Skip to content

TREK

v3.0.11 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 1mo Productivity & Wikis
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

budget-tracker collaborative opensource packing-list poi real-time
+11 more
routes self-hosted travel travel-app travel-planner traveling trip trip-planner wanderlog wanderlust webapplication

Summary

AI summary

Fixes user deletion foreign‑key errors and preserves URL hash during OIDC login.

Full changelog

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

  • Bug fixes - April 27th 2026 by @jubnl in https://github.com/mauriceboe/TREK/pull/907

Full changes:

  • fix: clean up dangling FK references before deleting a user

Resolves FOREIGN KEY constraint failed (500) on DELETE /api/admin/users/:id
and DELETE /api/auth/me when the target user had rows in trip_members.invited_by,
share_tokens.created_by, budget_items.paid_by_user_id, journeys.user_id,
journey_entries.author_id, journey_contributors.user_id, or
journey_share_tokens.created_by — none of which had ON DELETE clauses.

Introduces deleteUserCompletely() in userCleanupService.ts which wraps all
cleanup and the final DELETE FROM users in a single transaction. Both
adminService.deleteUser and authService.deleteAccount now call it instead of
the bare DELETE. Tests ADMIN-005b and AUTH-040 cover all reference types
including notification sender/recipient and notice dismissals.

  • test: extend FK deletion tests to cover journeys, files, and photos

ADMIN-005b and AUTH-040 now also seed and assert:

  • owned journey with entries (cascade-deleted via journeys.user_id cleanup)
  • trip_files.uploaded_by (SET NULL — file survives, attribution cleared)
  • trek_photos.owner_id (SET NULL — photo record survives, owner cleared)
  • trip_photos.user_id (CASCADE — photo association removed)
  • test: extend user deletion tests to cover all FK relationships

ADMIN-005b and AUTH-040 now seed and assert every user FK relationship:

CASCADE (row deleted): trips, trip_members, tags, mcp_tokens, oauth_tokens,
oauth_consents, vacay_plans, vacay_plan_members, bucket_list,
visited_countries, visited_regions, packing_templates, invite_tokens,
collab_notes, settings, password_reset_tokens, notification_channel_preferences

SET NULL (row survives, column nulled): categories, todo_items.assigned_user_id,
packing_bags, audit_log

Caught and fixed: notification_preferences was dropped in migration 72;
correct table is notification_channel_preferences.

  • fix: preserve URL hash and OIDC redirect target through login flow
  • Include location.hash in redirect param at all three producer sites
    (ProtectedRoute, axios 401 interceptor, OAuthAuthorizePage) so
    hash fragments survive the login bounce
  • Stash redirectTarget in sessionStorage before any OIDC provider
    redirect and restore it after the code exchange, since the IdP
    strips the original ?redirect= param during the roundtrip
  • Clear sessionStorage on OIDC error to avoid stale state
  • Add tests covering sessionStorage stash on mount, navigate to saved
    redirect after OIDC exchange, fallback to /dashboard, and cleanup
    on error
  • fix: use day position instead of ID for accommodation date range clamping

Math.min/Math.max over raw day IDs breaks the start/end picker when a
trip's day IDs are non-monotonic relative to day_number (normal after
repeated generateDays extend/shrink cycles). Replaced with findIndex
lookups so clamping is always based on positional order.

Closes #889

  • fix: normalize env var comparisons to be case-insensitive

All NODE_ENV, DEMO_MODE, OIDC_ONLY, FORCE_HTTPS, COOKIE_SECURE, and
ALLOW_INTERNAL_NETWORK checks now use .toLowerCase() so values like
'Production' or 'True' behave identically to their lowercase forms.
Also adds APP_VERSION to the startup banner.

  • fix: delete surplus days when shortening a trip

When shrinking a trip's date range, surplus days are now deleted along
with their assignments, notes, and accommodations (cascade). Places
remain in the trip pool; reservations keep their day reference nulled
by the existing ON DELETE SET NULL constraint (issue #909).

Updates TRIP-SVC-011 to reflect the new behaviour; adds TRIP-SVC-016
as a regression test for the empty-day case.

  • fix: auto-backup retention deletes itself and manual backups on Docker

Two bugs in cleanupOldBackups:

  1. Filter was .endsWith('.zip') — swept manual backup-.zip files too.
    Now restricted to auto-backup-     prefix.
  2. Age was derived from stat.birthtimeMs, which is 0 on overlayfs
    (Docker default), making every backup appear epoch-old and get
    deleted immediately. Age is now parsed from the filename timestamp
    and falls back to mtimeMs (reliable on overlayfs).

Also converts inline require('./services/auditLog') calls to a static
import throughout scheduler.ts, and adds 8 unit tests covering the
fixed retention logic including the overlayfs regression case.

  • test: update TRIP-024 to match delete behavior on trip shrink

  • feat: add bypass-branch-check label to skip branch enforcement

Full Changelog: https://github.com/mauriceboe/TREK/compare/v3.0.10...v3.0.11

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track TREK

Get notified when new releases ship.

Sign up free

About TREK

Real-time collaborative travel planner

All releases →

Related context

Related tools

Beta — feedback welcome: [email protected]