Trek_CN/server/package.json

73 lines
1.9 KiB
JSON
Raw Normal View History

{
v2.6.2 — TREK Rebrand, OSM Enrichment, File Management, Hotel Bookings & Bug Fixes Rebrand: - NOMAD → TREK branding across all UI, translations, server, PWA manifest - New TREK logos (dark/light, with/without icon) - Liquid glass toast notifications Bugs Fixed: - HTTPS redirect now opt-in only (FORCE_HTTPS=true), fixes #33 #43 #52 #54 #55 - PDF export "Tag" fallback uses i18n, fixes #15 - Vacay sharing color collision detection, fixes #25 - Backup settings import fix (PR #47) - Atlas country detection uses smallest bounding box, fixes #31 - JPY and zero-decimal currencies formatted correctly, fixes #32 - HTML lang="en" instead of hardcoded "de", fixes #34 - Duplicate translation keys removed - setSelectedAssignmentId crash fixed New Features: - OSM enrichment: Overpass API for opening hours, Wikimedia Commons for photos - Reverse geocoding on map right-click to add places - OIDC config via environment variables (OIDC_ISSUER, OIDC_CLIENT_ID, etc.), fixes #48 - Multi-arch Docker build (ARM64 + AMD64), fixes #11 - File management: star, trash/restore, upload owner, assign to places/bookings, notes - Markdown rendering in Collab Notes with expand modal, fixes #17 - Type-specific booking fields (flight: airline/number/airports, hotel: check-in/out/days, train: number/platform/seat), fixes #35 - Hotel bookings auto-create accommodations, bidirectional sync - Multiple hotels per day with check-in/check-out color coding - Ko-fi and Buy Me a Coffee support cards - GitHub releases proxy with server-side caching
2026-03-28 23:38:08 +08:00
"name": "trek-server",
"version": "3.0.17",
"main": "src/index.ts",
"scripts": {
"start": "node --import tsx src/index.ts",
"dev": "tsx watch src/index.ts",
"test": "vitest run",
"test:watch": "vitest",
"test:unit": "vitest run tests/unit",
"test:integration": "vitest run tests/integration",
"test:ws": "vitest run tests/websocket",
"test:coverage": "vitest run --coverage"
},
"dependencies": {
2026-03-30 09:53:45 +08:00
"@modelcontextprotocol/sdk": "^1.28.0",
"archiver": "^6.0.1",
"bcryptjs": "^2.4.3",
"better-sqlite3": "^12.8.0",
"cookie-parser": "^1.4.7",
"cors": "^2.8.5",
"dotenv": "^16.4.1",
"express": "^4.18.3",
"fast-xml-parser": "^5.5.10",
"helmet": "^8.1.0",
"jimp": "^1.6.1",
"jsonwebtoken": "^9.0.2",
"multer": "^2.1.1",
"node-cron": "^4.2.1",
"nodemailer": "^8.0.5",
"otplib": "^12.0.1",
"qrcode": "^1.5.4",
"semver": "^7.7.4",
"tsx": "^4.21.0",
"typescript": "^6.0.2",
"undici": "^7.0.0",
"unzipper": "^0.12.3",
"uuid": "^14.0.0",
2026-03-30 09:53:45 +08:00
"ws": "^8.19.0",
"zod": "^4.3.6"
},
"overrides": {
security: login timing enumeration fix + dep CVE patches (v3.0.18) (#984) * fix(security): equalise login response timing to prevent user enumeration (CWE-208) Always run bcrypt.compareSync regardless of whether the email exists, using a module-scope DUMMY_PASSWORD_HASH for unknown/OIDC-only accounts. Also wraps the login handler in a 350ms minimum-latency pad (matching /forgot-password) as defence-in-depth against CPU jitter and future code-path drift. Fixes: CWE-203, CWE-208 — Observable Timing Discrepancy (CVSS 5.3 Medium) * chore(deps): patch hono/picomatch/ip-address/brace-expansion CVEs, bump to node:24-alpine Extends server/package.json overrides to pin hono >=4.12.16, picomatch >=4.0.4, brace-expansion >=2.0.3, ip-address >=10.1.1. Adds matching overrides to client/. Lockfiles regenerated to resolve: hono 4.12.18, ip-address 10.2.0, picomatch 4.0.4. Also bumps base image node:22-alpine -> node:24-alpine (reduces base image CVEs) and adds .github/workflows/security.yml to gate PRs on critical/high CVEs via Docker Scout. Addresses: CVE-2026-44456, CVE-2026-44455 (hono), CVE-2026-42338 (ip-address), CVE-2026-33671, CVE-2026-33672 (picomatch), CVE-2026-33750 (brace-expansion) * chore: update emails in security.md * ci(security): use docker/login-action for Scout auth instead of env vars * chore: regenerate lock files * chore: correct secret names * chore: pr perms write * fix(docker): remove package-lock.json