memory-journal-mcp 4.4.0 → 4.4.2

package/CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.4.2] - 2026-02-27
+
+### Security
+
+- **CVE-2026-27903 + CVE-2026-27904 (minimatch)** — Manually patched npm's bundled `minimatch` → `10.2.3` in Dockerfile to fix HIGH severity ReDoS and algorithmic complexity vulnerabilities (CVSS 7.5). The v4.4.1 npm override only affected project dependencies; Docker Scout detected the vulnerable copy inside npm's own bundled packages. Also added npm override.
+
 ## [4.4.0] - 2026-02-27
 
 ### Added

package/DOCKER_README.md

@@ -466,7 +466,7 @@ Memory Journal is designed for extremely low overhead during AI task execution.
 
 **Available Tags:**
 
-- `4.4.0` - Specific version (recommended for production)
+- `4.4.2` - Specific version (recommended for production)
 - `4.4` - Latest patch in 4.4.x series
 - `4` - Latest minor in 4.x series
 - `latest` - Always the newest version

package/Dockerfile

@@ -31,6 +31,14 @@ RUN cd /usr/local/lib/node_modules/npm && \
     mv package node_modules/tar && \
     rm tar-7.5.8.tgz
 
+# Fix CVE-2026-27903, CVE-2026-27904: Manually update npm's bundled minimatch to 10.2.3
+RUN cd /usr/local/lib/node_modules/npm && \
+    npm pack minimatch@10.2.3 && \
+    rm -rf node_modules/minimatch && \
+    tar -xzf minimatch-10.2.3.tgz && \
+    mv package node_modules/minimatch && \
+    rm minimatch-10.2.3.tgz
+
 # Copy package files first for better layer caching
 COPY package*.json .npmrc ./
 
@@ -78,6 +86,14 @@ RUN cd /usr/local/lib/node_modules/npm && \
     mv package node_modules/tar && \
     rm tar-7.5.8.tgz
 
+# Fix CVE-2026-27903, CVE-2026-27904: Manually update npm's bundled minimatch to 10.2.3
+RUN cd /usr/local/lib/node_modules/npm && \
+    npm pack minimatch@10.2.3 && \
+    rm -rf node_modules/minimatch && \
+    tar -xzf minimatch-10.2.3.tgz && \
+    mv package node_modules/minimatch && \
+    rm minimatch-10.2.3.tgz
+
 # Copy built artifacts and production dependencies
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/node_modules ./node_modules
@@ -110,6 +126,6 @@ CMD ["node", "dist/cli.js"]
 # Labels for Docker Hub
 LABEL maintainer="Adamic.tech"
 LABEL description="Memory Journal MCP Server - Project context management for AI-assisted development"
-LABEL version="4.4.0"
+LABEL version="4.4.2"
 LABEL org.opencontainers.image.source="https://github.com/neverinfamous/memory-journal-mcp"
 LABEL io.modelcontextprotocol.server.name="io.github.neverinfamous/memory-journal-mcp"

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "memory-journal-mcp",
-    "version": "4.4.0",
+    "version": "4.4.2",
     "description": "Project context management for AI-assisted development - Persistent knowledge graphs and intelligent context recall across fragmented AI threads",
     "type": "module",
     "main": "dist/index.js",
@@ -78,6 +78,7 @@
         "axios": "^1.13.5",
         "brace-expansion": "^2.0.2",
         "glob": "^11.1.0",
+        "minimatch": "^10.2.3",
         "tar": "^7.5.8",
         "tmp": "^0.2.4"
     }

package/releases/v4.4.1.md

@@ -0,0 +1,33 @@
+# v4.4.1 - CVE Remediation (minimatch)
+
+Released: February 27, 2026
+
+## Highlights
+
+- **Security Patch** — Fixed 2 HIGH severity CVEs in minimatch that blocked Docker deployment
+
+---
+
+## Security
+
+### CVE-2026-27903 (minimatch) — HIGH
+
+Inefficient algorithmic complexity vulnerability in minimatch >=10.0.0, <10.2.3 (CVSS 7.5). Added npm override `minimatch@^10.2.3`.
+
+### CVE-2026-27904 (minimatch) — HIGH
+
+Inefficient regular expression complexity (ReDoS) in minimatch >=10.0.0, <10.2.3 (CVSS 7.5). Same fix as CVE-2026-27903.
+
+---
+
+## Upgrade
+
+```bash
+# npm
+npm update -g memory-journal-mcp
+
+# Docker
+docker pull writenotenow/memory-journal-mcp:v4.4.1
+```
+
+**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

package/releases/v4.4.2.md

@@ -0,0 +1,31 @@
+# v4.4.2 - CVE Remediation (minimatch Dockerfile Patch)
+
+Released: February 27, 2026
+
+## Highlights
+
+- **Docker CVE Fix** — Manually patched npm's bundled minimatch in Dockerfile to resolve Docker deploy block
+
+---
+
+## Security
+
+### CVE-2026-27903 + CVE-2026-27904 (minimatch) — HIGH
+
+Manually patched npm's bundled `minimatch@10.2.2` → `10.2.3` in Dockerfile to fix HIGH severity ReDoS and algorithmic complexity vulnerabilities (CVSS 7.5).
+
+The v4.4.1 npm override only affected project dependencies. Docker Scout detected the vulnerable copy inside npm's own bundled packages at `/usr/local/lib/node_modules/npm/node_modules/minimatch`. This follows the same manual patch pattern used for tar and diff CVEs.
+
+---
+
+## Upgrade
+
+```bash
+# npm
+npm update -g memory-journal-mcp
+
+# Docker
+docker pull writenotenow/memory-journal-mcp:v4.4.2
+```
+
+**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

package/server.json

@@ -3,12 +3,12 @@
     "name": "io.github.neverinfamous/memory-journal-mcp",
     "title": "Memory Journal MCP",
     "description": "MCP server– Project memory system with GitHub-aware context, knowledge graphs, and CI/PR timelines",
-    "version": "4.4.0",
+    "version": "4.4.2",
     "packages": [
         {
             "registryType": "oci",
-            "identifier": "docker.io/writenotenow/memory-journal-mcp:v4.4.0",
-            "version": "4.4.0",
+            "identifier": "docker.io/writenotenow/memory-journal-mcp:v4.4.2",
+            "version": "4.4.2",
             "transport": {
                 "type": "stdio"
             }