memory-journal-mcp 3.1.2 → 3.1.4

package/.github/workflows/docker-publish.yml

@@ -184,27 +184,33 @@ jobs:
         docker images local-scan:latest
         echo "🔍 Running Docker Scout security scan for local-scan:latest"
         
+        # Define CVEs to ignore (upstream issues with NO fix available)
+        # CVE-2026-22184: Alpine zlib - no fix version released yet
+        # CVE-2019-10790: protobufjs taffydb - unmaintained/abandoned package
+        IGNORE_CVES="CVE-2026-22184|CVE-2019-10790"
+        
         echo "⏱️ Running Docker Scout scan (max 8 minutes)..."
         if timeout 480 docker scout cves local-scan:latest > scout_output.txt 2>&1; then
           echo "📊 Scan completed successfully"
           cat scout_output.txt
           
-          # Check if critical or high vulnerabilities are present in the output
-          # Look for non-zero counts in CRITICAL or HIGH columns (format: "1C" or "2H")
-          if grep -E "^\s+[1-9][0-9]*C\s+" scout_output.txt > /dev/null; then
-            echo "❌ Critical severity vulnerabilities detected"
+          # Filter out ignored CVEs and check remaining for critical/high
+          # First, check for any critical CVEs that are NOT in our ignore list
+          if grep -E "^[A-Z]" scout_output.txt | grep -vE "$IGNORE_CVES" | grep -q "CRITICAL"; then
+            echo "❌ Critical severity vulnerability detected (not in allowlist)"
             echo "🚨 Build blocked due to unacceptable security risk"
             exit 1
           fi
           
-          if grep -E "^\s+0C\s+[1-9][0-9]*H\s+" scout_output.txt > /dev/null; then
-            echo "❌ High severity vulnerabilities detected"
+          # Check for any high CVEs that are NOT in our ignore list
+          if grep -E "^CVE-" scout_output.txt | grep -vE "$IGNORE_CVES" | grep -q "HIGH"; then
+            echo "❌ High severity vulnerability detected (not in allowlist)"
             echo "🚨 Build blocked due to unacceptable security risk"
             exit 1
-          else
-            echo "✅ Security scan passed - no critical/high severity vulnerabilities"
-            echo "ℹ️ Low/medium severity vulnerabilities are acceptable"
           fi
+          
+          echo "✅ Security scan passed"
+          echo "ℹ️ Any flagged CVEs are either allowlisted (upstream) or low/medium severity"
         else
           echo "⚠️ Docker Scout scan timed out or failed"
           echo "🔄 Continuing build - scan timeout is not a security failure"

package/.scout-ignore

@@ -0,0 +1,12 @@
+# Docker Scout CVE Ignore File
+# See: https://docs.docker.com/scout/explore/cve-ignorelist/
+#
+# Only include CVEs with NO upstream fix available
+
+# Alpine zlib - Critical severity, but NO FIX VERSION RELEASED by Alpine yet
+# We run `apk upgrade --no-cache` but there's nothing to upgrade to
+CVE-2026-22184
+
+# protobufjs bundled taffydb - 6+ year old unmaintained package
+# No fix version exists - package is abandoned
+CVE-2019-10790

package/.trivyignore

@@ -1,18 +1,19 @@
 # Trivy Ignore File
 # See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
 
-# CVE-2025-64756: glob command injection in npm CLI (HIGH)
-# This is in the Node.js base image's npm installation (/usr/local/lib/node_modules/npm)
-# We don't use glob CLI directly and cannot patch base image npm
-# Will be fixed when Node.js releases updated base images
-CVE-2025-64756
+# ============================================================================
+# Alpine Base Image - No upstream fix available
+# ============================================================================
 
-# CVE-2025-5889: brace-expansion ReDoS (LOW)
-# Bundled in protobufjs/cli/node_modules - can't override with npm
-# LOW severity, attack complexity is high, exploitation is difficult
-CVE-2025-5889
+# CVE-2026-22184: zlib vulnerability (CRITICAL)
+# No fix version released by Alpine yet - `apk upgrade` has nothing to update to
+CVE-2026-22184
 
