chore: Bump version & cut changelog

Reviewed-By: Jacob Taylor <jacob@explodie.org>

.forgejo/actions/timelord/action.yml

@@ -71,7 +71,7 @@ runs:
 
     - name: Install timelord-cli and git-warp-time
       if: steps.check-binaries.outputs.need-install == 'true'
-      uses: https://github.com/taiki-e/install-action@74e87cbfa15a59692b158178d8905a61bf6fca95 # v2
+      uses: https://github.com/taiki-e/install-action@787505cde8a44ea468a00478fe52baf23b15bccd # v2
       with:
         tool: git-warp-time,timelord-cli@3.0.1
 

.forgejo/workflows/build-debian.yml

@@ -96,7 +96,7 @@ jobs:
           if [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9]$ ]]; then
             # Use the "stable" component for tagged semver releases
             COMPONENT="stable"
-          elif [[ ${{ forge.ref }} =~ ^refs/tags/^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
+          elif [[ ${{ forge.ref_name }} =~ ^v+[0-9]\.+[0-9]\.+[0-9] ]]; then
             # Use the "unstable" component for tagged semver pre-releases
             COMPONENT="unstable"
           else

.forgejo/workflows/build-fedora.yml

@@ -105,7 +105,7 @@ jobs:
             RELEASE_SUFFIX=""
             TAG_NAME="${{ github.ref_name }}"
             # Extract version from tag (remove v prefix if present)
-            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
+            TAG_VERSION=$(echo "$TAG_NAME" | sed 's/^v//' | tr '-' '~')
 
             # Create spec file with tag version
             sed -e "s/^Version:.*$/Version:        $TAG_VERSION/" \
@@ -270,9 +270,13 @@ jobs:
 
           # Determine the group based on ref type and branch
           if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            GROUP="stable"
             # For tags, extract the tag name for version info
             TAG_NAME="${{ github.ref_name }}"
+            if [[ "$TAG_NAME" == *"-"* ]]; then
+              GROUP="unstable"
+            else
+              GROUP="stable"
+            fi
           elif [ "${{ github.ref_name }}" = "main" ]; then
             GROUP="dev"
           else

.forgejo/workflows/prek-checks.yml

@@ -53,7 +53,7 @@ jobs:
           persist-credentials: false
 
       - name: Check for file changes
-        uses: https://github.com/dorny/paths-filter@v4
+        uses: https://github.com/dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
         id: filter
         with:
           filters: |

.forgejo/workflows/release-image.yml

@@ -199,6 +199,28 @@ jobs:
           registry_user: ${{ vars.BUILTIN_REGISTRY_USER || github.actor }}
           registry_password: ${{ secrets.BUILTIN_REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
 
+  release-binaries:
+    name: "Release Binaries"
+    runs-on: ubuntu-latest
+    needs:
+      - build-release
+      - build-maxperf
+    permissions:
+      contents: write
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Download binary artifacts
+        uses: forgejo/download-artifact@v4
+        with:
+          pattern: conduwuit*
+          path: binaries
+          merge-multiple: true
+      - name: Create Release and Upload
+        uses: https://github.com/softprops/action-gh-release@v2
+        with:
+          draft: true
+          files: binaries/*
+
   mirror_images:
     name: "Mirror Images"
     runs-on: ubuntu-latest

.pre-commit-config.yaml

@@ -24,7 +24,7 @@ repos:
         - id: check-added-large-files
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.45.1
+    rev: v1.45.2
     hooks:
       - id: typos
       - id: typos

CHANGELOG.md

@@ -1,3 +1,14 @@
+# Continuwuity 0.5.9 (2026-05-07)
+
+## Security
+
+- Fixed a bug that caused the server to drop events during processing if several events for the same room were sent in a
+  singular transaction. Contributed by @nex. (#1711)
+- Fixed a bug that caused the server to panic while handling transactions with malformed events, resulting in a 
+  deadlock that prevented the remote server from federating with us until the server was restarted. Contributed by @nex.
+- Fixed a bug that resulted in the `m.federate` field of `m.room.create` being ignored in v12 rooms, allowing remote 
+  servers to participate in local-only rooms. Contributed by @nex, reported by [@mat:emzee.ee](matrix:u/mat:emzee.ee?action=chat).
+
 # Continuwuity 0.5.8 (2026-04-24)
 
