Update all non-major dependencies (minor)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
aquasecurity/trivy-action	action	minor	0.31.0 → 0.33.1
ghcr.io/nordeck/matrix-widget-toolkit/widget-server	final	minor	1.1.1 → 1.2.1
helm/chart-testing-action	action	minor	v2.6.1 → v2.8.0
helm/kind-action	action	minor	v1.10.0 → v1.13.0
matrixdotorg/synapse		minor	v1.123.0 → v1.145.0
python	uses-with	minor	3.12 → 3.14
sigstore/cosign-installer	action	minor	v3.7.0 → v3.10.1
webpack	resolutions	minor	5.99.9 → 5.104.1

---

Release Notes

aquasecurity/trivy-action (aquasecurity/trivy-action)

v0.33.1

Compare Source

What's Changed

• Update setup-trivy action to version v0.2.4 by @​martincostello in #​486

Full Changelog: aquasecurity/trivy-action@0.33.0...0.33.1

v0.33.0

Compare Source

What's Changed

• Update dependencies in README by @​ibakshay in #​378
• doc: correct sbom fs scan by @​yxtay in #​458
• Pin actions/cache by SHA by @​martincostello in #​480
• chore(ci): Add oras to correctly setup sync jobs by @​simar7 in #​482
• chore(deps): Update trivy to v0.65.0 by @​aqua-bot in #​481

New Contributors

• @​ibakshay made their first contribution in #​378
• @​yxtay made their first contribution in #​458
• @​martincostello made their first contribution in #​480

Full Changelog: aquasecurity/trivy-action@0.32.0...0.33.0

v0.32.0

Compare Source

What's Changed

• chore(deps): Update trivy to v0.64.1 by @​aqua-bot in #​474

Full Changelog: aquasecurity/trivy-action@0.31.0...0.32.0

helm/chart-testing-action (helm/chart-testing-action)

v2.8.0

Compare Source

What's Changed

• Bump the actions group across 1 directory with 4 updates by @​dependabot[bot] in #​171
• Fix the broken link for GitHub Help Documentation by @​subramani95 in #​174
• bump ct and yamale version by @​cpanato in #​178
• Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in #​181
• Bump actions/setup-python from 5.4.0 to 6.0.0 by @​dependabot[bot] in #​179
• Bump the actions group across 1 directory with 2 updates by @​dependabot[bot] in #​183
• Use uv instead of python venv by @​nikolaik in #​172
• Bump sigstore/cosign-installer from 3.8.1 to 4.0.0 by @​dependabot[bot] in #​184

New Contributors

• @​subramani95 made their first contribution in #​174
• @​nikolaik made their first contribution in #​172

Full Changelog: helm/chart-testing-action@v2...v2.8.0

v2.7.0

Compare Source

For ct change see https://github.com/helm/chart-testing/releases/tag/v3.12.0

What's Changed

• docs: update all version references to latest versions by @​froblesmartin in #​141
• update ct to v3.11.0 / yamlint to 1.33.0 / yamale to 4.0.4 / add e2e test by @​cpanato in #​144
• use ct 3.12.0 as default by @​cpanato in #​165
• clean up and fix cr action next release by @​cpanato in #​166

New Contributors

• @​froblesmartin made their first contribution in #​141

Full Changelog: helm/chart-testing-action@v2.6.1...v2.7.0

helm/kind-action (helm/kind-action)

v1.13.0

Compare Source

What's Changed

• chore: verify sha256sum of kubectl by @​felix-kaestner in #​134
• Load GITHUB_PATH in PATH to use correct binaries when creating registry by @​gotha in #​133
• feat: Add cloud provider by @​waltermity in #​135
• chore: bump kind to v0.29.0 by @​pmalek in #​144
• Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in #​145
• bug: respect 'install_only' action input value by @​mszostok in #​147
• bump kind and kubectl and also nodejs by @​cpanato in #​150

New Contributors

• @​felix-kaestner made their first contribution in #​134
• @​gotha made their first contribution in #​133
• @​waltermity made their first contribution in #​135
• @​pmalek made their first contribution in #​144
• @​mszostok made their first contribution in #​147

