v3.0.21

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• v3.0.21 Bug Fixes by @jubnl in #998

Details

• fix(journey): remove photo upload count limit and surface upload errors (#997)
• fix(planner): remove correct assignment when place assigned to same day multiple times
• fix(map): enable 3D terrain for Mapbox outdoors style in trip planner
• fix(maps): send Referer header on Google API calls when APP_URL is set

Full Changelog: v3.0.20...v3.0.21

v3.0.20

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

Hot fix

• fix CSP: HEIC conversion failed due to CSP config

Full Changelog: v3.0.19...v3.0.20

v3.0.19

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• v3.0.19 Bug Fixes by @jubnl in #992

Detail

• fix(mcp): replace relative oauth constent redirect by absolute redirect derived from APP_URL
• feat(journey): convert HEIC/HEIF uploads to JPEG for cross-platform compatibility
• fix(journey): skip heic-to import for non-HEIC files to avoid test env failures
• fix(notifications): prevent double-escaping HTML in password reset emails

Full Changelog: v3.0.18...v3.0.19

v3.0.18

⚠️ Security release — update recommended

This release patches a security vulnerability. If you are running any version prior to v3.0.18, updating is recommended.

A security advisory will be published shortly. In the meantime, see PR #984 for technical details.

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

---

What's Changed

Security

• fix(security): equalise login response timing to prevent user enumeration via timing side-channel (CWE-203, CWE-208) — [#984](#984) by @jubnl

Bug fixes

• fix: align public share itinerary order with daily planner — [#983](#983) / [#985](#985)
• fix: shift owner vacancy entries when update_trip moves the trip window — [#983](#983)

---

Full Changelog: v3.0.17...v3.0.18

v3.0.17

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• fix: prevent Invalid URL crash when APP_URL lacks a protocol by @jubnl in #972

Full Changelog: v3.0.16...v3.0.17

v3.0.16

Important

Service Worker Update Required
This release includes changes to the service worker. Before using TREK, you must either:
Unregister the existing service worker (DevTools → Application → Service Workers → Unregister)
Or hard-refresh your browser: Ctrl+F5 / Ctrl+Shift+R
If you have TREK installed as a PWA, please reinstall it after clearing the cache to ensure the updated service worker is active.

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• v3.0.16 — bug fixes by @jubnl in #964

Details

• fix(mcp): MCP RFC compliant for more strict clients
• fix(mcp): serve flat /.well-known/oauth-protected-resource for ChatGPT reconnect
• fix(mcp): fix OAuth popup blank page — SW denylist and COOP header
• fix(ntfy): encode non-Latin-1 header values with RFC 2047 to prevent ByteString crash
• docs(mcp): document Cloudflare bot detection blocking ChatGPT MCP requests
• fix(pwa): detect upstream proxy auth challenges and recover gracefully
• fix(files): add bottom-nav padding to files tab wrapper on mobile
• fix(budget): expose toolbar on mobile so users can add budget categories
• chore: remove committed build artifacts from server/public
• chore: add build-from-sources script

Full Changelog: v3.0.15...v3.0.16

v3.0.15

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• Wiki: add budget documentation GIFs and minor fix by @tranko1 in #948
• fix: add APP_VERSION fallback and HOST bind address env var (#952 #953) by @jubnl in #955

New Contributors

• @tranko1 made their first contribution in #948

Full Changelog: v3.0.14...v3.0.15

v3.0.14

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• Bug fixes - May 2nd 2026 by @jubnl in #941

Details

• fix: collab chat input hidden by mobile bottom nav bar (#939)
• chore: prepare database for nest + typeorm
• fix(ssrf): relax internal network resolution (#947)
• docs(ssrf): update Internal-Network-Access wiki to reflect relaxed guard
• fix(ssrf): let .local/.internal hostnames pass to IP-level checks
• fix(auth): trim username and email on all write paths
• feat(notices): add v3014-whitespace-collision admin notice

Full Changelog: v3.0.13...v3.0.14

v3.0.13

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• Bug fixes - April 30th 2026 by @jubnl in #936

Details:

• fix: hotel day-range clamping in ReservationModal + stale assignment_id on accommodation clear (issues #929, #934)
• fix: preserve line breaks and wrap long URLs in notes fields (#930)
• fix: delete linked budget item when accommodation or reservation is deleted (#933)
• fix: restore scroll position in mobile Plan and Places sidebars on reopen (issue #932)
• fix(map): prevent auto zoom-out when opening/closing place inspector (issue #921)
• fix: translate mobile bottom-nav tab labels (issue #931)

Full Changelog: v3.0.12...v3.0.13

v3.0.12

How to update: https://github.com/mauriceboe/TREK/wiki/Updating

What's Changed

• Bug fixes - April 28th 2026 by @jubnl in #915

Details:

• fix: replace raw day-ID range checks with position-based helper (issue #889 follow-up)
• fix: non-transport reservations no longer appear as transports in day planner (issue #914)
• feat: add file attachment support to TransportModal (issue #918)

Full Changelog: v3.0.11...v3.0.12