Eric Eastwood
fdb8f2ff2a
Merge branch 'develop' into madlittlemods/msc3871-gappy-timeline
2026-03-26 15:35:36 -05:00
Eric Eastwood
0d25dcd15d
Use org.matrix.msc3871.gaps
2026-03-26 15:33:42 -05:00
Eric Eastwood
d9c9706c05
Debug why we pad
2026-03-26 11:28:35 -05:00
539f708f32
Remove redacted_because from internal unsigned. ( #19581 )
...
This is a simplification so that `unsigned` only includes "simple"
values, to make it easier to port to Rust.
Reviewable commit-by-commit
Summary:
1. **Add `recheck` column to `redactions` table**
A new boolean `recheck` column (default true) is added to the
`redactions` table. This captures whether a redaction needs its sender
domain checked at read time — required for room v3+ where redactions are
accepted speculatively and later validated. When persisting a new
redaction, `recheck` is set directly from
`event.internal_metadata.need_to_check_redaction()`.
It's fine if initially we recheck all redactions, as it only results in
a little more CPU overhead (as we always pull out the redaction event
regardless).
2. **Backfill `recheck` via background update**
A background update (`redactions_recheck`) backfills the new column for
existing rows by reading `recheck_redaction` from each event's
`internal_metadata` JSON. This avoids loading full event objects by
reading `event_json` directly via a SQL JOIN.
3. **Don't fetch confirmed redaction events from the DB**
Previously, when loading events, Synapse recursively fetched all
redaction events regardless of whether they needed domain rechecking.
Now `_fetch_event_rows` reads the `recheck` column and splits redactions
into two lists:
- `unconfirmed_redactions` — need fetching and domain validation
- `confirmed_redactions` — already validated, applied directly without
fetching the event
This avoids unnecessary DB reads for the common case of
already-confirmed redactions.
4. **Move `redacted_because` population to `EventClientSerializer`**
Previously, `redacted_because` (the full redaction event object) was
stored in `event.unsigned` at DB fetch time, coupling storage-layer code
to client serialization concerns. This is removed from
`_maybe_redact_event_row` and moved into
`EventClientSerializer.serialize_event`, which fetches the redaction
event on demand. The storage layer now only sets
`unsigned["redacted_by"]` (the redaction event ID).
5. **Always use `EventClientSerializer`**
The standalone `serialize_event` function was made private
(`_serialize_event`). All external callers — `rest/client/room.py`,
`rest/admin/events.py, appservice/api.py`, and `tests` — were updated to
use `EventClientSerializer.serialize_event` / `serialize_events`,
ensuring
`redacted_because` is always populated correctly via the serializer.
6. **Batch-fetch redaction events in `serialize_events`**
`serialize_events` now collects all `redacted_by` IDs from the event
batch upfront and fetches them in a single `get_events` call, passing
the result as a `redaction_map` to each `serialize_event` call. This
reduces N individual DB round-trips to one when serializing a batch of
events that includes redacted events.
---------
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com >
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2026-03-26 09:18:08 +00:00
f545aa4f33
Port RoomVersion to Rust ( #19589 )
...
Principally so that we can share the same room version configuration
between Python and Rust.
For the most part, this is a direct port. Some special handling has had
to go into `KNOWN_ROOM_VERSIONS` so that it can be sensibly shared
between Python and Rust, since we do update it during config parsing.
---------
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com >
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2026-03-26 09:17:31 +00:00
Eric Eastwood
44b785a9bc
No change extra files from develop
2026-03-25 20:00:40 -05:00
Eric Eastwood
3462c58835
Remove commented out import
2026-03-25 18:19:58 -05:00
Eric Eastwood
030b38632a
Fix typo "that"
2026-03-25 18:12:54 -05:00
Eric Eastwood
3daa32906a
Fix typo
2026-03-25 18:12:24 -05:00
Eric Eastwood
39dc38d4f6
Less wordy comment
2026-03-25 18:12:09 -05:00
Eric Eastwood
54dc2bed3d
Use less restrictive Sequence
2026-03-25 18:09:57 -05:00
Eric Eastwood
45b1086d33
Merge branch 'develop' into madlittlemods/msc3871-gappy-timeline
...
