synapse/CHANGES.md

Synapse 1.131.0 (2025-06-03)

No significant changes since 1.131.0rc1.

Synapse 1.131.0rc1 (2025-05-28)

Features

• Add msc4263_limit_key_queries_to_users_who_share_rooms config option as per MSC4263. (#18180)
• Add option to allow registrations that begin with _. Contributed by _ (@hex5f). (#18262)
• Include room ID in response to the Room Deletion Status Admin API. (#18318)
• Add support for calling Policy Servers (MSC4284) to mark events as spam. (#18387)

Bugfixes

• Prevent race-condition in _maybe_retry_device_resync entrance. (#18391)
• Fix the tests.handlers.test_worker_lock.WorkerLockTestCase.test_lock_contention test which could spuriously time out on RISC-V architectures due to performance differences. (#18430)
• Fix admin redaction endpoint not redacting encrypted messages. (#18434)

Improved Documentation

• Update room_list_publication_rules docs to consider defaults that changed in v1.126.0. Contributed by @HarHarLinks. (#18286)
• Add advice for upgrading between major PostgreSQL versions to the database documentation. (#18445)

Internal Changes

• Fix a memory leak in _NotifierUserStream. (#18380)
• Fix a couple type annotations in the RootConfig/Config. (#18409)
• Explicitly enable PyPy builds in cibuildwheels config to avoid it being disabled on a future upgrade to cibuildwheel v3. (#18417)
• Update the PR review template to remove an erroneous line break from the final bullet point. (#18419)
• Explain why we flush_buffer() for Python print(...) output. (#18420)
• Add lint to ensure we don't add a CREATE/DROP INDEX in a schema delta. (#18440)
• Allow checking only for the existence of a field in an SSO provider's response, rather than requiring the value(s) to check. (#18454)
• Add unit tests for homeserver usage statistics. (#18463)
• Don't move invited users to new room when shutting down room. (#18471)

Updates to locked dependencies

• Bump actions/setup-python from 5.5.0 to 5.6.0. (#18398)
• Bump authlib from 1.5.1 to 1.5.2. (#18452)
• Bump docker/build-push-action from 6.15.0 to 6.17.0. (#18397, #18449)
• Bump lxml from 5.3.0 to 5.4.0. (#18480)
• Bump mypy-zope from 1.0.9 to 1.0.11. (#18428)
• Bump pyo3 from 0.23.5 to 0.24.2. (#18460)
• Bump pyo3-log from 0.12.3 to 0.12.4. (#18453)
• Bump pyopenssl from 25.0.0 to 25.1.0. (#18450)
• Bump ruff from 0.7.3 to 0.11.11. (#18451, #18482)
• Bump tornado from 6.4.2 to 6.5.0. (#18459)
• Bump setuptools from 72.1.0 to 78.1.1. (#18461)
• Bump types-jsonschema from 4.23.0.20241208 to 4.23.0.20250516. (#18481)
• Bump types-requests from 2.32.0.20241016 to 2.32.0.20250328. (#18427)

Synapse 1.130.0 (2025-05-20)

Bugfixes

• Fix startup being blocked on creating a new index that was introduced in v1.130.0rc1. (#18439)
• Fix the ordering of local messages in rooms that were affected by GHSA-v56r-hwv5-mxg6. (#18447)

Synapse 1.130.0rc1 (2025-05-13)

Features

• Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks. (#18214)
• Add config option user_directory.exclude_remote_users which, when enabled, excludes remote users from user directory search results. (#18300)
• Add support for handling GET /devices/ on workers. (#18355)

Bugfixes

• Fix a longstanding bug where Synapse would immediately retry a failing push endpoint when a new event is received, ignoring any backoff timers. (#18363)
• Pass leave from remote invite rejection down Sliding Sync. (#18375)

Updates to the Docker image

• In configure_workers_and_start.py, use the same absolute path of Python in the interpreter shebang, and invoke child Python processes with sys.executable. (#18291)
• Optimize the build of the workers image. (#18292)
• In start_for_complement.sh, replace some external program calls with shell builtins. (#18293)
• When generating container scripts from templates, don't add a leading newline so that their shebangs may be handled correctly. (#18295)

