This release adds 1 notable feature for engineering teams evaluating rollout.
Published 1mo
Productivity & Wikis
✓ No known CVEs patched
✓ No known CVEs patched in this version
Topics
budget-tracker
collaborative
opensource
packing-list
poi
real-time
+11 more
routes
self-hosted
travel
travel-app
travel-planner
traveling
trip
trip-planner
wanderlog
wanderlust
webapplication
Affected surfaces
auth
deps
Summary
AI summaryFixed packingService returning incomplete avatar paths and added documented HSTS_INCLUDE_SUBDOMAINS env var.
Full changelog
What's Changed
- fix: hot fixes 23-04-2026 by @jubnl in https://github.com/mauriceboe/TREK/pull/856
Full detail:
- Budget: Category rename was a no-op due to using bracket notation on a `Map`. Fixed by using `Map.get()` to properly retrieve the existing entry before updating.
- Packing: `packingService` was returning raw avatar filenames from the DB instead of full `/uploads/avatars/` paths, causing broken profile images for users with uploaded avatars.
- Referrer-Policy: Helmet's default `no-referrer` replaced with `strict-origin-when-cross-origin`. Privacy-preserving (cross-origin requests receive only the origin, never path/query) while allowing services that validate by HTTP referrer (e.g. Google Maps API key restrictions) to work correctly.
- Docs: `HSTS_INCLUDE_SUBDOMAINS` was implemented but undocumented. Added to `.env.example`, `docker-compose.yml`, `README.md`, `unraid-template.xml`, Helm chart values and configmap, and wiki.
- Planner: `loadBudgetItems` was not called on trip page mount, so the Budget category dropdown in the booking/transport dialogs showed only "Auto (from booking type)" until the Budget tab was visited. Categories now prefetch alongside reservations on mount.
- Reservations: When `reservation_end_time` held a bare time string ("HH:MM"), `fmtDate()` produced "Invalid Date" on the reservation card. Modal now constructs a same-day ISO datetime using the start date when end date is blank but end time is filled (prevents time-only strings from ever being persisted). Panel derives `endDatePart` via regex so date-only end values still show the multi-day range while bare time strings are skipped correctly.
- Planner (end time display): `DayPlanSidebar` was interpolating `reservation_end_time` as a raw string in the reservation badge (no format call). `DayDetailPanel`'s `fmtTime` wrapped `formatTime12` which expects `HH:MM` and returns the raw value for ISO datetime strings, causing `2026-05-10T20:15` to appear where only `20:15` should show. Both now use `toLocaleTimeString` with an ISO-vs-time-only guard.
- Mobile Route toggle (#850): The per-booking Route icon (activates flight/train/car/cruise overlays on the map) was invisible on mobile — the mobile `DayPlanSidebar` invocation was missing `visibleConnectionIds` and `onToggleConnection` props. Mobile PWA users had to force desktop mode to access it. Props are now passed, sharing the same per-trip `localStorage`-backed state as the desktop sidebar. Also corrects `wiki/Map-Features.md`: fixes the setting name ("Booking route labels"), documents the `route_calculation` prerequisite for travel-time pills, and clarifies that overlays are off by default.
Related Issue or Discussion
- Closes #855
- Closes #854
- Closes #862
- Closes #861
- Closes #860
- Closes #859
Full Changelog: https://github.com/mauriceboe/TREK/compare/v3.0.7...v3.0.8
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Beta — feedback welcome: [email protected]