-# CVE-2025-54798: tmp symlink vulnerability (LOW)
-# Bundled in protobufjs/cli/node_modules - can't override with npm
-# LOW severity, only affects tmp file creation in CLI context
-CVE-2025-54798
+# ============================================================================
+# protobufjs Bundled CLI - in /app/node_modules/protobufjs/cli/node_modules/
+# taffydb is 6+ years unmaintained with no fix available
+# ============================================================================
+
+# CVE-2019-10790: taffydb prototype pollution (HIGH)
+# No fix version exists - package is abandoned
+CVE-2019-10790

package/DOCKER_README.md

@@ -1,11 +1,11 @@
 # Memory Journal MCP Server
 
-Last Updated January 11, 2026 - v3.1.2
+Last Updated January 11, 2026 - v3.1.4
 
 [![GitHub](https://img.shields.io/badge/GitHub-neverinfamous/memory--journal--mcp-blue?logo=github)](https://github.com/neverinfamous/memory-journal-mcp)
 [![Docker Pulls](https://img.shields.io/docker/pulls/writenotenow/memory-journal-mcp)](https://hub.docker.com/r/writenotenow/memory-journal-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-![Version](https://img.shields.io/badge/version-v3.1.2-green)
+![Version](https://img.shields.io/badge/version-v3.1.4-green)
 ![Status](https://img.shields.io/badge/status-Production%2FStable-brightgreen)
 [![npm](https://img.shields.io/npm/v/memory-journal-mcp)](https://www.npmjs.com/package/memory-journal-mcp)
 [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](https://github.com/neverinfamous/memory-journal-mcp/blob/main/SECURITY.md)
@@ -342,7 +342,7 @@ docker run -i --rm \
 - 📋 **SBOM Available** - Complete software bill of materials
 
 **Available Tags:**
-- `3.1.2` - Specific version (recommended for production)
+- `3.1.4` - Specific version (recommended for production)
 - `3.0` - Latest patch in 3.0.x series
 - `3` - Latest minor in 3.x series
 - `latest` - Always the newest version

package/Dockerfile

@@ -5,14 +5,28 @@ FROM node:24-alpine AS builder
 WORKDIR /app
 
 # Install build dependencies and upgrade packages for security
-RUN apk add --no-cache python3 make g++ && apk upgrade --no-cache
+# Use Alpine edge for latest security patches (curl CVE-2025-14524, etc.)
+RUN apk add --no-cache python3 make g++ && \
+    apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main curl && \
+    apk upgrade --no-cache
+
+# Upgrade npm globally to get fixed versions of bundled packages
+# Fixes CVE-2025-64756 (glob) and CVE-2025-64118 (tar)
+RUN npm install -g npm@latest
 
 # Copy package files first for better layer caching
-COPY package*.json ./
+COPY package*.json .npmrc ./
 
 # Install all dependencies (including devDependencies for build)
+# The .npmrc has legacy-peer-deps=true to handle zod peer conflicts
 RUN npm ci
 
+# Clean protobufjs bundled cli dependencies and apply overrides
+# This ensures our brace-expansion and tmp overrides take effect
+RUN rm -rf node_modules/protobufjs/cli/node_modules/brace-expansion \
+           node_modules/protobufjs/cli/node_modules/tmp && \
+    npm dedupe
+
 # Copy source code
 COPY tsconfig.json ./
 COPY src/ ./src/
@@ -25,8 +39,13 @@ FROM node:24-alpine
 
 WORKDIR /app
 
-# Install runtime dependencies
-RUN apk add --no-cache git ca-certificates && apk upgrade --no-cache
+# Install runtime dependencies with security fixes
+# Use Alpine edge for curl with CVE fixes
+# Upgrade npm globally to fix CVE-2025-64756 (glob) and CVE-2025-64118 (tar)
+RUN apk add --no-cache git ca-certificates && \
+    apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main curl && \
+    apk upgrade --no-cache && \
+    npm install -g npm@latest
 