Conflicts:
synapse/handlers/pagination.py
synapse/rest/client/room.py
synapse/storage/databases/main/events_worker.py
synapse/storage/databases/main/stream.py
tests/rest/client/test_rooms.py
2026-03-25 18:07:00 -05:00
Eric Eastwood and GitHub
f2b325f86c
Demystify and deprecate HomeserverTestCase.pump() (Twisted reactor/clock) ( #19602 )
...
Spawning from
https://github.com/element-hq/synapse/pull/18416#discussion_r2967619735
2026-03-25 15:33:17 -05:00
dependabot[bot] and GitHub
40d35a95e2
Bump tokio from 1.49.0 to 1.50.0 ( #19596 )
2026-03-25 13:21:38 +00:00
Olivier 'reivilibre and GitHub
6c7e05fe20
Allow Synapse to start up even when discovery fails for an OpenID Connect provider. ( #19509 )
...
Fixes : #8088
Previously we would perform OIDC discovery on startup,
which involves making HTTP requests to the identity provider(s).
If that took a long time, we would block startup.
If that failed, we would crash startup.
This commit:
- makes the loading happen in the background on startup
- makes an error in the 'preload' non-fatal (though it logs at CRITICAL
for visibility)
- adds a templated error page to show on failed redirects (for
unavailable providers), as otherwise you get a JSON response in your
navigator.
- This involves introducing 2 new exception types to mark other
exceptions and keep the error handling fine-grained.
The machinery was already there to load-on-demand the discovery config,
so when the identity provider
comes back up, the discovery is reattempted and login can succeed.
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org >
2026-03-24 17:39:21 +00:00
7fad50fd76
Limit outgoing to_device EDU size to 65536 ( #18416 )
...
If a set of messages exceeds this limit, the messages are split
across several EDUs.
Fix #17035 (should)
There is currently [no official specced limit for
EDUs](https://github.com/matrix-org/matrix-spec/issues/807 ), but the
consensus seems to be that it would be useful to have one to avoid this
bug by bounding the transaction size.
As a side effect it also limits the size of a single to-device message
to a bit less than 65536.
This should probably be added to the spec similarly to the [message size
limit.](https://spec.matrix.org/v1.14/client-server-api/#size-limits )
Spec PR: https://github.com/matrix-org/matrix-spec/pull/2340
---------
Co-authored-by: mcalinghee <mcalinghee.dev@gmail.com >
Co-authored-by: Eric Eastwood <madlittlemods@gmail.com >
2026-03-24 11:22:11 -05:00
Quentin Gliech
8c3daff244
Merge branch 'master' into develop
2026-03-24 15:52:46 +01:00
Quentin Gliech
33d47f43e4
1.150.0
v1.150.0
2026-03-24 15:17:23 +01:00
dependabot[bot] and GitHub
4b19411445
Bump rustls-webpki from 0.103.4 to 0.103.10 ( #19594 )
2026-03-24 10:20:24 +00:00
dependabot[bot] and GitHub
57ef7b9192
Bump docker/login-action from 3.7.0 to 4.0.0 ( #19597 )
2026-03-24 10:17:30 +00:00
dependabot[bot] and GitHub
71092aa584
Bump docker/setup-buildx-action from 3.12.0 to 4.0.0 ( #19598 )
2026-03-24 10:17:14 +00:00
dependabot[bot] and GitHub
e0b08da42e
Bump docker/build-push-action from 6.19.2 to 7.0.0 ( #19599 )
2026-03-24 10:16:50 +00:00
dependabot[bot] and GitHub
963fc9e55a
Bump docker/metadata-action from 5.10.0 to 6.0.0 ( #19600 )
2026-03-24 10:16:28 +00:00
713aa7ebf0
Hide successful, skipped Complement tests in the CI ( #19590 )
...
Co-authored-by: Eric Eastwood <erice@element.io >
2026-03-23 15:16:23 +00:00
40d699b1d4
Stable support for MSC4284 policy servers ( #19503 )
...
Fixes https://github.com/element-hq/synapse/issues/19494
MSC4284 policy servers
This:
* removes the old `/check` (recommendation) support because it's from an
older design. Policy servers should have updated to `/sign` by now. We
also remove optionality around the policy server's public key because it
was only optional to support `/check`.
* supports the stable `m.room.policy` state event and `/sign` endpoints,
falling back to unstable if required. Note the changes between unstable
and stable:
* Stable `/sign` uses errors instead of an empty signatures block to
indicate refusal.
