Download Latest Version
v2.7.2 -- Critical Security Update source code.tar.gz (10.0 MB)
Get an email when there's a new version of TREK
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-03-27 | 1.4 kB | |
| v2.6.1 -- TypeScript Migration _ Security Hardening source code.tar.gz | 2026-03-27 | 7.1 MB | |
| v2.6.1 -- TypeScript Migration _ Security Hardening source code.zip | 2026-03-27 | 7.2 MB | |
| Totals: 3 Items | 14.3 MB | 0 | |
What's Changed
TypeScript Migration
- Complete migration from JavaScript to TypeScript (131 files, 0 JS remaining)
- Zero
anytypes — fully typed codebase with shared interfaces - Typed Zustand stores, Express routes, React components, and hooks
Code Refactoring
- Monolithic tripStore (863 lines) split into 8 focused domain slices
- Custom hooks extracted from god-components (useResizablePanels, useRouteCalculation, useTripWebSocket, usePlaceSelection, useDayNotes)
- Server: service layer, shared query helpers, tripAccess middleware
- 10 dead code files removed (~2000 lines)
- Magic numbers replaced with named constants
Security Fixes (26 issues resolved)
- Critical: Uploads path traversal protection, file upload type filtering, npm install --ignore-scripts
- High: SSRF protection with DNS resolution, OIDC auth code flow (JWT no longer in URL), CSP enabled, rate limiting on password change + backup, trust proxy support
- Medium: Input length validation, API key masking in responses, HTTPS redirect, rate limiter cleanup, file upload race condition fix
- Low: Password complexity requirements, bcrypt rounds 10→12, JWT payload minimized, cache size limits
Upgrade Notes
- No breaking changes — existing Docker volumes, databases, and configurations work as-is
docker pull mauriceboe/nomad:latestand restart- Password change now requires current password (UI updated accordingly)
