kaslo/synapse
1
0
Fork 0
Code Wiki Activity
25,568 Commits 1,048 Branches 805 Tags
2c73e8daef1c50abe9741f1fa321a34f9fdc5909
Commit Graph

25568 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Erik Johnston
2c73e8daef Allow long lived syncs to be cancelled if client has gone away (#19499) 2026-02-26 21:41:06 +00:00
Hugh Nimmo-Smith
f78d011df1 Experimental implementation of unstable MSC4388 for Sign in with QR (#19127) 
Co-authored-by: Olivier 'reivilibre' <oliverw@element.io>
 2026-02-25 17:41:51 +00:00
Eric Eastwood
ac3a115511 Log if we ever gc.freeze() (#19440) 
Spawning from
https://github.com/element-hq/synapse-small-hosts/issues/348 where some
test appears to be flaky because some homeserver objects are frozen in
the garbage collector.

We set
[`freeze=False`](a9a6869aa9/multi_synapse/app/shard.py (L319-L321))
in the [Synapse Pro for small
hosts](https://docs.element.io/latest/element-server-suite-pro/synapse-pro-for-small-hosts/overview/)
code but I just want to use this log to make extra sure this isn't being
run somehow. The follow-up here would be to see what else would cause
something to be frozen in the garbage collector.
 2026-02-25 09:47:13 -06:00
Brad Murray
bc15ed3c62 DeviceHandler: Add a log line when we delete a device (#19496) 
Deleting devices should be fairly
rare, and if someone gets logged out it's helpful to grep logs for a
user id or device id and see where it died.
 2026-02-24 14:18:52 -06:00
Quentin Gliech
3d30735e79 Merge branch 'master' into develop 2026-02-24 15:29:24 +01:00
Quentin Gliech
b30607ccaf 1.148.0 2026-02-24 12:18:37 +01:00
Olivier 'reivilibre
16245f0550 Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token. (#18518) 
Fixes: #18503

---------

Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
Co-authored-by: Quentin Gliech <quenting@element.io>
 2026-02-20 15:52:29 +00:00
Olivier 'reivilibre
4500652459 Rename the test_disconnect test helper so that pytest doesn't see it as a test. (#19486) 
This fixes one of the 2 blockers to using pytest instead of Trial (which
is not formally-motivated, but sometimes seems like an interesting idea
because
pytest has seen a lot of developer experience features that Trial
hasn't. It would also removes one more coupling to the Twisted
framework.)

---

The `test_` prefix to this test helper makes it appear as a test to
pytest.

We *can* set a `__test__ = False` attribute on the test, but it felt
cleaner to just rename it (as I also thought it would be a test from
that name!).

This was previously reported as:
https://github.com/element-hq/synapse/issues/18665

---------

Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
 2026-02-20 15:37:34 +00:00
dependabot[bot]
9b738d2ec5 Bump the patches group with 2 updates (#19488) 
Bumps the patches group with 2 updates:
[anyhow](https://github.com/dtolnay/anyhow) and
[regex](https://github.com/rust-lang/regex).

Updates `anyhow` from 1.0.100 to 1.0.101
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dtolnay/anyhow/releases">anyhow's
releases</a>.</em></p>
<blockquote>
<h2>1.0.101</h2>
<ul>
<li>Add #[inline] to anyhow::Ok helper (<a
href="https://redirect.github.com/dtolnay/anyhow/issues/437">#437</a>,
thanks <a
href="https://github.com/Ibitier"><code>@​Ibitier</code></a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="80bfe291b1"><code>80bfe29</code></a>
Release 1.0.101</li>
<li><a
href="dff8c432f9"><code>dff8c43</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/437">#437</a>
from Ibitier/inline-ok-helper</li>
<li><a
href="85d9ea9a1c"><code>85d9ea9</code></a>
Add #[inline] to anyhow::Ok helper</li>
<li><a
href="54036cc289"><code>54036cc</code></a>
Update ui test suite to nightly-2026-01-21</li>
<li><a
href="cce0579d85"><code>cce0579</code></a>
Update actions/upload-artifact@v5 -&gt; v6</li>
<li><a
href="f2c598ca0e"><code>f2c598c</code></a>
Update actions/upload-artifact@v4 -&gt; v5</li>
<li><a
href="2c0bda4ce9"><code>2c0bda4</code></a>
Update to 2021 edition</li>
<li><a
href="0d82268129"><code>0d82268</code></a>
Remove rustc version requirement from readme</li>
<li><a
href="67df01216d"><code>67df012</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/anyhow/issues/436">#436</a>
from dtolnay/up</li>
<li><a
href="c8984880a8"><code>c898488</code></a>
Raise required compiler to Rust 1.68</li>
<li>Additional commits viewable in <a
href="https://github.com/dtolnay/anyhow/compare/1.0.100...1.0.101">compare
view</a></li>
</ul>
</details>
<br />