* Stable `m.room.policy` nests the public key in an object with explicit
key algorithm (always ed25519 for now)
* does *not* introduce tests that the above fallback to unstable works.
If it breaks, we're not going to be sad about an early transition. Tests
can be added upon request, though.
* fixes a bug where the policy server was asked to sign policy server
state events (the events were correctly skipped in `is_event_allowed`,
but `ask_policy_server_to_sign_event` didn't do the same).
* fixes a bug where the original event sender's signature can be deleted
if the sending server is the same as the policy server.
* proxies Matrix-shaped errors from the policy server to the
Client-Server API as `SynapseError`s (a new capability of the stable
API).
Membership event handling (from the issue) is expected to be a different
PR due to the size of changes involved (tracked by
https://github.com/element-hq/synapse/issues/19587 ).
### Pull Request Checklist
<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->
* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog ).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
- Use markdown where necessary, mostly for `code blocks`.
- End with either a period (.) or an exclamation mark (!).
- Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html ) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters ))
---------
Co-authored-by: turt2live <1190097+turt2live@users.noreply.github.com >
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Eric Eastwood <madlittlemods@gmail.com >
2026-03-20 19:34:26 +00:00
Hugh Nimmo-Smith and GitHub
b4282b82d0
Updates for experimental MSC4388 support (sign-in with QR code) ( #19573 )
2026-03-20 16:33:43 +00:00
Andrew Morgan and GitHub
2c412ba24a
complement.sh: ensure old complement checkout files are deleted; remove -N wget flag ( #19592 )
2026-03-20 16:30:03 +00:00
Andrew Morgan and GitHub
9edbf56969
Prevent sending registration emails if registration is disabled ( #19585 )
2026-03-19 12:52:40 +00:00
f490c49c85
Bump pyasn1 from 0.6.2 to 0.6.3 ( #19584 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-19 10:54:04 +00:00
9fe7cbfe7f
Bump actions/upload-artifact from 6.0.0 to 7.0.0 ( #19565 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-18 19:24:28 +00:00
90697637a8
Bump actions/setup-go from 6.2.0 to 6.3.0 in the minor-and-patches group ( #19564 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-18 19:16:14 +00:00
Quentin Gliech and GitHub
edf5ce277a
Allow using HTTP/2 over plaintext when introspecting tokens with MAS ( #19586 )
2026-03-18 19:47:17 +01:00
Travis Ralston and GitHub
261bfb786f
Fix zeroing out remote quarantined media count ( #19559 )
...
Just something I noticed while working on
https://github.com/element-hq/synapse/pull/19558
We start the function by setting `total_media_quarantined` to zero, then
we do work on the `media_ids`, add the number affected, zero it out
(**bug**), do work on `hashes`, add the number of affected rows, then
return `total_media_quarantined`.
### Pull Request Checklist
<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->
* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog ).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
- Use markdown where necessary, mostly for `code blocks`.
- End with either a period (.) or an exclamation mark (!).
- Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html ) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters ))
2026-03-18 09:50:09 -06:00
Tulir Asokan and GitHub
8201e58767
Update and stabilize mutual rooms support (MSC2666) ( #19511 )
...
Updates the error codes to match MSC2666 changes (user ID query param
validation + proper errcode for requesting rooms with self), added the
new `count` field, and stabilized the endpoint.
2026-03-18 14:29:36 +00:00
Eric Eastwood and GitHub
3d960d88b3
Add MSC3820 comment context to RoomVersion attributes ( #19577 )
...
Spawning from
https://github.com/element-hq/synapse/pull/19424#discussion_r2855303614
2026-03-18 07:53:13 -05:00
Olivier 'reivilibre and GitHub
0d4accb0a6
Remove support for MSC3852: Expose user agent information on Device as the MSC was closed. ( #19430 )
...
Fixes : #14836
Discovered whilst looking at the state of MSCs in Synapse.
---------
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org >
2026-03-17 17:08:04 +00:00
Eric Eastwood and GitHub
d65ef848eb
Fix Build and push complement image CI job not having Poetry for complement.sh ( #19578 )
...
