v4.4.2 - CVE Remediation: patch npm bundled minimatch in Dockerfile

v4.4.2 - CVE Remediation (minimatch Dockerfile Patch)

Released: February 27, 2026

Highlights

• Docker CVE Fix — Manually patched npm's bundled minimatch in Dockerfile to resolve Docker deploy block

---

Security

CVE-2026-27903 + CVE-2026-27904 (minimatch) — HIGH

Manually patched npm's bundled minimatch@10.2.2 → 10.2.3 in Dockerfile to fix HIGH severity ReDoS and algorithmic complexity vulnerabilities (CVSS 7.5).

The v4.4.1 npm override only affected project dependencies. Docker Scout detected the vulnerable copy inside npm's own bundled packages at /usr/local/lib/node_modules/npm/node_modules/minimatch. This follows the same manual patch pattern used for tar and diff CVEs.

---

Upgrade

# npm
npm update -g memory-journal-mcp

# Docker
docker pull writenotenow/memory-journal-mcp:v4.4.2

Full Changelog: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

v4.4.1 - CVE Remediation (minimatch)

v4.4.1 - CVE Remediation (minimatch)

Released: February 27, 2026

Highlights

• Security Patch — Fixed 2 HIGH severity CVEs in minimatch that blocked Docker deployment

---

Security

CVE-2026-27903 (minimatch) — HIGH

Inefficient algorithmic complexity vulnerability in minimatch >=10.0.0, <10.2.3 (CVSS 7.5). Added npm override minimatch@^10.2.3.

CVE-2026-27904 (minimatch) — HIGH

Inefficient regular expression complexity (ReDoS) in minimatch >=10.0.0, <10.2.3 (CVSS 7.5). Same fix as CVE-2026-27903.

---

Upgrade

# npm
npm update -g memory-journal-mcp

# Docker
docker pull writenotenow/memory-journal-mcp:v4.4.1

Full Changelog: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

v4.4.0 - Milestones, Insights, Security Hardening & Performance

v4.4.0 - Milestones, Insights, Security Hardening & Performance

Released: February 27, 2026

Highlights

• GitHub Milestones Integration — Full CRUD support with 5 new tools, 2 new resources, and briefing/status integration
• Repository Insights/Traffic Tool — New get_repo_insights tool and memory://github/insights resource for monitoring stars, forks, clones, views, referrers, and popular paths (14-day rolling data)
• HTTP Transport Security Hardening — Configurable CORS, request body size limits, security headers, session timeout, and error log token scrubbing
• Performance Improvements — Debounced database save, paginated vector rebuild, parallel batch embedding, GitHub API TTL cache, and startup deduplication
• 15+ Bug Fixes — Including memory://significant sort correctness, delete_entry permanent delete, JournalEntry GitHub metadata exposure, and list_tags zero-count filtering

---

Added

GitHub Milestones Integration

Full lifecycle management for GitHub Milestones:

• 5 new tools: get_github_milestones, get_github_milestone, create_github_milestone, update_github_milestone, delete_github_milestone
• 2 new resources: memory://github/milestones (list) and memory://milestones/{number} (detail)
• Briefing and status resources now include milestone progress data
• create_github_issue_with_entry accepts optional milestone_number parameter

Repository Insights/Traffic

• New tool: get_repo_insights with token-efficient sections parameter
• New resource: memory://github/insights — compact summary (~150 tokens)
• Surfaces stars, forks, watchers, clones, views, top referrers, and popular pages
• Extended 10-minute cache TTL for slowly-changing traffic data

Server Host Bind Parameter

• New --server-host CLI option and MCP_HOST / HOST environment variables
• Defaults to localhost; set to 0.0.0.0 for container deployments

Performance Benchmarking Suite

• New npm run bench script using vitest bench for baseline performance measurement

---

Improved

• get_entry_by_id Importance Scoring Breakdown — Returns weighted component contributions
• get_cross_project_insights Inactive Threshold Visibility — Self-documenting inactiveThresholdDays field
• Database I/O — Debounced Save — 500ms debounce batches rapid writes into single disk flush
• Vector Index Rebuild — Paginated fetching (200 per page) + parallel batch embedding (5 at a time) + sequential insertion
• Server Startup — getTools() Deduplication — Eliminated duplicate call during startup
• GitHub API — TTL Response Cache — 5-minute cache for read methods with automatic invalidation on mutations