Updates `regex` from 1.12.2 to 1.12.3
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rust-lang/regex/blob/master/CHANGELOG.md">regex's
changelog</a>.</em></p>
<blockquote>
<h1>1.12.3 (2025-02-03)</h1>
<p>This release excludes some unnecessary things from the archive
published to
crates.io. Specifically, fuzzing data and various shell scripts are now
excluded. If you run into problems, please file an issue.</p>
<p>Improvements:</p>
<ul>
<li><a
href="https://redirect.github.com/rust-lang/regex/pull/1319">#1319</a>:
Switch from a Cargo <code>exclude</code> list to an <code>include</code>
list, and exclude some
unnecessary stuff.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b028e4f40e"><code>b028e4f</code></a>
1.12.3</li>
<li><a
href="5e195de266"><code>5e195de</code></a>
regex-automata-0.4.14</li>
<li><a
href="a3433f6918"><code>a3433f6</code></a>
regex-syntax-0.8.9</li>
<li><a
href="0c07fae444"><code>0c07fae</code></a>
regex-lite-0.1.9</li>
<li><a
href="6a810068f0"><code>6a81006</code></a>
cargo: exclude development scripts and fuzzing data</li>
<li><a
href="4733e28ba4"><code>4733e28</code></a>
automata: fix <code>onepass::DFA::try_search_slots</code> panic when too
many slots are ...</li>
<li>See full diff in <a
href="https://github.com/rust-lang/regex/compare/1.12.2...1.12.3">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-20 15:14:46 +00:00
dependabot[bot]
0ac772f082 Bump pillow from 12.0.0 to 12.1.1 (#19454) 
Bumps [pillow](https://github.com/python-pillow/Pillow) from 12.0.0 to
12.1.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/python-pillow/Pillow/releases">pillow's
releases</a>.</em></p>
<blockquote>
<h2>12.1.1</h2>
<p><a
href="https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html">https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html</a></p>
<h2>Dependencies</h2>
<ul>
<li>Patch libavif for svt-av1 4.0 compatibility <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9413">#9413</a>
[<a href="https://github.com/hugovk"><code>@​hugovk</code></a>]</li>
</ul>
<h2>Other changes</h2>
<ul>
<li>Fix OOB Write with invalid tile extents <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9427">#9427</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
</ul>
<h2>12.1.0</h2>
<p><a
href="https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html">https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html</a></p>
<h2>Deprecations</h2>
<ul>
<li>Deprecate getdata(), in favour of new get_flattened_data() <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9292">#9292</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
</ul>
<h2>Documentation</h2>
<ul>
<li>Specify APNG duration type when opening <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9368">#9368</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Added release notes for <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9350">#9350</a>
<a
href="https://redirect.github.com/python-pillow/Pillow/issues/9366">#9366</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Update ImageMorph documentation <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9349">#9349</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Docs: update major bump cadence <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9334">#9334</a>
[<a href="https://github.com/hugovk"><code>@​hugovk</code></a>]</li>
<li>Add release notes for <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9070">#9070</a>
<a
href="https://redirect.github.com/python-pillow/Pillow/issues/9320">#9320</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Updated Ubuntu version <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9306">#9306</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Update macOS tested Pillow versions <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9265">#9265</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
</ul>
<h2>Dependencies</h2>
<ul>
<li>Update harfbuzz to 12.3.0 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9355">#9355</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Update xz to 5.8.2 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9343">#9343</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Updated libjpeg-turbo to 3.1.3 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9333">#9333</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Updated zlib-ng to 2.3.2 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9324">#9324</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Updated libpng to 1.6.53 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9325">#9325</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Update actions/checkout action to v6 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9323">#9323</a>
[@<a href="https://github.com/apps/renovate">renovate[bot]</a>]</li>
<li>Update dependency mypy to v1.19.0 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9322">#9322</a>
[@<a href="https://github.com/apps/renovate">renovate[bot]</a>]</li>
<li>Updated libpng to 1.6.51 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9305">#9305</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Updated brotli to 1.2.0 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9284">#9284</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Update libimagequant to 4.4.1 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9301">#9301</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9312">#9312</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Updated harfbuzz to 12.2.0 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9289">#9289</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Update github-actions <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9277">#9277</a>
[@<a href="https://github.com/apps/renovate">renovate[bot]</a>]</li>
</ul>
<h2>Testing</h2>
<ul>
<li>Replace pre-commit with prek <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9360">#9360</a>
[<a href="https://github.com/hugovk"><code>@​hugovk</code></a>]</li>
<li>Test PyQt6 on Python 3.14 on Windows <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9353">#9353</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Test 32-bit Windows on Windows Server 2022 <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9345">#9345</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
<li>Correct variable type <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9335">#9335</a>
[<a
href="https://github.com/radarhere"><code>@​radarhere</code></a>]</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5158d98c80"><code>5158d98</code></a>
12.1.1 version bump</li>
<li><a
href="9000313cc5"><code>9000313</code></a>
Fix OOB Write with invalid tile extents (<a
href="https://redirect.github.com/python-pillow/Pillow/issues/9427">#9427</a>)</li>
<li><a
href="cd0111849f"><code>cd01118</code></a>
Patch libavif for svt-av1 4.0 compatibility</li>
<li><a
href="46f45f674d"><code>46f45f6</code></a>
12.1.0 version bump</li>
<li><a
href="c9ac097edb"><code>c9ac097</code></a>
Simplify band splitting (<a
href="https://redirect.github.com/python-pillow/Pillow/issues/9291">#9291</a>)</li>
<li><a
href="3baedf2648"><code>3baedf2</code></a>
Deprecate getdata(), in favour of new get_flattened_data() (<a
href="https://redirect.github.com/python-pillow/Pillow/issues/9292">#9292</a>)</li>
<li><a
href="b51a036685"><code>b51a036</code></a>
Specify APNG duration type when opening (<a
href="https://redirect.github.com/python-pillow/Pillow/issues/9368">#9368</a>)</li>
<li><a
href="8d08e31533"><code>8d08e31</code></a>
Add release notes for <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9348">#9348</a>
(<a
href="https://redirect.github.com/python-pillow/Pillow/issues/9369">#9369</a>)</li>
<li><a
href="432707ea81"><code>432707e</code></a>
Added release notes for <a
href="https://redirect.github.com/python-pillow/Pillow/issues/9348">#9348</a></li>
<li><a
href="2d589107fb"><code>2d58910</code></a>
Specify APNG duration type when opening</li>
<li>Additional commits viewable in <a
href="https://github.com/python-pillow/Pillow/compare/12.0.0...12.1.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pillow&package-manager=pip&previous-version=12.0.0&new-version=12.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Quentin Gliech <quenting@element.io>
 2026-02-20 15:42:16 +01:00
Eric Eastwood
04206aebdf Log docker system info in CI (#19480) 
Follow-up to
https://github.com/element-hq/synapse/pull/19460#discussion_r2819139638
and https://github.com/element-hq/synapse/pull/19475
 2026-02-19 09:57:25 -06:00
Eric Eastwood
b2778dae70 Fix Complement CI not running against the code from our PRs (remote images being chosen over local) (#19475) 
Fix remote images being chosen over the local ones we just built with
Complement in CI (any Docker environment using the `containerd` image
store). This problem means that Complement jobs in CI don't actually
test against the code from the PR (since 2026-02-10).

This PR approaches the problem the same way that @AndrewFerr proposed in
https://github.com/element-hq/synapse/pull/18210. This is better than
the alternative listed below as we can just make our code compatible
with whatever image store is being used.
### Problem

Spawning from
https://github.com/element-hq/synapse/pull/19460#discussion_r2818760635
where we found that our Complement jobs in CI don't actually test
against the code from the PR at the moment.

This is caused by a change in Docker Engine 29.0.0:

> `containerd` image store is now the default for **fresh installs**.
This doesn't apply to daemons configured with `userns-remap` (see
[moby#47377](https://github.com/moby/moby/issues/47377)).
>
> *-- 29.0.0 (2025-11-10),
https://docs.docker.com/engine/release-notes/29/#2900*

And our `ubuntu-latest` GitHub runner (`Current runner version:
'2.331.0'`)
[points](https://github.com/actions/runner-images/blob/ubuntu24/20260209.23/images/ubuntu/Ubuntu2404-Readme.md)
to using Docker client/server `29.1.5` 🎯

This Docker version bump happened on
416418df15
(2026-02-10) (`28.0.4` -> `29.1.5`). Specific PR:
https://github.com/actions/runner-images/pull/13633

---

I found this because I reviewed and remembered
https://github.com/element-hq/synapse/pull/18210 was a thing that
@AndrewFerr ran into. And then running `dockers system prune` also
revealed the problematic `containerd` in CI. Checking the Docker
changelogs, I found the new default culprit and then could trace down
where the GitHub runners made the dependency update.

---------

Co-authored-by: Andrew Ferrazzutti <andrewf@element.io>
 2026-02-18 11:37:09 -06:00
Quentin Gliech
3833eb49cf Merge branch 'release-v1.148' into develop 2026-02-17 23:53:04 +01:00
Eric Eastwood
b80774efb2 Better instrument JoinRoomAliasServlet with tracing (#19461) 
So we can better see why it decides to do a local vs remote join.

Spawning from [investigating a join issue on `matrix.org`](https://matrix.to/#/!SGNQGPGUwtcPBUotTL:matrix.org/$Odvd47QtkRscxilzkhcFOsDZWNvJUSEhSrD8GpukKWo?via=jki.re&via=element.io&via=matrix.org).
 2026-02-17 13:15:57 -06:00
Quentin Gliech
32c5f01bcb Minor reword 2026-02-17 18:33:08 +01:00
Quentin Gliech
40171d036a 1.148.0rc1 2026-02-17 17:44:37 +01:00
Quentin Gliech
bd0756c6ca Revert "Fix /sync missing membership in state_after" (#19474) 
Reverts element-hq/synapse#19463

The complement tests haven't been reviewed and require more testing.
Discussed in the internal [backend team
lobby](https://matrix.to/#/!SGNQGPGUwtcPBUotTL:matrix.org/$XDARK2u2iLL5wWaxiL6tJYkLg80Sn6yWWEQib8ahl5Q?via=jki.re&via=element.io&via=matrix.org)
room.
 2026-02-17 17:41:14 +01:00
Erik Johnston
e627b08786 Add cargo.lock to Rust build hash (#19470) 
This is so that when we update dependencies etc we correctly ensure that
the Rust library has been rebuilt.
 2026-02-17 13:48:59 +00:00
dependabot[bot]
3669d6e3df Bump reqwest from 0.12.26 to 0.12.28 (#19444) 
Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.26 to
0.12.28.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/seanmonstar/reqwest/releases">reqwest's
releases</a>.</em></p>
<blockquote>
<h2>v0.12.28</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: correctly import TokioIo on Windows by <a
href="https://github.com/seanmonstar"><code>@​seanmonstar</code></a> in
<a
href="https://redirect.github.com/seanmonstar/reqwest/pull/2896">seanmonstar/reqwest#2896</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/seanmonstar/reqwest/compare/v0.12.27...v0.12.28">https://github.com/seanmonstar/reqwest/compare/v0.12.27...v0.12.28</a></p>
<h2>v0.12.27</h2>
<h2>tl;dr</h2>
<ul>
<li>Add <code>ClientBuilder::windows_named_pipe(name)</code> option that
will force all requests over that Windows Named Pipe.</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>chore: Disable unused tokio-util codec feature by <a
href="https://github.com/tottoto"><code>@​tottoto</code></a> in <a
href="https://redirect.github.com/seanmonstar/reqwest/pull/2893">seanmonstar/reqwest#2893</a></li>
<li>chore: Use http_body_util::BodyDataStream by <a
href="https://github.com/tottoto"><code>@​tottoto</code></a> in <a
href="https://redirect.github.com/seanmonstar/reqwest/pull/2892">seanmonstar/reqwest#2892</a></li>
<li>feat: add windows_named_pipe() option to client builder by <a
href="https://github.com/seanmonstar"><code>@​seanmonstar</code></a> in
<a
href="https://redirect.github.com/seanmonstar/reqwest/pull/2789">seanmonstar/reqwest#2789</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/seanmonstar/reqwest/compare/v0.12.26...v0.12.27">https://github.com/seanmonstar/reqwest/compare/v0.12.26...v0.12.27</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md">reqwest's
changelog</a>.</em></p>
<blockquote>
<h2>v0.12.28</h2>
<ul>
<li>Fix compiling on Windows if TLS and SOCKS features are not
enabled.</li>
</ul>
<h2>v0.12.27</h2>
<ul>
<li>Add <code>ClientBuilder::windows_named_pipe(name)</code> option that
will force all requests over that Windows Named Piper.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d97859910c"><code>d978599</code></a>
v0.12.28</li>
<li><a
href="ef2768a823"><code>ef2768a</code></a>
fix: correctly import TokioIo on Windows (<a
href="https://redirect.github.com/seanmonstar/reqwest/issues/2896">#2896</a>)</li>
<li><a
href="1bf6441b68"><code>1bf6441</code></a>
v0.12.27</li>
<li><a
href="4967b1b4e2"><code>4967b1b</code></a>
feat: add windows_named_pipe() option to client builder (<a
href="https://redirect.github.com/seanmonstar/reqwest/issues/2789">#2789</a>)</li>
<li><a
href="ef5b239cba"><code>ef5b239</code></a>
chore: Use http_body_util::BodyDataStream (<a
href="https://redirect.github.com/seanmonstar/reqwest/issues/2892">#2892</a>)</li>
<li><a
href="a810004797"><code>a810004</code></a>
chore: Disable unused tokio-util codec feature (<a
href="https://redirect.github.com/seanmonstar/reqwest/issues/2893">#2893</a>)</li>
<li>See full diff in <a
href="https://github.com/seanmonstar/reqwest/compare/v0.12.26...v0.12.28">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=reqwest&package-manager=cargo&previous-version=0.12.26&new-version=0.12.28)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Quentin Gliech <quenting@element.io>
 2026-02-17 14:43:41 +01:00
Devon Hudson
69b931f305 Push Synapse docker images to Element OCI Registry (#19420) 
Part of https://github.com/element-hq/serverproduct-internal/issues/1153

Pushes Synapse docker images to the Element OCI Registry in addition to
the dockerhub and ghcr registries.

Ready for review despite Draft status. See
https://github.com/element-hq/synapse/pull/19420#issuecomment-3848866071

### Pull Request Checklist

<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->

* [X] Pull request is based on the develop branch
* [X] Pull request includes a [changelog
file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog).
The entry should:
- Be a short description of your change which makes sense to users.
"Fixed a bug that prevented receiving messages from other servers."
instead of "Moved X method from `EventStore` to `EventWorkerStore`.".
  - Use markdown where necessary, mostly for `code blocks`.
  - End with either a period (.) or an exclamation mark (!).
  - Start with a capital letter.
- Feel free to credit yourself, by adding a sentence "Contributed by
@github_username." or "Contributed by [Your Name]." to the end of the
entry.
* [X] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))

---------

Co-authored-by: Quentin Gliech <quenting@element.io>
 2026-02-17 14:35:38 +01:00
Eric Eastwood
b0b4203cb6 Fix /sync missing membership in state_after (#19463) 2026-02-17 13:04:17 +00:00
dependabot[bot]
7a765c4819 Bump the minor-and-patches group across 1 directory with 3 updates (#19469) 
Bumps the minor-and-patches group with 3 updates in the / directory:
[docker/login-action](https://github.com/docker/login-action),
[actions/setup-python](https://github.com/actions/setup-python) and
[actions/cache](https://github.com/actions/cache).

Updates `docker/login-action` from 3.6.0 to 3.7.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/login-action/releases">docker/login-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.7.0</h2>
<ul>
<li>Add <code>scope</code> input to set scopes for the authentication
token by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/login-action/pull/912">docker/login-action#912</a></li>
<li>Add support for AWS European Sovereign Cloud ECR by <a
href="https://github.com/dphi"><code>@​dphi</code></a> in <a
href="https://redirect.github.com/docker/login-action/pull/914">docker/login-action#914</a></li>
<li>Ensure passwords are redacted with <code>registry-auth</code> input
by <a href="https://github.com/crazy-max"><code>@​crazy-max</code></a>
in <a
href="https://redirect.github.com/docker/login-action/pull/911">docker/login-action#911</a></li>
<li>build(deps): bump lodash from 4.17.21 to 4.17.23 in <a
href="https://redirect.github.com/docker/login-action/pull/915">docker/login-action#915</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/login-action/compare/v3.6.0...v3.7.0">https://github.com/docker/login-action/compare/v3.6.0...v3.7.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c94ce9fb46"><code>c94ce9f</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/915">#915</a>
from docker/dependabot/npm_and_yarn/lodash-4.17.23</li>
<li><a
href="8339c958ce"><code>8339c95</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/912">#912</a>
from docker/scope</li>
<li><a
href="c83e9320c8"><code>c83e932</code></a>
build(deps): bump lodash from 4.17.21 to 4.17.23</li>
<li><a
href="b268aa57e3"><code>b268aa5</code></a>
chore: update generated content</li>
<li><a
href="a603229278"><code>a603229</code></a>
documentation for scope input</li>
<li><a
href="7567f92a74"><code>7567f92</code></a>
Add scope input to set scopes for the authentication token</li>
<li><a
href="0567fa5ae8"><code>0567fa5</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/914">#914</a>
from dphi/add-support-for-amazonaws.eu</li>
<li><a
href="f6ef577545"><code>f6ef577</code></a>
feat: add support for AWS European Sovereign Cloud ECR registries</li>
<li><a
href="916386b000"><code>916386b</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/login-action/issues/911">#911</a>
from crazy-max/ensure-redact</li>
<li><a
href="5b3f94a294"><code>5b3f94a</code></a>
chore: update generated content</li>
<li>Additional commits viewable in <a
href="5e57cd1181...c94ce9fb46">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/setup-python` from 6.1.0 to 6.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-python/releases">actions/setup-python's
releases</a>.</em></p>
<blockquote>
<h2>v6.2.0</h2>
<h2>What's Changed</h2>
<h3>Dependency Upgrades</h3>
<ul>
<li>Upgrade dependencies to Node 24 compatible versions by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/setup-python/pull/1259">actions/setup-python#1259</a></li>
<li>Upgrade urllib3 from 2.5.0 to 2.6.3 in <code>/__tests__/data</code>
by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>
in <a
href="https://redirect.github.com/actions/setup-python/pull/1253">actions/setup-python#1253</a>
and <a
href="https://redirect.github.com/actions/setup-python/pull/1264">actions/setup-python#1264</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-python/compare/v6...v6.2.0">https://github.com/actions/setup-python/compare/v6...v6.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a309ff8b42"><code>a309ff8</code></a>
Bump urllib3 from 2.6.0 to 2.6.3 in /<strong>tests</strong>/data (<a
href="https://redirect.github.com/actions/setup-python/issues/1264">#1264</a>)</li>
<li><a
href="bfe8cc55a7"><code>bfe8cc5</code></a>
Upgrade <a href="https://github.com/actions"><code>@​actions</code></a>
dependencies to Node 24 compatible versions (<a
href="https://redirect.github.com/actions/setup-python/issues/1259">#1259</a>)</li>
<li><a
href="4f41a90a1f"><code>4f41a90</code></a>
Bump urllib3 from 2.5.0 to 2.6.0 in /<strong>tests</strong>/data (<a
href="https://redirect.github.com/actions/setup-python/issues/1253">#1253</a>)</li>
<li>See full diff in <a
href="83679a892e...a309ff8b42">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/cache` from 5.0.1 to 5.0.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/cache/releases">actions/cache's
releases</a>.</em></p>
<blockquote>
<h2>v5.0.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a
href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li>
<li>Bump <code>@actions/core</code> to v2.0.3</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/cache/compare/v5...v5.0.3">https://github.com/actions/cache/compare/v5...v5.0.3</a></p>
<h2>v.5.0.2</h2>
<h1>v5.0.2</h1>
<h2>What's Changed</h2>
<p>When creating cache entries, 429s returned from the cache service
will not be retried.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's
changelog</a>.</em></p>
<blockquote>
<h1>Releases</h1>
<h2>How to prepare a release</h2>
<blockquote>
<p>[!NOTE]<br />
Relevant for maintainers with write access only.</p>
</blockquote>
<ol>
<li>Switch to a new branch from <code>main</code>.</li>
<li>Run <code>npm test</code> to ensure all tests are passing.</li>
<li>Update the version in <a
href="https://github.com/actions/cache/blob/main/package.json"><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li>
<li>Run <code>npm run build</code> to update the compiled files.</li>
<li>Update this <a
href="https://github.com/actions/cache/blob/main/RELEASES.md"><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a>
with the new version and changes in the <code>## Changelog</code>
section.</li>
<li>Run <code>licensed cache</code> to update the license report.</li>
<li>Run <code>licensed status</code> and resolve any warnings by
updating the <a
href="https://github.com/actions/cache/blob/main/.licensed.yml"><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a>
file with the exceptions.</li>
<li>Commit your changes and push your branch upstream.</li>
<li>Open a pull request against <code>main</code> and get it reviewed
and merged.</li>
<li>Draft a new release <a
href="https://github.com/actions/cache/releases">https://github.com/actions/cache/releases</a>
use the same version number used in <code>package.json</code>
<ol>
<li>Create a new tag with the version number.</li>
<li>Auto generate release notes and update them to match the changes you
made in <code>RELEASES.md</code>.</li>
<li>Toggle the set as the latest release option.</li>
<li>Publish the release.</li>
</ol>
</li>
<li>Navigate to <a
href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml">https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a>
<ol>
<li>There should be a workflow run queued with the same version
number.</li>
<li>Approve the run to publish the new version and update the major tags
for this action.</li>
</ol>
</li>
</ol>
<h2>Changelog</h2>
<h3>5.0.3</h3>
<ul>
<li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a
href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li>
<li>Bump <code>@actions/core</code> to v2.0.3</li>
</ul>
<h3>5.0.2</h3>
<ul>
<li>Bump <code>@actions/cache</code> to v5.0.3 <a
href="https://redirect.github.com/actions/cache/pull/1692">#1692</a></li>
</ul>
<h3>5.0.1</h3>
<ul>
<li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via
