github doobidoo/mcp-memory-service v9.0.2
v9.0.2 - Critical Hotfix (Actual Code Fix Included)

3 months ago

🚨 CRITICAL HOTFIX - This release actually includes the code fix for the mass deletion bug

⚠️ IMPORTANT: Do NOT Use v9.0.1

v9.0.1 was incorrectly tagged and does NOT contain the actual code fix. The tag was created BEFORE the code changes were committed, resulting in:

  • PyPI package for v9.0.1 does NOT include the security fix
  • Docker images for v9.0.1 do NOT include the security fix
  • Users downloading v9.0.1 are still vulnerable to the mass deletion bug

All users should upgrade directly to v9.0.2 (this release).

What's Fixed in v9.0.2

This release includes the actual code changes from commit 9c5ed87 that were intended for v9.0.1:

Security Fix: Prevent Accidental Mass Deletion

  • File Changed: src/mcp_memory_service/web/api/manage.py:254
  • Fix: confirm_count parameter is now REQUIRED (not optional) in /api/manage/delete-untagged endpoint
  • Impact: Prevents accidental deletion of all untagged memories without confirmation
  • Documentation: Added comprehensive security documentation and error messages

Root Cause of v9.0.1 Tagging Error

  1. Code changes were committed to fix the mass deletion bug
  2. Tag v9.0.1 was created BEFORE the commit was made
  3. Result: Tag pointed to version WITHOUT the fix
  4. This release (v9.0.2) includes the actual fix

Original Bug (from v9.0.0)

Incident: On 2026-01-17 at 10:59:20, 6733 memories (87% of database) were accidentally soft-deleted

Root Cause: The confirm_count parameter was optional in the /api/manage/delete-untagged endpoint. If called without this parameter, ALL untagged memories were deleted without confirmation.

Fix Applied in v9.0.2:

  • Made confirm_count parameter REQUIRED
  • Enhanced safety check to validate confirm_count matches actual count
  • Improved error messages to guide users to use GET /api/manage/count-untagged first
  • Added comprehensive security documentation
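
The difference between the optional and the required confirm_count check can be reproduced in a small model. This is an added example, not the project's code from manage.py: the memories table and deleted_at column follow the recovery SQL on this page, while the tags column, the function names and the rollback-on-mismatch approach are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema: `memories` and `deleted_at` come from the recovery SQL on this
# page; the `tags` column and its empty-means-untagged encoding are hypothetical.
UNTAGGED = "(tags IS NULL OR tags = '') AND deleted_at IS NULL"

def make_db(rows):
    """Build an in-memory database from constructed (content, tags) sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE memories (id INTEGER PRIMARY KEY, content TEXT,"
               " tags TEXT, deleted_at TEXT)")
    db.executemany("INSERT INTO memories (content, tags) VALUES (?, ?)", rows)
    db.commit()
    return db

def count_untagged(db):
    """Stand-in for GET /api/manage/count-untagged."""
    return db.execute(f"SELECT COUNT(*) FROM memories WHERE {UNTAGGED}").fetchone()[0]

def _soft_delete(db):
    """Mark every live untagged row as deleted; returns the number of rows touched."""
    now = datetime.now(timezone.utc).isoformat()
    return db.execute(f"UPDATE memories SET deleted_at = ? WHERE {UNTAGGED}", (now,)).rowcount

def delete_untagged_optional(db, confirm_count=None):
    """v9.0.0 behaviour as described: omitting confirm_count skips the safety check."""
    if confirm_count is not None and confirm_count != count_untagged(db):
        return 400, {"error": "confirm_count does not match"}
    deleted = _soft_delete(db)
    db.commit()
    return 200, {"deleted": deleted}

def delete_untagged_required(db, confirm_count=None):
    """v9.0.2 behaviour as described: confirm_count is mandatory and must match."""
    if confirm_count is None:
        return 400, {"error": "confirm_count is required; "
                              "call GET /api/manage/count-untagged first"}
    deleted = _soft_delete(db)       # UPDATE opens a transaction implicitly
    if deleted != confirm_count:     # compare against rows actually affected
        db.rollback()                # mismatch: undo, nothing is deleted
        return 400, {"error": f"confirm_count={confirm_count} but {deleted} untagged memories exist"}
    db.commit()
    return 200, {"deleted": deleted}
```

Comparing confirm_count with the row count of the UPDATE itself, and rolling back on mismatch, keeps the check and the deletion in one transaction, so the count cannot change between the two.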

Recovery Instructions

If you were affected by the v9.0.0 bug, all memories can be restored:

-- Restore all soft-deleted memories (this includes any that were soft-deleted intentionally)
UPDATE memories SET deleted_at = NULL WHERE deleted_at IS NOT NULL;

For detailed recovery instructions, see CHANGELOG.md.

Installation

# PyPI (recommended)
pip install --upgrade mcp-memory-service==9.0.2

# Docker
docker pull doobidoo/mcp-memory-service:9.0.2
docker pull doobidoo/mcp-memory-service:latest

Breaking Changes

This is a breaking change for API consumers:

  • The /api/manage/delete-untagged endpoint now requires the confirm_count parameter
  • Calls without confirm_count will return a 400 error with instructions

Timeline Summary

  • v9.0.0 (2026-01-17): Released with mass deletion bug
  • v9.0.1 (2026-01-17): Tagged incorrectly WITHOUT code fix ❌
  • v9.0.2 (2026-01-17): Contains actual code fix ✅

Verification

To verify you have the correct version with the fix:

# Check version
python -c "from mcp_memory_service import __version__; print(__version__)"

# Verify the fix is present (run from the root of a source checkout)
grep -n "confirm_count.*required=True" src/mcp_memory_service/web/api/manage.py
# Should show line 254 with confirm_count as required parameter

Full Changelog

See CHANGELOG.md for complete details.


Recommendation: All users on v9.0.0 or v9.0.1 should upgrade to v9.0.2 immediately.

🙏 Thank you for your patience with this release process. We've implemented additional safeguards to prevent similar tagging errors in the future.