---

Fixed

• memory://significant Importance Sort — Fixed resource returning timestamp-sorted instead of importance-sorted entries when >20 entries exist
• memory://instructions Active Tool Count — Fixed hardcoded 3-tool fallback; now uses getAllToolNames()
• memory://health Tool Count — Dynamic computation from TOOL_GROUPS instead of hardcoded value
• delete_entry Permanent Delete — Now works on previously soft-deleted entries via getEntryByIdIncludeDeleted()
• delete_entry Existence Check (P154) — Pre-checks entry existence before mutation
• link_entries Existence Check (P154) — Pre-checks both source and target entry existence
• visualize_relationships Disambiguation (P154) — Clear "Entry not found" message for nonexistent entries
• list_tags Zero-Count Filtering — No longer returns orphan tags with zero usage
• get_github_issue Missing Milestone Field — Now maps issue.milestone from API response
• JournalEntry GitHub Metadata — 10 GitHub fields now included in all tool responses
• delete_github_milestone Structured Error — Returns proper DeleteMilestoneOutputSchema on failure
• ServerInstructions.ts Entry Types — Updated from 7 stale types to full 13-type union
• Docker Hub Short Description — Corrected "HTTPS" → "HTTP/SSE"

---

Security

• HTTP Transport Hardening — Configurable CORS (--cors-origin), 1MB request body limit, X-Content-Type-Options: nosniff + X-Frame-Options: DENY, 30-min session timeout
• Error Log Token Scrubbing — Automatic sanitization of GitHub tokens and Authorization headers
• CVE-2026-26960 (tar) — Updated npm's bundled tar → 7.5.8 (HIGH, path traversal CVSS 7.1)
• GHSA-w7fw-mjwx-w883 (qs) — Updated qs 6.14.1 → 6.14.2 (low, arrayLimit bypass DoS)
• GHSA-43fc-jf86-j433 (axios) — Override to 1.13.5 (DoS via __proto__ key)
• SECURITY.md Rewrite — Complete rewrite for TypeScript era
• docker-compose.yml Rewrite — Removed Python-era configuration, added secure mounts
• Dockerfile Healthcheck — Replaced no-op healthcheck with process.exit(0) validation

---

CI/CD

• Removed Dependabot auto-merge workflow — manual review required
• Trivy Action updated to 0.34.0
• CI test matrix aligned to [24.x, 25.x] matching engines.node: >=24.0.0
• Blocking npm audit — known vulnerabilities now fail the pipeline
• Blocking secret scanning — verified leaks now fail the pipeline

---

Dependencies

Package	From	To
@eslint/js	9.39.2	10.0.1 (major)
@modelcontextprotocol/sdk	1.26.0	1.27.1 (minor)
@types/node	25.2.0	25.3.2 (minor)
eslint	9.39.2	10.0.2 (major)
simple-git	3.28.0	3.32.3 (minor)
sql.js	1.12.0	1.14.0 (minor)
typescript-eslint	8.54.0	8.56.1 (minor)

---

Upgrade

# npm
npm update -g memory-journal-mcp

# Docker
docker pull writenotenow/memory-journal-mcp:v4.4.0

Full Changelog: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

v4.3.1 - OutputSchema Fix & CVE Remediations

v4.3.1 - OutputSchema Fix & CVE Remediations

Released: February 5, 2026

Highlights

• OutputSchema Fix — Fixed get_cross_project_insights validation error on empty results
• Security Patches — Remediated 3 CVEs in Docker image (libexpat CRITICAL, tar HIGH)
• Dependency Updates — MCP SDK 1.26.0 and other updates

---

Fixed

get_cross_project_insights OutputSchema Validation

When no projects met the minimum entry threshold, the tool returned only message and projects fields, failing outputSchema validation.

Now returns all required fields:

• project_count: 0
• total_entries: 0
• inactive_projects: []
• time_distribution: []
• message (with explanation)
• projects: []

---

Security

CVE-2026-24515 (libexpat) — CRITICAL

Null pointer dereference vulnerability. Fixed by explicitly installing libexpat from Alpine edge repositories in Dockerfile.

CVE-2026-25210 (libexpat) — MEDIUM

Integer overflow leading to information disclosure. Same fix as CVE-2026-24515.

CVE-2026-24842 (tar) — HIGH

Path traversal vulnerability in npm's bundled tar package. Updated from 7.5.4 → 7.5.7 in Dockerfile.

---

Changed

Dependency Updates

Package	From	To
@modelcontextprotocol/sdk	1.25.3	1.26.0
@types/node	25.0.10	25.2.0
commander	14.0.2	14.0.3
globals	17.1.0	17.3.0

---

Upgrade

# npm
npm update -g memory-journal-mcp

# Docker
docker pull writenotenow/memory-journal-mcp:v4.3.1

Full Changelog: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

v4.3.0 - Causal Knowledge Graphs & Analytics

v4.3.0 - Causal Knowledge Graphs & Analytics

Released: January 18, 2026

Highlights

• Causal Relationship Types — 3 new relationship types for decision tracing and failure analysis
• Enhanced Analytics — 4 additional metrics in get_statistics for deeper insights
• Significance Gradients — Computed importance scores (0.0-1.0) for entries

---

Added

Causal Relationship Types

Three new relationship types for building causal knowledge graphs:

Type	Description	Mermaid Arrow
blocked_by	Entry was blocked by another (e.g., blocker → resolution)	--x
resolved	Entry resolved/fixed an issue from another	==>
caused	Entry caused or led to another outcome	-.->

Updated Field Notes with guidance on when to use causal types.

Enhanced Analytics

get_statistics now returns 4 additional metrics:

• decisionDensity: Significant entries per period (entries with significanceType)
• relationshipComplexity: Total relationships / total entries average
• activityTrend: Period-over-period growth percentage
• causalMetrics: Counts for blocked_by, resolved, caused relationships

Significance Gradients

Computed importance scores (0.0-1.0) for entries based on:

• Significance type (30%)

• Relationship count (35%)

• Causal relationships (20%)

• Recency (15%)

• get_entry_by_id now returns importance field

• memory://significant resource sorts entries by importance (highest first)

---

Fixed

Docker Workflow Duplicate Builds

Removed push: tags: ['v*'] trigger that caused duplicate image sets when releasing versions.

• Docker builds now only trigger via workflow_run after "Lint and Test" passes
• Version tags still applied based on package.json version
• Removed obsolete preflight-check job

---

Improved

memory://significant Secondary Sort

Entries with equal importance scores are now sorted by timestamp (newest first), ensuring consistent chronological ordering for ties.

create_entry Auto-populates issueUrl

When creating an entry with issue_number but no issueUrl, the URL is now auto-constructed from cached repository info. Requires GitHub integration and prior getRepoInfo() call.

Harmonized Graph Arrow Styles

memory://graph/recent now uses the same arrow mappings as visualize_relationships tool:

• Added causal types: blocked_by (--x), resolved (==>), caused (-.->)
• Added missing types: clarifies (-.->) and response_to (<-->)
• Standardized implements to use ==> for consistency

---

Upgrade

# npm
npm update -g memory-journal-mcp

# Docker
docker pull writenotenow/memory-journal-mcp:v4.3.0

Full Changelog: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

v4.2.0 - HTTP/SSE Transport & Maintenance

Memory Journal MCP Server v4.2.0

Release Date: January 17, 2026

Highlights

• HTTP/SSE Transport — Run the server in HTTP mode for remote access and web-based clients
• New Tool: cleanup_backups — Automatic backup rotation to prune old backups
• New Tool: merge_tags — Tag normalization for consolidating similar tags
• 100% StructuredContent Coverage — All 33 tools now have formal output schemas
• Enhanced Feedback — Improved hints for semantic_search, restore_backup, and PR timeline

---

Added

HTTP/SSE Transport

• New --transport http --port 3000 CLI options
• POST /mcp — JSON-RPC requests (initialize, tools/call, resources/read, etc.)
• GET /mcp — SSE stream for server-to-client notifications (supports resumability via Last-Event-ID)
• DELETE /mcp — Session termination
• Stateful mode (default): Session management via mcp-session-id header
• Stateless mode (--stateless): No session management, ideal for serverless deployments
• New dependencies: express@^5.1.0, @types/express (devDependency)

cleanup_backups Tool

• keep_count parameter specifies how many recent backups to retain (default: 5)
• Returns list of deleted filenames and count of kept backups
• Added to backup tool group in ToolFilter

merge_tags Tool

• Merge duplicate/similar tags (e.g., phase-2 → phase2)
• Source tag is deleted after merge; target tag created if not exists
• Updates all entry-tag links and usage counts
• Added to admin tool group in ToolFilter

Tool Count

• 31 → 33 tools (backup: 3 → 4, admin: 4 → 5)

---

Improved

semantic_search Hint Enhancement

• Hint now includes the current similarity_threshold value (e.g., "0.3")
• Suggests lowering threshold (e.g., "Try 0.2 for broader matches.")

restore_backup Enhanced Warning

• Warning message now explicitly mentions tag merges, new entries, and relationships are reverted
• New revertedChanges field in output with specific details
• Added Field Note in memory://instructions documenting restore behavior

memory://prs/{pr_number}/timeline Enhancement

• New prMetadata field with title, state, draft, mergedAt, closedAt, author, headBranch, baseBranch
• New timelineNote field with human-readable PR status