Improved Documentation

• Improve formatting of the README file. (#18218)
• Add documentation for configuring Pocket ID as an OIDC provider. (#18237)
• Fix typo in docs about the push config option. Contributed by @HarHarLinks. (#18320)
• Add /_matrix/federation/v1/version to list of federation endpoints that can be handled by workers. (#18377)
• Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks. (#18384)

Internal Changes

• Return specific error code when adding an email address / phone number to account is not supported (MSC4178). (#17578)
• Stop auto-provisionning missing users & devices when delegating auth to Matrix Authentication Service. Requires MAS 0.13.0 or later. (#18181)
• Apply file hashing and existing quarantines to media downloaded for URL previews. (#18297)
• Allow a few admin APIs used by matrix-authentication-service to run on workers. (#18313)
• Apply should_drop_federated_event to federation invites. (#18330)
• Allow /rooms/ admin API to be run on workers. (#18360)
• Minor performance improvements to the notifier. (#18367)
• Slight performance increase when using the ratelimiter. (#18369)
• Don't validate the at_hash (access token hash) field in OIDC ID Tokens if we don't end up actually using the OIDC Access Token. (#18374, #18385)
• Fixed test failures when using authlib 1.5.2. (#18390)
• Refactor MSC4186 Simplified Sliding Sync room list tests to cover both new and fallback logic paths. (#18399)

Updates to locked dependencies

• Bump actions/add-to-project from 280af8ae1f83a494cfad2cb10f02f6d13529caa9 to 5b1a254a3546aef88e0a7724a77a623fa2e47c36. (#18365)
• Bump actions/download-artifact from 4.2.1 to 4.3.0. (#18364)
• Bump actions/setup-go from 5.4.0 to 5.5.0. (#18426)
• Bump anyhow from 1.0.97 to 1.0.98. (#18336)
• Bump packaging from 24.2 to 25.0. (#18393)
• Bump pillow from 11.1.0 to 11.2.1. (#18429)
• Bump pydantic from 2.10.3 to 2.11.4. (#18394)
• Bump pyo3-log from 0.12.2 to 0.12.3. (#18317)
• Bump pyopenssl from 24.3.0 to 25.0.0. (#18315)
• Bump sha2 from 0.10.8 to 0.10.9. (#18395)
• Bump sigstore/cosign-installer from 3.8.1 to 3.8.2. (#18366)
• Bump softprops/action-gh-release from 1 to 2. (#18264)
• Bump stefanzweifel/git-auto-commit-action from 5.1.0 to 5.2.0. (#18354)
• Bump txredisapi from 1.4.10 to 1.4.11. (#18392)
• Bump types-jsonschema from 4.23.0.20240813 to 4.23.0.20241208. (#18305)
• Bump types-psycopg2 from 2.9.21.20250121 to 2.9.21.20250318. (#18316)

Synapse 1.129.0 (2025-05-06)

No significant changes since 1.129.0rc2.

Synapse 1.129.0rc2 (2025-04-30)

Synapse 1.129.0rc1 was never formally released due to regressions discovered during the release process. 1.129.0rc2 fixes those regressions by reverting the affected PRs.

Internal Changes

• Revert the slow background update introduced by #18068 in v1.128.0. (#18372)
• Revert "Add total event, unencrypted message, and e2ee event counts to stats reporting", added in v1.129.0rc1. (#18373)

Synapse 1.129.0rc1 (2025-04-15)

Features

• Add passthrough_authorization_parameters in OIDC configuration to allow passing parameters to the authorization grant URL. (#18232)
• Add total_event_count, total_message_count, and total_e2ee_event_count fields to the homeserver usage statistics. (#18260)

Bugfixes

• Fix force_tracing_for_users config when using delegated auth. (#18334)
• Fix the token introspection cache logging access tokens when MAS integration is in use. (#18335)
• Stop caching introspection failures when delegating auth to MAS. (#18339)
• Fix ExternalIDReuse exception after migrating to MAS on workers with a high traffic. (#18342)
• Fix minor performance regression caused by tracking of room participation. Regressed in v1.128.0. (#18345)

Updates to the Docker image

• Optimize the build of the complement-synapse image. (#18294)

Internal Changes

• Disable statement timeout during room purge. (#18133)
• Add cache to storage functions used to auth requests when using delegated auth. (#18337)

Synapse 1.128.0 (2025-04-08)

No significant changes since 1.128.0rc1.

Synapse 1.128.0rc1 (2025-04-01)

Features

• Add an access token introspection cache to make Matrix Authentication Service integration (MSC3861) more efficient. (#18231)
• Add background job to clear unreferenced state groups. (#18254)
• Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)

Bugfixes

• Add index to sliding sync (MSC4186) membership snapshot table, to fix a performance issue. (#18074)

Updates to the Docker image

• Specify the architecture of installed packages via an APT config option, which is more reliable than appending package names with :{arch}. (#18271)
• Always specify base image debian versions with a build argument. (#18272)
• Allow passing arguments to start_for_complement.sh (to be sent to configure_workers_and_start.py). (#18273)
• Make some improvements to the prefix-log script in the workers image. (#18274)
• Use uv pip to install supervisor in the worker image. (#18275)
• Avoid needing to download & use rsync in a build layer. (#18287)

Improved Documentation

• Fix how to obtain access token and change naming from riot to element (#18225)
• Correct a small typo in the SSO mapping providers documentation. (#18276)
• Add docs for how to clear out the Poetry wheel cache. (#18283)

Internal Changes

• Add a column participant to room_memberships table. (#18068)
• Update Poetry to 2.1.1, including updating the lock file version. (#18251)
• Pin GitHub Actions dependencies by commit hash. (#18255)
• Add DB delta to remove the old state group deletion job. (#18284)

Updates to locked dependencies

• Bump actions/add-to-project from f5473ace9aeee8b97717b281e26980aa5097023f to 280af8ae1f83a494cfad2cb10f02f6d13529caa9. (#18303)
• Bump actions/cache from 4.2.2 to 4.2.3. (#18266)
• Bump actions/download-artifact from 4.2.0 to 4.2.1. (#18268)
• Bump actions/setup-python from 5.4.0 to 5.5.0. (#18298)
• Bump actions/upload-artifact from 4.6.1 to 4.6.2. (#18304)
• Bump authlib from 1.4.1 to 1.5.1. (#18306)
• Bump dawidd6/action-download-artifact from 8 to 9. (#18204)
• Bump jinja2 from 3.1.5 to 3.1.6. (#18223)
• Bump log from 0.4.26 to 0.4.27. (#18267)
• Bump phonenumbers from 8.13.50 to 9.0.2. (#18299)
• Bump pygithub from 2.5.0 to 2.6.1. (#18243)
• Bump pyo3-log from 0.12.1 to 0.12.2. (#18269)

Synapse 1.127.1 (2025-03-26)

Security

• Fix CVE-2025-30355 / GHSA-v56r-hwv5-mxg6. High severity vulnerability affecting federation. The vulnerability has been exploited in the wild.

Synapse 1.127.0 (2025-03-25)

No significant changes since 1.127.0rc1.

Synapse 1.127.0rc1 (2025-03-18)

Features

• Update MSC4140 implementation to no longer cancel a user's own delayed state events with an event type & state key that match a more recent state event sent by that user. (#17810)

Improved Documentation

• Fixed a minor typo in the Synapse documentation. Contributed by @karuto12. (#18224)

Internal Changes

• Remove undocumented SYNAPSE_USE_FROZEN_DICTS environment variable. (#18123)
• Fix detection of workflow failures in the release script. (#18211)
• Add caching support to media endpoints. (#18235)

Updates to locked dependencies

• Bump anyhow from 1.0.96 to 1.0.97. (#18201)
• Bump bcrypt from 4.2.1 to 4.3.0. (#18207)
• Bump bytes from 1.10.0 to 1.10.1. (#18227)
• Bump http from 1.2.0 to 1.3.1. (#18245)
• Bump sentry-sdk from 2.19.2 to 2.22.0. (#18205)
• Bump serde from 1.0.218 to 1.0.219. (#18228)
• Bump serde_json from 1.0.139 to 1.0.140. (#18202)
• Bump ulid from 1.2.0 to 1.2.1. (#18246)

Synapse 1.126.0 (2025-03-11)

Administrators using the Debian/Ubuntu packages from packages.matrix.org, please check the relevant section in the upgrade notes as we have recently updated the expiry date on the repository's GPG signing key. The old version of the key will expire on 2025-03-15.

No significant changes since 1.126.0rc3.

Synapse 1.126.0rc3 (2025-03-07)

Bugfixes

• Revert the background job to clear unreferenced state groups (that was introduced in v1.126.0rc1), due to a suspected issue that causes increased disk usage. (#18222)

Synapse 1.126.0rc2 (2025-03-05)

Internal Changes

• Fix wheel building configuration in CI by installing libatomic1. (#18212, #18213)

Synapse 1.126.0rc1 (2025-03-04)

Synapse 1.126.0rc1 was not fully released due to an error in CI.

Features

• Define ratelimit configuration for delayed event management. (#18019)
• Add form_secret_path config option. (#18090)
• Add the --no-secrets-in-config command line option. (#18092)
• Add background job to clear unreferenced state groups. (#18154)
• Add support for specifying/overriding id_token_signing_alg_values_supported for an OpenID identity provider. (#18177)
• Add worker_replication_secret_path config option. (#18191)
• Add support for specifying/overriding redirect_uri in the authorization and token requests against an OpenID identity provider. (#18197)

Bugfixes

• Make sure we advertise registration as disabled when MSC3861 is enabled. (#17661)
• Prevent suspended users from sending encrypted messages. (#18157)
• Cleanup deleted state group references. (#18165)
• Fix MSC4108 QR-code login not working with some reverse-proxy setups. (#18178)
• Support device IDs that can't be represented in a scope when delegating auth to Matrix Authentication Service 0.15.0+. (#18174)

Updates to the Docker image

• Speed up the building of the Docker image. (#18038)

Improved Documentation

• Move incorrectly placed version indicator in User Event Redaction Admin API docs. (#18152)
• Document suspension Admin API. (#18162)

Deprecations and Removals

• Disable room list publication by default. (#18175)

Updates to locked dependencies

• Bump anyhow from 1.0.95 to 1.0.96. (#18187)
• Bump authlib from 1.4.0 to 1.4.1. (#18190)
• Bump click from 8.1.7 to 8.1.8. (#18189)
• Bump log from 0.4.25 to 0.4.26. (#18184)
• Bump pyo3-log from 0.12.0 to 0.12.1. (#18046)
• Bump serde from 1.0.217 to 1.0.218. (#18183)
• Bump serde_json from 1.0.138 to 1.0.139. (#18186)
• Bump sigstore/cosign-installer from 3.8.0 to 3.8.1. (#18185)
• Bump types-psycopg2 from 2.9.21.20241019 to 2.9.21.20250121. (#18188)

Synapse 1.125.0 (2025-02-25)

No significant changes since 1.125.0rc1.

Synapse 1.125.0rc1 (2025-02-18)

Features

• Add functionality to be able to use multiple values in SSO feature attribute_requirements. (#17949)
• Add experimental config options admin_token_path and client_secret_path for MSC3861. (#18004)
• Add get_current_time_msec() method to the module API for sound time comparisons with Synapse. (#18144)

Bugfixes

• Update the response when a client attempts to add an invalid email address to the user's account from a 500, to a 400 with error text. (#18125)
• Fix user directory search when using a legacy module with a check_username_for_spam callback. Broke in v1.122.0. (#18135)

Updates to the Docker image

• Add SYNAPSE_HTTP_PROXY/SYNAPSE_HTTPS_PROXY/SYNAPSE_NO_PROXY environment variables to pass through specifically to the Synapse process (instead of needing to apply http_proxy/https_proxy/no_proxy globally). (#18158)

Improved Documentation

• Add Oracle Linux 8 and 9 installation instructions. (#17436)
• Document missing server config options (daemonize, print_pidfile, user_agent_suffix, use_frozen_dicts, manhole). (#18122)
• Document consequences of replacing secrets. (#18138)
• Make burst_count field an integer in rc_presence config documentation example. (#18159)