❌ `Build and push complement image`,
https://github.com/element-hq/synapse/actions/runs/23176317296/job/67339146082
```
scripts-dev/complement.sh: line 227: poetry: command not found
```
Follow-up to https://github.com/element-hq/synapse/pull/19523
This regressed in https://github.com/element-hq/synapse/pull/19476
### Testing strategy
1. Visit
https://github.com/element-hq/synapse/actions/workflows/push_complement_image.yml
1. **Run workflow**:
- **Use workflow from:**
`madlittlemods/fix-complement-push-image-ci-job-poetry`
- **Branch:** `develop`
1. Wait for CI to run and pass ✅
2026-03-17 10:51:53 -05:00
Quentin Gliech
7d8e8747ea
1.150.0rc1
v1.150.0rc1
2026-03-17 15:56:55 +01:00
Quentin Gliech and GitHub
6a63f0dcd7
Migrate dev dependencies to PEP 735 dependency groups ( #19490 )
...
This moves the dev dependencies to PEP 735 dependency groups, to help us
move to standard project metadata, which will help us moving to `uv`
(#19566 )
This requires poetry 2.2.0
2026-03-17 14:45:28 +00:00
Eric Eastwood and GitHub
8ad7e8af81
Add some light labels to the Processed request logs ( #19548 )
...
It's pretty hard to remember the order of all of these ambiguous
numbers. I assume they're not totally labeled already to cut down on the
length when scanning with your eyes. This just adds a few hints of what
each grouping is.
Spawning from [staring at some Synapse
logs](https://github.com/element-hq/matrix-hosted/issues/10631 ) and
cross-referencing the Synapse source code over and over.
2026-03-17 09:43:05 -05:00
Andrew Ferrazzutti and GitHub
8a6d9a8d45
Admin API docs: use consistent path param syntax ( #19307 )
...
Always use `/<param>` instead of sometimes using `/$param`
### Pull Request Checklist
<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->
* [x] Pull request is based on the develop branch
* [x] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog ).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
- Use markdown where necessary, mostly for `code blocks`.
- End with either a period (.) or an exclamation mark (!).
- Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html ) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters ))
2026-03-17 15:36:07 +01:00
Eric Eastwood
c37a5bb4cd
Restore localhost/complement-synapse change from #19523
...
See https://github.com/element-hq/synapse/pull/19523#discussion_r2944133700
2026-03-16 22:20:56 -05:00
Eric Eastwood and GitHub
6254e009bb
Fix Build and push complement image CI job pointing to non-existent image ( #19523 )
...
❌
https://github.com/element-hq/synapse/actions/runs/22609655282/job/65509315002#step:8:39
```
Error response from daemon: No such image: complement-synapse:latest
```
Regressed in
https://github.com/element-hq/synapse/pull/19475#discussion_r2823157623
where we updated `complement.sh` to build `localhost/complement-synapse`
instead of `complement-synapse`.
2026-03-16 21:56:16 -05:00
Olivier 'reivilibre and GitHub
3aa948c50c
When Matrix Authentication Service (MAS) integration is enabled, allow MAS to set the user locked status in Synapse. ( #19554 )
...
Companion PR:
https://github.com/element-hq/matrix-authentication-service/pull/5550
to 1) send this flag
and 2) provision users proactively when their lock status changes.
---
Currently Synapse and MAS have two independent user lock
implementations. This PR makes it so that MAS can push its lock status
to Synapse when 'provisioning' the user.
Having the lock status in Synapse is useful for removing users from the
user directory
when they are locked.
There is otherwise no authentication requirement to have it in Synapse;
the enforcement is done
by MAS at token introspection time.
---------
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org >
2026-03-16 18:27:54 +00:00
a71c468b04
Bump the patches group with 2 updates ( #19536 )
...
Bumps the patches group with 2 updates:
[anyhow](https://github.com/dtolnay/anyhow ) and
[pyo3-log](https://github.com/vorner/pyo3-log ).
Updates `anyhow` from 1.0.101 to 1.0.102
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dtolnay/anyhow/releases ">anyhow's
releases</a>.</em></p>
<blockquote>
<h2>1.0.102</h2>
<ul>
<li>Remove backtrace dependency (<a
href="https://redirect.github.com/dtolnay/anyhow/issues/438 ">#438</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/439 ">#439</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/440 ">#440</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/441 ">#441</a>,
<a
href="https://redirect.github.com/dtolnay/anyhow/issues/442 ">#442</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/dtolnay/anyhow/commit/5c657b32522023a9f7ef883fb08582fd8e656b1a "><code>5c657b3</code></a>
Release 1.0.102</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/e737fb63918e8c71a3d0a968004a9c7ed7942283 "><code>e737fb6</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/442 ">#442</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/7fe62b51c62804f8b84443affeacfb3810ed2516 "><code>7fe62b5</code></a>
Further simply backtrace conditional compilation</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/c8cb5cae23e57a2dbb87bf05cba04f1df1f1660b "><code>c8cb5ca</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/441 ">#441</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/de27df7e0f510d543c18e50a0736566b66e62baf "><code>de27df7</code></a>
Delete CI use of --features=backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/9b67e5dd608658d805640cf1b6f6c9d091686ec1 "><code>9b67e5d</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/440 ">#440</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/efdb11a259ca58a2e505ef50486cf2d6b5ddc42a "><code>efdb11a</code></a>
Simplify <code>std_backtrace</code> conditional code</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/b8a9a707838969721a86b28e3c45ce27e279e981 "><code>b8a9a70</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/439 ">#439</a>
from dtolnay/backtrace</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/a42fc2c21846ba459df43a3f8b4996a2074909cb "><code>a42fc2c</code></a>
Remove <code>feature = "backtrace"</code> conditional
code</li>
<li><a
href="https://github.com/dtolnay/anyhow/commit/2a2a3ceb4cbc409fd99613ab5744b21e825e7908 "><code>2a2a3ce</code></a>
Re-word backtrace feature comment</li>
<li>Additional commits viewable in <a
href="https://github.com/dtolnay/anyhow/compare/1.0.101...1.0.102 ">compare
view</a></li>
</ul>
</details>
<br />
Updates `pyo3-log` from 0.13.2 to 0.13.3
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/vorner/pyo3-log/blob/main/CHANGELOG.md ">pyo3-log's
changelog</a>.</em></p>
<blockquote>
<h1>0.13.3</h1>
<ul>
<li>Support for pyo3 0.28 (<a
href="https://redirect.github.com/vorner/pyo3-log/issues/75 ">#75</a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vorner/pyo3-log/commit/a188f81c37844a0543410707296d79fe6b32cdf5 "><code>a188f81</code></a>
Release 0.13.3</li>
<li><a
href="https://github.com/vorner/pyo3-log/commit/3217bc89497492167ceae9f2f35e04acd889ec48 "><code>3217bc8</code></a>
Bump pyo3 to 0.28 (<a
href="https://redirect.github.com/vorner/pyo3-log/issues/75 ">#75</a>)</li>
<li>See full diff in <a
href="https://github.com/vorner/pyo3-log/compare/v0.13.2...v0.13.3 ">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 17:52:13 +00:00
cdd261b1c6
Bump pyopenssl from 25.3.0 to 26.0.0 ( #19574 )
...
Bumps [pyopenssl](https://github.com/pyca/pyopenssl ) from 25.3.0 to
26.0.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst ">pyopenssl's
changelog</a>.</em></p>
<blockquote>
<h2>26.0.0 (2026-03-15)</h2>
<p>Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^</p>
<ul>
<li>Dropped support for Python 3.7.</li>
<li>The minimum <code>cryptography</code> version is now 46.0.0.</li>
</ul>
<p>Deprecations:
^^^^^^^^^^^^^</p>
<p>Changes:
^^^^^^^^</p>
<ul>
<li>Added support for using aws-lc instead of OpenSSL.</li>
<li>Properly raise an error if a DTLS cookie callback returned a cookie
longer than <code>DTLS1_COOKIE_LENGTH</code> bytes. Previously this
would result in a buffer-overflow. Credit to <strong>dark_haxor</strong>
for reporting the issue. <strong>CVE-2026-27459</strong></li>
<li>Added <code>OpenSSL.SSL.Connection.get_group_name</code> to
determine which group name was negotiated.</li>
<li><code>Context.set_tlsext_servername_callback</code> now handles
exceptions raised in the callback by calling <code>sys.excepthook</code>
and returning a fatal TLS alert. Previously, exceptions were silently
swallowed and the handshake would proceed as if the callback had
succeeded. Credit to <strong>Leury Castillo</strong> for reporting this
issue. <strong>CVE-2026-27448</strong></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pyca/pyopenssl/commit/358cbf29c4e364c59930e53a270116249581eaa3 "><code>358cbf2</code></a>
