
TREK

v2.6.1 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 2mo Productivity & Wikis
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

budget-tracker collaborative opensource packing-list poi real-time routes self-hosted travel travel-app travel-planner traveling trip trip-planner wanderlog wanderlust webapplication

Affected surfaces

auth rce_ssrf deps

Summary

AI summary

Security fixes addressing path traversal, SSRF, OIDC JWT handling, CSP, rate limiting, and bcrypt round increase.

Full changelog

What's Changed

TypeScript Migration

  • Complete migration from JavaScript to TypeScript (131 files, 0 JS remaining)
  • Zero any types — fully typed codebase with shared interfaces
  • Typed Zustand stores, Express routes, React components, and hooks

Code Refactoring

  • Monolithic tripStore (863 lines) split into 8 focused domain slices
  • Custom hooks extracted from god-components (useResizablePanels, useRouteCalculation, useTripWebSocket, usePlaceSelection, useDayNotes)
  • Server: service layer, shared query helpers, tripAccess middleware
  • 10 dead code files removed (~2000 lines)
  • Magic numbers replaced with named constants

Security Fixes (26 issues resolved)

  • Critical: Uploads path traversal protection, file upload type filtering, npm install --ignore-scripts
  • High: SSRF protection with DNS resolution, OIDC auth code flow (JWT no longer in URL), CSP enabled, rate limiting on password change + backup, trust proxy support
  • Medium: Input length validation, API key masking in responses, HTTPS redirect, rate limiter cleanup, file upload race condition fix
  • Low: Password complexity requirements, bcrypt rounds 10→12, JWT payload minimized, cache size limits
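The two highest-severity items above (uploads path traversal protection and SSRF protection with DNS resolution) name techniques without showing them. The following is an added illustration of how those checks are commonly implemented in a TypeScript/Node backend of the kind this project uses; it is not code from the TREK repository, and the upload root, the allowed-extension list and the function names are assumptions made for the example.

```typescript
import * as path from "node:path";
import * as net from "node:net";
import { promises as dns } from "node:dns";

// Hypothetical upload directory; the project's real path is not shown on the page.
export const UPLOAD_ROOT = path.resolve("/srv/app/uploads");

// Hypothetical allow-list for the "file upload type filtering" item.
const ALLOWED_EXTENSIONS = new Set([".jpg", ".jpeg", ".png", ".gif", ".webp"]);

export function isAllowedUpload(filename: string): boolean {
  return ALLOWED_EXTENSIONS.has(path.extname(filename).toLowerCase());
}

// Resolve a client-supplied name inside the upload root. Returns null when the
// resolved path is the root itself or escapes it ("../etc/passwd", "/etc/passwd"),
// or when the name carries a NUL byte that could truncate the path in a C library.
export function resolveUploadPath(root: string, requested: string): string | null {
  if (requested.includes("\0")) return null;
  const base = path.resolve(root);
  const target = path.resolve(base, requested);
  // Comparing against base + separator rejects sibling directories that merely
  // share the prefix, e.g. "/srv/app/uploads2".
  if (target === base || !target.startsWith(base + path.sep)) return null;
  return target;
}

// --- SSRF guard: classify addresses, then resolve hostnames before fetching ---

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inV4Range(ip: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Non-public IPv4 ranges a server-side fetch must never reach: "this network",
// RFC 1918, CGNAT, loopback, link-local (cloud metadata lives here), multicast, reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

export function isPublicAddress(ip: string): boolean {
  const kind = net.isIP(ip);
  if (kind === 4) return !BLOCKED_V4.some(([base, bits]) => inV4Range(ip, base, bits));
  if (kind === 6) {
    const v6 = ip.toLowerCase();
    // IPv4-mapped addresses (::ffff:10.0.0.1) are judged by their IPv4 part.
    const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isPublicAddress(mapped[1]);
    if (v6 === "::" || v6 === "::1") return false;     // unspecified, loopback
    if (/^f[cd]/.test(v6)) return false;               // fc00::/7 unique local
    if (/^fe[89ab]/.test(v6)) return false;            // fe80::/10 link-local
    return true;
  }
  return false; // not an IP literal at all (e.g. "localhost")
}

// Resolve a hostname and reject it if ANY answer is non-public, so a record that
// mixes public and private addresses cannot slip through. Returns the vetted
// addresses; the caller should connect to one of these rather than re-resolving,
// otherwise a second lookup (DNS rebinding) can return a different answer.
export async function assertPublicHost(hostname: string): Promise<string[]> {
  if (net.isIP(hostname)) {
    if (!isPublicAddress(hostname)) throw new Error(`blocked address: ${hostname}`);
    return [hostname];
  }
  const answers = await dns.lookup(hostname, { all: true });
  if (answers.length === 0 || answers.some((a) => !isPublicAddress(a.address))) {
    throw new Error(`blocked host: ${hostname}`);
  }
  return answers.map((a) => a.address);
}
```

The address classifier is deliberately conservative: an unparseable string is treated as non-public, and an IPv4-mapped IPv6 literal is unwrapped before the check so that `::ffff:127.0.0.1` cannot bypass the IPv4 rules. Pairing `assertPublicHost` with a client that pins the returned address is what turns a DNS check into an actual SSRF mitigation.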

Upgrade Notes

  • No breaking changes — existing Docker volumes, databases, and configurations work as-is
  • docker pull mauriceboe/nomad:latest and restart
  • Password change now requires current password (UI updated accordingly)

Security Fixes

  • Critical: Added path traversal protection, file upload type filtering, and npm install --ignore-scripts enforcement.
  • High: Implemented SSRF protection via DNS resolution checks, removed JWT from OIDC auth code URL, enabled CSP, added rate limiting on password change/backup, and supported trust proxy settings.


About TREK

Real-time collaborative travel planner