<code>@actions/cache@5.0.1</code> <a
href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li>
</ul>
<h3>5.0.0</h3>
<blockquote>
<p>[!IMPORTANT]
<code>actions/cache@v5</code> runs on the Node.js 24 runtime and
requires a minimum Actions Runner version of <code>2.327.1</code>.
If you are using self-hosted runners, ensure they are updated before
upgrading.</p>
</blockquote>
<h3>4.3.0</h3>
<ul>
<li>Bump <code>@actions/cache</code> to <a
href="https://redirect.github.com/actions/toolkit/pull/2132">v4.1.0</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cdf6c1fa76"><code>cdf6c1f</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/cache/issues/1695">#1695</a>
from actions/Link-/prepare-5.0.3</li>
<li><a
href="a1bee22673"><code>a1bee22</code></a>
Add review for the <code>@​actions/http-client</code> license</li>
<li><a
href="46957638dc"><code>4695763</code></a>
Add licensed output</li>
<li><a
href="dc73bb9f7b"><code>dc73bb9</code></a>
Upgrade dependencies and address security warnings</li>
<li><a
href="345d5c2f76"><code>345d5c2</code></a>
Add 5.0.3 builds</li>
<li><a
href="8b402f58fb"><code>8b402f5</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/cache/issues/1692">#1692</a>
from GhadimiR/main</li>
<li><a
href="304ab5a070"><code>304ab5a</code></a>
license for httpclient</li>
<li><a
href="609fc19e67"><code>609fc19</code></a>
Update licensed record for cache</li>
<li><a
href="b22231e43d"><code>b22231e</code></a>
Build</li>
<li><a
href="93150cdfb3"><code>93150cd</code></a>
Add PR link to releases</li>
<li>Additional commits viewable in <a
href="9255dc7a25...cdf6c1fa76">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-17 13:59:16 +01:00
dependabot[bot]
1592afba8d Bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible in /complement (#19436) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from
28.2.2+incompatible to 28.3.3+incompatible.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v28.3.3</h2>
<h2>28.3.3</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.3.3">docker/cli,
28.3.3 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.3.3">moby/moby,
28.3.3 milestone</a></li>
</ul>
<h3>Security</h3>
<p>This release fixes an issue where, after a firewalld reload,
published container ports could be accessed directly from the local
network, even when they were intended to be accessible only via a
loopback address. <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54388">CVE-2025-54388</a>
/ <a
href="https://github.com/moby/moby/security/advisories/GHSA-x4rx-4gw3-53p4">GHSA-x4rx-4gw3-53p4</a>
/ <a
href="https://redirect.github.com/moby/moby/pull/50506">moby/moby#50506</a>.</p>
<h3>Packaging updates</h3>
<ul>
<li>Update Buildx to <a
href="https://github.com/docker/buildx/releases/tag/v0.26.1">v0.26.1</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1230">docker/docker-ce-packaging#1230</a></li>
<li>Update Compose to <a
href="https://github.com/docker/compose/releases/tag/v2.39.1">v2.39.1</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1234">docker/docker-ce-packaging#1234</a></li>
<li>Update Docker Model CLI plugin to <a
href="https://github.com/docker/model-cli/releases/tag/v0.1.36">v0.1.36</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1233">docker/docker-ce-packaging#1233</a></li>
</ul>
<h3>Go SDK</h3>
<ul>
<li>cli/command/formatter: add <code>TrunateID()</code> utility as
alternative for
<code>github.com/docker/docker/pkg/stringid.TrunateID()</code>. <a
href="https://redirect.github.com/docker/cli/pull/6180">docker/cli#6180</a></li>
</ul>
<h2>28.3.2</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.3.2">docker/cli,
28.3.2 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.3.2">moby/moby,
28.3.2 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v28.3.2/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v28.3.2/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>Fix <code>--use-api-socket</code> not working correctly when
targeting a remote daemon. <a
href="https://redirect.github.com/docker/cli/pull/6157">docker/cli#6157</a></li>
<li>Fix stray &quot;otel error&quot; logs being printed if debug logging
is enabled. <a
href="https://redirect.github.com/docker/cli/pull/6160">docker/cli#6160</a></li>
<li>Quote SSH arguments when connecting to a remote daemon over an SSH
connection to avoid unexpected expansion. <a
href="https://redirect.github.com/docker/cli/pull/6147">docker/cli#6147</a></li>
<li>Warn when <code>DOCKER_AUTH_CONFIG</code> is set during <code>docker
login</code> and <code>docker logout</code>. <a
href="https://redirect.github.com/docker/cli/pull/6163">docker/cli#6163</a></li>
</ul>
<h3>Packaging updates</h3>
<ul>
<li>Update Compose to <a
href="https://github.com/docker/compose/releases/tag/v2.38.2">v2.38.2</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1225">docker/docker-ce-packaging#1225</a></li>
<li>Update Docker Model CLI plugin to <a
href="https://github.com/docker/model-cli/releases/tag/v0.1.33">v0.1.33</a>.
<a
href="https://redirect.github.com/docker/docker-ce-packaging/pull/1227">docker/docker-ce-packaging#1227</a></li>
<li>Update Go runtime to 1.24.5. <a
href="https://redirect.github.com/moby/moby/pull/50354">moby/moby#50354</a></li>
</ul>
<h2>28.3.1</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.3.1">docker/cli,
28.3.1 milestone</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="bea959c7b7"><code>bea959c</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/50506">#50506</a>
from robmry/backport-28.x/fix_firewalld_reload</li>
<li><a
href="3e9ff78b94"><code>3e9ff78</code></a>
bridge: Reapply endpoint iptables rules on firewalld reload</li>
<li><a
href="29ed80aa86"><code>29ed80a</code></a>
bridge: Trigger firewalld reload during bridge integration tests</li>
<li><a
href="da489a11d4"><code>da489a1</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/50478">#50478</a>
from thaJeztah/28.x_backport_gha_bump_bk</li>
<li><a
href="f173e45ae9"><code>f173e45</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/50480">#50480</a>
from austinvazquez/cherry-pick-ea29dffaa541289591aa...</li>
<li><a
href="e4b1f89996"><code>e4b1f89</code></a>
daemon/server: remove compatibility with API v1.4 auth-config on
push</li>
<li><a
href="0c9e14dcce"><code>0c9e14d</code></a>
hack/buildkit-ref: temporarily bump BuildKit to head of v0.23
branch</li>
<li><a
href="bf6d688157"><code>bf6d688</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/50471">#50471</a>
from austinvazquez/cherry-pick-b1ce0c89f0214cc6711c...</li>
<li><a
href="4205776b85"><code>4205776</code></a>
client: always send (empty) body on push</li>
<li><a
href="e77ff99ede"><code>e77ff99</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/50354">#50354</a>
from vvoland/50353-28.x</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/docker/compare/v28.2.2...v28.3.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=28.2.2+incompatible&new-version=28.3.3+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-17 13:58:10 +01:00
Quentin Gliech
5be475f5a2 Allow configuring the Rust HTTP client to use HTTP/2 only (#19457) 
This allows the Rust HTTP client to be configured to force HTTP/2 even
on plaintext connections. This is useful in contexts where the remote
server is known to server HTTP/2 over plain text.

Added because we use the Synapse Rust HTTP client with the Synapse Pro
`event-cache` module. We use this because it's independent from the
Python reactor which makes things slower than expected.

Currently, the Synapse Rust HTTP client uses HTTP/1 which means a new
connection for every request. With HTTP/2, we can share the connection
across requests.

We want to see if this will make a performance difference and less
stress on the database connection situation, see
https://github.com/element-hq/synapse-rust-apps/issues/452#issuecomment-3897717599

Here is the sibling PR for using HTTP/2 on the Synapse Pro `event-cache`
module side: https://github.com/element-hq/synapse-pro-modules/pull/35
 2026-02-17 13:57:14 +01:00
dependabot[bot]
27b2915606 Bump tokio from 1.48.0 to 1.49.0 (#19443) 
Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.48.0 to 1.49.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tokio-rs/tokio/releases">tokio's
releases</a>.</em></p>
<blockquote>
<h2>Tokio v1.49.0</h2>
<h1>1.49.0 (January 3rd, 2026)</h1>
<h3>Added</h3>
<ul>
<li>net: add support for <code>TCLASS</code> option on IPv6 (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7781">#7781</a>)</li>
<li>runtime: stabilize <code>runtime::id::Id</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7125">#7125</a>)</li>
<li>task: implement <code>Extend</code> for <code>JoinSet</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7195">#7195</a>)</li>
<li>task: stabilize the <code>LocalSet::id()</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7776">#7776</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>net: deprecate <code>{TcpStream,TcpSocket}::set_linger</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7752">#7752</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>macros: fix the hygiene issue of <code>join!</code> and
<code>try_join!</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7766">#7766</a>)</li>
<li>runtime: revert &quot;replace manual vtable definitions with
Wake&quot; (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7699">#7699</a>)</li>
<li>sync: return <code>TryRecvError::Disconnected</code> from
<code>Receiver::try_recv</code> after <code>Receiver::close</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7686">#7686</a>)</li>
<li>task: remove unnecessary trait bounds on the <code>Debug</code>
implementation (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7720">#7720</a>)</li>
</ul>
<h3>Unstable</h3>
<ul>
<li>fs: handle <code>EINTR</code> in <code>fs::write</code> for io-uring
(<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7786">#7786</a>)</li>
<li>fs: support io-uring with <code>tokio::fs::read</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7696">#7696</a>)</li>
<li>runtime: disable io-uring on <code>EPERM</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7724">#7724</a>)</li>
<li>time: add alternative timer for better multicore scalability (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7467">#7467</a>)</li>
</ul>
<h3>Documented</h3>
<ul>
<li>docs: fix a typos in <code>bounded.rs</code> and
<code>park.rs</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7817">#7817</a>)</li>
<li>io: add <code>SyncIoBridge</code> cross-references to
<code>copy</code> and <code>copy_buf</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7798">#7798</a>)</li>
<li>io: doc that <code>AsyncWrite</code> does not inherit from
<code>std::io::Write</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7705">#7705</a>)</li>
<li>metrics: clarify that <code>num_alive_tasks</code> is not strongly
consistent (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7614">#7614</a>)</li>
<li>net: clarify the cancellation safety of the
<code>TcpStream::peek</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7305">#7305</a>)</li>
<li>net: clarify the drop behavior of <code>unix::OwnedWriteHalf</code>
(<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7742">#7742</a>)</li>
<li>net: clarify the platform-dependent backlog in
<code>TcpSocket</code> docs (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7738">#7738</a>)</li>
<li>runtime: mention <code>LocalRuntime</code> in
<code>new_current_thread</code> docs (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7820">#7820</a>)</li>
<li>sync: add missing period to <code>mpsc::Sender::try_send</code> docs
(<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7721">#7721</a>)</li>
<li>sync: clarify the cancellation safety of
<code>oneshot::Receiver</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7780">#7780</a>)</li>
<li>sync: improve the docs for the <code>errors</code> of mpsc (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7722">#7722</a>)</li>
<li>task: add example for <code>spawn_local</code> usage on local
runtime (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7689">#7689</a>)</li>
</ul>
<p><a
href="https://redirect.github.com/tokio-rs/tokio/issues/7125">#7125</a>:
<a
href="https://redirect.github.com/tokio-rs/tokio/pull/7125">tokio-rs/tokio#7125</a>
<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7195">#7195</a>:
<a
href="https://redirect.github.com/tokio-rs/tokio/pull/7195">tokio-rs/tokio#7195</a>
<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7305">#7305</a>:
<a
href="https://redirect.github.com/tokio-rs/tokio/pull/7305">tokio-rs/tokio#7305</a>
<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7467">#7467</a>:
<a
href="https://redirect.github.com/tokio-rs/tokio/pull/7467">tokio-rs/tokio#7467</a>
<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7614">#7614</a>:
<a
href="https://redirect.github.com/tokio-rs/tokio/pull/7614">tokio-rs/tokio#7614</a>
<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7686">#7686</a>:
<a
href="https://redirect.github.com/tokio-rs/tokio/pull/7686">tokio-rs/tokio#7686</a>
<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7689">#7689</a>:
<a
href="https://redirect.github.com/tokio-rs/tokio/pull/7689">tokio-rs/tokio#7689</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e3b89bbefa"><code>e3b89bb</code></a>
chore: prepare Tokio v1.49.0 (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7824">#7824</a>)</li>
<li><a
href="4f577b84e9"><code>4f577b8</code></a>
Merge 'tokio-1.47.3' into 'master'</li>
<li><a
href="f320197693"><code>f320197</code></a>
chore: prepare Tokio v1.47.3 (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7823">#7823</a>)</li>
<li><a
href="ea6b144cd1"><code>ea6b144</code></a>
ci: freeze rustc on nightly-2025-01-25 in <code>netlify.toml</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7652">#7652</a>)</li>
<li><a
href="264e703296"><code>264e703</code></a>
Merge <code>tokio-1.43.4</code> into <code>tokio-1.47.x</code> (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7822">#7822</a>)</li>
<li><a
href="dfb0f00838"><code>dfb0f00</code></a>
chore: prepare Tokio v1.43.4 (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7821">#7821</a>)</li>
<li><a
href="4a91f197b0"><code>4a91f19</code></a>
ci: fix wasm32-wasip1 tests (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7788">#7788</a>)</li>
<li><a
href="601c383ab6"><code>601c383</code></a>
ci: upgrade FreeBSD from 14.2 to 14.3 (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7758">#7758</a>)</li>
<li><a
href="484cb52d8d"><code>484cb52</code></a>
sync: return <code>TryRecvError::Disconnected</code> from
<code>Receiver::try_recv</code> after `Re...</li>
<li><a
href="16f20c34ed"><code>16f20c3</code></a>
rt: mention <code>LocalRuntime</code> in <code>new_current_thread</code>
docs (<a
href="https://redirect.github.com/tokio-rs/tokio/issues/7820">#7820</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tokio-rs/tokio/compare/tokio-1.48.0...tokio-1.49.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tokio&package-manager=cargo&previous-version=1.48.0&new-version=1.49.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-17 13:55:06 +01:00
dependabot[bot]
a52ffd67e0 Bump cryptography from 46.0.3 to 46.0.5 (#19450) 
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.3
to 46.0.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>46.0.5 - 2026-02-10</p>
<pre><code>
* An attacker could create a malicious public key that reveals portions
of your
private key when using certain uncommon elliptic curves (binary curves).
This version now includes additional security checks to prevent this
attack.
This issue only affects binary elliptic curves, which are rarely used in
real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab
and
Atuin Automated Vulnerability Discovery Engine** for reporting the
issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
<p>.. v46-0-4:</p>
<p>46.0.4 - 2026-01-27<br />
</code></pre></p>
<ul>
<li><code>Dropped support for win_arm64 wheels</code>_.</li>
<li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
3.5.5.</li>
</ul>
<p>.. _v46-0-3:</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="06e120e682"><code>06e120e</code></a>
bump version for 46.0.5 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/14289">#14289</a>)</li>
<li><a
href="0eebb9dbb6"><code>0eebb9d</code></a>
EC check key on cofactor &gt; 1 (<a
href="https://redirect.github.com/pyca/cryptography/issues/14287">#14287</a>)</li>
<li><a
href="bedf6e186b"><code>bedf6e1</code></a>
fix openssl version on 46 branch (<a
href="https://redirect.github.com/pyca/cryptography/issues/14220">#14220</a>)</li>
<li><a
href="e6f44fc8e6"><code>e6f44fc</code></a>
bump for 46.0.4 and drop win arm64 due to CI issues (<a
href="https://redirect.github.com/pyca/cryptography/issues/14217">#14217</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/46.0.3...46.0.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=cryptography&package-manager=pip&previous-version=46.0.3&new-version=46.0.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-17 13:53:39 +01:00
Quentin Gliech
7e4588ac4f Merge branch 'master' into develop 2026-02-12 17:23:37 +01:00
Quentin Gliech
7ff8687653 Fuxup changelog 2026-02-12 16:50:45 +01:00
Quentin Gliech
3fdeba35a6 1.147.1 2026-02-12 16:46:02 +01:00
Quentin Gliech
be362429de Refuse requests and events signed by banned signing keys (#19459) 
Co-authored-by: Devon Hudson <devonhudson@librem.one>
 2026-02-12 16:39:59 +01:00
Olivier 'reivilibre
52fb6e98ac Support sending and receiving MSC4354 Sticky Event metadata. (#19365) 
Part of: MSC4354 whose experimental feature tracking issue is
https://github.com/element-hq/synapse/issues/19409

Follows: #19340 (a necessary bugfix for `/event/` to set this metadata)

Partially supersedes: #18968

This PR implements the first batch of work to support MSC4354 Sticky
Events.

Sticky events are events that have been configured with a finite
'stickiness' duration,
capped to 1 hour per current MSC draft.

Whilst an event is sticky, we provide stronger delivery guarantees for
the event, both to
our clients and to remote homeservers, essentially making it reliable
delivery as long as we
have a functional connection to the client/server and until the
stickiness expires.

This PR merely supports creating sticky events and receiving the sticky
TTL metadata in clients.
It is not suitable for trialling sticky events since none of the other
semantics are implemented.

Contains a temporary SQLite workaround due to a bug in our supported
version enforcement: https://github.com/element-hq/synapse/issues/19452

---------

Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
Co-authored-by: Eric Eastwood <erice@element.io>
 2026-02-11 12:41:38 +00:00
Quentin Gliech
1841ded737 Merge branch 'master' into develop 2026-02-10 14:41:13 +01:00
Quentin Gliech
a6152cec04 Fixup changelog 2026-02-10 13:41:53 +01:00
Quentin Gliech
d423ab0cd5 1.147.0 2026-02-10 13:40:56 +01:00
Eric Eastwood
46d235cd52 Add in-repo Complement tests (#19406) 
This is useful so we can test Synapse
specific behaviors like our admin API.

(see docs in PR, `complement/README.md`)
```
COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh --in-repo
```

Complement calls these
["out-of-repo"](78c255edce/OUT-OF-REPO-TESTS.md)
tests but it's a bit of a misnomer once they're in your project. (just
depends on the perspective)

There has been [previous
desire](https://github.com/element-hq/synapse/pull/19021#discussion_r2453442191)
for this kind of thing but this is spawning from wanting to have some
tests for our purge history admin API
(https://github.com/element-hq/synapse-rust-apps/issues/430). There are
some Sytest tests ([`matrix-org/sytest` ->
`tests/48admin.pl#L91-L618`](1be04cce46/tests/48admin.pl (L91-L618)))
for this already but I'd much rather work in Complement instead of
Sytest. I'm wanting these tests to ensure that our new `event-cache`
rust app for Synapse Pro doesn't break these kind of erasure features
(https://github.com/element-hq/synapse-rust-apps/issues/366 and
https://github.com/element-hq/synapse-rust-apps/issues/153).

Interestingly, there is already [`matrix-org/complement` ->
`tests/csapi/admin_test.go`](78c255edce/tests/csapi/admin_test.go)
(added in https://github.com/matrix-org/complement/pull/322) in the
Complement repo iteslf that tests the
`/_synapse/admin/v1/send_server_notice` endpoint but it's a bit of an
interesting case as [Dendrite also supports this
endpoint](https://github.com/matrix-org/dendrite/pull/2180). I don't
think it's good practice to continually shove in more and more
Synapse-specific behavior into the Complement repo itself.