Prepare for 26.0.0 release (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1487 ">#1487</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/a8d28e7069ca213049ccfbcc227ed9ef6080a15b "><code>a8d28e7</code></a>
Bump actions/cache from 4 to 5 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1486 ">#1486</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/6fefff05561c0a5e8f668b4e029a6ba3adb7d89e "><code>6fefff0</code></a>
Add aws-lc compatibility to tests and CI (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1476 ">#1476</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/a739f9661d09ec6cda448ad71ca3e6df0dce9d75 "><code>a739f96</code></a>
Bump actions/download-artifact from 8.0.0 to 8.0.1 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1485 ">#1485</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/8b4c66b1b5649ce046665b151772d40c1cddd66a "><code>8b4c66b</code></a>
Bump actions/upload-artifact in /.github/actions/upload-coverage (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1484 ">#1484</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/02a5c78435cd445a7d5ef20b354dba2b6abdac64 "><code>02a5c78</code></a>
Bump actions/upload-artifact from 6.0.0 to 7.0.0 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1483 ">#1483</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/d9733878d67ee2ad94327768bb6dc416f7827443 "><code>d973387</code></a>
Bump actions/download-artifact from 7.0.0 to 8.0.0 (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1482 ">#1482</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408 "><code>57f09bb</code></a>
Fix buffer overflow in DTLS cookie generation callback (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1479 ">#1479</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0 "><code>d41a814</code></a>
Handle exceptions in set_tlsext_servername_callback callbacks (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1478 ">#1478</a>)</li>
<li><a
href="https://github.com/pyca/pyopenssl/commit/7b29beba7759f0b810b5d5375a50469c4f8947b3 "><code>7b29beb</code></a>
Fix not using a cryptography wheel on uv (<a
href="https://redirect.github.com/pyca/pyopenssl/issues/1475 ">#1475</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/pyopenssl/compare/25.3.0...26.0.0 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 17:35:35 +00:00
eedd4c8796
Bump pyjwt from 2.11.0 to 2.12.0 ( #19560 )
...
Bumps [pyjwt](https://github.com/jpadilla/pyjwt ) from 2.11.0 to 2.12.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/releases ">pyjwt's
releases</a>.</em></p>
<blockquote>
<h2>2.12.0</h2>
<h2>Security</h2>
<ul>
<li>Validate the crit (Critical) Header Parameter defined in RFC 7515
§4.1.11. by <a
href="https://github.com/dmbs335 "><code>@dmbs335</code></a> in <a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f ">GHSA-752w-5fwx-jx9f</a></li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1132 ">jpadilla/pyjwt#1132</a></li>
<li>chore(docs): fix docs build by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1137 ">jpadilla/pyjwt#1137</a></li>
<li>Annotate PyJWKSet.keys for pyright by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1134 ">jpadilla/pyjwt#1134</a></li>
<li>fix: close HTTPError to prevent ResourceWarning on Python 3.14 by <a
href="https://github.com/veeceey "><code>@veeceey</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1133 ">jpadilla/pyjwt#1133</a></li>
<li>chore: remove superfluous constants by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1136 ">jpadilla/pyjwt#1136</a></li>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1135 ">jpadilla/pyjwt#1135</a></li>
<li>chore(tests): enable mypy by <a
href="https://github.com/tamird "><code>@tamird</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1138 ">jpadilla/pyjwt#1138</a></li>
<li>Bump actions/download-artifact from 7 to 8 by <a
href="https://github.com/dependabot "><code>@dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1142 ">jpadilla/pyjwt#1142</a></li>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1141 ">jpadilla/pyjwt#1141</a></li>
<li>[pre-commit.ci] pre-commit autoupdate by <a
href="https://github.com/pre-commit-ci "><code>@pre-commit-ci</code></a>[bot]
in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1145 ">jpadilla/pyjwt#1145</a></li>
<li>fix: do not store reference to algorithms dict on PyJWK by <a
href="https://github.com/akx "><code>@akx</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1143 ">jpadilla/pyjwt#1143</a></li>
<li>Use PyJWK algorithm when encoding without explicit algorithm by <a
href="https://github.com/jpadilla "><code>@jpadilla</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1148 ">jpadilla/pyjwt#1148</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/tamird "><code>@tamird</code></a> made
their first contribution in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1137 ">jpadilla/pyjwt#1137</a></li>
<li><a href="https://github.com/veeceey "><code>@veeceey</code></a> made
their first contribution in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1133 ">jpadilla/pyjwt#1133</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0 ">https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0 </a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst ">pyjwt's
changelog</a>.</em></p>
<blockquote>
<h2><code>v2.12.0
<https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0> ;</code>__</h2>
<p>Fixed</p>
<pre><code>
- Annotate PyJWKSet.keys for pyright by @tamird in
`[#1134 ](https://github.com/jpadilla/pyjwt/issues/1134 )
<https://github.com/jpadilla/pyjwt/pull/1134> ;`__
- Close ``HTTPError`` response to prevent ``ResourceWarning`` on Python
3.14 by @veeceey in
`[#1133 ](https://github.com/jpadilla/pyjwt/issues/1133 )
<https://github.com/jpadilla/pyjwt/pull/1133> ;`__
- Do not keep ``algorithms`` dict in PyJWK instances by @akx in
`[#1143 ](https://github.com/jpadilla/pyjwt/issues/1143 )
<https://github.com/jpadilla/pyjwt/pull/1143> ;`__
- Validate the crit (Critical) Header Parameter defined in RFC 7515
§4.1.11. by @dmbs335 in `GHSA-752w-5fwx-jx9f
<https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f> ;`__
- Use PyJWK algorithm when encoding without explicit algorithm in
`[#1148 ](https://github.com/jpadilla/pyjwt/issues/1148 )
<https://github.com/jpadilla/pyjwt/pull/1148> ;`__
<p>Added
</code></pre></p>
<ul>
<li>Docs: Add <code>PyJWKClient</code> API reference and document the
two-tier caching system (JWK Set cache and signing key LRU cache).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/bd9700cca7f9258fadcc429c1034e508025931f2 "><code>bd9700c</code></a>
Use PyJWK algorithm when encoding without explicit algorithm (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1148 ">#1148</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92 "><code>051ea34</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/1451d70eca2059bc472703692f0bb0777bc0fe93 "><code>1451d70</code></a>
fix: do not store reference to algorithms dict on PyJWK (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1143 ">#1143</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/f3ba74c106df9ce10e272dfaad96acb4ab3ef5a5 "><code>f3ba74c</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1145 ">#1145</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/0318ffa7b156b01600376e38952bf961382e0724 "><code>0318ffa</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1141 ">#1141</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/a52753db3c1075ac01337fa8b7cc92b13a19ac09 "><code>a52753d</code></a>
Bump actions/download-artifact from 7 to 8 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1142 ">#1142</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/b85050f1d444c6828bb4618ee764443b0a3f5d18 "><code>b85050f</code></a>
chore(tests): enable mypy (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1138 ">#1138</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/1272b264779717cc481c8341f321a7fc8b3aaba6 "><code>1272b26</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1135 ">#1135</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/99a87287c26cb97c94399084ee4186ee52207a7f "><code>99a8728</code></a>
chore: remove superfluous constants (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1136 ">#1136</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/412cb67a93363812ae4029d6a95f5d4d40ab2609 "><code>412cb67</code></a>
fix: close HTTPError to prevent ResourceWarning on Python 3.14 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1133 ">#1133</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 18:30:42 +01:00
Andrew Ferrazzutti and GitHub
c0924fbbd8
MSC4140: put delay_id in unsigned data for sender ( #19479 )
...
Implements
https://github.com/matrix-org/matrix-spec-proposals/pull/4140/changes/49b200dcc11de286974925177b1e184cd905e6fa
2026-03-16 16:29:42 +00:00
Quentin Gliech and GitHub
4c475dcd7a
Allow the caching of the /versions and /auth_metadata endpoints ( #19530 )
...
Can be reviewed commit by commit.
This sets caching headers on the /versions and /auth_metadata endpoints
to:
- allow clients to cache the response for up to 10 minutes
(`max-age=600`)
- allow proxies to cache the response for up to an hour
(`s-maxage=3600`)
- make proxies serve stale response for up to an hour (`s-maxage=3600`)
but make them refresh their response after 10 minutes
(`stale-while-revalidate=600`) so that we always have a snappy response
to client, but also have fresh responses most of the time
- only cache the response for unauthenticated requests on /versions
(`Vary: Authorization`)
I'm not too worried about the 1h TTL on the proxy side, as with the
`stale-while-revalidate` directive, one just needs to do two requests
after 10 minutes to get a fresh response from the cache.
The reason we want this, is that clients usually load this right away,
leading to a lot of traffic from people just loading the Element Web
login screen with the default config. This is currently routed to
`client_readers` on matrix.org (and ESS) which can be overwhelmed for
other reasons, leading to slow response times on those endpoints (3s+).
Overwhelmed workers shouldn't prevent people from logging in, and
shouldn't result in a long loading spinner in clients. This PR allows
caching proxies (like Cloudflare) to publicly cache the unauthenticated
response of those two endpoints and make it load quicker, reducing
server load as well.
2026-03-12 17:11:09 +00:00
3ce5508c7e
Bump quinn-proto from 0.11.12 to 0.11.14 ( #19544 )
...
Bumps [quinn-proto](https://github.com/quinn-rs/quinn ) from 0.11.12 to
0.11.14.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/quinn-rs/quinn/releases ">quinn-proto's
releases</a>.</em></p>
<blockquote>
<h2>quinn-proto 0.11.14</h2>
<p><a href="https://github.com/jxs "><code>@jxs</code></a> reported a
denial of service issue in quinn-proto 5 days ago:</p>
<ul>
<li><a
href="https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98 ">https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98 </a></li>
</ul>
<p>We coordinated with them to release this version to patch the issue.
Unfortunately the maintainers missed these issues during code review and
we did not have enough fuzzing coverage -- we regret the oversight and
have added an additional fuzzing target.</p>
<p>Organizations that want to participate in coordinated disclosure can
contact us privately to discuss terms.</p>
<h2>What's Changed</h2>
<ul>
<li>Fix over-permissive proto dependency edge by <a
href="https://github.com/Ralith "><code>@Ralith</code></a> in <a
href="https://redirect.github.com/quinn-rs/quinn/pull/2385 ">quinn-rs/quinn#2385</a></li>
<li>0.11.x: avoid unwrapping VarInt decoding during parameter parsing by
<a href="https://github.com/djc "><code>@djc</code></a> in <a
href="https://redirect.github.com/quinn-rs/quinn/pull/2559 ">quinn-rs/quinn#2559</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/quinn-rs/quinn/commit/2c315aa7f9c2a6c1db87f8f51f40623a427c78fd "><code>2c315aa</code></a>
proto: bump version to 0.11.14</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/8ad47f431e7deb82c08b09c2e33ef85aa88fd212 "><code>8ad47f4</code></a>
Use newer rustls-pki-types PEM parser API</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/c81c0289abe30d8437ccbf9b6304e2bc9c707cea "><code>c81c028</code></a>
ci: fix workflow syntax</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/0050172969f7e69e136c433181330da7790d8d73 "><code>0050172</code></a>
ci: pin wasm-bindgen-cli version</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/8a6f82c58d1c565eab78f986e614223e6ed76a85 "><code>8a6f82c</code></a>
Take semver-compatible dependency updates</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/e52db4ad8df0f9720e7b0e32ecc0e48c9a93de0f "><code>e52db4a</code></a>
Apply suggestions from clippy 1.91</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/6df7275c582ca9b7225e0ccf9f9871a55eb73155 "><code>6df7275</code></a>
chore: Fix <code>unnecessary_unwrap</code> clippy</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/c8eefa07e087b06d8f2b78ff262ce8ac952994f1 "><code>c8eefa0</code></a>
proto: avoid unwrapping varint decoding during parameters parsing</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/9723a977754c8662001b0fef97aab8f3ddf1df92 "><code>9723a97</code></a>
fuzz: add fuzzing target for parsing transport parameters</li>
<li><a
href="https://github.com/quinn-rs/quinn/commit/eaf0ef30252cef4acec21f150427e604cd4271c9 "><code>eaf0ef3</code></a>
Fix over-permissive proto dependency edge (<a
href="https://redirect.github.com/quinn-rs/quinn/issues/2385 ">#2385</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/quinn-rs/quinn/compare/quinn-proto-0.11.12...quinn-proto-0.11.14 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-12 15:44:21 +01:00