 # Copy built artifacts and production dependencies
 COPY --from=builder /app/dist ./dist
@@ -59,6 +78,6 @@ CMD ["node", "dist/cli.js"]
 # Labels for Docker Hub
 LABEL maintainer="Adamic.tech"
 LABEL description="Memory Journal MCP Server - Project context management for AI-assisted development"
-LABEL version="3.1.2"
+LABEL version="3.1.4"
 LABEL org.opencontainers.image.source="https://github.com/neverinfamous/memory-journal-mcp"
 LABEL io.modelcontextprotocol.server.name="io.github.neverinfamous/memory-journal-mcp"

package/README.md

@@ -1,6 +1,6 @@
 # Memory Journal MCP Server
 
-Last Updated January 11, 2026 - v3.1.2
+Last Updated January 11, 2026 - v3.1.4
 
 <!-- mcp-name: io.github.neverinfamous/memory-journal-mcp -->
 
@@ -8,7 +8,7 @@ Last Updated January 11, 2026 - v3.1.2
 [![npm](https://img.shields.io/npm/v/memory-journal-mcp)](https://www.npmjs.com/package/memory-journal-mcp)
 [![Docker Pulls](https://img.shields.io/docker/pulls/writenotenow/memory-journal-mcp)](https://hub.docker.com/r/writenotenow/memory-journal-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-![Version](https://img.shields.io/badge/version-v3.1.2-green)
+![Version](https://img.shields.io/badge/version-v3.1.4-green)
 ![Status](https://img.shields.io/badge/status-Production%2FStable-brightgreen)
 [![MCP Registry](https://img.shields.io/badge/MCP_Registry-Published-green)](https://registry.modelcontextprotocol.io/v0/servers?search=io.github.neverinfamous/memory-journal-mcp)
 [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](SECURITY.md)

package/VERSION

@@ -1 +1 @@
-3.1.2
+3.1.4

package/dist/cli.js

@@ -8,7 +8,7 @@ const program = new Command();
 program
     .name('memory-journal-mcp')
     .description('Project context management for AI-assisted development')
-    .version('3.1.2')
+    .version('3.1.4')
     .option('--transport <type>', 'Transport type: stdio or http', 'stdio')
     .option('--port <number>', 'HTTP port (for http transport)', '3000')
     .option('--db <path>', 'Database path', './memory_journal.db')

package/dist/server/McpServer.js

@@ -62,7 +62,7 @@ export async function createServer(options) {
     // Create MCP server with capabilities and instructions
     const server = new McpServer({
         name: 'memory-journal-mcp',
-        version: '3.1.2',
+        version: '3.1.4',
     }, {
         capabilities: {
             logging: {}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "memory-journal-mcp",
-    "version": "3.1.2",
+    "version": "3.1.4",
     "description": "Project context management for AI-assisted development - Persistent knowledge graphs and intelligent context recall across fragmented AI threads",
     "type": "module",
     "main": "dist/index.js",

