25478 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Devon Hudson	438aa7c876	1.145.0rc4	2026-01-08 12:09:01 -07:00
Devon Hudson	15700e0a32	Only exclude .so files for sdist packaging	2026-01-08 11:22:59 -07:00
Devon Hudson	ade89c4317	1.145.0rc3	2026-01-07 15:33:27 -07:00
Devon Hudson	66b1daa679	Limit maturin includes to sdist packaging	2026-01-07 15:23:00 -07:00
Devon Hudson	ecd67df49d	1.145.0rc2	2026-01-07 10:11:44 -07:00
Devon Hudson	13dff90b5b	Fix sdist include formatting for maturin	2026-01-07 10:08:03 -07:00
Devon Hudson	16bc8c78ba	Update changelog after reverting PR	2026-01-06 14:49:09 -07:00
Devon Hudson	6ac61e4be4	Revert "Add an Admin API endpoint for listing quarantined media (#19268)" (#19351) ... Fixes #19349 This reverts commit 3f636386a6 (https://github.com/element-hq/synapse/pull/19268) as the DB migration was taking too long and blocking media access while it happened. See https://github.com/element-hq/synapse/issues/19349 for further information. ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters)) --------- Co-authored-by: Travis Ralston <travpc@gmail.com>	2026-01-06 14:46:58 -07:00
Devon Hudson	d6d1404a8e	Add nifty titles to top level deprecations	2026-01-06 09:49:48 -07:00
Devon Hudson	39f80296c5	1.145.0rc1	2026-01-06 09:38:44 -07:00
Olivier 'reivilibre	cd252db3f5	Transform events with client metadata before serialising in /event response. (#19340) ... Fix /event/ endpoint not transforming event with per-requester metadata Pass notif_event through filter_events_for_client \ Not aware of an actual issue here, but seems silly to bypass it Call it filter_and_transform_events_for_client to make it more obvious --------- Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>	2026-01-06 15:53:13 +00:00
Mathieu Velten	444bc56cda	Add rate limit conf to user directory endpoint (#19291) ... The goal is to avoid that an user could scrape the user directory too quickly.	2026-01-05 13:35:11 -06:00
dependabot[bot]	6b755f964b	Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#19334) ... Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5.0.0 to 6.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2>v6 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (<code>runs.using: node24</code>) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>Node.js 24</h3> <p>This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.</p> <h2>What's Changed</h2> <ul> <li>Upload Artifact Node 24 support by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/719">actions/upload-artifact#719</a></li> <li>fix: update <code>@​actions/artifact</code> for Node.js 24 punycode deprecation by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/744">actions/upload-artifact#744</a></li> <li>prepare release v6.0.0 for Node.js 24 support by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/745">actions/upload-artifact#745</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0">https://github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="b7c566a772"><code>b7c566a</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/745">#745</a> from actions/upload-artifact-v6-release</li> <li><a href="e516bc8500"><code>e516bc8</code></a> docs: correct description of Node.js 24 support in README</li> <li><a href="ddc45ed9bc"><code>ddc45ed</code></a> docs: update README to correct action name for Node.js 24 support</li> <li><a href="615b319bd2"><code>615b319</code></a> chore: release v6.0.0 for Node.js 24 support</li> <li><a href="017748b48f"><code>017748b</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/744">#744</a> from actions/fix-storage-blob</li> <li><a href="38d4c7997f"><code>38d4c79</code></a> chore: rebuild dist</li> <li><a href="7d27270e0c"><code>7d27270</code></a> chore: add missing license cache files for <code>@​actions/core</code>, <code>@​actions/io</code>, and mi...</li> <li><a href="5f643d3c94"><code>5f643d3</code></a> chore: update license files for <code>@​actions/artifact</code><a href="https://github.com/5"><code>@​5</code></a>.0.1 dependencies</li> <li><a href="1df1684032"><code>1df1684</code></a> chore: update package-lock.json with <code>@​actions/artifact</code><a href="https://github.com/5"><code>@​5</code></a>.0.1</li> <li><a href="b5b1a91840"><code>b5b1a91</code></a> fix: update <code>@​actions/artifact</code> to ^5.0.0 for Node.js 24 punycode fix</li> <li>Additional commits viewable in <a href="https://github.com/actions/upload-artifact/compare/v5...v6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Devon Hudson <devonhudson@librem.one>	2026-01-05 14:53:58 +00:00