Internal Changes

• Overload DatabasePool.simple_select_one_txn to return non-None when the allow_none parameter is False. (#17616)
• Python 3.8 EOL: compile native extensions with the 3.9 ABI and use typing hints from the standard library. (#17967)
• Add log message when worker lock timeouts get large. (#18124)
• Make it explicit that you can buy an AGPL-alternative commercial license from Element. (#18134)
• Fix the 'Fix linting' GitHub Actions workflow. (#18136)
• Do not log at the exception-level when clients provide empty since token to /sync API. (#18139)
• Reduce database load of user search when using large search terms. (#18172)

Updates to locked dependencies

• Bump bcrypt from 4.2.0 to 4.2.1. (#18127)
• Bump bytes from 1.9.0 to 1.10.0. (#18149)
• Bump gitpython from 3.1.43 to 3.1.44. (#18128)
• Bump hiredis from 3.0.0 to 3.1.0. (#18169)
• Bump serde_json from 1.0.137 to 1.0.138. (#18129)
• Bump service-identity from 24.1.0 to 24.2.0. (#18171)
• Bump sigstore/cosign-installer from 3.7.0 to 3.8.0. (#18147)
• Bump twine from 6.0.1 to 6.1.0. (#18170)
• Bump types-pyyaml from 6.0.12.20240917 to 6.0.12.20241230. (#18097)
• Bump ulid from 1.1.4 to 1.2.0. (#18148)

Synapse 1.124.0 (2025-02-11)

No significant changes since 1.124.0rc3.

Synapse 1.124.0rc3 (2025-02-07)

Bugfixes

• Fix regression in performance of sending events due to superfluous reads and locks. Introduced in v1.124.0rc1. (#18141)

Synapse 1.124.0rc2 (2025-02-05)

Bugfixes

• Fix regression where persisting events in some rooms could fail after a previous unclean shutdown. Introduced in v1.124.0rc1. (#18137)

Synapse 1.124.0rc1 (2025-02-04)

Bugfixes

• Add rate limit rc_presence.per_user. This prevents load from excessive presence updates sent by clients via sync api. Also rate limit /_matrix/client/v3/presence as per the spec. Contributed by @rda0. (#18000)
• Deactivated users will no longer automatically accept an invite when auto_accept_invites is enabled. (#18073)
• Fix join being denied after being invited over federation. Also fixes other out-of-band membership transitions. (#18075)
• Updates contributed docker-compose.yml file to PostgreSQL v15, as v12 is no longer supported by Synapse. Contributed by @maxkratz. (#18089)
• Fix rare edge case where state groups could be deleted while we are persisting new events that reference them. (#18107, #18130, #18131)
• Raise an error if someone is using an incorrect suffix in a config duration string. (#18112)
• Fix a bug where the Delete Room Admin API would fail if the block parameter was set to true and a worker other than the main process was configured to handle background tasks. (#18119)

Internal Changes

• Increase the length of the generated nonce parameter when perfoming OIDC logins to comply with the TI-Messenger spec. (#18109)

Updates to locked dependencies

• Bump dawidd6/action-download-artifact from 7 to 8. (#18108)
• Bump log from 0.4.22 to 0.4.25. (#18098)
• Bump python-multipart from 0.0.18 to 0.0.20. (#18096)
• Bump serde_json from 1.0.135 to 1.0.137. (#18099)
• Bump types-bleach from 6.1.0.20240331 to 6.2.0.20241123. (#18082)

Synapse 1.123.0 (2025-01-28)

No significant changes since 1.123.0rc1.

Synapse 1.123.0rc1 (2025-01-21)

Features

• Implement MSC4133 for custom profile fields. Contributed by @clokep. (#17488)
• Add a query parameter type to the Room State Admin API that filters the state event. (#18035)
• Support the new /auth_metadata endpoint defined in MSC2965. (#18093)

Bugfixes

• Fix membership caches not updating in state reset scenarios. (#17732)
• Fix rare race where on upgrade to v1.122.0 a long running database upgrade could lock out new events from being received or sent. (#18091)

Improved Documentation

• Document tls option for a worker instance in instance_map. (#18064)

Deprecations and Removals

• Remove the unstable MSC4151 implementation. The stable support remains, per Matrix 1.13. (#18052)