Full Changelog: helm/kind-action@v1...v1.13.0

v1.12.0

Compare Source

What's Changed

• update kind to use release v0.26.0 by @​cpanato in #​129
• feat: options to configure local registry by @​tthvo in #​113
• Bump actions/checkout from 4.1.4 to 4.2.2 in the actions group by @​dependabot in #​130

New Contributors

• @​tthvo made their first contribution in #​113

Full Changelog: helm/kind-action@v1.11.0...v1.12.0

v1.11.0

Compare Source

What's Changed

• add wait test by @​cpanato in #​111
• revert wget to use curl again by @​cpanato in #​110
• feat: add custom kubeconfig option as action input by @​jbattiato in #​119
• fix: Use new mirror for downloading kubectl by @​jriedel-ionos in #​127
• update kind to default to release v0.24.0 by @​cpanato in #​122

New Contributors

• @​jbattiato made their first contribution in #​119
• @​jriedel-ionos made their first contribution in #​127

Full Changelog: helm/kind-action@v1.10.0...v1.11.0

element-hq/synapse (matrixdotorg/synapse)

v1.145.0

Compare Source

Synapse 1.145.0 (2026-01-13)

No significant changes since 1.145.0rc4.

End of Life of Ubuntu 25.04 Plucky Puffin

Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.

Updates to Locked Dependencies No Longer Included in Changelog

The "Updates to locked dependencies" section has been removed from the changelog due to lack of use and the maintenance burden. (#​19254)

Synapse 1.145.0rc4 (2026-01-08)

No significant changes since 1.145.0rc3.

This RC contains a fix specifically for openSUSE packaging and no other changes.

Synapse 1.145.0rc3 (2026-01-07)

No significant changes since 1.145.0rc2.

This RC strips out unnecessary files from the wheels that were added when fixing the source distribution packaging in the previous RC.

Synapse 1.145.0rc2 (2026-01-07)

No significant changes since 1.145.0rc1.

This RC fixes the source distribution packaging for uploading to PyPI.

Synapse 1.145.0rc1 (2026-01-06)

Features

• Add memberships endpoint to the admin API. This is useful for forensics and T&S purposes. (#​19260)
• Server admins can bypass the quarantine media check when downloading media by setting the admin_unsafely_bypass_quarantine query parameter to true on Client-Server API media download requests. (#​19275)
• Implemented pagination for the MSC2666 mutual rooms endpoint. Contributed by @​tulir @​ Beeper. (#​19279)
• Admin API: add worker support to GET /_synapse/admin/v2/users/<user_id>. (#​19281)
• Improve proxy support for the federation_client.py dev script. Contributed by Denis Kasak (@​dkasak). (#​19300)

Bugfixes

• Fix sliding sync performance slow down for long lived connections. (#​19206)
• Fix a bug where Mastodon posts (and possibly other embeds) have the wrong description for URL previews. (#​19231)
• Fix bug where Duration was logged incorrectly. (#​19267)
• Fix bug introduced in 1.143.0 that broke support for versions of zope-interface older than 6.2. (#​19274)
• Transform events with client metadata before serialising in /event response. (#​19340)

Updates to the Docker image

• Add a way to expose metrics from the Docker image (SYNAPSE_ENABLE_METRICS). (#​19324)

Improved Documentation

• Document the importance of public_baseurl when configuring OpenID Connect authentication. (#​19270)

Deprecations and Removals

• Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.
• Remove the "Updates to locked dependencies" section from the changelog due to lack of use and the maintenance burden. (#​19254)

Internal Changes

• Group together dependabot update PRs to reduce the review load. (#​18402)
• Fix HomeServer.shutdown() failing if the homeserver hasn't been setup yet. (#​19187)
• Respond with useful error codes with Content-Length header/s are invalid. (#​19212)
• Fix HomeServer.shutdown() failing if the homeserver failed to start. (#​19232)
• Switch the build backend from poetry-core to maturin. (#​19234)
• Raise the limit for concurrently-open non-security @​dependabot PRs from 5 to 10. (#​19253)
• Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks. (#​19258)
• Drop the broken netlify documentation workflow until a new one is implemented. (#​19262)
• Don't include debug logs in Clock unless explicitly enabled. (#​19278)
• Use uv to test olddeps to ensure all transitive dependencies use minimum versions. (#​19289)
• Add a config to be able to rate limit search in the user directory. (#​19291)
• Log the original bind exception when encountering Failed to listen on 0.0.0.0, continuing because listening on [::]. (#​19297)
• Unpin the version of Rust we use to build Synapse wheels (was 1.82.0) now that MacOS support has been dropped. (#​19302)
• Make it more clear how shared_extra_conf is combined in our Docker configuration scripts. (#​19323)
• Update CI to stream Complement progress and format logs in a separate step after all tests are done. (#​19326)
• Format .github/workflows/tests.yml. (#​19327)

