github doobidoo/mcp-memory-service v10.17.16
v10.17.16 — Security: minimatch ReDoS + PyPDF2 → pypdf

2 months ago

Security Fixes

minimatch ReDoS (Dependabot #3, #6 — High severity)

  • Vulnerability: Older minimatch versions are susceptible to a Regular Expression Denial-of-Service (ReDoS) attack
  • Fix: Pinned minimatch to ^10.2.1 via npm overrides in tests/bridge/package.json and tests/integration/package.json
  • Impact: Test infrastructure only; production runtime is not affected
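As an added illustration (not the project's own file), this is the shape of the npm `overrides` entry the fix describes: it forces every transitive copy of `minimatch` in the test package's dependency tree onto the patched range. The package name and the `some-test-tool` dev dependency are constructed placeholders.

```json
{
  "name": "bridge-tests",
  "private": true,
  "devDependencies": {
    "some-test-tool": "^1.0.0"
  },
  "overrides": {
    "minimatch": "^10.2.1"
  }
}
```

After `npm install`, `npm ls minimatch` lists every resolved copy; any version below 10.2.1 still appearing means the override has not taken effect (for example, the lockfile was not regenerated).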

PyPDF2 replaced with pypdf (Dependabot moderate — Infinite Loop)

  • Vulnerability: PyPDF2 is abandoned and has a known infinite-loop vulnerability; no further security patches will be released upstream
  • Fix: Replaced PyPDF2 with its official maintained successor pypdf in pyproject.toml; updated all imports and API usage in src/mcp_memory_service/ingestion/pdf_loader.py
  • Impact: PDF ingestion continues to work identically — pypdf is the direct continuation of PyPDF2 by the same maintainer

Files Changed

  • pyproject.toml — dependency swap: PyPDF2 → pypdf
  • src/mcp_memory_service/ingestion/pdf_loader.py — updated imports/API
  • tests/bridge/package.json + package-lock.json — pin minimatch
  • tests/integration/package.json + package-lock.json — pin minimatch
  • uv.lock — removes pypdf2 v3.0.1, adds pypdf v6.7.2

Upgrade

pip install --upgrade mcp-memory-service

No configuration changes required. No breaking changes.