We already have success with other out-of-repo tests for projects like
the
[SBG](b76b05b53e/complement_tests),
[TI-Messenger
Proxy](c8fa87fecc/complement),
and our [Synapse Pro for small
hosts](c2ea7eabf3/complement).
 2026-02-05 17:11:55 -06:00
Olivier 'reivilibre
f6105b73f0 Remove support for MSC3244: Room version capabilities as the MSC was rejected. (#19429) 
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
 2026-02-05 11:01:15 +00:00
Hugh Nimmo-Smith
8d4ebc27c2 Fix reference to the experimental_features section of config in the docs (#19435) 2026-02-04 17:50:47 +00:00
dependabot[bot]
292e1aabdd Bump bytes from 1.11.0 to 1.11.1 (#19432) 
Bumps [bytes](https://github.com/tokio-rs/bytes) from 1.11.0 to 1.11.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tokio-rs/bytes/releases">bytes's
releases</a>.</em></p>
<blockquote>
<h2>Bytes v1.11.1</h2>
<h1>1.11.1 (February 3rd, 2026)</h1>
<ul>
<li>Fix integer overflow in <code>BytesMut::reserve</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md">bytes's
changelog</a>.</em></p>
<blockquote>
<h1>1.11.1 (February 3rd, 2026)</h1>
<ul>
<li>Fix integer overflow in <code>BytesMut::reserve</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="417dccdeff"><code>417dccd</code></a>
Release bytes v1.11.1 (<a
href="https://redirect.github.com/tokio-rs/bytes/issues/820">#820</a>)</li>
<li><a
href="d0293b0e35"><code>d0293b0</code></a>
Merge commit from fork</li>
<li>See full diff in <a
href="https://github.com/tokio-rs/bytes/compare/v1.11.0...v1.11.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=bytes&package-manager=cargo&previous-version=1.11.0&new-version=1.11.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-03 22:27:18 +00:00
Devon Hudson
3048ff8b26 1.147.0rc1 2026-02-03 08:56:37 -07:00
Renaud Allard
98a540a41d Fix a typo in check_dependencies.py which makes setuptools_rust a running dependency (#19417) 
### Pull Request Checklist

<!-- Please read
https://element-hq.github.io/synapse/latest/development/contributing_guide.html
before submitting your pull request -->

* [x] Pull request is based on the develop branch
* [x] [Code
style](https://element-hq.github.io/synapse/latest/code_style.html) is
correct (run the
[linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))

There is a typo in check_dependencies.py which makes setuptools_rust a
runtime requirement, but there is no need for it at runtime. This patch
solves the typo. I tested starting 1.146.0 with this patch and without
setuptools_rust and it starts correctly
 2026-02-03 15:40:20 +00:00
Olivier 'reivilibre
84d591934b Add notes that new experimental features should have associated tracking issues. (#19410) 
Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
 2026-02-03 15:33:39 +00:00
dependabot[bot]
065ff194c2 Bump serde_json from 1.0.145 to 1.0.148 in the patches group across 1 directory (#19391) 
Bumps the patches group with 1 update in the / directory:
[serde_json](https://github.com/serde-rs/json).

Updates `serde_json` from 1.0.145 to 1.0.148
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/serde-rs/json/releases">serde_json's
releases</a>.</em></p>
<blockquote>
<h2>v1.0.148</h2>
<ul>
<li>Update <code>zmij</code> dependency to 1.0</li>
</ul>
<h2>v1.0.147</h2>
<ul>
<li>Switch float-to-string algorithm from Ryū to Żmij for better f32 and
f64 serialization performance (<a
href="https://redirect.github.com/serde-rs/json/issues/1304">#1304</a>)</li>
</ul>
<h2>v1.0.146</h2>
<ul>
<li>Set fast_arithmetic=64 for riscv64 (<a
href="https://redirect.github.com/serde-rs/json/issues/1305">#1305</a>,
thanks <a
href="https://github.com/Xeonacid"><code>@​Xeonacid</code></a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8b291c4c56"><code>8b291c4</code></a>
Release 1.0.148</li>
<li><a
href="1aefe15273"><code>1aefe15</code></a>
Update to zmij 1.0</li>
<li><a
href="62d6e8d615"><code>62d6e8d</code></a>
Release 1.0.147</li>
<li><a
href="fd829a65be"><code>fd829a6</code></a>
Merge pull request <a
href="https://redirect.github.com/serde-rs/json/issues/1304">#1304</a>
from dtolnay/zmij</li>
<li><a
href="e757a3d881"><code>e757a3d</code></a>
Switch from ryu -&gt; zmij for float formatting</li>
<li><a
href="75ad7e6b4e"><code>75ad7e6</code></a>
Release 1.0.146</li>
<li><a
href="bc6c8276d9"><code>bc6c827</code></a>
Merge pull request <a
href="https://redirect.github.com/serde-rs/json/issues/1305">#1305</a>
from Xeonacid/patch-1</li>
<li><a
href="a09210adf5"><code>a09210a</code></a>
Set fast_arithmetic=64 for riscv64</li>
<li><a
href="01182e54b5"><code>01182e5</code></a>
Update actions/upload-artifact@v5 -&gt; v6</li>
<li><a
href="383b13a45f"><code>383b13a</code></a>
Update actions/upload-artifact@v4 -&gt; v5</li>
<li>Additional commits viewable in <a
href="https://github.com/serde-rs/json/compare/v1.0.145...v1.0.148">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=serde_json&package-manager=cargo&previous-version=1.0.145&new-version=1.0.148)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Devon Hudson <devonhudson@librem.one>
 2026-02-03 00:19:25 +00:00
dependabot[bot]
e59e549094 Bump actions/setup-go from 6.1.0 to 6.2.0 in the minor-and-patches group (#19423) 
Bumps the minor-and-patches group with 1 update:
[actions/setup-go](https://github.com/actions/setup-go).

