; corrected to 6 and IndexedDB.
- Live-session autosave marked results as persisted before the IndexedDB
  transaction committed, so a quota-aborted write was never retried and
  those results silently missed the next restore. Writes now report
  commit status and failed batches roll their bookkeeping back to retry
  on the next change.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Same conventions as the README — centered badge header, honest Note up
front, contents list, sentence-case sections, tables for enumerable facts,
a mermaid diagram of the untrusted-input layers, and a check-it-yourself
command block. Adds the enforced input caps, the full header table with
what each one prevents, a what-is-stored-where table, the supply-chain
ritual, and the CI/fuzz verification story. Every number and claim
verified against the source.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The README was written without dash punctuation and with open compounds
(true peak, measure only, view only), and later edits drifted from that.
This pass removes every em dash, rewrites hyphenated compounds in prose
(view only, third party, a desktop with plenty of memory), and trades the
remaining showy phrasing for plain statements, in both README.md and
SECURITY.md. Hyphens now appear only inside technical names like header
fields, file patterns, and command flags. No facts changed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 19, 2026
@vercel

vercel Bot commented Jun 19, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
truepeak Ready Ready Preview, Comment Jun 19, 2026 2:35pm

@dependabot @github

dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-7 branch July 11, 2026 16:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant