0145dc5fa7
Fixups
2026-03-18 15:27:35 +00:00
b5e3b2347e
Fixups
2026-03-18 15:17:32 +00:00
f59264d852
Add state to more places
2026-03-18 14:56:35 +00:00
f39354f535
Add admin_override
2026-03-18 14:56:29 +00:00
1360400b95
Rename
2026-03-18 14:53:26 +00:00
299a7f92cd
Add ClientEvent.state
2026-03-18 14:47:10 +00:00
7a3ef3986c
Add ClientEvent
2026-03-18 14:42:42 +00:00
7b671f4dd6
Move sticky_ttl_ms serialization to serialize_event
2026-03-18 13:27:17 +00:00
1d694c5370
Move 'redacted_by' to internal metadata
2026-03-18 10:32:42 +00:00
d10a6b3e53
Remove redundant unsigned.redacted_because
2026-03-18 10:18:27 +00:00
b99fb4e6c4
Newsfile
2026-03-17 12:37:28 +00:00
5f4d707e34
Batch fetch redaction events from the DB
2026-03-17 12:37:28 +00:00
41f0c7f6ac
Remove 'redacted_because' from internal unsigned
2026-03-17 12:37:28 +00:00
9016c5c042
Always use EventClientSerializer
2026-03-17 12:37:28 +00:00
e748a3a498
Don't fetch confirmed redaction events
2026-03-17 12:37:28 +00:00
feec319c59
Add background update
2026-03-17 11:39:38 +00:00
be16f976c1
Fill out new recheck field
2026-03-17 11:39:37 +00:00
6d2c4a80b5
Add new column
2026-03-17 11:39:37 +00:00
c37a5bb4cd
Restore localhost/complement-synapse change from #19523
...
See https://github.com/element-hq/synapse/pull/19523#discussion_r2944133700
2026-03-16 22:20:56 -05:00
6254e009bb
Fix Build and push complement image CI job pointing to non-existent image ( #19523 )
...
❌
https://github.com/element-hq/synapse/actions/runs/22609655282/job/65509315002#step:8:39
```
Error response from daemon: No such image: complement-synapse:latest
```
Regressed in
https://github.com/element-hq/synapse/pull/19475#discussion_r2823157623
where we updated `complement.sh` to build `localhost/complement-synapse`
instead of `complement-synapse`.
2026-03-16 21:56:16 -05:00
3aa948c50c
When Matrix Authentication Service (MAS) integration is enabled, allow MAS to set the user locked status in Synapse. ( #19554 )
...
Companion PR:
https://github.com/element-hq/matrix-authentication-service/pull/5550
to 1) send this flag
and 2) provision users proactively when their lock status changes.
---
Currently Synapse and MAS have two independent user lock
implementations. This PR makes it so that MAS can push its lock status
to Synapse when 'provisioning' the user.
Having the lock status in Synapse is useful for removing users from the
user directory
when they are locked.
There is otherwise no authentication requirement to have it in Synapse;
the enforcement is done
by MAS at token introspection time.
---------
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org >
2026-03-16 18:27:54 +00:00
a71c468b04
Bump the patches group with 2 updates ( #19536 )
...
Bumps the patches group with 2 updates:
[anyhow](https://github.com/dtolnay/anyhow ) and
[pyo3-log](https://github.com/vorner/pyo3-log ).
Updates `anyhow` from 1.0.101 to 1.0.102
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dtolnay/anyhow/releases ">anyhow's
releases</a>.</em></p>
<blockquote>
<h2>1.0.102</h2>
<ul>
<li>Remove backtrace dependency (<a
href="https://redirect.github.com/dtolnay/anyhow/issues/438 ">#438</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/439 ">#439</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/440 ">#440</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/441 ">#441</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/442 ">#442</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/dtolnay/anyhow/commit/5c657b32522023a9f7ef883fb08582fd8e656b1a "><code>5c657b3</code></a>
Release 1.0.102</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/e737fb63918e8c71a3d0a968004a9c7ed7942283 "><code>e737fb6</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/442 ">#442</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/7fe62b51c62804f8b84443affeacfb3810ed2516 "><code>7fe62b5</code></a>
Further simply backtrace conditional compilation</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/c8cb5cae23e57a2dbb87bf05cba04f1df1f1660b "><code>c8cb5ca</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/441 ">#441</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/de27df7e0f510d543c18e50a0736566b66e62baf "><code>de27df7</code></a>
Delete CI use of --features=backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/9b67e5dd608658d805640cf1b6f6c9d091686ec1 "><code>9b67e5d</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/440 ">#440</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/efdb11a259ca58a2e505ef50486cf2d6b5ddc42a "><code>efdb11a</code></a>
Simplify <code>std_backtrace</code> conditional code</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/b8a9a707838969721a86b28e3c45ce27e279e981 "><code>b8a9a70</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/439 ">#439</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/a42fc2c21846ba459df43a3f8b4996a2074909cb "><code>a42fc2c</code></a>
Remove <code>feature = "backtrace"</code> conditional
code</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/2a2a3ceb4cbc409fd99613ab5744b21e825e7908 "><code>2a2a3ce</code></a>
Re-word backtrace feature comment</li>
<li>Additional commits viewable in <a
href="https://github.com/dtolnay/anyhow/compare/1.0.101...1.0.102 ">compare
view</a></li>
</ul>
</details>
<br />
Updates `pyo3-log` from 0.13.2 to 0.13.3
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/vorner/pyo3-log/blob/main/CHANGELOG.md ">pyo3-log's
changelog</a>.</em></p>
<blockquote>
<h1>0.13.3</h1>
<ul>
<li>Support for pyo3 0.28 (<a
href="https://redirect.github.com/vorner/pyo3-log/issues/75 ">#75</a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vorner/pyo3-log/commit/a188f81c37844a0543410707296d79fe6b32cdf5 "><code>a188f81</code></a>
Release 0.13.3</li>
<li><a
href="https://github.com/vorner/pyo3-log/commit/3217bc89497492167ceae9f2f35e04acd889ec48 "><code>3217bc8</code></a>
Bump pyo3 to 0.28 (<a
href="https://redirect.github.com/vorner/pyo3-log/issues/75 ">#75</a>)</li>
<li>See full diff in <a
href="https://github.com/vorner/pyo3-log/compare/v0.13.2...v0.13.3 ">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 17:52:13 +00:00
cdd261b1c6
Bump pyopenssl from 25.3.0 to 26.0.0 ( #19574 )
...
Bumps [pyopenssl](https://github.com/pyca/pyopenssl ) from 25.3.0 to
26.0.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst ">pyopenssl's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.0 (2026-03-15)</h2>
<p>Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^</p>
<ul>
<li>Dropped support for Python 3.7.</li>
<li>The minimum <code>cryptography</code> version is now 46.0.0.</li>
</ul>
<p>Deprecations:
^^^^^^^^^^^^^</p>
<p>Changes:
^^^^^^^^</p>
<ul>
<li>Added support for using aws-lc instead of OpenSSL.</li>
<li>Properly raise an error if a DTLS cookie callback returned a cookie
longer than <code>DTLS1_COOKIE_LENGTH</code> bytes. Previously this
would result in a buffer-overflow. Credit to <strong>dark_haxor</strong>
for reporting the issue. <strong>CVE-2026-27459</strong></li>
<li>Added <code>OpenSSL.SSL.Connection.get_group_name</code> to
determine which group name was negotiated.</li>
<li><code>Context.set_tlsext_servername_callback</code> now handles
exceptions raised in the callback by calling <code>sys.excepthook</code>
and returning a fatal TLS alert. Previously, exceptions were silently
swallowed and the handshake would proceed as if the callback had
succeeded. Credit to <strong>Leury Castillo</strong> for reporting this
issue. <strong>CVE-2026-27448</strong></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pyca/pyopenssl/commit/358cbf29c4e364c59930e53a270116249581eaa3 "><code>358cbf2</code></a>
Prepare for 26.0.0 release (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1487 ">#1487</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/a8d28e7069ca213049ccfbcc227ed9ef6080a15b "><code>a8d28e7</code></a>
Bump actions/cache from 4 to 5 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1486 ">#1486</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/6fefff05561c0a5e8f668b4e029a6ba3adb7d89e "><code>6fefff0</code></a>
Add aws-lc compatibility to tests and CI (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1476 ">#1476</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/a739f9661d09ec6cda448ad71ca3e6df0dce9d75 "><code>a739f96</code></a>
Bump actions/download-artifact from 8.0.0 to 8.0.1 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1485 ">#1485</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/8b4c66b1b5649ce046665b151772d40c1cddd66a "><code>8b4c66b</code></a>
Bump actions/upload-artifact in /.github/actions/upload-coverage (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1484 ">#1484</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/02a5c78435cd445a7d5ef20b354dba2b6abdac64 "><code>02a5c78</code></a>
Bump actions/upload-artifact from 6.0.0 to 7.0.0 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1483 ">#1483</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/d9733878d67ee2ad94327768bb6dc416f7827443 "><code>d973387</code></a>
Bump actions/download-artifact from 7.0.0 to 8.0.0 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1482 ">#1482</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408 "><code>57f09bb</code></a>
Fix buffer overflow in DTLS cookie generation callback (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1479 ">#1479</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0 "><code>d41a814</code></a>
Handle exceptions in set_tlsext_servername_callback callbacks (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1478 ">#1478</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/7b29beba7759f0b810b5d5375a50469c4f8947b3 "><code>7b29beb</code></a>
Fix not using a cryptography wheel on uv (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1475 ">#1475</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/pyopenssl/compare/25.3.0...26.0.0 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 17:35:35 +00:00
eedd4c8796
Bump pyjwt from 2.11.0 to 2.12.0 ( #19560 )
...
Bumps [pyjwt](https://github.com/jpadilla/pyjwt ) from 2.11.0 to 2.12.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/releases ">pyjwt's
releases</a>.</em></p>
<blockquote>
<h2>2.12.0</h2>
<h2>Security</h2>
<ul>
<li>Validate the crit (Critical) Header Parameter defined in RFC 7515
§4.1.11. by <a
href="https://github.com/dmbs335 "><code>@dmbs335</code></a> in <a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f ">GHSA-752w-5fwx-jx9f</a></li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1132 ">jpadilla/pyjwt#1132</a></li>
<li>chore(docs): fix docs build by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1137 ">jpadilla/pyjwt#1137</a></li>
<li>Annotate PyJWKSet.keys for pyright by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1134 ">jpadilla/pyjwt#1134</a></li>
<li>fix: close HTTPError to prevent ResourceWarning on Python 3.14 by <a
href="https://github.com/veeceey "><code>@veeceey</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1133 ">jpadilla/pyjwt#1133</a></li>
<li>chore: remove superfluous constants by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1136 ">jpadilla/pyjwt#1136</a></li>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1135 ">jpadilla/pyjwt#1135</a></li>
<li>chore(tests): enable mypy by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1138 ">jpadilla/pyjwt#1138</a></li>
<li>Bump actions/download-artifact from 7 to 8 by <a
href="https://github.com/dependabot "><code>@dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1142 ">jpadilla/pyjwt#1142</a></li>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1141 ">jpadilla/pyjwt#1141</a></li>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1145 ">jpadilla/pyjwt#1145</a></li>
<li>fix: do not store reference to algorithms dict on PyJWK by <a
href="https://github.com/akx "><code>@akx</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1143 ">jpadilla/pyjwt#1143</a></li>
<li>Use PyJWK algorithm when encoding without explicit algorithm by <a
href="https://github.com/jpadilla "><code>@jpadilla</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1148 ">jpadilla/pyjwt#1148</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/tamird "><code>@tamird</code></a> made
their first contribution in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1137 ">jpadilla/pyjwt#1137</a></li>
<li><a href="https://github.com/veeceey "><code>@veeceey</code></a> made
their first contribution in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1133 ">jpadilla/pyjwt#1133</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0 ">https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0 </a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst ">pyjwt's
changelog</a>.</em></p>
<blockquote>
<h2><code>v2.12.0
<https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0> ;</code>__</h2>
<p>Fixed</p>
<pre><code>
- Annotate PyJWKSet.keys for pyright by @tamird in
`[#1134 ](https://github.com/jpadilla/pyjwt/issues/1134 )
<https://github.com/jpadilla/pyjwt/pull/1134> ;`__
- Close ``HTTPError`` response to prevent ``ResourceWarning`` on Python
3.14 by @veeceey in
`[#1133 ](https://github.com/jpadilla/pyjwt/issues/1133 )
<https://github.com/jpadilla/pyjwt/pull/1133> ;`__
- Do not keep ``algorithms`` dict in PyJWK instances by @akx in
`[#1143 ](https://github.com/jpadilla/pyjwt/issues/1143 )
<https://github.com/jpadilla/pyjwt/pull/1143> ;`__
- Validate the crit (Critical) Header Parameter defined in RFC 7515
§4.1.11. by @dmbs335 in `GHSA-752w-5fwx-jx9f
<https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f> ;`__
- Use PyJWK algorithm when encoding without explicit algorithm in
`[#1148 ](https://github.com/jpadilla/pyjwt/issues/1148 )
<https://github.com/jpadilla/pyjwt/pull/1148> ;`__
<p>Added
</code></pre></p>
<ul>
<li>Docs: Add <code>PyJWKClient</code> API reference and document the
two-tier caching system (JWK Set cache and signing key LRU cache).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/bd9700cca7f9258fadcc429c1034e508025931f2 "><code>bd9700c</code></a>
Use PyJWK algorithm when encoding without explicit algorithm (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1148 ">#1148</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 "><code>051ea34</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/1451d70eca2059bc472703692f0bb0777bc0fe93 "><code>1451d70</code></a>
fix: do not store reference to algorithms dict on PyJWK (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1143 ">#1143</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/f3ba74c106df9ce10e272dfaad96acb4ab3ef5a5 "><code>f3ba74c</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1145 ">#1145</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/0318ffa7b156b01600376e38952bf961382e0724 "><code>0318ffa</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1141 ">#1141</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/a52753db3c1075ac01337fa8b7cc92b13a19ac09 "><code>a52753d</code></a>
Bump actions/download-artifact from 7 to 8 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1142 ">#1142</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/b85050f1d444c6828bb4618ee764443b0a3f5d18 "><code>b85050f</code></a>
chore(tests): enable mypy (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1138 ">#1138</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/1272b264779717cc481c8341f321a7fc8b3aaba6 "><code>1272b26</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1135 ">#1135</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/99a87287c26cb97c94399084ee4186ee52207a7f "><code>99a8728</code></a>
chore: remove superfluous constants (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1136 ">#1136</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/412cb67a93363812ae4029d6a95f5d4d40ab2609 "><code>412cb67</code></a>
fix: close HTTPError to prevent ResourceWarning on Python 3.14 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1133 ">#1133</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 18:30:42 +01:00
c0924fbbd8
MSC4140: put delay_id in unsigned data for sender ( #19479 )
...
Implements
https://github.com/matrix-org/matrix-spec-proposals/pull/4140/changes/49b200dcc11de286974925177b1e184cd905e6fa
2026-03-16 16:29:42 +00:00
4c475dcd7a
Allow the caching of the /versions and /auth_metadata endpoints ( #19530 )
...
Can be reviewed commit by commit.
This sets caching headers on the /versions and /auth_metadata endpoints
to:
- allow clients to cache the response for up to 10 minutes
(`max-age=600`)
- allow proxies to cache the response for up to an hour
(`s-maxage=3600`)
- make proxies serve stale response for up to an hour (`s-maxage=3600`)
but make them refresh their response after 10 minutes
(`stale-while-revalidate=600`) so that we always have a snappy response
to client, but also have fresh responses most of the time
- only cache the response for unauthenticated requests on /versions
(`Vary: Authorization`)
I'm not too worried about the 1h TTL on the proxy side, as with the
`stale-while-revalidate` directive, one just needs to do two requests
after 10 minutes to get a fresh response from the cache.
The reason we want this, is that clients usually load this right away,
leading to a lot of traffic from people just loading the Element Web
login screen with the default config. This is currently routed to
`client_readers` on matrix.org (and ESS) which can be overwhelmed for
other reasons, leading to slow response times on those endpoints (3s+).
Overwhelmed workers shouldn't prevent people from logging in, and
shouldn't result in a long loading spinner in clients. This PR allows
caching proxies (like Cloudflare) to publicly cache the unauthenticated
response of those two endpoints and make it load quicker, reducing
server load as well.
2026-03-12 17:11:09 +00:00
3ce5508c7e
Bump quinn-proto from 0.11.12 to 0.11.14 ( #19544 )
...
Bumps [quinn-proto](https://github.com/quinn-rs/quinn ) from 0.11.12 to
0.11.14.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/quinn-rs/quinn/releases ">quinn-proto's
releases</a>.</em></p>
<blockquote>
<h2>quinn-proto 0.11.14</h2>
<p><a href="https://github.com/jxs "><code>@jxs</code></a> reported a
denial of service issue in quinn-proto 5 days ago:</p>
<ul>
<li><a
href="https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98 ">https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98 </a></li>
</ul>
<p>We coordinated with them to release this version to patch the issue.
Unfortunately the maintainers missed these issues during code review and
we did not have enough fuzzing coverage -- we regret the oversight and
have added an additional fuzzing target.</p>
<p>Organizations that want to participate in coordinated disclosure can
contact us privately to discuss terms.</p>
<h2>What's Changed</h2>
<ul>
<li>Fix over-permissive proto dependency edge by <a
href="https://github.com/Ralith "><code>@Ralith</code></a> in <a
href="https://redirect.github.com/quinn-rs/quinn/pull/2385 ">quinn-rs/quinn#2385</a></li>
<li>0.11.x: avoid unwrapping VarInt decoding during parameter parsing by
<a href="https://github.com/djc "><code>@djc</code></a> in <a
href="https://redirect.github.com/quinn-rs/quinn/pull/2559 ">quinn-rs/quinn#2559</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/quinn-rs/quinn/commit/2c315aa7f9c2a6c1db87f8f51f40623a427c78fd "><code>2c315aa</code></a>
proto: bump version to 0.11.14</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/8ad47f431e7deb82c08b09c2e33ef85aa88fd212 "><code>8ad47f4</code></a>
Use newer rustls-pki-types PEM parser API</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/c81c0289abe30d8437ccbf9b6304e2bc9c707cea "><code>c81c028</code></a>
ci: fix workflow syntax</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/0050172969f7e69e136c433181330da7790d8d73 "><code>0050172</code></a>
ci: pin wasm-bindgen-cli version</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/8a6f82c58d1c565eab78f986e614223e6ed76a85 "><code>8a6f82c</code></a>
Take semver-compatible dependency updates</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/e52db4ad8df0f9720e7b0e32ecc0e48c9a93de0f "><code>e52db4a</code></a>
Apply suggestions from clippy 1.91</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/6df7275c582ca9b7225e0ccf9f9871a55eb73155 "><code>6df7275</code></a>
chore: Fix <code>unnecessary_unwrap</code> clippy</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/c8eefa07e087b06d8f2b78ff262ce8ac952994f1 "><code>c8eefa0</code></a>
proto: avoid unwrapping varint decoding during parameters parsing</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/9723a977754c8662001b0fef97aab8f3ddf1df92 "><code>9723a97</code></a>
fuzz: add fuzzing target for parsing transport parameters</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/eaf0ef30252cef4acec21f150427e604cd4271c9 "><code>eaf0ef3</code></a>
Fix over-permissive proto dependency edge (<a
href="https://redirect.github.com/quinn-rs/quinn/issues/2385 ">#2385</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/quinn-rs/quinn/compare/quinn-proto-0.11.12...quinn-proto-0.11.14 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-12 15:44:21 +01:00
8d03a4df11
Avoid re-computing the event ID when cloning events. ( #19527 )
...
`event_id` is a lazily-computed property on events, as it's a hash of
the event content on room version 3 and later. The reason we do this is
that it helps finding database inconsistencies by not trusting the event
ID we got from the database.
The thing is, when we clone events (to return them through /sync or
/messages for example) we don't copy the computed hash if we already
computed it, duplicating the work. This copies the internal `_event_id`
property.
2026-03-12 15:17:13 +01:00
18f717d717
Bump tornado from 6.5.4 to 6.5.5 ( #19551 )
...
Bumps [tornado](https://github.com/tornadoweb/tornado ) from 6.5.4 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst ">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/tornadoweb/tornado/commit/7d6465056ceb7a054b3f64cf1c18271753b10482 "><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586 ">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/d05d59b8080a0d5d6a260994c7aad7049209d345 "><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/c2f46732b0ad14bf0db4219c96a945f4b60205f5 "><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585 ">#3585</a>
from bdarnell/release-655</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/e5f1aa4b6fa2c16b29024830227838fcb0c79b6f "><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/78a046f99f89977dfc8ff5a1fe16d298afbeeaca "><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 "><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839 "><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li>See full diff in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.4...v6.5.5 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-12 13:41:06 +00:00
e30001883c
Add in-repo Complement test to sanity check Synapse version matches git checkout ( #19476 )
...
This way we actually detect problems like
https://github.com/element-hq/synapse/pull/19475 as they happen instead
of being invisible until something breaks.
Sanity check that Complement is testing against your code changes
(whether it be local or from the PR in CI).
```
COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh --in-repo -run TestSynapseVersion
```
2026-03-11 15:30:32 -05:00
ae239280cb
Fix a bug introduced in v1.26.0 that caused deactivated, erased users to not be removed from the user directory. ( #19542 )
...
Fixes : #19540
Fixes : #16290 (side effect of the proposed fix)
Closes : #12804 (side effect of the proposed fix)
Introduced in: https://github.com/matrix-org/synapse/pull/8932
---
This PR is a relatively simple simplification of the profile change on
deactivation that appears to remove multiple bugs.
This PR's **primary motivating fix** is #19540 : when a user is
deactivated and erased, they would be kept in the user directory. This
bug appears to have been here since #8932 (previously
https://github.com/matrix-org/synapse/pull/8932 ) (v1.26.0).
The root cause of this bug is that after removing the user from the user
directory, we would immediately update their displayname and avatar to
empty strings (one at a time), which re-inserts
the user into the user directory.
With this PR, we now delete the entire `profiles` row upon user erasure,
which is cleaner (from a 'your database goes back to zero after
deactivating and erasing a user' point of view) and
only needs one database operation (instead of doing displayname then
avatar).
With this PR, we also no longer send the 2 (deferred) `m.room.member`
`join` events to every room to propagate the displayname and avatar_url
changes.
This is good for two reasons:
- the user is about to get parted from those rooms anyway, so this
reduces the number of state events sent per room from 3 to 1. (More
efficient for us in the moment and leaves less litter in the room DAG.)
- it is possible for the displayname/avatar update to be sent **after**
the user parting, which seems as though it could trigger the user to be
re-joined to a public room.
(With that said, although this sounds vaguely familiar in my lossy
memory, I can't find a ticket that actually describes this bug, so this
might be fictional. Edit: #16290 seems to describe this, although the
title is misleading.)
Additionally, as a side effect of the proposed fix (deleting the
`profiles` row), this PR also now deletes custom profile fields upon
user erasure, which is a new feature/bugfix (not sure which) in its own
right.
I do not see a ticket that corresponds to this feature gap, possibly
because custom profile fields are still a niche feature without
mainstream support (to the best of my knowledge).
Tests are included for the primary bugfix and for the cleanup of custom
profile fields.
### `set_displayname` module API change
This change includes a minor _technically_-breaking change to the module
API.
The change concerns `set_displayname` which is exposed to the module API
with a `deactivation: bool = False` flag, matching the internal handler
method it wraps.
I suspect that this is a mistake caused by overly-faithfully piping
through the args from the wrapped method (this Module API was introduced
in
https://github.com/matrix-org/synapse/pull/14629/changes#diff-0b449f6f95672437cf04f0b5512572b4a6a729d2759c438b7c206ea249619885R1592 ).
The linked PR did the same for `by_admin` originally before it was
changed.
The `deactivation` flag's only purpose is to be piped through to other
Module API callbacks when a module has registered to be notified about
profile changes.
My claim is that it makes no sense for the Module API to have this flag
because it is not the one doing the deactivation, thus it should never
be in a position to set this to `True`.
My proposed change keeps the flag (for function signature
compatibility), but turns it into a no-op (with a `ERROR` log when it's
set to True by the module).
The Module API callback notifying of the module-caused displayname
change will therefore now always have `deactivation = False`.
*Discussed in
[`#synapse-dev:matrix.org`](https://matrix.to/#/!i5D5LLct_DYG-4hQprLzrxdbZ580U9UB6AEgFnk6rZQ/$1f8N6G_EJUI_I_LvplnVAF2UFZTw_FzgsPfB6pbcPKk?via=element.io&via=matrix.org&via=beeper.com )*
---------
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org >
2026-03-11 15:38:45 +00:00
59c9e92aed
Merge branch 'master' into develop
2026-03-11 11:20:43 +01:00
b99a58719b
1.149.1
2026-03-11 10:34:08 +01:00
f37a30d7c5
Bump matrix-synapse-ldap3 to v0.4.0 in poetry.lock ( #19543 )
...
To address https://github.com/element-hq/synapse/issues/19541
### Pull Request Checklist
<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->
* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog ).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
- Use markdown where necessary, mostly for `code blocks`.
- End with either a period (.) or an exclamation mark (!).
- Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html ) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters ))
2026-03-11 10:27:38 +01:00
1caa602960
Merge branch 'master' into develop
2026-03-10 14:39:07 +01:00
86dc38621f
1.149.0
2026-03-10 14:04:30 +01:00
6e1ac551f4
Expose MSC4354 Sticky Events over the legacy (v3) /sync API. ( #19487 )
...
Follows: #19365
Part of: MSC4354 whose experimental feature tracking issue is #19409
Partially supersedes: #18968
---------
Signed-off-by: Olivier 'reivilibre' <oliverw@matrix.org >
2026-03-10 10:39:39 +00:00
16125cecd2
Remove the optional systemd-python dependency ( #19491 )
...
Summary
- drop the `systemd` extra from `pyproject.toml` and the
`systemd-python` optional dependency
- this means we don't ship the journald log handler, so it clarifies the
docs how to install that in the venv
- ensure the Debian virtualenv build keeps shipping
`systemd-python>=231` in the venv, so the packaged log config can keep
using `systemd.journal.JournalHandler`
Context of this is the following:
> Today in my 'how hard would it be to move to uv' journey:
https://github.com/systemd/python-systemd/issues/167
>
> The gist of it is that uv really wants to create a universal lock
file, which means it needs to be able to resolve the package metadata,
even for packages locked for other platforms. In the case of
systemd-python, they use mesonpy as build backend, which doesn't
implement prepare_metadata_for_build_wheel, which means it needs to run
meson to be able to resolve the package metadata. And it will hard-fail
if libsystemd dev headers aren't available 😭
>
> [*message in
#synapse-dev:matrix.org*](https://matrix.to/#/!i5D5LLct_DYG-4hQprLzrxdbZ580U9UB6AEgFnk6rZQ/$OKLB3TJVXAwq43sAZFJ-_PvMMzl4P_lWmSAtlmsoMuM?via=element.io&via=matrix.org&via=beeper.com )
2026-03-09 15:11:04 +00:00
6e21f9c12b
Add unstable federation API for MSC4370 GET /extremities ( #19314 )
...
MSC (recommended reading):
https://github.com/matrix-org/matrix-spec-proposals/pull/4370
### Pull Request Checklist
<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->
* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog ).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
- Use markdown where necessary, mostly for `code blocks`.
- End with either a period (.) or an exclamation mark (!).
- Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html ) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters ))
---------
Co-authored-by: turt2live <1190097+turt2live@users.noreply.github.com >
Co-authored-by: Olivier 'reivilibre' <oliverw@element.io >
2026-03-05 18:30:52 +00:00
699a898b30
Backgrounds membership updates when changing the avatar or the display name ( #19311 )
2026-03-05 14:46:05 +00:00
46c6e0ae1e
Unify Complement developer docs ( #19518 )
...
Instead of having info spread across a few places, consolidate and link
to one spot.
2026-03-03 13:18:49 -06:00
c2c05879bb
Bump docker/build-push-action from 6.18.0 to 6.19.2 in the minor-and-patches group ( #19514 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-03 17:30:30 +00:00
fd61b8eeb0
Merge branch 'release-v1.149' into develop
2026-03-03 17:24:12 +01:00
51048b8e36
Update docs to clarify outbound_federation_restricted_to can also be used with the SBG ( #19517 )
...
[Secure Border Gateway (SBG)](https://element.io/en/server-suite/secure-border-gateways )
Spawning from [internal
discussion](https://matrix.to/#/!mNoPShRlwEeyHAEJOe:element.io/$6eGip85OUKOmyK1VzqrFMc7eF7dON7Vs76O40kVbRRY?via=banzan.uk&via=element.io&via=jki.re )
around integrating [Synapse Pro for small
hosts](https://docs.element.io/latest/element-server-suite-pro/synapse-pro-for-small-hosts/overview )
in the [Element Server Suite (ESS)](https://element.io/en/server-suite )
stack and wanting it be compatible with the SBG.
We know that the SBG works with monolith Synapse because that's what we
have configured with the [Complement tests in the SBG
repo](https://github.com/element-hq/sbg/blob/b76b05b53e40bf6890e51dd1b83cec3460274eb2/complement/configure_synapse_for_sbg.sh#L8-L10 ).
2026-03-03 10:04:37 -06:00
639922e835
1.149.0rc1
2026-03-03 15:38:17 +01:00
160d9788c0
Simplify Rust HTTP client response streaming and limiting ( #19510 )
...
*As suggested by @sandhose in
https://github.com/element-hq/synapse/pull/19498#discussion_r2865607737 ,*
Simplify Rust HTTP client response streaming and limiting
### Dev notes
Synapse's Rust HTTP client was introduced in
https://github.com/element-hq/synapse/pull/18357
### Pull Request Checklist
<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->
* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog ).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
- Use markdown where necessary, mostly for `code blocks`.
- End with either a period (.) or an exclamation mark (!).
- Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html ) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters ))
2026-03-03 15:24:25 +01:00
c3af44339c
Fix /sync missing membership in state_after (re-introduce) ( #19460 )
...
*This PR was originally only to enable
[MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222 )
Complement tests (`/sync` `state_after`) but after merging the [fix
PR](https://github.com/element-hq/synapse/pull/19463 ), we discovered
that while the tests pass locally, [fail in
CI](https://github.com/element-hq/synapse/pull/19460#discussion_r2818080879 ).
To unblock the RC, we decided to revert the fix PR (see
https://github.com/element-hq/synapse/pull/19474#discussion_r2818061001
for more info). To better ensure tests actually pass in CI, we're
re-introducing the fix here in the same PR that we enable the tests in.*
---
Fix `/sync` missing membership in `state_after`.
This applies to any scenario where the first membership has a different
`sender` compared to the `state_key` and then the second membership has
the same `sender`/`state_key`. Like someone inviting another person and
then them joining. Or someone being kicked and then they leave.
This bug has been present since the MSC4222 implementation was
introduced into the codebase
(https://github.com/element-hq/synapse/pull/17888 ).
---
Fix https://github.com/element-hq/synapse/issues/19455
Fix https://github.com/element-hq/customer-success/issues/656
I have a feeling, this might also fix these issues (will close and see
how people report back):
Fix https://github.com/element-hq/synapse/issues/18182
Fix https://github.com/element-hq/synapse/issues/19478
### Testing strategy
Complement tests: https://github.com/matrix-org/complement/pull/842
We will need https://github.com/element-hq/synapse/pull/19460 to merge
in order to enable the Complement tests in Synapse but this PR should be
merged first so they pass in the first place. I've tested locally that
the Complement tests pass with this fix.
### Dev notes
[MSC4222](https://github.com/matrix-org/matrix-spec-proposals/pull/4222 )
has already been merged into the spec and is already part of Matrix
v1.16 but we haven't [stabilized support in Synapse
yet](https://github.com/element-hq/synapse/issues/19414 ).
---
In the same ballpark:
- https://github.com/element-hq/synapse/issues/19455
- https://github.com/element-hq/synapse/issues/17050
- https://github.com/element-hq/synapse/issues/17430
- https://github.com/element-hq/synapse/issues/16940
- https://github.com/element-hq/synapse/issues/18182
- https://github.com/element-hq/synapse/issues/18793
- https://github.com/element-hq/synapse/issues/19478
---
Docker builds preferring remote image over the local image we just
built,
https://github.com/element-hq/synapse/pull/19460#discussion_r2818080879
`containerd` image store (storage driver, driver type)
-> https://github.com/element-hq/synapse/pull/19475
### Todo
- [x] Wait for https://github.com/element-hq/synapse/pull/19463 to merge
so the Complement tests all pass
- [x] Wait for https://github.com/element-hq/synapse/pull/19475 to merge
### Pull Request Checklist
<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->
* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog ).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
- Use markdown where necessary, mostly for `code blocks`.
- End with either a period (.) or an exclamation mark (!).
- Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html ) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters ))
---------
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com >
Co-authored-by: Andrew Ferrazzutti <andrewf@element.io >
2026-03-03 15:13:59 +01:00
094a48efb5
Bump all locked dependencies to their latest versions. ( #19519 )
...
This is a manual lock bump, as it looks like Dependabot is currently
timing out updating dependencies. This should hopefully unlock it, as it
will have fewer dependencies to update.
Two outstanding exceptions:
- pympler upgrade adds a pywin32 deps, which is missing sdist (so CI is
complaining)
- pysaml2 for some unknown reason pinned the MAX version of pyopenssl,
which duplicates pyopenssl and cryptography, which obviously breaks
stuff
2026-03-03 14:29:59 +01:00
2deeef4118
Bump futures from 0.3.31 to 0.3.32 in the patches group ( #19513 )
...
Bumps the patches group with 1 update:
[futures](https://github.com/rust-lang/futures-rs ).