---

Changed

• memory://instructions Default Level — Changed from standard to full (~600 tokens)
• Briefing clientNote — Simplified to "For complete tool reference and field notes, read memory://instructions."
• Expanded StructuredContent Coverage — 7 additional tools now return structuredContent with Zod validation
  • All 33 tools with response data now have formal output schemas

---

Fixed

• CI Status "unknown" for Cancelled Workflows — Fixed memory://briefing and memory://github/status reporting "unknown" when latest workflow was cancelled
  • CI status type now includes passing | failing | pending | cancelled | unknown

---

Documentation

• memory://tags vs list_tags Schema — Documented intentional difference between resource and tool output
• Tag Naming Conventions — Added guidance for consistent tag naming patterns
• semantic_search Threshold Guidance — New Field Note documenting threshold recommendations

---

Full Changelog: v4.1.0...v4.2.0

v4.1.0 - Auto-rebuild index, MCP icons, progress notifications

Memory Journal MCP Server v4.1.0

Release Date: January 17, 2026

Highlights

• Auto-rebuild Vector Index — New --auto-rebuild-index CLI flag and AUTO_REBUILD_INDEX env var to synchronize vector index on server startup
• MCP Progress Notifications — Long-running operations emit notifications/progress for improved UX
• MCP Icons Array Support — 31 tools, 15 resources, and 15 prompts now include visual icons
• Expanded Structured Output — Output schemas extended from 5 to 24 tools for programmatic consumption
• Kanban Automation — close_github_issue_with_entry gains move_to_done parameter

---

Added

Auto-rebuild Vector Index on Startup

• New --auto-rebuild-index CLI flag and AUTO_REBUILD_INDEX env var
• Rebuilds vector index from all database entries during startup
• Ensures memory://health reports accurate itemCount matching entryCount

move_to_done for close_github_issue_with_entry

• New move_to_done boolean parameter (default: false)
• Automatically moves Kanban item to "Done" column when closing an issue
• New project_number parameter (uses DEFAULT_PROJECT_NUMBER if not specified)

MCP Progress Notifications

• rebuild_vector_index: Reports progress every 10 entries
• restore_backup: Reports 3-phase progress (backup → restore → verify)
• export_entries: Reports 2-phase progress (fetch → process)
• New utility module: src/utils/progress-utils.ts

MCP Icons Array Support

• Tools, resources, and prompts include optional icons array
• Follows MCP 2025-11-25 specification
• Uses SVG data URIs for self-contained distribution

Expanded StructuredContent Coverage

• 17 new output schemas (5 → 24 tools total)
• Core Read, Mutation, GitHub, and Backup tool schemas
• Clients supporting structuredContent receive validated JSON

semantic_search Hint Control

• New hint_on_empty parameter (default: true)
• Suppresses hints when false for programmatic consumers

PR Resource Empty Hints

• memory://prs/{pr_number}/entries and memory://prs/{pr_number}/timeline include hints when no entries linked

---

Fixed

• list_tags Output Schema — Fixed usageCount → count mapping
• semantic_search Hints — Fixed always showing "No entries in vector index"
• getRecentEntries Ordering — Added secondary sort by ID for deterministic results
• GHSA-73rr-hh4g-fpgx — Patched npm's bundled diff@8.0.2 → 8.0.3
• CVE-2026-23745 — Patched npm's bundled tar@7.5.2 → 7.5.3
• memory://health Field Name — Aligned indexedEntries → itemCount
• memory://tags Field Naming — Mapped usageCount → count
• create_github_issue_with_entry — Default status now "Backlog"
• delete_entry Vector Cleanup — Removes entries from vector index
• Docker Security Gate — Scan before push, --only-fixed for fixable CVEs
• Docker Build — Reduced context by ~200MB with .dockerignore rewrite

---

Documentation

• GitHub Fallback Behavior — Documented requiresUserInput: true response pattern
• autoContext Field — Added "Field Notes" section explaining reserved field

---

Known Limitations

• Icons not visible in protocol output — MCP SDK v1.25.2 doesn't pass icons through to responses. Server implementation is correct and future-ready.

---

Full Changelog: v4.0.0...v4.1.0

v4.0.0 - GitHub Issue Lifecycle & MCP Compliance

v4.0.0 - GitHub Issue Lifecycle & MCP 2025-11-25 Compliance

Release Date: January 16, 2026

Highlights

This major release introduces GitHub Issue Lifecycle Management with automatic journal linking, full MCP 2025-11-25 compliance with structured output validation, and Dynamic Context Management enhancements. It also updates the minimum Node.js requirement to 24+.