dependabot[bot]	169d5b9590	Bump reqwest from 0.12.24 to 0.12.25 in the patches group (#19331) ... Bumps the patches group with 1 update: [reqwest](https://github.com/seanmonstar/reqwest). Updates `reqwest` from 0.12.24 to 0.12.25 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/seanmonstar/reqwest/releases">reqwest's releases</a>.</em></p> <blockquote> <h2>v0.12.25</h2> <h2>Highlights</h2> <ul> <li>Add <code>Error::is_upgrade()</code> to determine if the error was from an HTTP upgrade.</li> <li>Fix sending <code>Proxy-Authorization</code> if only username is configured.</li> <li>Fix sending <code>Proxy-Authorization</code> to HTTPS proxies when the target is HTTP.</li> <li>Refactor internal decompression handling to use tower-http.</li> </ul> <h2>What's Changed</h2> <ul> <li>tests: fix wasm timeout test with uncached response by <a href="https://github.com/seanmonstar"><code>@​seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2853">seanmonstar/reqwest#2853</a></li> <li>docs: document connection pooling behavior by <a href="https://github.com/vinzmyko"><code>@​vinzmyko</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2851">seanmonstar/reqwest#2851</a></li> <li>docs: document WASM client by <a href="https://github.com/vinzmyko"><code>@​vinzmyko</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2859">seanmonstar/reqwest#2859</a></li> <li>chore: minor improvement for docs by <a href="https://github.com/black5box"><code>@​black5box</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2862">seanmonstar/reqwest#2862</a></li> <li>fix: send <code>proxy-authorization</code> even with empty <code>password</code> by <a href="https://github.com/barjin"><code>@​barjin</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2868">seanmonstar/reqwest#2868</a></li> <li>feat(error): add <code>is_upgrade</code> method to detect protocol upgrade errors by <a href="https://github.com/0x676e67"><code>@​0x676e67</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2822">seanmonstar/reqwest#2822</a></li> <li>Use decompression from tower-http by <a href="https://github.com/ducaale"><code>@​ducaale</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2840">seanmonstar/reqwest#2840</a></li> <li>fix(proxy): forward Proxy-Authorization header to HTTPS proxies for HTTP targets by <a href="https://github.com/0x676e67"><code>@​0x676e67</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2872">seanmonstar/reqwest#2872</a></li> <li>v0.12.25 by <a href="https://github.com/seanmonstar"><code>@​seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2880">seanmonstar/reqwest#2880</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/vinzmyko"><code>@​vinzmyko</code></a> made their first contribution in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2851">seanmonstar/reqwest#2851</a></li> <li><a href="https://github.com/black5box"><code>@​black5box</code></a> made their first contribution in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2862">seanmonstar/reqwest#2862</a></li> <li><a href="https://github.com/barjin"><code>@​barjin</code></a> made their first contribution in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2868">seanmonstar/reqwest#2868</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/seanmonstar/reqwest/compare/v0.12.24...v0.12.25">https://github.com/seanmonstar/reqwest/compare/v0.12.24...v0.12.25</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md">reqwest's changelog</a>.</em></p> <blockquote> <h2>v0.12.25</h2> <ul> <li>Add <code>Error::is_upgrade()</code> to determine if the error was from an HTTP upgrade.</li> <li>Fix sending <code>Proxy-Authorization</code> if only username is configured.</li> <li>Fix sending <code>Proxy-Authorization</code> to HTTPS proxies when the target is HTTP.</li> <li>Refactor internal decompression handling to use tower-http.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="f156a9ffa7"><code>f156a9f</code></a> v0.12.25</li> <li><a href="fc1ff4fc2b"><code>fc1ff4f</code></a> fix(proxy): forward Proxy-Authorization header to HTTPS proxies for HTTP targ...