v1.144.0

Compare Source

Synapse 1.144.0 (2025-12-09)

Deprecation of MacOS Python wheels

The team has decided to deprecate and stop publishing python wheels for MacOS as of this release. Synapse docker images will continue to work on MacOS, as will building Synapse from source (though note this requires a Rust compiler).

Unstable mutual rooms endpoint is now behind an experimental feature flag

Admins using the unstable MSC2666 endpoint (/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms), please check the relevant section in the upgrade notes as this release contains changes that disable that endpoint by default.

No significant changes since 1.144.0rc1.

Synapse 1.144.0rc1 (2025-12-02)

Admins using the unstable MSC2666 endpoint (/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms), please check the relevant section in the upgrade notes as this release contains changes that disable that endpoint by default.

Features

• Add experimental implementation of MSC4380 (invite blocking). (#​19203)
• Allow restarting delayed event timeouts on workers. (#​19207)

Bugfixes

• Fix a bug in the database function for fetching state deltas that could result in unnecessarily long query times. (#​18960)
• Fix v12 rooms when running with use_frozen_dicts: True. (#​19235)
• Fix bug where invalid canonical_alias content would return 500 instead of 400. (#​19240)
• Fix bug where Duration was logged incorrectly. (#​19267)

Improved Documentation

• Document in the --config-path help how multiple files are merged - by merging them shallowly. (#​19243)

Deprecations and Removals

• Stop building release wheels for MacOS. (#​19225)

Internal Changes

• Improve event filtering for Simplified Sliding Sync. (#​17782)
• Export SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES environment variable from scripts-dev/complement.sh. (#​19208)
• Refactor scripts-dev/complement.sh logic to avoid exit to facilitate being able to source it from other scripts (composable). (#​19209)
• Expire sliding sync connections that are too old or have too much pending data. (#​19211)
• Require an experimental feature flag to be enabled in order for the unstable MSC2666 endpoint (/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms) to be available. (#​19219)
• Prevent changelog check CI running on @​dependabot's PRs even when a human has modified the branch. (#​19220)
• Auto-fix trailing spaces in multi-line strings and comments when running the lint script. (#​19221)
• Move towards using a dedicated Duration type. (#​19223, #​19229)
• Improve robustness of the SQL schema linting in CI. (#​19224)
• Add log to determine whether clients are using /messages as expected. (#​19226)
• Simplify README and add ESS Getting started section. (#​19228, #​19259)
• Add a unit test for ensuring associated refresh tokens are erased when a device is deleted. (#​19230)
• Prompt user to consider adding future deprecations to the changelog in release script. (#​19239)
• Fix check of the Rust compiled code being outdated when using source checkout and .egg-info. (#​19251)
• Stop building MacOS wheels in CI pipeline. (#​19263)

Updates to locked dependencies

• Bump Swatinem/rust-cache from 2.8.1 to 2.8.2. (#​19244)
• Bump actions/checkout from 5.0.0 to 6.0.0. (#​19213)
• Bump actions/setup-go from 6.0.0 to 6.1.0. (#​19214)
• Bump actions/setup-python from 6.0.0 to 6.1.0. (#​19245)
• Bump attrs from 25.3.0 to 25.4.0. (#​19215)
• Bump docker/metadata-action from 5.9.0 to 5.10.0. (#​19246)
• Bump http from 1.3.1 to 1.4.0. (#​19249)
• Bump pydantic from 2.12.4 to 2.12.5. (#​19250)
• Bump pyopenssl from 25.1.0 to 25.3.0. (#​19248)
• Bump rpds-py from 0.28.0 to 0.29.0. (#​19216)
• Bump rpds-py from 0.29.0 to 0.30.0. (#​19247)
• Bump sentry-sdk from 2.44.0 to 2.46.0. (#​19218)
• Bump types-bleach from 6.2.0.20250809 to 6.3.0.20251115. (#​19217)
• Bump types-jsonschema from 4.25.1.20250822 to 4.25.1.20251009. (#​19252)

v1.143.0

Compare Source

Synapse 1.143.0 (2025-11-25)