 ## Features

Cargo.lock

@@ -960,7 +960,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "aws-lc-rs",
  "clap",
@@ -997,7 +997,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_admin"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "clap",
  "conduwuit_api",
@@ -1020,7 +1020,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_api"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "async-trait",
  "axum",
@@ -1055,7 +1055,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_build_metadata"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "built",
  "cargo_metadata",
@@ -1063,7 +1063,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_core"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "argon2",
  "arrayvec",
@@ -1127,7 +1127,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_database"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "async-channel",
  "conduwuit_core",
@@ -1147,7 +1147,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_macros"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "cargo_toml",
  "itertools 0.14.0",
@@ -1158,7 +1158,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_router"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "axum",
  "axum-client-ip",
@@ -1194,7 +1194,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_service"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "askama",
  "async-trait",
@@ -1223,6 +1223,7 @@ dependencies = [
  "rand 0.10.1",
  "recaptcha-verify",
  "regex",
+ "reqwest 0.12.28",
  "reqwest 0.13.2",
  "ruma",
  "rustyline-async",
@@ -1241,7 +1242,7 @@ dependencies = [
 
 [[package]]
 name = "conduwuit_web"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "askama",
  "async-trait",
@@ -2617,6 +2618,7 @@ dependencies = [
  "hyper",
  "hyper-util",
  "rustls",
+ "rustls-native-certs",
  "tokio",
  "tokio-rustls",
  "tower-service",
@@ -4572,16 +4574,21 @@ dependencies = [
  "http-body",
  "http-body-util",
  "hyper",
+ "hyper-rustls",
  "hyper-util",
  "js-sys",
  "log",
  "percent-encoding",
  "pin-project-lite",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pki-types",
  "serde",
  "serde_json",
  "serde_urlencoded",
  "sync_wrapper",
  "tokio",
+ "tokio-rustls",
  "tower",
  "tower-http",
  "tower-service",
@@ -7010,7 +7017,7 @@ dependencies = [
 
 [[package]]
 name = "xtask"
-version = "0.5.8"
+version = "0.5.9"
 dependencies = [
  "askama",
  "cargo_metadata",

Cargo.toml

@@ -12,7 +12,7 @@ license = "Apache-2.0"
 # See also `rust-toolchain.toml`
 readme = "README.md"
 repository = "https://forgejo.ellis.link/continuwuation/continuwuity"
-version = "0.5.8"
+version = "0.5.9"
 
 [workspace.metadata.crane]
 name = "conduwuit"

docs/public/.well-known/continuwuity/announcements

@@ -6,10 +6,10 @@
             "message": "Welcome to Continuwuity! Important announcements about the project will appear here."
         },
         {
-            "id": 11,
+            "id": 12,
             "mention_room": false,
-            "date": "2026-04-17",
-            "message": "[v0.5.7](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.7) is out! Email verification! Terms and Conditions! Deleting notification pushers! So much good stuff. Go grab the release and read the changelog!"
+            "date": "2026-04-24",
+            "message": "[v0.5.8](https://forgejo.ellis.link/continuwuation/continuwuity/releases/tag/v0.5.8) is out! This is a patch release which fixes a bug in 0.5.7's email support -- upgrade soon if you use that feature."
         }
     ]
 }

src/api/server/send.rs

@@ -26,7 +26,7 @@
 use itertools::Itertools;
 use ruma::{
 	CanonicalJsonObject, MilliSecondsSinceUnixEpoch, OwnedEventId, OwnedRoomId, OwnedUserId,
-	RoomId, ServerName, UserId,
+	RoomId, ServerName, UInt, UserId,
 	api::{
 		client::error::{ErrorKind, ErrorKind::LimitExceeded},
 		federation::transactions::{
@@ -42,7 +42,6 @@
 	int,
 	serde::Raw,
 	to_device::DeviceIdOrAllDevices,
-	uint,
 };
 use service::transactions::{
 	FederationTxnState, TransactionError, TxnKey, WrappedTransactionResponse,
@@ -281,11 +280,18 @@ async fn build_local_dag(
 	pdu_map: &HashMap<OwnedEventId, CanonicalJsonObject>,
 ) -> Result<Vec<OwnedEventId>> {
 	debug_assert!(pdu_map.len() >= 2, "needless call to build_local_dag with less than 2 PDUs");
-	let mut dag: HashMap<OwnedEventId, HashSet<OwnedEventId>> = HashMap::new();
+	let mut dag: HashMap<OwnedEventId, HashSet<OwnedEventId>> =
+		HashMap::with_capacity(pdu_map.len());
+	let mut id_origin_ts: HashMap<OwnedEventId, _> = HashMap::with_capacity(pdu_map.len());
 