from production image after npm ci Docker Scout reads package-lock.json as an SBOM source and reports all lockfile entries including devDependencies (e.g. picomatch via vitest/vite) even when they are not physically installed. The lockfile has no runtime purpose after npm ci completes, so delete it to ensure Scout only reports packages actually present in node_modules. * fix(docker): remove npm CLI from production image to eliminate bundled CVEs picomatch@4.0.3, brace-expansion@5.0.4, and ip-address@10.1.0 were all coming from /usr/local/lib/node_modules/npm — npm's own bundled packages shipped with node:24-alpine. The production container only needs the node binary to run the server; npm is unused at runtime. Removing npm + npx after npm ci drops the package count from 500 to 365 and eliminates all npm-ecosystem CVEs (0H 0M remaining from npm packages). Only busybox CVE-2025-60876 remains, which has no fix in Alpine 3.23. * fix(deps): remove client overrides and brace-expansion server override; audit fix brace-expansion ^2.0.3 in the client forced all installations to v2, breaking minimatch in CI (test:coverage path via @vitest/coverage-v8 -> test-exclude) which expects the named-export API of brace-expansion v5. The CVE it targeted (>=4.0.0,<5.0.5) was only in npm's own bundled packages, already eliminated by removing npm from the Docker image. Also removes picomatch and ip-address client overrides for the same reason: all three CVEs sourced from /usr/local/lib/node_modules/npm/, not app deps. Drops brace-expansion from server overrides (server uses v2.1.0, outside the affected range >=4.0.0). * fix(#981): align public share itinerary order with daily planner (#985) The public share page rendered daily items in a different order than the authenticated planner because it used a simplified, divergent merge algorithm. Five specific bugs: 1. shareService never loaded reservation_day_positions, so per-day transport positions were lost on the share page (fell back to day_plan_position ?? 999, pushing transports to the bottom). 2. Multi-day transports (overnight trains/flights) only appeared on their start day due to date-string filtering instead of day_id span logic. 3. Assignment-linked transports appeared twice (once as place, once as transport card) because the assignment_id exclusion was missing. 4. Time-based transport insertion was absent; missing positions used 999 instead of a computed fractional position from the place timeline. 5. created_at tiebreaker was missing for assignments and notes with equal order_index/sort_order, making order non-deterministic on the share page. Fix: extract the authoritative merge logic (parseTimeToMinutes, getSpanPhase, getDisplayTimeForDay, getTransportForDay, getMergedItems) from DayPlanSidebar into client/src/utils/dayMerge.ts and use it in both the planner and SharedTripPage. Enrich the shareService payload with day_positions from reservation_day_positions and add created_at tiebreakers to the assignment and day_notes ORDER BY clauses. * fix(#983): shift owner vacay entries when update_trip moves trip window updateTrip() now calls shiftOwnerEntriesForTripWindow() which looks up the owner's own vacay plan (not the active plan) and shifts all entries in the old date window by the same offset as the trip start date.
2026-05-10 22:03:15 +08:00
"hono": "^4.12.16",
"@hono/node-server": "^1.19.13",
"picomatch": "^4.0.4",
"ip-address": "^10.1.1"
},
"devDependencies": {
"@types/archiver": "^7.0.0",
"@types/bcryptjs": "^2.4.6",
"@types/better-sqlite3": "^7.6.13",
"@types/cookie-parser": "^1.4.10",
"@types/cors": "^2.8.19",
"@types/express": "^4.17.25",
"@types/jsonwebtoken": "^9.0.10",
"@types/multer": "^2.1.0",
"@types/node": "^25.5.0",
"@types/node-cron": "^3.0.11",
"@types/nodemailer": "^7.0.11",
"@types/qrcode": "^1.5.5",
"@types/semver": "^7.7.1",
"@types/supertest": "^6.0.3",
"@types/unzipper": "^0.10.11",
"@types/uuid": "^10.0.0",
"@types/ws": "^8.18.1",
"@vitest/coverage-v8": "^3.2.4",
"nodemon": "^3.1.0",
"supertest": "^7.2.2",
"tz-lookup": "^6.1.25",
"vitest": "^3.2.4"
}
}