Dropping support for PostgreSQL 13

In line with our deprecation policy, we've dropped support for PostgreSQL 13, as it is no longer supported upstream. This release of Synapse requires PostgreSQL 14+.

No significant changes since 1.143.0rc2.

synapse 1.143.0rc2 (2025-11-18)

Internal Changes

• Fixes docker image creation in the release workflow.

Synapse 1.143.0rc1 (2025-11-18)

Features

• Support multiple config files in register_new_matrix_user. (#​18784)
• Remove authentication from POST /_matrix/client/v1/delayed_events, and allow calling this endpoint with the update action to take (send/cancel/restart) in the request path instead of the body. (#​19152)

Bugfixes

• Fixed a longstanding bug where background updates were only run on the main database. (#​19181)
• Fixed a bug introduced in v1.142.0 preventing subpaths in MAS endpoints from working. (#​19186)
• Fix the SQLite-to-PostgreSQL migration script to correctly migrate a boolean column in the delayed_events table. (#​19155)

Improved Documentation

• Improve documentation around streams, particularly ID generators and adding new streams. (#​18943)

Deprecations and Removals

• Remove support for PostgreSQL 13. (#​19170)

Internal Changes

• Provide additional servers with federation room directory results. (#​18970)
• Add a shortcut return when there are no events to purge. (#​19093)
• Write union types as X | Y where possible, as per PEP 604, added in Python 3.10. (#​19111)
• Reduce cardinality of synapse_storage_events_persisted_events_sep_total metric by removing origin_entity label. This also separates out events sent by local application services by changing the origin_type for such events to application_service. The type field also only tracks common event types, and anything else is bucketed under *other*. (#​19133, #​19168)
• Run trial tests on Python 3.14 for PRs. (#​19135)
• Update pyproject.toml project metadata to be compatible with standard Python packaging tooling. (#​19137)
• Minor speed up of processing of inbound replication. (#​19138, #​19145, #​19146)
• Ignore recent Python language refactors from git blame (.git-blame-ignore-revs). (#​19150)
• Bump lower bounds of dependencies parameterized to 0.9.0 and idna to 3.3 as those are the first to advertise support for Python 3.10. (#​19167)
• Point out which event caused the exception when checking MSC4293 redactions. (#​19169)
• Restore printing sentinel for the log record request when no logcontext is active. (#​19172)
• Add debug logs to track Clock utilities. (#​19173)
• Remove explicit python version skips in cibuildwheel config as it's no longer required after #​19137. (#​19177)
• Fix potential lost logcontext when PerDestinationQueue.shutdown(...) is called. (#​19178)
• Fix bad deferred logcontext handling across the codebase. (#​19180)

Updates to locked dependencies

• Bump bytes from 1.10.1 to 1.11.0. (#​19193)
• Bump click from 8.1.8 to 8.3.1. (#​19195)
• Bump cryptography from 43.0.3 to 45.0.7. (#​19159)
• Bump docker/metadata-action from 5.8.0 to 5.9.0. (#​19161)
• Bump pydantic from 2.12.3 to 2.12.4. (#​19158)
• Bump pyo3-log from 0.13.1 to 0.13.2. (#​19156)
• Bump ruff from 0.14.3 to 0.14.5. (#​19196)
• Bump sentry-sdk from 2.34.1 to 2.43.0. (#​19157)
• Bump sentry-sdk from 2.43.0 to 2.44.0. (#​19197)
• Bump tomli from 2.2.1 to 2.3.0. (#​19194)
• Bump types-netaddr from 1.3.0.20240530 to 1.3.0.20251108. (#​19160)

v1.142.1

Compare Source

Synapse 1.142.1 (2025-11-18)

Bugfixes

• Fixed a bug introduced in v1.142.0 preventing subpaths in MAS endpoints from working. (#​19186)

v1.142.0

Compare Source

Synapse 1.142.0 (2025-11-11)

Dropped support for Python 3.9

This release drops support for Python 3.9, in line with our dependency deprecation policy, as it is now end of life.

