TREK

v3.0.18 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 24d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

budget-tracker collaborative opensource packing-list poi real-time

+11 more

routes self-hosted travel travel-app travel-planner traveling trip trip-planner wanderlog wanderlust webapplication

Affected surfaces

auth

Summary

AI summary

Patches a timing‑side‑channel vulnerability that enabled user enumeration during login.

Full changelog

⚠️ Security release — update recommended

This release patches a security vulnerability. If you are running any version prior to v3.0.18, updating is recommended.

A security advisory will be published shortly. In the meantime, see PR #984 for technical details.

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

Security

fix(security): equalise login response timing to prevent user enumeration via timing side-channel (CWE-203, CWE-208) — [#984](https://github.com/mauriceboe/TREK/pull/984) by @jubnl

Bug fixes

fix: align public share itinerary order with daily planner — [#983](https://github.com/mauriceboe/TREK/issues/983) / [#985](https://github.com/mauriceboe/TREK/pull/985)
fix: shift owner vacancy entries when update_trip moves the trip window — [#983](https://github.com/mauriceboe/TREK/issues/983)

Full Changelog: https://github.com/mauriceboe/TREK/compare/v3.0.17...v3.0.18

Security Fixes

fix(security): equalise login response timing to prevent user enumeration via timing side-channel (CWE-203, CWE-208)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track TREK

Get notified when new releases ship.

About TREK

Real-time collaborative travel planner

All releases →