memory-journal-mcp 3.1.4 → 3.1.5

package/.github/workflows/docker-publish.yml

@@ -186,8 +186,8 @@ jobs:
         
         # Define CVEs to ignore (upstream issues with NO fix available)
         # CVE-2026-22184: Alpine zlib - no fix version released yet
-        # CVE-2019-10790: protobufjs taffydb - unmaintained/abandoned package
-        IGNORE_CVES="CVE-2026-22184|CVE-2019-10790"
+        # CVE-2025-60876: Alpine busybox wget - patch not in release yet
+        IGNORE_CVES="CVE-2026-22184|CVE-2025-60876"
         
         echo "⏱️ Running Docker Scout scan (max 8 minutes)..."
         if timeout 480 docker scout cves local-scan:latest > scout_output.txt 2>&1; then

package/.scout-ignore

@@ -4,9 +4,9 @@
 # Only include CVEs with NO upstream fix available
 
 # Alpine zlib - Critical severity, but NO FIX VERSION RELEASED by Alpine yet
-# We run `apk upgrade --no-cache` but there's nothing to upgrade to
+# zlib 1.3.1.3 contains the fix but Alpine hasn't packaged it
 CVE-2026-22184
 
-# protobufjs bundled taffydb - 6+ year old unmaintained package
-# No fix version exists - package is abandoned
-CVE-2019-10790
+# Alpine busybox - wget CRLF injection (MEDIUM)
+# Patch submitted to busybox upstream but not in a release yet
+CVE-2025-60876

package/.trivyignore

@@ -6,14 +6,9 @@
 # ============================================================================
 
 # CVE-2026-22184: zlib vulnerability (CRITICAL)
-# No fix version released by Alpine yet - `apk upgrade` has nothing to update to
+# No fix version released by Alpine yet - zlib 1.3.1.3 not packaged
 CVE-2026-22184
 
-# ============================================================================
-# protobufjs Bundled CLI - in /app/node_modules/protobufjs/cli/node_modules/
-# taffydb is 6+ years unmaintained with no fix available
-# ============================================================================
-
-# CVE-2019-10790: taffydb prototype pollution (HIGH)
-# No fix version exists - package is abandoned
-CVE-2019-10790
+# CVE-2025-60876: busybox wget CRLF injection (MEDIUM)
+# Patch submitted to busybox upstream but not in a release yet
+CVE-2025-60876

package/DOCKER_README.md

@@ -1,11 +1,11 @@
 # Memory Journal MCP Server
 
-Last Updated January 11, 2026 - v3.1.4
+Last Updated January 11, 2026 - v3.1.5
 
 [![GitHub](https://img.shields.io/badge/GitHub-neverinfamous/memory--journal--mcp-blue?logo=github)](https://github.com/neverinfamous/memory-journal-mcp)
 [![Docker Pulls](https://img.shields.io/docker/pulls/writenotenow/memory-journal-mcp)](https://hub.docker.com/r/writenotenow/memory-journal-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-![Version](https://img.shields.io/badge/version-v3.1.4-green)
+![Version](https://img.shields.io/badge/version-v3.1.5-green)
 ![Status](https://img.shields.io/badge/status-Production%2FStable-brightgreen)
 [![npm](https://img.shields.io/npm/v/memory-journal-mcp)](https://www.npmjs.com/package/memory-journal-mcp)
 [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](https://github.com/neverinfamous/memory-journal-mcp/blob/main/SECURITY.md)
@@ -342,7 +342,7 @@ docker run -i --rm \
 - 📋 **SBOM Available** - Complete software bill of materials
 
 **Available Tags:**
-- `3.1.4` - Specific version (recommended for production)
+- `3.1.5` - Specific version (recommended for production)
 - `3.0` - Latest patch in 3.0.x series
 - `3` - Latest minor in 3.x series
 - `latest` - Always the newest version

package/Dockerfile

@@ -21,11 +21,9 @@ COPY package*.json .npmrc ./
 # The .npmrc has legacy-peer-deps=true to handle zod peer conflicts
 RUN npm ci
 
-# Clean protobufjs bundled cli dependencies and apply overrides
-# This ensures our brace-expansion and tmp overrides take effect
-RUN rm -rf node_modules/protobufjs/cli/node_modules/brace-expansion \
-           node_modules/protobufjs/cli/node_modules/tmp && \
-    npm dedupe
+# Remove protobufjs CLI entirely - not needed at runtime
+# Eliminates CVE-2019-10790 (taffydb), CVE-2025-54798 (tmp), CVE-2025-5889 (brace-expansion)
+RUN rm -rf node_modules/protobufjs/cli
 
 # Copy source code
 COPY tsconfig.json ./
@@ -78,6 +76,6 @@ CMD ["node", "dist/cli.js"]
 # Labels for Docker Hub
 LABEL maintainer="Adamic.tech"
 LABEL description="Memory Journal MCP Server - Project context management for AI-assisted development"
-LABEL version="3.1.4"
+LABEL version="3.1.5"
 LABEL org.opencontainers.image.source="https://github.com/neverinfamous/memory-journal-mcp"
 LABEL io.modelcontextprotocol.server.name="io.github.neverinfamous/memory-journal-mcp"

package/README.md

@@ -1,6 +1,6 @@
 # Memory Journal MCP Server
 
-Last Updated January 11, 2026 - v3.1.4
+Last Updated January 11, 2026 - v3.1.5
 
 <!-- mcp-name: io.github.neverinfamous/memory-journal-mcp -->
 
@@ -8,7 +8,7 @@ Last Updated January 11, 2026 - v3.1.4
 [![npm](https://img.shields.io/npm/v/memory-journal-mcp)](https://www.npmjs.com/package/memory-journal-mcp)
 [![Docker Pulls](https://img.shields.io/docker/pulls/writenotenow/memory-journal-mcp)](https://hub.docker.com/r/writenotenow/memory-journal-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-![Version](https://img.shields.io/badge/version-v3.1.4-green)
+![Version](https://img.shields.io/badge/version-v3.1.5-green)
 ![Status](https://img.shields.io/badge/status-Production%2FStable-brightgreen)
 [![MCP Registry](https://img.shields.io/badge/MCP_Registry-Published-green)](https://registry.modelcontextprotocol.io/v0/servers?search=io.github.neverinfamous/memory-journal-mcp)
 [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](SECURITY.md)

package/VERSION

@@ -1 +1 @@
-3.1.4
+3.1.5

package/dist/cli.js

@@ -8,7 +8,7 @@ const program = new Command();
 program
     .name('memory-journal-mcp')
     .description('Project context management for AI-assisted development')
-    .version('3.1.4')
+    .version('3.1.5')
     .option('--transport <type>', 'Transport type: stdio or http', 'stdio')
     .option('--port <number>', 'HTTP port (for http transport)', '3000')
     .option('--db <path>', 'Database path', './memory_journal.db')

package/dist/server/McpServer.js

@@ -62,7 +62,7 @@ export async function createServer(options) {
     // Create MCP server with capabilities and instructions
     const server = new McpServer({
         name: 'memory-journal-mcp',
-        version: '3.1.4',
+        version: '3.1.5',
     }, {
         capabilities: {
             logging: {}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "memory-journal-mcp",
-    "version": "3.1.4",
+    "version": "3.1.5",
     "description": "Project context management for AI-assisted development - Persistent knowledge graphs and intelligent context recall across fragmented AI threads",
     "type": "module",
     "main": "dist/index.js",

package/releases/v3.1.5.md

@@ -0,0 +1,40 @@
+# v3.1.5 - Remove protobufjs CLI to Eliminate taffydb CVE
+
+**Release Date:** January 11, 2026
+
+## Security Fixes
+
+### protobufjs CLI Removal
+
+The `protobufjs` package (transitive dependency via `@xenova/transformers → onnxruntime-web → onnx-proto`) includes a `/cli/` folder for `.proto` file compilation. This CLI folder contains unmaintained dependencies with known CVEs.
+
+**Since the CLI is not used at runtime**, we now remove it entirely from the Docker image:
+
+```dockerfile
+RUN rm -rf node_modules/protobufjs/cli
+```
+
+**CVEs Eliminated:**
+- **CVE-2019-10790** (taffydb, HIGH) — 6+ year old unmaintained package
+- **CVE-2025-54798** (tmp, LOW) — Symlink vulnerability  
+- **CVE-2025-5889** (brace-expansion, LOW) — ReDoS vulnerability
+
+### Remaining Allowlisted CVEs (No Upstream Fix)
+
+These CVEs still have **no fix available** from Alpine:
+- **CVE-2026-22184** (zlib, CRITICAL) — Alpine hasn't packaged zlib 1.3.1.3 yet
+- **CVE-2025-60876** (busybox, MEDIUM) — Patch submitted to busybox but not released
+
+---
+
+## Installation
+
+**npm:**
+```bash
+npm install -g memory-journal-mcp@3.1.5
+```
+
+**Docker:**
+```bash
+docker pull writenotenow/memory-journal-mcp:3.1.5
+```

package/server.json

@@ -3,12 +3,12 @@
   "name": "io.github.neverinfamous/memory-journal-mcp",
   "title": "Memory Journal MCP",
   "description": "MCP server– Project memory system with GitHub-aware context, knowledge graphs, and CI/PR timelines",
-  "version": "3.1.4",
+  "version": "3.1.5",
   "packages": [
     {
       "registryType": "oci",
-      "identifier": "docker.io/writenotenow/memory-journal-mcp:v3.1.4",
-      "version": "3.1.4",
+      "identifier": "docker.io/writenotenow/memory-journal-mcp:v3.1.5",
+      "version": "3.1.5",
       "transport": {
         "type": "stdio"
       }

package/src/cli.ts

@@ -11,7 +11,7 @@ const program = new Command();
 program
     .name('memory-journal-mcp')
     .description('Project context management for AI-assisted development')
-    .version('3.1.4')
+    .version('3.1.5')
     .option('--transport <type>', 'Transport type: stdio or http', 'stdio')
     .option('--port <number>', 'HTTP port (for http transport)', '3000')
     .option('--db <path>', 'Database path', './memory_journal.db')

package/src/server/McpServer.ts

@@ -89,7 +89,7 @@ export async function createServer(options: ServerOptions): Promise<void> {
     const server = new McpServer(
         {
             name: 'memory-journal-mcp',
-            version: '3.1.4',
+            version: '3.1.5',
         },
         {
             capabilities: {