Updates `futures` from 0.3.31 to 0.3.32
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rust-lang/futures-rs/releases ">futures's
releases</a>.</em></p>
<blockquote>
<h2>0.3.32</h2>
<ul>
<li>Bump MSRV of utility crates to 1.71. (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2989 ">#2989</a>)</li>
<li>Soft-deprecate <code>ready!</code> macro in favor of
<code>std::task::ready!</code> added in Rust 1.64 (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2925 ">#2925</a>)</li>
<li>Soft-deprecate <code>pin_mut!</code> macro in favor of
<code>std::pin::pin!</code> added in Rust 1.68 (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2929 ">#2929</a>)</li>
<li>Add <code>FuturesOrdered::clear</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2927 ">#2927</a>)</li>
<li>Add <code>mpsc::*Receiver::recv</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2947 ">#2947</a>)</li>
<li>Add <code>mpsc::*Receiver::try_recv</code> and deprecate
<code>mpsc::*Receiver::::try_next</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2944 ">#2944</a>)</li>
<li>Implement <code>FusedStream</code> for <code>sink::With</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2948 ">#2948</a>)</li>
<li>Add <code>no_std</code> support for <code>shared</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2868 ">#2868</a>)</li>
<li>Make <code>Mutex::new()</code> const (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2956 ">#2956</a>)</li>
<li>Add <code>#[clippy::has_significant_drop]</code> to guards (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2967 ">#2967</a>)</li>
<li>Remove dependency to <code>pin-utils</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2929 ">#2929</a>)</li>
<li>Remove dependency on <code>num_cpus</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2946 ">#2946</a>)</li>
<li>Performance improvements (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2983 ">#2983</a>)</li>
<li>Documentation improvements (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2925 ">#2925</a>,
<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2926 ">#2926</a>,
<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2940 ">#2940</a>,
<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2971 ">#2971</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rust-lang/futures-rs/blob/master/CHANGELOG.md ">futures's
changelog</a>.</em></p>
<blockquote>
<h1>0.3.32 - 2026-02-15</h1>
<ul>
<li>Bump MSRV of utility crates to 1.71. (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2989 ">#2989</a>)</li>
<li>Soft-deprecate <code>ready!</code> macro in favor of
<code>std::task::ready!</code> added in Rust 1.64 (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2925 ">#2925</a>)</li>
<li>Soft-deprecate <code>pin_mut!</code> macro in favor of
<code>std::pin::pin!</code> added in Rust 1.68 (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2929 ">#2929</a>)</li>
<li>Add <code>FuturesOrdered::clear</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2927 ">#2927</a>)</li>
<li>Add <code>mpsc::*Receiver::recv</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2947 ">#2947</a>)</li>
<li>Add <code>mpsc::*Receiver::try_recv</code> and deprecate
<code>mpsc::*Receiver::::try_next</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2944 ">#2944</a>)</li>
<li>Implement <code>FusedStream</code> for <code>sink::With</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2948 ">#2948</a>)</li>
<li>Add <code>no_std</code> support for <code>shared</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2868 ">#2868</a>)</li>
<li>Make <code>Mutex::new()</code> const (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2956 ">#2956</a>)</li>
<li>Add <code>#[clippy::has_significant_drop]</code> to guards (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2967 ">#2967</a>)</li>
<li>Remove dependency to <code>pin-utils</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2929 ">#2929</a>)</li>
<li>Remove dependency on <code>num_cpus</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2946 ">#2946</a>)</li>
<li>Performance improvements (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2983 ">#2983</a>)</li>
<li>Documentation improvements (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2925 ">#2925</a>,
<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2926 ">#2926</a>,
<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2940 ">#2940</a>,
<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2971 ">#2971</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/d9bba94c239daa1175a5bb2958f37a5c72db3f6a "><code>d9bba94</code></a>
Release 0.3.32</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/151e0b90dec62103df5239f0612f42467994f406 "><code>151e0b9</code></a>
Add comments on rust-version field in Cargo.toml</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/4aaf00c35176d7180557559f54b0c151e2e608aa "><code>4aaf00c</code></a>
Bump MSRV of utility crates to 1.71</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/a4cce12c55942c6e1f2a507061fc6ca94c5b8862 "><code>a4cce12</code></a>
perf: improve AtomicWaker::wake performance (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2983 ">#2983</a>)</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/ba9d102ca6e4a941a5068a1a8dcf0ff3a6c9085a "><code>ba9d102</code></a>
Add <code>#[clippy::has_significant_drop]</code> to guards (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2967 ">#2967</a>)</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/20396a83eff35414d17320dc35858243e54f0bc8 "><code>20396a8</code></a>
Fix rustdoc::broken_intra_doc_links warning</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/815f6eb4e40ca9ff81d7d9a25a863d3c1ffdb79e "><code>815f6eb</code></a>
Fix documentation of <code>BiLock::lock</code> (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2971 ">#2971</a>)</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/0f0db0421d4edc9fc56c3643f7e7f3bd23058023 "><code>0f0db04</code></a>
futures-util: make <code>Mutex::new()</code> const (<a
href="https://redirect.github.com/rust-lang/futures-rs/issues/2956 ">#2956</a>)</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/5d6fc5e4083f5da376ccc7a50403d842e553e286 "><code>5d6fc5e</code></a>
ci: Test big-endian target (s390x Linux)</li>
<li><a
href="https://github.com/rust-lang/futures-rs/commit/9f739fe40b9c3e80b8f40054a739a220428a4675 "><code>9f739fe</code></a>
Ignore dead_code lint on Fn1 trait</li>
<li>Additional commits viewable in <a
href="https://github.com/rust-lang/futures-rs/compare/0.3.31...0.3.32 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-03 11:24:17 +01:00
825f3087bf
Replace deprecated collection import locations with current locations. ( #19515 )
...
Use non-deprecated imports for collections
Other than being deprecated, these legacy imports also don't seem to be
compatible with [Ty](https://github.com/astral-sh/ty )
---------
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org >
2026-03-02 18:15:33 +00:00
Erik Johnston