github mauriceboe/TREK v2.5.1
v2.5.1 — Security & Backup Fix

one month ago

Security Hardening

  • JWT Secret: The docker-compose default is now empty, so the server auto-generates a secret on start instead of running with a predictable one
  • OIDC: Token passed via URL fragment instead of query param (no longer in server logs/browser history)
  • SVG Upload blocked: Photos, files and covers now reject SVG uploads (stored XSS prevention)
  • Helmet: Added security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
  • Body limit: Explicit 100kb JSON body size limit
  • XSS fix: Escaped image_url in Leaflet map marker HTML
  • WebSocket: Removed verbose debug logging from client
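An added example, not TREK's own code, of the escaping behind the "XSS fix" bullet: the unescaped marker template beside a hardened one that HTML-escapes image_url and the title before the string is handed to Leaflet's bindPopup(), which renders raw HTML. The photo field names and the Leaflet call are assumptions.

```javascript
// Added example (not TREK's code): Leaflet popup HTML with user-controlled
// values escaped before interpolation. bindPopup() renders raw HTML, so an
// unescaped image_url read from the database is rendered as markup.

// Escape the five characters that matter in HTML text and attribute values.
// Ampersand must be replaced first so already-escaped output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before" shape: values dropped straight into the template string.
function markerHtmlUnsafe(photo) {
  return `<div class="marker"><img src="${photo.image_url}" alt="${photo.title}"></div>`;
}

// "After" shape: every interpolated value is escaped, and attributes are
// double-quoted so an escaped value cannot terminate them.
function markerHtmlSafe(photo) {
  return `<div class="marker"><img src="${escapeHtml(photo.image_url)}" alt="${escapeHtml(photo.title)}"></div>`;
}

// Constructed sample record (assumed shape): an image_url containing a
// double quote that would end the src attribute if left unescaped.
const samplePhoto = {
  image_url: 'https://example.invalid/cover.jpg" data-x="',
  title: 'Trip <2024> & "friends"',
};

// With Leaflet loaded this would be used as:
//   L.marker([lat, lng]).bindPopup(markerHtmlSafe(photo));
```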

Backup Restore Fix

  • Critical: Fixed permanent server crash after backup restore — DB connection now always reopens via try/finally
  • EBUSY fix: Uploads are now restored in place instead of via rmSync (which failed with EBUSY because express.static held the directory open)
  • DB proxy: Added null guard for clearer error messages during restore window

Restore Warning Modal

  • Red warning popup before restoring a backup (replaces browser confirm())
  • Explains that all data will be permanently replaced
  • Tip to create a backup before restoring
  • Supports DE/EN and dark mode

Demo Banner

  • Fixed i18n for demo login button (was hardcoded German)
  • Fixed icon alignment in addon list
  • Added addon management & OIDC to full version features