SQLite 3.40.0+ is now required

The minimum supported SQLite version has been increased from 3.27.0 to 3.40.0.

If you use current versions of the matrixorg/synapse Docker images, no action is required.

Deprecation of MacOS Python wheels

The team has decided to deprecate and eventually stop publishing python wheels for MacOS. This is a burden on the team, and we're not aware of any parties that use them. Synapse docker images will continue to work on MacOS, as will building Synapse from source (though note this requires a Rust compiler).

At present, publishing MacOS Python wheels will continue for the next release (1.143.0), but will not be available after that (1.144.0+). If you do make use of these wheels downstream, please reach out to us in #synapse-dev:matrix.org. We'd love to hear from you!

Internal Changes

• Properly stop building wheels for Python 3.9 and free-threaded CPython. (#​19154)

Synapse 1.142.0rc4 (2025-11-07)

Bugfixes

• Fix a bug introduced in 1.142.0rc1 where any attempt to configure matrix_authentication_service.secret_path would prevent the homeserver from starting up. (#​19144)

Synapse 1.142.0rc3 (2025-11-04)

Internal Changes

• Update release scripts to prevent building wheels for free-threaded Python, as Synapse does not currently support it. (#​19140)

Synapse 1.142.0rc2 (2025-11-04)

Internal Changes

• Manually skip building Python 3.9 wheels, to prevent errors in the release workflow. (#​19119)

Synapse 1.142.0rc1 (2025-11-04)

Features

• Add support for Python 3.14. (#​19055, #​19134)
• Add an Admin API
  to allow an admin to fetch the space/room hierarchy for a given space. (#​19021)

Bugfixes

• Fix a bug introduced in 1.111.0 where failed attempts to download authenticated remote media would not be handled correctly. (#​19062)
• Update the oidc_session_no_samesite cookie to have the Secure attribute, so the only difference between it and the paired oidc_session cookie, is the configuration of the SameSite attribute as described in the comments / cookie names. Contributed by @​kieranlane. (#​19079)
• Fix a bug introduced in 1.140.0 where lost logcontext warnings would be emitted from timeouts in sync and requests made by Synapse itself. (#​19090)
• Fix a bug introdued in 1.140.0 where lost logcontext warning were emitted when using HomeServer.shutdown(). (#​19108)

Improved Documentation

• Update the link to the Debian oldstable package for SQLite. (#​19047)
• Point out additional Redis configuration options available in the worker docs. Contributed by @​servisbryce. (#​19073)
• Update the list of Debian releases that the downstream Debian package is maintained for. (#​19100)
• Add a page to the documentation describing the steps the Synapse team takes to review the release notes before publishing them. (#​19109)

Deprecations and Removals

• Drop support for Python 3.9. (#​19099)
• Remove support for SQLite < 3.37.2. (#​19047)