Updates `actions/setup-go` from 6.1.0 to 6.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-go/releases">actions/setup-go's
releases</a>.</em></p>
<blockquote>
<h2>v6.2.0</h2>
<h2>What's Changed</h2>
<h3>Enhancements</h3>
<ul>
<li>Example for restore-only cache in documentation by <a
href="https://github.com/aparnajyothi-y"><code>@​aparnajyothi-y</code></a>
in <a
href="https://redirect.github.com/actions/setup-go/pull/696">actions/setup-go#696</a></li>
<li>Update Node.js version in action.yml by <a
href="https://github.com/ccoVeille"><code>@​ccoVeille</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/691">actions/setup-go#691</a></li>
<li>Documentation update of actions/checkout by <a
href="https://github.com/deining"><code>@​deining</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/683">actions/setup-go#683</a></li>
</ul>
<h3>Dependency updates</h3>
<ul>
<li>Upgrade js-yaml from 3.14.1 to 3.14.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/682">actions/setup-go#682</a></li>
<li>Upgrade <code>@​actions/cache</code> to v5 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/695">actions/setup-go#695</a></li>
<li>Upgrade actions/checkout from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/686">actions/setup-go#686</a></li>
<li>Upgrade qs from 6.14.0 to 6.14.1 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-go/pull/703">actions/setup-go#703</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/ccoVeille"><code>@​ccoVeille</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/setup-go/pull/691">actions/setup-go#691</a></li>
<li><a href="https://github.com/deining"><code>@​deining</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/setup-go/pull/683">actions/setup-go#683</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-go/compare/v6...v6.2.0">https://github.com/actions/setup-go/compare/v6...v6.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7a3fe6cf4c"><code>7a3fe6c</code></a>
Bump qs from 6.14.0 to 6.14.1 (<a
href="https://redirect.github.com/actions/setup-go/issues/703">#703</a>)</li>
<li><a
href="b9adafd441"><code>b9adafd</code></a>
Bump actions/checkout from 5 to 6 (<a
href="https://redirect.github.com/actions/setup-go/issues/686">#686</a>)</li>
<li><a
href="d73f6bcfc2"><code>d73f6bc</code></a>
README.md: correct to actions/checkout@v6 (<a
href="https://redirect.github.com/actions/setup-go/issues/683">#683</a>)</li>
<li><a
href="ae252ee6fb"><code>ae252ee</code></a>
Bump <code>@​actions/cache</code> to v5 (<a
href="https://redirect.github.com/actions/setup-go/issues/695">#695</a>)</li>
<li><a
href="bf7446afaf"><code>bf7446a</code></a>
Bump js-yaml from 3.14.1 to 3.14.2 (<a
href="https://redirect.github.com/actions/setup-go/issues/682">#682</a>)</li>
<li><a
href="02aadfee7f"><code>02aadfe</code></a>
Fix Node.js version in action.yml (<a
href="https://redirect.github.com/actions/setup-go/issues/691">#691</a>)</li>
<li><a
href="4aaadf4266"><code>4aaadf4</code></a>
Example for restore-only cache in documentation (<a
href="https://redirect.github.com/actions/setup-go/issues/696">#696</a>)</li>
<li>See full diff in <a
href="4dc6199c7b...7a3fe6cf4c">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-go&package-manager=github_actions&previous-version=6.1.0&new-version=6.2.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-02 23:22:15 +00:00
Erik Johnston
0dfcffab0f Fix looping calls not getting GCed. (#19416) 
The `Clock` tracks looping calls to allow cancelling of all looping
calls. However, this stopped them from getting garbage collected.

This was introduced in https://github.com/element-hq/synapse/pull/18828

Fixes https://github.com/element-hq/synapse/issues/19392
 2026-01-30 10:26:53 +00:00
razvp
d02796fcc4 Bump pyo3 from 0.26.0 to 0.27.2 and pythonize from 0.26.0 to 0.27.0 (#19412) 
Hello,

I'm writing on behalf of the Citadel product developed by ERCOM.

This PR bumps `pyo3` from 0.26.0 to 0.27.2 and `pythonize` from 0.26.0
to 0.27.0.
For the code migration I followed the guide found here:
[link](https://pyo3.rs/v0.27.0/migration.html).
 2026-01-28 16:12:34 +00:00
dependabot[bot]
ede0f4f56b Bump python-multipart from 0.0.20 to 0.0.22 (#19411) 
Bumps [python-multipart](https://github.com/Kludex/python-multipart)
from 0.0.20 to 0.0.22.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/python-multipart/releases">python-multipart's
releases</a>.</em></p>
<blockquote>
<h2>Version 0.0.22</h2>
<h2>What's Changed</h2>
<ul>
<li>Drop directory path from filename in <code>File</code> <a
href="9433f4bbc9">9433f4b</a>.</li>
</ul>
<hr />
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/python-multipart/compare/0.0.21...0.0.22">https://github.com/Kludex/python-multipart/compare/0.0.21...0.0.22</a></p>
<h2>Version 0.0.21</h2>
<h2>What's Changed</h2>
<ul>
<li>Add support for Python 3.14 and drop EOL 3.8 and 3.9 by <a
href="https://github.com/hugovk"><code>@​hugovk</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/216">Kludex/python-multipart#216</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/waketzheng"><code>@​waketzheng</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/203">Kludex/python-multipart#203</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/python-multipart/compare/0.0.20...0.0.21">https://github.com/Kludex/python-multipart/compare/0.0.20...0.0.21</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md">python-multipart's
changelog</a>.</em></p>
<blockquote>
<h2>0.0.22 (2026-01-25)</h2>
<ul>
<li>Drop directory path from filename in <code>File</code> <a
href="9433f4bbc9">9433f4b</a>.</li>
</ul>
<h2>0.0.21 (2025-12-17)</h2>
<ul>
<li>Add support for Python 3.14 and drop EOL 3.8 and 3.9 <a
href="https://redirect.github.com/Kludex/python-multipart/pull/216">#216</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="bea7bbb290"><code>bea7bbb</code></a>
Version 0.0.22 (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/222">#222</a>)</li>
<li><a
href="0fb59a9df0"><code>0fb59a9</code></a>
chore: add return type on test (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/221">#221</a>)</li>
<li><a
href="9433f4bbc9"><code>9433f4b</code></a>
Merge commit from fork</li>
<li><a
href="d5c91ecb0a"><code>d5c91ec</code></a>
Bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/219">#219</a>)</li>
<li><a
href="5a90631b48"><code>5a90631</code></a>
bump uv (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/218">#218</a>)</li>
<li><a
href="1f72955602"><code>1f72955</code></a>
Version 0.0.21 (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/217">#217</a>)</li>
<li><a
href="47ecfed353"><code>47ecfed</code></a>
Add support for Python 3.14 and drop EOL 3.8 and 3.9 (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/216">#216</a>)</li>
<li><a
href="f18b70941b"><code>f18b709</code></a>
Bump the github-actions group across 1 directory with 4 updates (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/214">#214</a>)</li>
<li><a
href="b388e9a7a8"><code>b388e9a</code></a>
chore: use depedency-groups in <code>pyproject.toml</code> (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/212">#212</a>)</li>
<li><a
href="6113e75097"><code>6113e75</code></a>
Bump the github-actions group across 1 directory with 3 updates (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/210">#210</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Kludex/python-multipart/compare/0.0.20...0.0.22">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=python-multipart&package-manager=pip&previous-version=0.0.20&new-version=0.0.22)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/element-hq/synapse/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-01-27 23:08:00 +00:00
Devon Hudson
9ad3f0c80f Merge branch 'master' into develop 2026-01-27 09:13:04 -07:00
Devon Hudson
53e8a3c14a 1.146.0 2026-01-27 08:45:02 -07:00
dependabot[bot]
e7dd5d3cfb Bump actions/checkout from 6.0.1 to 6.0.2 in the minor-and-patches group (#19407) 
Bumps the minor-and-patches group with 1 update:
[actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 6.0.1 to 6.0.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID
is set by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2355">actions/checkout#2355</a></li>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.1...v6.0.2">https://github.com/actions/checkout/compare/v6.0.1...v6.0.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@​motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@​mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@​benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<h2>v4.2.0</h2>
<ul>
<li>Add Ref and Commit outputs by <a
href="https://github.com/lucacome"><code>@​lucacome</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li>
<li>Dependency updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>- <a
href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>,
<a
href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li>
</ul>
<h2>v4.1.7</h2>
<ul>
<li>Bump the minor-npm-dependencies group across 1 directory with 4
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li>
<li>Bump actions/checkout from 3 to 4 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li>
<li>Check out other refs/* by commit by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li>
<li>Pin actions/checkout's own workflows to a known, good, stable
version. by <a href="https://github.com/jww3"><code>@​jww3</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1776">actions/checkout#1776</a></li>
</ul>
<h2>v4.1.6</h2>
<ul>
<li>Check platform to set archive extension appropriately by <a
href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1732">actions/checkout#1732</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="de0fac2e45"><code>de0fac2</code></a>
Fix tag handling: preserve annotations and explicit fetch-tags (<a
href="https://redirect.github.com/actions/checkout/issues/2356">#2356</a>)</li>
<li><a
href="064fe7f331"><code>064fe7f</code></a>
Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is
set (...</li>
<li>See full diff in <a
href="8e8c483db8...de0fac2e45">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=6.0.1&new-version=6.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-01-26 16:05:24 +00:00
Andrew Morgan
24df0edb5f Limit health endpoint to /health$ (#19405) 2026-01-26 12:27:26 +00:00