 	for (event_id, value) in pdu_map {
 		// We already checked that these properties are correct in parse_incoming_pdu,
 		// so it's safe to unwrap here.
+		// We also filter to remove any prev_events that are not in this pdu_map, as we
+		// need to have at least one event with zero out degrees for the lexico-topo
+		// sort below. If there are multiple events with omitted prevs, they will be
+		// ordered by timestamp, then event ID. At that point though, it's unlikely to
+		// matter.
 		let prev_events = value
 			.get("prev_events")
 			.unwrap()
@@ -293,17 +299,41 @@ async fn build_local_dag(
 			.unwrap()
 			.iter()
 			.map(|v| OwnedEventId::parse(v.as_str().unwrap()).unwrap())
+			.filter(|id| pdu_map.contains_key(id))
 			.collect();
 
 		dag.insert(event_id.clone(), prev_events);
+		let origin_server_ts = value
+			.get("origin_server_ts")
+			.and_then(ruma::CanonicalJsonValue::as_integer)
+			.unwrap_or_default();
+		id_origin_ts.insert(event_id.clone(), origin_server_ts);
 	}
-	lexicographical_topological_sort(&dag, &|_| async {
+
+	debug!(count = dag.len(), "Sorting incoming events with partial graph");
+	lexicographical_topological_sort(&dag, &async |node_id| {
 		// Note: we don't bother fetching power levels because that would massively slow
 		// this function down. This is a best-effort attempt to order events correctly
 		// for processing, however ultimately that should be the sender's job.
-		Ok((int!(0), MilliSecondsSinceUnixEpoch(uint!(0))))
+		let ts = id_origin_ts
+			.get(&node_id)
+			.copied()
+			.unwrap_or_else(|| int!(0))
+			.to_string()
+			.parse::<u64>()
+			.ok()
+			.and_then(UInt::new)
+			.unwrap_or_default();
+		Ok((int!(0), MilliSecondsSinceUnixEpoch(ts)))
 	})
 	.await
+	.inspect(|sorted| {
+		debug_assert_eq!(
+			sorted.len(),
+			pdu_map.len(),
+			"Sorted graph was not the same size as the input graph"
+		);
+	})
 	.map_err(|e| err!("failed to resolve local graph: {e}"))
 }
 

src/core/matrix/state_res/event_auth.rs

@@ -332,8 +332,7 @@ pub async fn auth_check<E, F, Fut>(
 	// If the create event content has the field m.federate set to false and the
 	// sender domain of the event does not match the sender domain of the create
 	// event, reject.
-	if !room_version.room_ids_as_hashes
-		&& !room_create_content.federate
+	if !room_create_content.federate
 		&& room_create_event.sender().server_name() != incoming_event.sender().server_name()
 	{
 		warn!(

src/core/utils/hash/sha256.rs

@@ -19,9 +19,7 @@ pub fn delimited<'a, T, I>(mut inputs: I) -> DigestOut
 		}
 	}
 
-	ctx.finalize()
-		.try_into()
-		.expect("failed to return Digest buffer")
+	ctx.finalize().into()
 }
 
 /// Sha256 hash (input gather)
@@ -38,8 +36,7 @@ pub fn concat<'a, T, I>(inputs: I) -> DigestOut
 			ctx
 		})
 		.finalize()
-		.try_into()
-		.expect("failed to return Digest buffer")
+		.into()
 }
 
 /// Sha256 hash
@@ -50,7 +47,5 @@ pub fn hash<T>(input: T) -> DigestOut
 where
 	T: AsRef<[u8]>,
 {
-	Sha256::digest(input)
-		.try_into()
-		.expect("failed to return Digest buffer")
+	Sha256::digest(input).into()
 }

src/service/Cargo.toml

@@ -124,6 +124,7 @@ webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
 recaptcha-verify = { version = "0.2.0", default-features = false }
+reqwest_recaptcha = { package = "reqwest", version = "0.12.28", default-features = false, features = ["rustls-tls-native-roots-no-provider"]  } # As long as recaptcha-verify's reqwest is outdated
 yansi.workspace = true
 lettre.workspace = true