chore(deps): Bump the minor-and-patch group across 1 directory with 9 updates#9
Closed
dependabot[bot] wants to merge 16 commits into
Closed
chore(deps): Bump the minor-and-patch group across 1 directory with 9 updates#9dependabot[bot] wants to merge 16 commits into
dependabot[bot] wants to merge 16 commits into
Conversation
Added live app link and additional badges to README.
The repo previously tracked nothing-by-luck: node_modules, .next, and the generated public/vendor assets were only absent because of manual uploads. Standard Next.js ignores plus the generated ffmpeg assets, local test fixtures, and local tooling state. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…Dependabot - Security headers: CSP (production drops 'unsafe-eval', keeps 'wasm-unsafe-eval' for ffmpeg.wasm), nosniff, frame-ancestors 'none', Referrer-Policy, COOP, minimal Permissions-Policy. - WAV/AIFF parser hardening: chunk scanners track only the chunk IDs they read and stop once found (kills a chunk-flood memory DoS), explicit fmt/COMM bounds checks, and AIFF now rejects NaN/Infinity sample rates from the 80-bit float (`<= 0` let them through). - Deterministic fuzz suite (npm run test:fuzz, seeded, ~1,360 cases) over every untrusted-input parser, wired into npm test; parseFlacStreamInfo exported for direct fuzzing of the main-thread parser. - ffmpeg.wasm assets verified against pinned SHA-256 hashes at build time; a substituted @ffmpeg/core fails the build with forensic output. - Dependabot for npm + actions. - Dependency fixes: Next.js 16.2.2 -> 16.2.9 (high-severity advisories), plus brace-expansion/postcss; remaining postcss-in-next moderates are build-time only and documented in SECURITY.md. - SECURITY.md documents the threat model, protections, and accepted risks. - Test-audio generators for large-batch and a-law (ffmpeg-path) fixtures. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…n store - Session imports are rebuilt field-by-field from a whitelist (type checks, length/count caps, scheme-checked URLs) instead of trusting parsed JSON; malformed entries can no longer crash React (objects in notes), break exports (strings where numbers belong), or balloon memory. - normalizeSessionJob extracted so untrusted session files and persisted live-session records share one hardened validation path. - New IndexedDB live-session store: completed results auto-persist and are restored (view-only) after a refresh; records are re-validated on load. - AnalysisJob gains session-local startedAtMs/finishedAtMs timing and a restored flag. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Replaces the single sequential decoder/analyzer pair with a pool of independent lanes (decoder+analyzer worker pair each, one job per lane): - Lane count adapts to the device: up to 6 on 8GB+/many-core desktops, 1-2 on phones and low-memory devices, user-overridable (auto/1/2/4). - Very large files run alone (256 MB desktop / 96 MB constrained) so peak memory stays bounded by one decoded file; idle lanes (and any lazily loaded ffmpeg heaps) tear down after 45s of quiet. - Canceling or removing a job resets only its own lane, never a neighbour. - Decoder workers read the File handle themselves, so the main thread never holds a copy of a large file. - The analyzer reports real measurement progress; job progress is mapped, throttled, and clamped monotonic per run (decode fallback paths used to yank the bar from 78% to 42% or 46% to 3%). - Completed results autosave to the live-session store and restore on load; a screen wake lock and a beforeunload guard protect running batches; sessions restore after refresh with a notice. - Intake capped at 2000 files per add; enqueue returns the accepted count. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Native <select> popups get explicit themed option colors: Windows Chromium painted the option list on a light background while options inherited the dark theme's near-white text, making the Sort/reference/ decode dropdowns unreadable. - Mobile: safe-area insets, 44px touch targets and 16px form-control text on coarse pointers (stops iOS focus-zoom), touch-action manipulation, and pan-y on uPlot overlays so charts stop trapping page scroll. - Explicit viewport (viewport-fit=cover) with cookie-matched theme-color, and a pre-paint inline script so OS-light first-time visitors no longer see a dark flash before their preference applies. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Drag & drop is owned by the always-mounted workbench: dropping a file on the session screen used to navigate the browser away and destroy the in-memory session. Drops now work on every screen with an overlay, and dropped folders are scanned for audio (capped traversal). - Sticky toolbar shows live batch progress with a rough time-remaining estimate; per-file processing time appears in the inspector; restored jobs are badged. - Parallel-files control (auto/1/2/4) in Advanced Options, persisted; secure flag on the theme cookie over https. - Keyboard shortcuts: "/" focuses queue search, Ctrl/Cmd+O opens the file picker. Compact toolbar and 2-up summary tiles on phones; charts fit narrow screens. - Timestamped export filenames so repeated exports stop overwriting; adding only unsupported files no longer routes to an empty session. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…posture Updates the architecture, large-library, history/session, privacy, and limitations sections for parallel lanes, automatic session restore, folder drops, and the wake-lock behavior; adds a Security section linking to SECURITY.md and documents the six-harness test suite including the fuzzer. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…the core 0.12.10 ships byte-identical UMD assets to the reviewed 0.12.9 (verified by hashing a fresh npm pack of the release), so it is pinned with the same hashes. @ffmpeg/core is excluded from Dependabot's grouped updates: any bump fails the integrity gate until a human reviews and re-pins, so automated proposals for it can only ever produce red builds. Core updates are now deliberate, manual events. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Every push and PR: install (runs the ffmpeg integrity check), lint, all six validation suites including the fuzzer, production build, and npm audit failing on high-severity advisories. Kept as a separate commit: pushing workflow files requires a credential with the GitHub `workflow` scope. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Analysis exports (CSV/JSON/Markdown) were already timestamped, but the session export still downloaded as a fixed truepeak-session.truepeak.json, silently overwriting earlier saves. Session files now follow the same truepeak-session-YYYYMMDD-HHMMSS.truepeak.json pattern via a shared fileNameTimestamp helper, the suites assert the unique-name patterns for both export kinds, and the README's stale static filenames are corrected. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…lback Findings from a final three-way adversarial review pass: - The Parallel files hint described Auto behavior while a fixed count was selected; it now states the fixed count and how to return to Auto. - README still claimed "up to 4" parallel lanes (the high-memory auto cap has been 6 since the lanes landed) and called the restore storage "local storage"; corrected to 6 and IndexedDB. - Live-session autosave marked results as persisted before the IndexedDB transaction committed, so a quota-aborted write was never retried and those results silently missed the next restore. Writes now report commit status and failed batches roll their bookkeeping back to retry on the next change. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Same conventions as the README — centered badge header, honest Note up front, contents list, sentence-case sections, tables for enumerable facts, a mermaid diagram of the untrusted-input layers, and a check-it-yourself command block. Adds the enforced input caps, the full header table with what each one prevents, a what-is-stored-where table, the supply-chain ritual, and the CI/fuzz verification story. Every number and claim verified against the source. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The README was written without dash punctuation and with open compounds (true peak, measure only, view only), and later edits drifted from that. This pass removes every em dash, rewrites hyphenated compounds in prose (view only, third party, a desktop with plenty of memory), and trades the remaining showy phrasing for plain statements, in both README.md and SECURITY.md. Hyphens now appear only inside technical names like header fields, file patterns, and command flags. No facts changed. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… updates Bumps the minor-and-patch group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.7.0` | `1.24.0` | | [next](https://github.com/vercel/next.js) | `16.2.9` | `16.2.10` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.7` | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.17` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.7` | | [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` | | [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.2` | `4.3.2` | | [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `16.2.2` | `16.2.10` | Updates `lucide-react` from 1.7.0 to 1.24.0 - [Release notes](https://github.com/lucide-icons/lucide/releases) - [Commits](https://github.com/lucide-icons/lucide/commits/1.24.0/packages/lucide-react) Updates `next` from 16.2.9 to 16.2.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](vercel/next.js@v16.2.9...v16.2.10) Updates `react` from 19.2.4 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `react-dom` from 19.2.4 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom) Updates `tailwind-merge` from 3.5.0 to 3.6.0 - [Release notes](https://github.com/dcastil/tailwind-merge/releases) - [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0) Updates `@tailwindcss/postcss` from 4.2.2 to 4.3.2 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/@tailwindcss-postcss) Updates `@types/react` from 19.2.14 to 19.2.17 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react) Updates `eslint-config-next` from 16.2.2 to 16.2.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](https://github.com/vercel/next.js/commits/v16.2.10/packages/eslint-config-next) Updates `tailwindcss` from 4.2.2 to 4.3.2 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.2/packages/tailwindcss) --- updated-dependencies: - dependency-name: lucide-react dependency-version: 1.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: next dependency-version: 16.2.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: react dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: react-dom dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: tailwind-merge dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@tailwindcss/postcss" dependency-version: 4.3.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: "@types/react" dependency-version: 19.2.17 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: eslint-config-next dependency-version: 16.2.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: tailwindcss dependency-version: 4.3.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Author
|
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the minor-and-patch group with 8 updates in the / directory:
1.7.01.24.016.2.916.2.1019.2.419.2.719.2.1419.2.1719.2.419.2.73.5.03.6.04.2.24.3.216.2.216.2.10Updates
lucide-reactfrom 1.7.0 to 1.24.0Release notes
Sourced from lucide-react's releases.