Internal Changes

• Fix CI linter for schema delta files to correctly handle all types of CREATE TABLE syntax. (#​19020)
• Use type hinting generics in standard collections, as per PEP 585, added in Python 3.9. (#​19046)
• Always treat RETURNING as supported by SQL engines, now that the minimum-supported versions of both SQLite and PostgreSQL support it. (#​19047)
• Move oidc.load_metadata() startup into _base.start(). (#​19056)
• Remove logcontext problems caused by awaiting raw deferLater(...). (#​19058)
• Prevent duplicate logging setup when running multiple Synapse instances. (#​19067)
• Be mindful of other logging context filters in 3rd-party code and avoid overwriting log record fields unless we know the log record is relevant to Synapse. (#​19068)
• Update pydantic to v2. (#​19071)
• Update deprecated code in the release script to prevent a warning message from being printed. (#​19080)
• Update the deprecated poetry development dependencies group name in pyproject.toml. (#​19081)
• Remove pp38* skip selector from cibuildwheel to silence warning. (#​19085)
• Don't immediately exit the release script if the checkout is dirty. Instead, allow the user to clear the dirty changes and retry. (#​19088)
• Update the release script's generated announcement text to include a title and extra text for RC's. (#​19089)
• Fix lints on main branch. (#​19092)
• Use cheaper random string function in logcontext utilities. (#​19094)
• Avoid clobbering other SIGHUP handlers in 3rd-party code. (#​19095)
• Prevent duplicate GitHub draft releases being created during the Synapse release process. (#​19096)
• Use Pillow's Image.getexif method instead of the experimental Image._getexif. (#​19098)
• Prevent uv /usr/local/.lock file from appearing in built Synapse docker images. (#​19107)
• Allow Synapse's runtime dependency checking code to take packaging markers (i.e. python <= 3.14) into account when checking dependencies. (#​19110)
• Move exception handling up the stack (avoid exit(1) in our composable functions). (#​19116)
• Fix a lint error related to lifetimes in Rust 1.90. (#​19118)
• Refactor and align app entrypoints (avoid exit(1) in our composable functions). (#​19121, #​19131)
• Speed up pruning of ratelimiters. (#​19129)

Updates to locked dependencies

• Bump actions/download-artifact from 5.0.0 to 6.0.0. (#​19102)
• Bump actions/upload-artifact from 4 to 5. (#​19106)
• Bump hiredis from 3.2.1 to 3.3.0. (#​19103)
• Bump icu_segmenter from 2.0.0 to 2.0.1. (#​19126)
• Bump idna from 3.10 to 3.11. (#​19053)
• Bump ijson from 3.4.0 to 3.4.0.post0. (#​19051)
• Bump markdown-it-py from 3.0.0 to 4.0.0. (#​19123)
• Bump msgpack from 1.1.1 to 1.1.2. (#​19050)
• Bump psycopg2 from 2.9.10 to 2.9.11. (#​19125)
• Bump pyyaml from 6.0.2 to 6.0.3. (#​19105)
• Bump regex from 1.11.3 to 1.12.2. (#​19074)
• Bump reqwest from 0.12.23 to 0.12.24. (#​19077)
• Bump ruff from 0.12.10 to 0.14.3. (#​19124)
• Bump sigstore/cosign-installer from 3.10.0 to 4.0.0. (#​19075)
• Bump stefanzweifel/git-auto-commit-action from 6.0.1 to 7.0.0. (#​19052)
• Bump tokio from 1.47.1 to 1.48.0. (#​19076)
• Bump types-psycopg2 from 2.9.21.20250915 to 2.9.21.20251012. (#​19054)

v1.141.0

Compare Source

Synapse 1.141.0 (2025-10-29)

Deprecation of MacOS Python wheels

The team has decided to deprecate and eventually stop publishing python wheels
for MacOS. This is a burden on the team, and we're not aware of any parties
that use them. Synapse docker images will continue to work on MacOS, as will
building Synapse from source (though note this requires a Rust compiler).

Publishing MacOS Python wheels will continue for the next few releases. If you
do make use of these wheels downstream, please reach out to us in
#synapse-dev:matrix.org. We'd love to hear from you!

Docker images now based on Debian trixie with Python 3.13

The Docker images are now based on Debian trixie and use Python 3.13. If you
are using the Docker images as a base image you may need to e.g. adjust the
paths you mount any additional Python packages at.

No significant changes since 1.141.0rc2.

Synapse 1.141.0rc2 (2025-10-28)

Bugfixes

• Fix users being unable to log in if their password, or the server's configured pepper, was too long. (#​19101)

Synapse 1.141.0rc1 (2025-10-21)

Features

• Allow using MSC4190 behavior without the opt-in registration flag. Contributed by @​tulir @​ Beeper. (#​19031)
• Stabilized support for MSC4326: Device masquerading for appservices. Contributed by @​tulir @​ Beeper. (#​19033)

Bugfixes

• Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be reload-ed more than once when running under systemd. (#​19060)
• Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long. (#​19078)

Updates to the Docker image

• Update docker image to use Debian trixie as the base and thus Python 3.13. (#​19064)

Internal Changes

• Move unique snowflake homeserver background tasks to start_background_tasks (the standard pattern for this kind of thing). (#​19037)
• Drop a deprecated field of the PyGitHub dependency in the release script and raise the dependency's minimum version to 1.59.0. (#​19039)
• Update TODO list of conflicting areas where we encounter metrics being clobbered (ApplicationService). (#​19040)

v1.140.0

Compare Source

Synapse 1.140.0 (2025-10-14)

Compatibility notice for users of synapse-s3-storage-provider

Deployments that make use of the synapse-s3-storage-provider module must upgrade to v1.6.0.