Internal Changes

• Increase invite rate limits (rc_invites.per_issuer) for Complement. (#18072)

Updates to locked dependencies

• Bump jinja2 from 3.1.4 to 3.1.5. (#18067)
• Bump mypy from 1.12.1 to 1.13.0. (#18083)
• Bump pillow from 11.0.0 to 11.1.0. (#18084)
• Bump pyo3 from 0.23.3 to 0.23.4. (#18079)
• Bump pyopenssl from 24.2.1 to 24.3.0. (#18062)
• Bump serde_json from 1.0.134 to 1.0.135. (#18081)
• Bump ulid from 1.1.3 to 1.1.4. (#18080)

Synapse 1.122.0 (2025-01-14)

Please note that this version of Synapse drops support for PostgreSQL 11 and 12. The minimum version of PostgreSQL supported is now version 13.

No significant changes since 1.122.0rc1.

Synapse 1.122.0rc1 (2025-01-07)

Deprecations and Removals

• Remove support for PostgreSQL 11 and 12. Contributed by @clokep. (#18034)

Features

• Added the email.tlsname config option. This allows specifying the domain name used to validate the SMTP server's TLS certificate separately from the email.smtp_host to connect to. (#17849)
• Module developers will have access to the user ID of the requester when adding check_username_for_spam callbacks to spam_checker_module_callbacks. Contributed by Wilson@Pangea.chat. (#17916)
• Add endpoints to the Admin API to fetch the number of invites the provided user has sent after a given timestamp, fetch the number of rooms the provided user has joined after a given timestamp, and get report IDs of event reports against a provided user (i.e. where the user was the sender of the reported event). (#17948)
• Support stable account suspension from MSC3823. (#17964)
• Add macaroon_secret_key_path config option. (#17983)

Bugfixes

• Fix bug when rejecting withdrew invite with a third_party_rules module, where the invite would be stuck for the client. (#17930)
• Properly purge state groups tables when purging a room with the Admin API. (#18024)
• Fix a bug preventing the admin redaction endpoint from working on messages from remote users. (#18029, #18043)

Improved Documentation

• Update synapse.app.generic_worker documentation to only recommend GET requests for stream writer routes by default, unless the worker is also configured as a stream writer. Contributed by @evoL. (#17954)
• Add documentation for the previously-undocumented last_seen_ts query parameter to the query user Admin API. (#17976)
• Improve documentation for the TaskScheduler class. (#17992)
• Fix example in reverse proxy docs to include server port. (#17994)
• Update Alpine Linux Synapse Package Maintainer within the installation instructions. (#17846)

Internal Changes

• Add RoomID & EventID rust types. (#17996)
• Fix various type errors across the codebase. (#17998)
• Disable DB statement timeout when doing a room purge since it can be quite long. (#18017)
• Remove some remaining uses of twisted.internet.defer.returnValue. Contributed by Colin Watson. (#18020)
• Refactor get_profile to no longer include fields with a value of None. (#18063)

Updates to locked dependencies

• Bump anyhow from 1.0.93 to 1.0.95. (#18012, #18045)
• Bump authlib from 1.3.2 to 1.4.0. (#18048)
• Bump dawidd6/action-download-artifact from 6 to 7. (#17981)
• Bump http from 1.1.0 to 1.2.0. (#18013)

• Bump mypy from 1.11.2 to 1.12.1. (#17999)

• Bump mypy-zope from 1.0.8 to 1.0.9. (#18047)
• Bump pillow from 10.4.0 to 11.0.0. (#18015)
• Bump pydantic from 2.9.2 to 2.10.3. (#18014)
• Bump pyicu from 2.13.1 to 2.14. (#18060)
• Bump pyo3 from 0.23.2 to 0.23.3. (#18001)
• Bump python-multipart from 0.0.16 to 0.0.18. (#17985)
• Bump sentry-sdk from 2.17.0 to 2.19.2. (#18061)
• Bump serde from 1.0.215 to 1.0.217. (#18031, #18059)
• Bump serde_json from 1.0.133 to 1.0.134. (#18044)
• Bump twine from 5.1.1 to 6.0.1. (#18049)

Changelogs for older versions can be found here.