[pull] main from mem0ai:main

cli/node/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to `@mem0/cli` are documented here.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.8] — 2026-06-01
+
+### Security
+
+- Pinned transitive dependencies via pnpm overrides to remediate high-severity CVEs:
+  - `jws` → 4.0.1 (CVE-2025-65945)
+  - `langsmith` → ^0.6.0 (CVE-2026-45134)
+  - `tar-fs` → ^2.1.4 (CVE-2025-48387, CVE-2025-59343)
+  - `picomatch` → ^2.3.2 (CVE-2026-33671)
+  - `minimatch` → ^3.1.3 / ^5.1.8 / ^9.0.7 (CVE-2026-27903, CVE-2026-27904, CVE-2026-26996)
+  - `path-to-regexp` → ^8.4.0 (CVE-2026-4926)
+  - `rollup` → ^4.59.0 (CVE-2026-27606)
+  - `glob` → ^10.5.0 (CVE-2025-64756)
+  - `@modelcontextprotocol/sdk` → ^1.25.4 (CVE-2025-66414, CVE-2026-0621)
+
 ## [0.2.7] — 2026-05-20
 
 ### Added

cli/node/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mem0/cli",
-  "version": "0.2.7",
+  "version": "0.2.8",
   "description": "The official CLI for mem0 — the memory layer for AI agents",
   "type": "module",
   "bin": {

cli/node/pnpm-workspace.yaml

@@ -0,0 +1,12 @@
+packages:
+  - '.'
+
+onlyBuiltDependencies:
+  - "@biomejs/biome"
+  - esbuild
+
+overrides:
+  jws@4.0.0: 4.0.1
+  langsmith@<0.6.0: ^0.6.0
+  tar-fs@>=2.0.0 <2.1.4: ^2.1.4
+  picomatch@<2.3.2: ^2.3.2

docs/changelog/sdk.mdx

@@ -939,6 +939,13 @@ See the [OSS v1 to v2 migration guide](https://docs.mem0.ai/migration/oss-v1-to-
 </Tab>
 
 <Tab title="TypeScript">
+<Update label="2026-06-01" description="v3.0.6">
+
+**Security:**
+- **Dependencies:** Bumped `axios` to `^1.16.0` to remediate high-severity prototype-pollution CVEs (credential theft, MITM, DoS). Pinned transitive dependencies via pnpm overrides: `jws` → 4.0.1 (CVE-2025-65945), `langsmith` → ^0.6.0 (CVE-2026-45134), `tar-fs` → ^2.1.4 (CVE-2025-48387, CVE-2025-59343), `picomatch` → ^2.3.2 (CVE-2026-33671), `minimatch` → ^3.1.3 / ^5.1.8 / ^9.0.7 (CVE-2026-27903, CVE-2026-27904, CVE-2026-26996), `path-to-regexp` → ^8.4.0 (CVE-2026-4926), `rollup` → ^4.59.0 (CVE-2026-27606), `glob` → ^10.5.0 (CVE-2025-64756), `@modelcontextprotocol/sdk` → ^1.25.4 (CVE-2025-66414, CVE-2026-0621)
+
+</Update>
+
 <Update label="2026-05-27" description="v3.0.5">
 
 **New Features:**
@@ -1352,6 +1359,13 @@ See the [TypeScript SDK migration guide](https://docs.mem0.ai/migration/ts-v2-to
 
 <Tab title="CLI">
 
+<Update label="2026-06-01" description="Node v0.2.8">
+
+**Security:**
+- **Dependencies:** Pinned transitive dependencies via pnpm overrides to remediate high-severity CVEs: `jws` → 4.0.1 (CVE-2025-65945), `langsmith` → ^0.6.0 (CVE-2026-45134), `tar-fs` → ^2.1.4 (CVE-2025-48387, CVE-2025-59343), `picomatch` → ^2.3.2 (CVE-2026-33671), `minimatch` → ^3.1.3 / ^5.1.8 / ^9.0.7 (CVE-2026-27903, CVE-2026-27904, CVE-2026-26996), `path-to-regexp` → ^8.4.0 (CVE-2026-4926), `rollup` → ^4.59.0 (CVE-2026-27606), `glob` → ^10.5.0 (CVE-2025-64756), `@modelcontextprotocol/sdk` → ^1.25.4 (CVE-2025-66414, CVE-2026-0621)
+
+</Update>
+
 <Update label="2026-05-16" description="Python v0.2.6 / Node v0.2.6">
 
