github doobidoo/mcp-memory-service v10.53.0
v10.53.0 — Milvus Consolidation Embedding Hydration + GitPython Security
on GitHub

13 hours ago

Highlights

This release completes a 4-PR series (#872#878#881#885) that resolves a production failure on Milvus-backed deployments where the consolidation pipeline silently produced 0 clusters and 0 associations. The root cause: the vector column was dropped during bulk reads, leaving every Memory with embedding=None before clustering even started.

Also included: a GitPython security bump resolving 3 high-severity CVEs in a transitive dependency.

What's New

feat(milvus): consolidation embedding hydration end-to-end (#885, @henry201605)

Root cause fixed: consolidator._get_memories_for_horizon now passes include_embeddings=True to both get_all_memories and get_memories_by_time_range, ensuring embedding vectors are present before the clustering and association-discovery stages run.

Backend changes (all 4 storage backends updated):

  • sqlite_vec.pyget_memories_by_time_range gains a conditional LEFT JOIN on memory_embeddings when include_embeddings=True; get_all_memories already did an unconditional JOIN, accepts the kwarg as a no-op
  • hybrid.py — forwards the kwarg to the primary backend on both methods
  • cloudflare.py — accepts the kwarg on both methods but ignores it (vectors live in Vectorize, not locally); signatures now match the ABC
  • milvus.py_coerce_vector now explicitly rejects str/bytes/dict types; _log_hydration_stats takes a pre-computed hydration count (O(n) optimization)

Test coverage: 24 unit tests (tests/storage/test_milvus_hydration.py) + 5 Milvus Lite integration tests (tests/storage/test_milvus_consolidation.py)

security: GitPython 3.1.47 → 3.1.50 (#886)

Resolves 3 high-severity vulnerabilities in the transitive wandb → GitPython dependency:

  • Path traversal allowing arbitrary file write/delete outside the repository (GHSA-7545-fcxq-7j24)
  • Newline injection in config_writer().set_value() enabling RCE via core.hooksPath (GHSA-v87r-6q3f-2j67)
  • Newline injection in config_writer() section parameter bypassing the prior CVE patch (GHSA-mv93-w799-cj2w)

SemVer Rationale

MINOR bump: the include_embeddings parameter added to public MemoryStorage ABC methods in v10.52.0 (PR #881) represents a new backward-compatible parameter on the abstract interface. The consolidator's use of that parameter in this release completes the feature. Per the semver-feat-param-is-minor instinct, new parameters on public ABC methods are MINOR even with safe default=False.

🙏 Special Thanks

Big thanks to @henry201605 for seeing the Milvus consolidation bug all the way through — from the initial delete_memory proxy (#872) to the complete embedding hydration fix (#885). This was a persistent, well-executed multi-PR investigation.

Upgrade

pip install --upgrade mcp-memory-service
# or
uvx mcp-memory-service@latest

Full changelog: https://github.com/doobidoo/mcp-memory-service/blob/main/CHANGELOG.md#10530---2026-05-09

Check out latest releases or
releases around doobidoo/mcp-memory-service v10.53.0

Don't miss a new mcp-memory-service release

NewReleases is sending notifications on new releases.

Get notifications