Using older versions of the module with this release of Synapse will prevent users from being able to upload or download media.

No significant changes since 1.140.0rc1.

Synapse 1.140.0rc1 (2025-10-10)

Features

• Add a new Media Query by ID Admin API that allows server admins to query and investigate the metadata of local or cached remote media via
  the origin/media_id identifier found in a Matrix Content URI. (#​18911)
• Add a new Fetch Event Admin API to fetch an event by ID. (#​18963)
• Update MSC4284: Policy Servers implementation to support signatures when available. (#​18934)
• Add experimental implementation of the GET /_matrix/client/v1/rtc/transports endpoint for the latest draft of MSC4143: MatrixRTC. (#​18967)
• Expose a defer_to_threadpool function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool. (#​19032)

Bugfixes

• Fix room upgrade room_config argument and documentation for user_may_create_room spam-checker callback. (#​18721)
• Compute a user's last seen timestamp from their devices' last seen timestamps instead of IPs, because the latter are automatically cleared according to user_ips_max_age. (#​18948)
• Fix bug where ephemeral events were not filtered by room ID. Contributed by @​frastefanini. (#​19002)
• Update Synapse main process version string to include git info. (#​19011)

Improved Documentation

• Explain how Deferred callbacks interact with logcontexts. (#​18914)
• Fix documentation for rc_room_creation and rc_reports to clarify that a per_user rate limit is not supported. (#​18998)

Deprecations and Removals

• Remove deprecated LoggingContext.set_current_context/LoggingContext.current_context methods which already have equivalent bare methods in synapse.logging.context. (#​18989)
• Drop support for unstable field names from the long-accepted MSC2732 (Olm fallback keys) proposal. (#​18996)

Internal Changes

• Cleanly shutdown SynapseHomeServer object, allowing artifacts of embedded small hosts to be properly garbage collected. (#​18828)
• Update OEmbed providers to use 'X' instead of 'Twitter' in URL previews, following a rebrand. Contributed by @​HammyHavoc. (#​18767)
• Fix server_name in logging context for multiple Synapse instances in one process. (#​18868)
• Wrap the Rust HTTP client with make_deferred_yieldable so it follows Synapse logcontext rules. (#​18903)
• Fix the GitHub Actions workflow that moves issues labeled "X-Needs-Info" to the "Needs info" column on the team's internal triage board. (#​18913)
• Disconnect background process work from request trace. (#​18932)
• Reduce overall number of calls to _get_e2e_cross_signing_signatures_for_devices by increasing the batch size of devices the query is called with, reducing DB load. (#​18939)
• Update error code used when an appservice tries to masquerade as an unknown device using MSC4326. Contributed by @​tulir @​ Beeper. (#​18947)
• Fix no active span when trying to log tracing error on startup (when OpenTracing is enabled). (#​18959)
• Fix run_coroutine_in_background(...) incorrectly handling logcontext. (#​18964)
• Add debug logs wherever we change current logcontext. (#​18966)
• Update dockerfile metadata to fix broken link; point to documentation website. (#​18971)
• Note that the code is additionally licensed under the Element Commercial license in SPDX expression field configs. (#​18973)
• Fix logcontext handling in timeout_deferred tests. (#​18974)
• Remove internal ReplicationUploadKeysForUserRestServlet as a follo

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 05:59 AM, only on Monday ( * 0-5 * * 1 ) in timezone Europe/Berlin, Automerge - Monday through Friday ( * * * * 1-5 ) in timezone Europe/Berlin.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

🦋 Changeset detected

Latest commit: 8f816e2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@nordeck/matrix-meetings-widget	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.