v4.4.2 - CVE Remediation: patch npm bundled minimatch in Dockerfile

@neverinfamous neverinfamous released this 28 Feb 00:45
af64aac

v4.4.2 - CVE Remediation (minimatch Dockerfile Patch)

Released: February 27, 2026

Highlights

  • Docker CVE Fix — Manually patched npm's bundled minimatch in Dockerfile to resolve Docker deploy block

Security

CVE-2026-27903 + CVE-2026-27904 (minimatch) — HIGH

Manually patched npm's bundled minimatch@10.2.2 → 10.2.3 in Dockerfile to fix HIGH severity ReDoS and algorithmic complexity vulnerabilities (CVSS 7.5).

The v4.4.1 npm override only affected project dependencies. Docker Scout detected the vulnerable copy inside npm's own bundled packages at /usr/local/lib/node_modules/npm/node_modules/minimatch. This follows the same manual patch pattern used for tar and diff CVEs.
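
The gap described above (an override fixes the project's copy but not the one npm ships with) can be checked by listing every installed minimatch copy in an image. The Node.js script below is an added example, not part of this project's code or Dockerfile; the function names and the sample directory tree are constructed for illustration, and the 10.2.3 threshold is taken from these notes and applies to the 10.x line only.

```javascript
// Added example, not the project's code: list each minimatch copy under a root.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const FIXED = '10.2.3'; // from the release notes; applies to the 10.x line only

// Numeric compare of MAJOR.MINOR.PATCH; prerelease tags are ignored (assumption).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Walk root (symlinks not followed) and report each node_modules/minimatch.
function findMinimatch(root, fixed = FIXED, out = []) {
  let entries = [];
  try { entries = fs.readdirSync(root, { withFileTypes: true }); } catch { /* unreadable */ }
  for (const e of entries.filter((d) => d.isDirectory())) {
    const dir = path.join(root, e.name);
    if (e.name === 'minimatch' && path.basename(root) === 'node_modules') {
      try {
        const { version } = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
        const sameLine = version.split('.')[0] === fixed.split('.')[0];
        const status = !sameLine ? 'check-advisory' // other major: look up its own fix
          : compareVersions(version, fixed) < 0 ? 'vulnerable' : 'ok';
        out.push({ dir, version, status });
      } catch { /* no readable package.json here */ }
    }
    findMinimatch(dir, fixed, out);
  }
  return out;
}

// Constructed sample tree with the two locations the notes describe.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'mm-audit-'));
  const put = (rel, version) => {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, 'package.json'), JSON.stringify({ name: 'minimatch', version }));
  };
  put('app/node_modules/minimatch', '10.2.3'); // project copy, pinned by the override
  put('usr/local/lib/node_modules/npm/node_modules/minimatch', '10.2.2'); // npm's bundled copy
  return root;
}

console.table(findMinimatch(process.argv[2] || buildSampleTree()));
```

Pass a directory as the first argument (for example `/` inside the built image) to scan it instead of the constructed sample tree.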


Upgrade

# npm
npm update -g memory-journal-mcp

# Docker
docker pull writenotenow/memory-journal-mcp:v4.4.2

Full Changelog: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG