TREK 3.1.0
TREK 3 — rebuilt from the inside out. A modern NestJS backend, a React 19 frontend, and an end-to-end shared Zod contract layer so the client and server can never drift. On top of that foundation: a Splitwise-style Costs rework, Passkey login, AirTrail flight sync, multi-leg flights, real road routing, a reworked dashboard, five new languages, and a comprehensive offline/PWA hardening pass.
This release also fixes 18 privately-reported security vulnerabilities — including a critical authentication bypass. Updating to 3.1.0 is strongly recommended for every self-hosted instance. See Security below.
⚠ Proxmox VE community-script users: please wait before updating to v3.1.0
v3.1.0 changes how TREK is built and run:
- the repo is now an npm workspaces monorepo (client + server + new shared package) with a single root lockfile,
- the server is now compiled (dist/) instead of run directly via tsx,
- there are new build/runtime requirements (e.g. kitinerary-extractor for booking import).
The community-scripts (https://community-scripts.org/scripts/trek) LXC helper for TREK still targets the old 3.0.x layout. If you run its Update option right now, the build will fail and may leave your container in a broken state.
What to do: stay on your current version for now. An updated script is being submitted to ProxmoxVED and will roll out to ProxmoxVE after review — we'll post here once it's live. Your data (/opt/trek/data, /opt/trek/uploads) and .env are safe in the meantime.
Docker, Unraid, Helm and manual installs are not affected.
TREK 3 — NestJS + React 19
The biggest architectural change in TREK's history. The Express backend has been migrated to NestJS, the frontend upgraded to React 19, and both halves now share a single Zod contract package as the source of truth for every request and response.
- NestJS backend — modular architecture with dependency injection, replacing the previous Express app (#1087, foundation harness #1050)
- React 19 frontend — upgraded across the whole client
- Shared Zod contracts — one typed, validated schema package consumed by both client and server, so API shapes stay in lockstep
- Monorepo build pipeline — `shared` is now a properly built package; i18n moved into it so every surface reads from one translation set (#1056, #1066)
- Pilot-then-migrate — the cutover started with a single module (`/api/weather`) to prove the harness before the full migration (#1053)
Migrations run automatically on startup — no manual steps.
Security — Update Strongly Recommended
This release closes 18 vulnerabilities disclosed through coordinated private reporting. They range from a critical authentication bypass down to low-severity hardening. All self-hosted instances should update to 3.1.0.
Critical
| Advisory | Issue |
|---|---|
| GHSA-mjh4-w6fq-54qm | MFA bypass — the pre-2FA mfa_token was accepted as a full session token (JWT purpose confusion) |
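
The critical entry above describes a token that was valid for one step (password checked, second factor still pending) being accepted as a full session, so the MFA step became optional. The following TypeScript is an added illustration of that bug class and of the fix, not TREK's code: a shared HS256 verifier, a consumer that treats any server-signed token as a session, and a consumer that additionally requires a `purpose` claim and a password-version claim. The second check is the same mechanism that addresses the "password change did not invalidate existing sessions" entry under Medium below. The claim names `purpose` and `pwd_ver`, the `pwdVersion` field, and the sample secret are assumptions of the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Claims = Record<string, unknown>;

const enc = (s: string): string => Buffer.from(s).toString("base64url");
const dec = (s: string): Buffer => Buffer.from(s, "base64url");

// Minimal HS256 signer, enough to exercise the claim-level checks below.
export function signJwt(claims: Claims, secret: string): string {
  const header = enc(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = enc(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${sig.toString("base64url")}`;
}

// Signature and expiry only; returns the claims or null. Both consumers below
// share this step. The difference is what they accept afterwards.
export function verifyJwt(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = dec(s);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const parse = (part: string): Claims | null => {
    try {
      const v = JSON.parse(dec(part).toString("utf8"));
      return v && typeof v === "object" ? (v as Claims) : null;
    } catch {
      return null;
    }
  };
  const header = parse(h);
  const claims = parse(p);
  if (!header || !claims) return null;
  if (header.alg !== "HS256") return null; // pin the algorithm we sign with
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

export interface UserRecord {
  pwdVersion: number; // assumed counter, bumped whenever the password changes
}

// Vulnerable pattern: any token this server signed is a session, including the
// short-lived one issued before the second factor. The pre-2FA token therefore
// works as a full login.
export function sessionUserVulnerable(token: string, secret: string): string | null {
  const c = verifyJwt(token, secret);
  return c && typeof c.sub === "string" ? c.sub : null;
}

// Hardened: the token must state what it is for, and it must have been issued
// for the user's current password version. Changing the password bumps the
// version and every older session token stops verifying.
export function sessionUserHardened(
  token: string,
  secret: string,
  users: Map<string, UserRecord>,
): string | null {
  const c = verifyJwt(token, secret);
  if (!c || c.purpose !== "session" || typeof c.sub !== "string") return null;
  const user = users.get(c.sub);
  if (!user || c.pwd_ver !== user.pwdVersion) return null;
  return c.sub;
}
```

The pre-2FA token should carry its own purpose value (here `mfa_pending`) and be accepted only by the endpoint that completes the second factor; every other authenticated route goes through the hardened check. Using the signing key alone as the access decision is what makes the two tokens interchangeable.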
High
| Advisory | Issue |
|---|---|
| GHSA-fvgw-r58q-4cw4 | OIDC account takeover — an SSO identity could be linked to an existing local account without email_verified |
| GHSA-627x-pmfq-98qv | SQL injection via unvalidated column names in journey entry update |
Medium
| Advisory | Issue |
|---|---|
| GHSA-xmqx-m462-52qr | OIDC login CSRF / session fixation — state was not bound to the initiating browser |
| GHSA-6vv9-669j-468p | Arbitrary file deletion under /uploads via attacker-controlled trip cover_image |
| GHSA-mggj-xgv8-95fp | MCP share-link tools let a non-owner member mint a public trip share link |
| GHSA-jx25-7cj6-88hq | Cross-trip IDOR — budget member paid-flag toggle not scoped to the trip |
| GHSA-p7pv-2jpm-qjx3 | Journey share permission flags (timeline/gallery/map) enforced only client-side |
| GHSA-pfr2-fgv9-q5xv | Stored HTML injection via reservation endpoint labels rendered into map markers |
| GHSA-h66w-m5g2-cqpc | Path traversal in the public journey photo proxy (local provider) reads auth-gated uploads |
| GHSA-3frp-pcr3-w932 | Stored HTML injection via journey entry story in the PDF export |
| GHSA-24x9-fcj9-vp6w | IDOR in the journey photo proxy — a share token resolves arbitrary asset IDs |
| GHSA-6f5j-xgjg-h9q7 | MCP tools bypass the admin-configurable RBAC permission system |
| GHSA-rrrf-7cf6-8736 | A settings password change did not invalidate existing sessions / tokens |
| GHSA-f5vh-p2h5-x735 | Blind SSRF via unvalidated redirect-following in Google/Naver list import and Maps URL resolution |
| GHSA-mx6m-qxv8-w624 | IDOR — any authenticated user could read another user's journey share token (full journey leak) |
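
Two of the entries above are the same mistake in different places: a path fragment the client controls (a trip's `cover_image`, a photo asset name requested through the public proxy) is joined onto the uploads directory and then deleted or read without checking that the result is still inside that directory. The following TypeScript is an added example of the confinement check a practitioner would want, not TREK's code. The `covers/` subdirectory and the file-name pattern for generated cover images are assumptions of the example.

```typescript
import { posix } from "node:path";

// Resolve a client-supplied relative path against an uploads root and refuse
// anything that escapes it. Returns the absolute path or null.
export function resolveUploadPath(uploadsRoot: string, requested: string): string | null {
  // NUL bytes can truncate the path in lower layers; reject them outright.
  if (requested.includes("\0")) return null;
  const root = posix.resolve(uploadsRoot);
  const target = posix.resolve(root, requested); // an absolute input replaces root here
  const rel = posix.relative(root, target);
  // "" is the root itself; ".." or "../x" means the input climbed out of root.
  // A name like "..x" inside root is legitimate, so test the separator too.
  if (rel === "" || rel === ".." || rel.startsWith(".." + posix.sep) || posix.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Stricter check for a stored reference such as a trip cover_image: the value
// the app saved should be a bare file name of the shape the app itself
// generates (this pattern is an assumption for the example), never a path. A
// delete-old-cover step then cannot be pointed at other users' files or at
// anything outside covers/.
const COVER_NAME = /^[a-f0-9]{32}\.(jpe?g|png|webp)$/i;

export function coverImageDeletePath(uploadsRoot: string, coverImage: string): string | null {
  if (!COVER_NAME.test(coverImage)) return null;
  return resolveUploadPath(posix.join(uploadsRoot, "covers"), coverImage);
}
```

The same `resolveUploadPath` serves the photo-proxy case, with the root set to the directory the share is allowed to expose rather than the whole uploads tree; an asset that resolves outside that root is a 404, not a read of auth-gated files.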
Low
| Advisory | Issue |
|---|---|
| GHSA-w6f3-fp9r-xp6p | Admin backup restore extracted archives without a decompression-size limit (zip bomb) |
| GHSA-g8rf-gqrw-4qf9 | Stored cross-user HTML injection via trip title in the Journey suggestion banner |
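
The backup-restore entry above is the classic decompression bomb: a few kilobytes of highly compressible input inflate to gigabytes and exhaust memory or disk before any content check runs. As an added example (not TREK's restore code, and simplified to a single gzip stream rather than a full archive), the following TypeScript shows the output cap Node's `zlib` convenience methods provide, plus a compression-ratio check that a restore routine can apply per entry before inflating anything.

```typescript
import { gzipSync, gunzipSync } from "node:zlib";

// Inflate a gzip payload but refuse to produce more than maxBytes of output.
// Node's convenience methods take maxOutputLength and throw a RangeError with
// code ERR_BUFFER_TOO_LARGE once the limit is crossed, so decompression stops
// early instead of filling memory.
export function gunzipBounded(compressed: Buffer, maxBytes: number): Buffer | null {
  try {
    return gunzipSync(compressed, { maxOutputLength: maxBytes });
  } catch (err) {
    if ((err as { code?: string }).code === "ERR_BUFFER_TOO_LARGE") return null;
    throw err; // corrupt input is a different failure and should surface
  }
}

// Constructed sample input: 4 MiB of zeros compresses to a few KiB, the shape
// of a decompression bomb.
export function makeBomb(inflatedBytes: number = 4 * 1024 * 1024): Buffer {
  return gzipSync(Buffer.alloc(inflatedBytes, 0));
}

// Cheap pre-check from archive metadata: a declared uncompressed size more
// than maxRatio times the compressed size is suspicious on its own. The
// ratio of 100 is an assumption for the example; real backups sit far below it.
export function ratioOk(compressedBytes: number, inflatedBytes: number, maxRatio: number = 100): boolean {
  return inflatedBytes <= compressedBytes * maxRatio;
}
```

A restore path should enforce three independent limits: total inflated bytes, bytes per entry, and number of entries. Any one of them alone can be worked around by shaping the archive differently.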
Reported through coordinated private disclosure by @bytejmp, @tonghuaroot, @therawdev, and @shukla304. Thank you for reporting these responsibly.
Costs — Splitwise-Style Expense Splitting
Budget has been reworked into Costs: a proper shared-expense tracker built for group trips.
- Splitwise-style splitting — record who paid and split a cost across trip members, with running per-person balances
- Settle up — one-tap minimal-transfer settlement with persisted history and undo
- Multi-currency — log expenses in any currency (#551)
- Multi-payer support — costs aren't tied to a single payer
- Fixed categories — a consistent category set for cleaner reporting
- Mobile-first — redesigned for phone use end to end
Passkey (WebAuthn) Login
- Passwordless sign-in — register a passkey and log in with Face ID / Touch ID / a security key (#297, #1111)
- WebAuthn standard — platform and roaming authenticators supported
- Coexists with existing auth — passkeys sit alongside password, SSO, and MFA
Authentication
- Remember me option — a Remember me checkbox on the login screen extends the session expiry (#1189)
AirTrail Integration
Two-way flight sync with AirTrail (#214, #1158).
- Import flights — pull your flight history from AirTrail into TREK
- Two-way sync — flights flow in both directions and stay aligned
- Reservation-aware — imported flights land as transport reservations
Planner & Maps
- Real road routes (OSRM) — when route display is enabled, day routes follow actual roads with travel-time connectors instead of straight-line estimates; the hidden route-calculation setting is gone, so enabled routes always use real road geometry (#1060, #1064)
- Multi-leg (layover) flights — model connecting flights with layovers as a single booking (#872, #1146)
- Reorder whole days + insert a day — drag entire days around and insert a new day into a trip (#589, #1148)
- Explore places on the map — discover and add points of interest (OpenStreetMap / Overpass) directly from the planner map; instance-wide Mapbox token support (#1147)
- More transport types — bus, taxi, bicycle, ferry and others (#1105)
- Richer imported places — list-imported places are enriched via the Places API (#886, #1161)
- Route optimization around accommodation + confirm-before-delete on notes (#1123)
- Category-coloured markers — map marker borders reflect the place's category colour (#1062)
- Mobile route tools — planner route tools are reachable from the mobile day-plan sheet (#1142)
Reservations
- Native booking-confirmation import — drop in a booking confirmation and TREK extracts the details via KDE KItinerary (#1102)
Dashboard Rework
- Boarding-pass hero — the next trip rendered as a boarding-pass-style hero card (#1079)
- Atlas row & live widgets — visited-countries row, upcoming reservations, and travel stats (country / distance) on the dashboard
- Mobile glass UI — frosted-glass styling and a context-aware bottom navigation
- OIDC PKCE — PKCE on the OIDC login flow
Packing
- Weight × quantity — bag and total weight calculations multiply item weight by quantity (#898)
- More bag colours — sub-bags stop repeating colours (#1156)
- Per-item quantity on bulk import — bulk import respects each item's quantity (#1157)
Internationalization
- Five new languages — Japanese, Korean, Turkish, Ukrainian, and Greek (#829, #977, #1029, #1055, #1061, #1075)
- i18n in the shared package — all locales now live in `shared` and are consumed by every surface (#1066)
Offline & PWA Overhaul
A focused hardening pass on the offline-first PWA, closing a series of sync, cache, and data-isolation issues.
- Hardened sync — temporary IDs are remapped on flush, ID collisions are prevented, and failed mutations are surfaced instead of lost (#1175)
- Reconnect re-hydration — the active trip store re-hydrates on reconnect / coming back online, and trip-scoped slices reset and hydrate uniformly in `loadTrip` (#1180, #1181, #1184)
- Offline tiles for real trips — offline map tiles now cover the actual trip area with a coherent cap and zoom-clamp (#1177)
- Bounded blob cache — the offline blob cache is scoped, evicted, and capped; place-photo caches no longer grow unbounded; Dexie is used as a fallback when a network read fails (#1178, #1179, #1174, H2/H3)
- Idempotency for multi-day offline — idempotency-key TTL lengthened so it survives being offline for days (#1182)
- Realtime dedup — corrected `assignment:created` echo de-duplication (#1183)
- Persistent storage — offline storage is persisted and the Mapbox offline policy is honoured (#1184, #1058)
- Security: cross-user offline data leak — fixed an offline data leak between users on a shared device (#1176)
Fixes & Hardening
- Batched bug fixes — Atlas regions, planner overlays, imports, Safari modals, and more across several rounds (#1094, #1139, #1145, #1155)
- Backend/frontend hardening & consistency cleanups (#1113)
- Journey — PhotoLightbox z-index above the mobile entry view (#1101)
- Various — 2FA autofocus, viewer-timezone times on shared views, duplicate-place guard (#1159)
- Map/planner/dashboard polish plus small community-requested features (#1155)
- Self-hosted fonts — app fonts switched to self-hosted Poppins / Geist, dropping the Google Fonts CDN dependency (#1106)
Contributors
Thanks to everyone who contributed to 3.1.0:
- @mauriceboe
- @jubnl
- @Dkafetzis
- @Larinel
- @SkyLostTR
- @gzor
- @jufy111
- @ppuassi
- @rossanorbr
- @sharkpaw
- @soma3978
And to the security researchers who reported responsibly: @bytejmp, @tonghuaroot, @therawdev, @shukla304.
Stats
| Metric | Value |
|---|---|
| Commits | 58 |
| Merged PRs | 45+ |
| Files changed | 1,750 |
| Lines added | 138,000+ |
| Contributors | 11 |
Upgrading
```shell
docker pull mauriceboe/trek:3.1.0
docker compose up -d
```
Migrations run automatically on startup. No manual steps required.
Security: because 3.1.0 fixes a critical authentication bypass and 17 other vulnerabilities, updating promptly is strongly recommended.