memory-journal-mcp 4.4.1 → 4.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -2
- package/DOCKER_README.md +1 -1
- package/Dockerfile +17 -1
- package/package.json +1 -1
- package/releases/v4.4.2.md +31 -0
- package/server.json +3 -3
package/CHANGELOG.md
CHANGED
|
@@ -7,11 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
-
## [4.4.
|
|
10
|
+
## [4.4.2] - 2026-02-27
|
|
11
11
|
|
|
12
12
|
### Security
|
|
13
13
|
|
|
14
|
-
- **CVE-2026-27903 + CVE-2026-27904 (minimatch)** —
|
|
14
|
+
- **CVE-2026-27903 + CVE-2026-27904 (minimatch)** — Manually patched npm's bundled `minimatch` → `10.2.3` in Dockerfile to fix HIGH severity ReDoS and algorithmic complexity vulnerabilities (CVSS 7.5). The v4.4.1 npm override only affected project dependencies; Docker Scout detected the vulnerable copy inside npm's own bundled packages. Also added npm override.
|
|
15
15
|
|
|
16
16
|
## [4.4.0] - 2026-02-27
|
|
17
17
|
|
package/DOCKER_README.md
CHANGED
|
@@ -466,7 +466,7 @@ Memory Journal is designed for extremely low overhead during AI task execution.
|
|
|
466
466
|
|
|
467
467
|
**Available Tags:**
|
|
468
468
|
|
|
469
|
-
- `4.4.
|
|
469
|
+
- `4.4.2` - Specific version (recommended for production)
|
|
470
470
|
- `4.4` - Latest patch in 4.4.x series
|
|
471
471
|
- `4` - Latest minor in 4.x series
|
|
472
472
|
- `latest` - Always the newest version
|
package/Dockerfile
CHANGED
|
@@ -31,6 +31,14 @@ RUN cd /usr/local/lib/node_modules/npm && \
|
|
|
31
31
|
mv package node_modules/tar && \
|
|
32
32
|
rm tar-7.5.8.tgz
|
|
33
33
|
|
|
34
|
+
# Fix CVE-2026-27903, CVE-2026-27904: Manually update npm's bundled minimatch to 10.2.3
|
|
35
|
+
RUN cd /usr/local/lib/node_modules/npm && \
|
|
36
|
+
npm pack minimatch@10.2.3 && \
|
|
37
|
+
rm -rf node_modules/minimatch && \
|
|
38
|
+
tar -xzf minimatch-10.2.3.tgz && \
|
|
39
|
+
mv package node_modules/minimatch && \
|
|
40
|
+
rm minimatch-10.2.3.tgz
|
|
41
|
+
|
|
34
42
|
# Copy package files first for better layer caching
|
|
35
43
|
COPY package*.json .npmrc ./
|
|
36
44
|
|
|
@@ -78,6 +86,14 @@ RUN cd /usr/local/lib/node_modules/npm && \
|
|
|
78
86
|
mv package node_modules/tar && \
|
|
79
87
|
rm tar-7.5.8.tgz
|
|
80
88
|
|
|
89
|
+
# Fix CVE-2026-27903, CVE-2026-27904: Manually update npm's bundled minimatch to 10.2.3
|
|
90
|
+
RUN cd /usr/local/lib/node_modules/npm && \
|
|
91
|
+
npm pack minimatch@10.2.3 && \
|
|
92
|
+
rm -rf node_modules/minimatch && \
|
|
93
|
+
tar -xzf minimatch-10.2.3.tgz && \
|
|
94
|
+
mv package node_modules/minimatch && \
|
|
95
|
+
rm minimatch-10.2.3.tgz
|
|
96
|
+
|
|
81
97
|
# Copy built artifacts and production dependencies
|
|
82
98
|
COPY --from=builder /app/dist ./dist
|
|
83
99
|
COPY --from=builder /app/node_modules ./node_modules
|
|
@@ -110,6 +126,6 @@ CMD ["node", "dist/cli.js"]
|
|
|
110
126
|
# Labels for Docker Hub
|
|
111
127
|
LABEL maintainer="Adamic.tech"
|
|
112
128
|
LABEL description="Memory Journal MCP Server - Project context management for AI-assisted development"
|
|
113
|
-
LABEL version="4.4.
|
|
129
|
+
LABEL version="4.4.2"
|
|
114
130
|
LABEL org.opencontainers.image.source="https://github.com/neverinfamous/memory-journal-mcp"
|
|
115
131
|
LABEL io.modelcontextprotocol.server.name="io.github.neverinfamous/memory-journal-mcp"
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "memory-journal-mcp",
|
|
3
|
-
"version": "4.4.
|
|
3
|
+
"version": "4.4.2",
|
|
4
4
|
"description": "Project context management for AI-assisted development - Persistent knowledge graphs and intelligent context recall across fragmented AI threads",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
# v4.4.2 - CVE Remediation (minimatch Dockerfile Patch)
|
|
2
|
+
|
|
3
|
+
Released: February 27, 2026
|
|
4
|
+
|
|
5
|
+
## Highlights
|
|
6
|
+
|
|
7
|
+
- **Docker CVE Fix** — Manually patched npm's bundled minimatch in Dockerfile to resolve Docker deploy block
|
|
8
|
+
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
## Security
|
|
12
|
+
|
|
13
|
+
### CVE-2026-27903 + CVE-2026-27904 (minimatch) — HIGH
|
|
14
|
+
|
|
15
|
+
Manually patched npm's bundled `minimatch@10.2.2` → `10.2.3` in Dockerfile to fix HIGH severity ReDoS and algorithmic complexity vulnerabilities (CVSS 7.5).
|
|
16
|
+
|
|
17
|
+
The v4.4.1 npm override only affected project dependencies. Docker Scout detected the vulnerable copy inside npm's own bundled packages at `/usr/local/lib/node_modules/npm/node_modules/minimatch`. This follows the same manual patch pattern used for tar and diff CVEs.
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## Upgrade
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
# npm
|
|
25
|
+
npm update -g memory-journal-mcp
|
|
26
|
+
|
|
27
|
+
# Docker
|
|
28
|
+
docker pull writenotenow/memory-journal-mcp:v4.4.2
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG
|
package/server.json
CHANGED
|
@@ -3,12 +3,12 @@
|
|
|
3
3
|
"name": "io.github.neverinfamous/memory-journal-mcp",
|
|
4
4
|
"title": "Memory Journal MCP",
|
|
5
5
|
"description": "MCP server– Project memory system with GitHub-aware context, knowledge graphs, and CI/PR timelines",
|
|
6
|
-
"version": "4.4.
|
|
6
|
+
"version": "4.4.2",
|
|
7
7
|
"packages": [
|
|
8
8
|
{
|
|
9
9
|
"registryType": "oci",
|
|
10
|
-
"identifier": "docker.io/writenotenow/memory-journal-mcp:v4.4.
|
|
11
|
-
"version": "4.4.
|
|
10
|
+
"identifier": "docker.io/writenotenow/memory-journal-mcp:v4.4.2",
|
|
11
|
+
"version": "4.4.2",
|
|
12
12
|
"transport": {
|
|
13
13
|
"type": "stdio"
|
|
14
14
|
}
|