... (truncated)
Commits
5ff536eci(release.yml): Fix workflow and removeversionscripts in package scripts...07c885efix(docs): fix zephyr-cloud URL in readmes50d8af5docs(readme): Update readme files (#4320)653e44bfeat(packages): use .mjs for ESM bundles (#4285)7623e23feat(docs): add Zephyr Cloud to Hero Backers tier & rework updateSponsors scr...Updates
nextfrom 16.2.9 to 16.2.10Release notes
Sourced from next's releases.
Commits
9dadfd6v16.2.10534d9c1[16.2.x] Release pipeline updates (#95160)98941fcbackport: docs fixes 16.2.x (#94935)6e1a94d[16.2.x][ci]: fix release script to not strip newlines (#94640)Updates
reactfrom 19.2.4 to 19.2.7Release notes
Sourced from react's releases.
Changelog
Sourced from react's changelog.
Commits
6117d7cVersion 19.2.7 (#36591)eaf3e95Version 19.2.623f4f9f19.2.5Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for react since your current version.
Updates
@types/reactfrom 19.2.14 to 19.2.17Commits
Updates
react-domfrom 19.2.4 to 19.2.7Release notes
Sourced from react-dom's releases.
Changelog
Sourced from react-dom's changelog.
Commits
6117d7cVersion 19.2.7 (#36591)eaf3e95Version 19.2.623f4f9f19.2.5Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for react-dom since your current version.
Updates
tailwind-mergefrom 3.5.0 to 3.6.0Release notes
Sourced from tailwind-merge's releases.
Commits
d54f7e5v3.6.0638871aUpdate README to add info about Tailwind CSS v4.3 support39fc7b5Revert "v3.6.0"bd8390fv3.6.0802877cadd v3.6.0 changeloga35fedaMerge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x940389cMerge pull request #667 from dcastil/renovate/release-drafter-release-drafter...005af6dpin to specific version5816cedimplement breaking changes17041e1Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...Updates
@tailwindcss/postcssfrom 4.2.2 to 4.3.2Release notes
Sourced from @tailwindcss/postcss's releases.
... (truncated)
Changelog
Sourced from @tailwindcss/postcss's changelog.
... (truncated)
Commits
056a1554.3.2 (#20281)8a14a714.3.1 (#20226)522288cServe ESM type declarations to ESM importers of@tailwindcss/postcss(#20228)8dcdb66Bump dependencies (#20095)588bd734.3.0 (#20023)12eb5aeCleanup noisy test output (#20015)4255671Improve snapshot tests (#20013)52f94c7Improve codebase quality (#19999)d194d4cdocs: fix various typos in comments and documentation (#19878)bfb5732Fall back to the pluginbasewhen PostCSS has nofromoption (#19980)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for
@tailwindcss/postcsssince your current version.Updates
@types/reactfrom 19.2.14 to 19.2.17Commits
Updates
eslint-config-nextfrom 16.2.2 to 16.2.10Release notes
Sourced from eslint-config-next's releases.
... (truncated)
Commits
9dadfd6v16.2.10534d9c1[16.2.x] Release pipeline updates (#95160)6e1a94d[16.2.x][ci]: fix release script to not strip newlines (#94640)f37fad9v16.2.96f16804v16.2.8411c455v16.2.7ee6e79bv16.2.6766148fv16.2.52275bd8v16.2.4d5f649bv16.2.3Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for eslint-config-next since your current version.
Updates
tailwindcssfrom 4.2.2 to 4.3.2Release notes
Sourced from tailwindcss's releases.
... (truncated)
Changelog
Sourced from tailwindcss's changelog.