Breaking Changes

• Node.js 24+ Required — engines.node updated from ≥18.0.0 to ≥24.0.0
• Structured Output — 5 tools now return structuredContent alongside text content. Clients that don't understand structuredContent will fall back to the text representation.

New Features

GitHub Issue Lifecycle Tools (+2 tools: 29→31)

• create_github_issue_with_entry — Creates GitHub issue AND linked journal entry in one operation
  • New initial_status parameter to set Kanban column (e.g., "Backlog", "Ready")
  • Accepts project_number to auto-add issue to GitHub Project v2
• close_github_issue_with_entry — Closes issue AND creates resolution entry with significance

New Resources (+2: 16→18)

• memory://briefing (enhanced) — Now includes userMessage for agents to relay to users, template resource discovery, and client compatibility notes
• memory://instructions (new) — Universal access to server behavioral guidance with tiered levels (?level=essential|standard|full)

New Prompt (+1: 14→15)

• confirm-briefing — Session context acknowledgment for users to understand what context the agent received

MCP 2025-11-25 Compliance

• outputSchema — 5 tools with structured output validation: get_recent_entries, search_entries, search_by_date_range, get_entry_by_id, get_statistics
• lastModified Annotations — Dynamic resources now include ISO 8601 timestamps
• structuredContent + Text Fallback — Tools return both structured JSON and formatted text for client compatibility

Bug Fixes

• Semantic Search Timing — Fixed race condition where search returned 0 results immediately after rebuild
• Auto-Indexing — New and updated entries are now immediately available for semantic search
• CI Status Discrepancy — Resources now use latest completed run for status determination
• GitHub Actions Resource — memory://actions/recent now fetches live workflow runs from GitHub API
• Search Filter Accuracy — Fixed search_entries ignoring filters when query is empty
• Vector Index Stats — Fixed memory://health reporting 0 indexed entries after rebuild
• Trivy Security Scan — Fixed workflow that hadn't run since September 2025
• Docker Latest Tag — Fixed latest tag not being applied on workflow_run triggered builds

Documentation

• Added hybrid workflow documentation explaining MCP + gh CLI approach for GitHub management
• Enhanced wiki pages with Dynamic Context Management patterns
• Documented AntiGravity IDE workarounds for clients that don't auto-inject ServerInstructions

---

Installation

npm:

npm install -g memory-journal-mcp@4.0.0

Docker:

docker pull writenotenow/memory-journal-mcp:4.0.0

Full Changelog: v3.1.5...v4.0.0

v3.1.5 - Remove protobufjs CLI to Eliminate taffydb CVE

v3.1.5 - Remove protobufjs CLI to Eliminate taffydb CVE

Release Date: January 11, 2026

Security Fixes

protobufjs CLI Removal

The protobufjs package (transitive dependency via @xenova/transformers → onnxruntime-web → onnx-proto) includes a /cli/ folder for .proto file compilation. This CLI folder contains unmaintained dependencies with known CVEs.

Since the CLI is not used at runtime, we now remove it entirely from the Docker image:

RUN rm -rf node_modules/protobufjs/cli

CVEs Eliminated:

• CVE-2019-10790 (taffydb, HIGH) — 6+ year old unmaintained package
• CVE-2025-54798 (tmp, LOW) — Symlink vulnerability
• CVE-2025-5889 (brace-expansion, LOW) — ReDoS vulnerability

Remaining Allowlisted CVEs (No Upstream Fix)

These CVEs still have no fix available from Alpine:

• CVE-2026-22184 (zlib, CRITICAL) — Alpine hasn't packaged zlib 1.3.1.3 yet
• CVE-2025-60876 (busybox, MEDIUM) — Patch submitted to busybox but not released

---

Installation

npm:

npm install -g memory-journal-mcp@3.1.5

Docker:

docker pull writenotenow/memory-journal-mcp:3.1.5

v3.1.4 - npm Upgrade in Production Stage

v3.1.4 - npm Global Upgrade in Production Stage

Release Date: January 11, 2026

Fixed

Docker Scout CVE-2025-64756 and CVE-2025-64118

The v3.1.3 release added npm install -g npm@latest to the builder stage only, but the production stage uses a fresh node:24-alpine base image with its own bundled npm.

Fix: Added npm install -g npm@latest to the production stage as well.

This ensures the final Docker image has the latest npm with fixed versions of:

• glob (fixes CVE-2025-64756, HIGH)
• tar (fixes CVE-2025-64118, MEDIUM)

---

Installation

npm:

npm install -g memory-journal-mcp@3.1.4

Docker:

docker pull writenotenow/memory-journal-mcp:3.1.4