 **Bug Fixes:**
@@ -1468,6 +1482,20 @@ A full-featured command-line interface for Mem0, available in both Python and No
 
 <Tab title="Plugins">
 
+<Update label="2026-06-01" description="openclaw-mem0 v1.0.12">
+
+**Security:**
+- **Dependencies:** Pinned transitive dependencies via pnpm overrides to remediate high-severity CVEs: `protobufjs` → ^7.5.5, `vite` → ^8.0.5, `langsmith` → ^0.6.0 (CVE-2026-45134), `picomatch` → ^2.3.2 (CVE-2026-33671), `@qdrant/js-client-rest` → ^1.18.0
+
+</Update>
+
+<Update label="2026-06-01" description="Vercel AI SDK v2.0.6">
+
+**Security:**
+- **Dependencies:** Pinned transitive dependencies via pnpm overrides to remediate high-severity CVEs: `glob` → ^10.5.0 (CVE-2025-64756), `minimatch` → ^3.1.3 / ^5.1.8 / ^9.0.7 (CVE-2026-27903, CVE-2026-27904, CVE-2026-26996), `picomatch` → ^2.3.2 (CVE-2026-33671), `rollup` → ^4.59.0 (CVE-2026-27606)
+
+</Update>
+
 <Update label="2026-04-02" description="mem0-plugin v1.0.0">
 
 **Mem0 Plugin for Claude Code, Cursor, and Codex**

examples/mem0-demo/package.json

@@ -26,7 +26,7 @@
     "ai": "^4.1.46",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "js-cookie": "^3.0.5",
+    "js-cookie": "^3.0.6",
     "lucide-react": "^0.477.0",
     "next": "15.5.18",
     "react": "^19.0.0",

mem0-ts/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mem0ai",
-  "version": "3.0.5",
+  "version": "3.0.6",
   "description": "The Memory Layer For Your AI Apps",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -100,7 +100,7 @@
     "typescript": "5.5.4"
   },
   "dependencies": {
-    "axios": "^1.15.2",
+    "axios": "^1.16.0",
     "openai": "^4.93.0",
     "uuid": "9.0.1",
     "zod": "^3.24.1"
@@ -110,10 +110,10 @@
     "@azure/identity": "^4.0.0",
     "@azure/search-documents": "^12.0.0",
     "@cloudflare/workers-types": "^4.20250504.0",
-    "@google/genai": "^1.2.0",
+    "@google/genai": "^1.40.0",
     "@langchain/core": "^1.1.47",
     "@mistralai/mistralai": "^1.5.2",
-    "@qdrant/js-client-rest": "1.13.0",
+    "@qdrant/js-client-rest": "^1.18.0",
     "@supabase/supabase-js": "^2.49.1",
     "@types/jest": "29.5.14",
     "@types/pg": "8.11.0",
@@ -137,6 +137,19 @@
     "onlyBuiltDependencies": [
       "esbuild",
       "better-sqlite3"
-    ]
+    ],
+    "overrides": {
+      "picomatch@<2.3.2": "^2.3.2",
+      "jws@4.0.0": "4.0.1",
+      "langsmith@<0.6.0": "^0.6.0",
+      "minimatch@<3.1.3": "^3.1.3",
+      "minimatch@>=5.0.0 <5.1.8": "^5.1.8",
+      "minimatch@>=9.0.0 <9.0.7": "^9.0.7",
+      "path-to-regexp@>=8.0.0 <8.4.0": "^8.4.0",
+      "rollup@>=4.0.0 <4.59.0": "^4.59.0",
+      "tar-fs@>=2.0.0 <2.1.4": "^2.1.4",
+      "glob@>=10.2.0 <10.5.0": "^10.5.0",
+      "@modelcontextprotocol/sdk": "^1.25.4"
+    }
   }
 }