package/releases/v3.1.3.md

@@ -0,0 +1,58 @@
+# v3.1.3 - Security Fixes for Docker Scout CVEs
+
+**Release Date:** January 11, 2026
+
+## Security Fixes
+
+### Docker Image CVE Remediation
+
+This release actively fixes several CVEs that Docker Scout flagged:
+
+#### npm Global Upgrade
+- **CVE-2025-64756** (glob, HIGH) — Fixed by upgrading npm globally in Docker build
+- **CVE-2025-64118** (tar, MEDIUM) — Fixed by upgrading npm globally in Docker build
+
+#### Alpine Edge Repository
+- **CVE-2025-14524** (curl, MEDIUM) — Fixed via Alpine edge: curl 8.18.0-r0
+- **CVE-2025-14819** (curl, MEDIUM) — Fixed via Alpine edge: curl 8.18.0-r0
+- **CVE-2025-14017** (curl, N/A) — Fixed via Alpine edge: curl 8.18.0-r0
+
+#### protobufjs CLI Cleanup
+- **CVE-2025-54798** (tmp, LOW) — Fixed by removing bundled protobufjs/cli deps and applying npm overrides
+- **CVE-2025-5889** (brace-expansion, LOW) — Fixed by removing bundled protobufjs/cli deps and applying npm overrides
+
+### Remaining Allowlisted CVEs (No Upstream Fix)
+
+These CVEs have **no fix available** from upstream:
+- **CVE-2026-22184** (zlib, CRITICAL) — Alpine has not released a fix version
+- **CVE-2019-10790** (taffydb, HIGH) — Package is 6+ years unmaintained/abandoned
+
+---
+
+## Dockerfile Changes
+
+- Added `npm install -g npm@latest` to upgrade bundled npm
+- Added Alpine edge repository for curl security patches
+- Added protobufjs cli cleanup to force npm overrides
+- Copying `.npmrc` into build for consistent dependency resolution
+
+---
+
+## Installation
+
+**npm:**
+```bash
+npm install -g memory-journal-mcp@3.1.3
+```
+
+**Docker:**
+```bash
+docker pull writenotenow/memory-journal-mcp:3.1.3
+```
+
+---
+
+## Links
+
+- [Full Changelog](https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG)
+- [v3.1.0 Release Notes](https://github.com/neverinfamous/memory-journal-mcp/releases/tag/v3.1.0)

package/releases/v3.1.4.md

@@ -0,0 +1,29 @@
+# v3.1.4 - npm Global Upgrade in Production Stage
+
+**Release Date:** January 11, 2026
+
+## Fixed
+
+### Docker Scout CVE-2025-64756 and CVE-2025-64118
+
+The v3.1.3 release added `npm install -g npm@latest` to the **builder stage** only, but the production stage uses a fresh `node:24-alpine` base image with its own bundled npm.
+
+**Fix:** Added `npm install -g npm@latest` to the **production stage** as well.
+
+This ensures the final Docker image has the latest npm with fixed versions of:
+- **glob** (fixes CVE-2025-64756, HIGH)
+- **tar** (fixes CVE-2025-64118, MEDIUM)
+
+---
+
+## Installation
+
+**npm:**
+```bash
+npm install -g memory-journal-mcp@3.1.4
+```
+
+**Docker:**
+```bash
+docker pull writenotenow/memory-journal-mcp:3.1.4
+```

package/server.json

@@ -3,12 +3,12 @@
   "name": "io.github.neverinfamous/memory-journal-mcp",
   "title": "Memory Journal MCP",
   "description": "MCP server– Project memory system with GitHub-aware context, knowledge graphs, and CI/PR timelines",
-  "version": "3.1.2",
+  "version": "3.1.4",
   "packages": [
     {
       "registryType": "oci",
-      "identifier": "docker.io/writenotenow/memory-journal-mcp:v3.1.2",
-      "version": "3.1.2",
+      "identifier": "docker.io/writenotenow/memory-journal-mcp:v3.1.4",
+      "version": "3.1.4",
       "transport": {
         "type": "stdio"
       }

package/src/cli.ts

@@ -11,7 +11,7 @@ const program = new Command();
 program
     .name('memory-journal-mcp')
     .description('Project context management for AI-assisted development')
-    .version('3.1.2')
+    .version('3.1.4')
     .option('--transport <type>', 'Transport type: stdio or http', 'stdio')
     .option('--port <number>', 'HTTP port (for http transport)', '3000')
     .option('--db <path>', 'Database path', './memory_journal.db')

package/src/server/McpServer.ts

@@ -89,7 +89,7 @@ export async function createServer(options: ServerOptions): Promise<void> {
     const server = new McpServer(
         {
             name: 'memory-journal-mcp',
-            version: '3.1.2',
+            version: '3.1.4',
         },
         {
             capabilities: {