</li> <li><a href="b7c37121c3"><code>b7c3712</code></a> Use decompression from tower-http (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2840">#2840</a>)</li> <li><a href="74e6f84152"><code>74e6f84</code></a> feat(error): add <code>is_upgrade</code> method to detect protocol upgrade errors (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2822">#2822</a>)</li> <li><a href="c0c06b7aef"><code>c0c06b7</code></a> fix: send <code>proxy-authorization</code> even with empty <code>password</code> (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2868">#2868</a>)</li> <li><a href="a2aa5a34e4"><code>a2aa5a3</code></a> chore: minor improvement for docs (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2862">#2862</a>)</li> <li><a href="9c4999d607"><code>9c4999d</code></a> docs: document WASM client (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2859">#2859</a>)</li> <li><a href="a97e1956dd"><code>a97e195</code></a> docs: document connection pooling behavior (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2851">#2851</a>)</li> <li><a href="e3093edad8"><code>e3093ed</code></a> tests: fix wasm timeout test with uncached response (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2853">#2853</a>)</li> <li>See full diff in <a href="https://github.com/seanmonstar/reqwest/compare/v0.12.24...v0.12.25">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-05 14:15:00 +00:00
dependabot[bot]	691e43bac9	Bump actions/cache from 4.3.0 to 5.0.1 (#19332) ... Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.1</h2> <blockquote> <p>[!IMPORTANT] <strong><code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>.</strong></p> <p>If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <hr /> <h1>v5.0.1</h1> <h2>What's Changed</h2> <ul> <li>fix: update <code>@​actions/cache</code> for Node.js 24 punycode deprecation by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1685">actions/cache#1685</a></li> <li>prepare release v5.0.1 by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1686">actions/cache#1686</a></li> </ul> <h1>v5.0.0</h1> <h2>What's Changed</h2> <ul> <li>Upgrade to use node24 by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1630">actions/cache#1630</a></li> <li>Prepare v5.0.0 release by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1684">actions/cache#1684</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.1">https://github.com/actions/cache/compare/v5...v5.0.1</a></p> <h2>v5.0.0</h2> <blockquote> <p>[!IMPORTANT] <strong><code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>.</strong></p> <p>If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <hr /> <h2>What's Changed</h2> <ul> <li>Upgrade to use node24 by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1630">actions/cache#1630</a></li> <li>Prepare v5.0.0 release by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1684">actions/cache#1684</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v4.3.0...v5.0.0">https://github.com/actions/cache/compare/v4.3.0...v5.0.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>Changelog</h2> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/cache@5.0.1</code> <a href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>4.3.0</h3> <ul> <li>Bump <code>@actions/cache</code> to <a href="https://redirect.github.com/actions/toolkit/pull/2132">v4.1.0</a></li> </ul> <h3>4.2.4</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.5</li> </ul> <h3>4.2.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.3 (obfuscates SAS token in debug logs for cache entries)</li> </ul> <h3>4.2.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.2</li> </ul> <h3>4.2.1</h3> <ul> <li>Bump <code>@actions/cache</code> to v4.0.1</li> </ul> <h3>4.2.0</h3> <p>TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. <a href="https://github.com/actions/cache">actions/cache</a> now integrates with the new cache service (v2) APIs.</p> <p>The new service will gradually roll out as of <strong>February 1st, 2025</strong>. The legacy service will also be sunset on the same date. Changes in these release are <strong>fully backward compatible</strong>.</p> <p><strong>We are deprecating some versions of this action</strong>. We recommend upgrading to version <code>v4</code> or <code>v3</code> as soon as possible before <strong>February 1st, 2025.</strong> (Upgrade instructions below).</p> <p>If you are using pinned SHAs, please use the SHAs of versions <code>v4.2.0</code> or <code>v3.4.0</code></p> <p>If you do not upgrade, all workflow runs using any of the deprecated <a href="https://github.com/actions/cache">actions/cache</a> will fail.</p> <p>Upgrading to the recommended versions will not break your workflows.</p> <h3>4.1.2</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="9255dc7a25"><code>9255dc7</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1686">#1686</a> from actions/cache-v5.0.1-release</li> <li><a href="8ff5423e8b"><code>8ff5423</code></a> chore: release v5.0.1</li> <li><a href="9233019a15"><code>9233019</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1685">#1685</a> from salmanmkc/node24-storage-blob-fix</li> <li><a href="b975f2bb84"><code>b975f2b</code></a> fix: add peer property to package-lock.json for dependencies</li> <li><a href="d0a0e18134"><code>d0a0e18</code></a> fix: update license files for <code>@​actions/cache</code>, fast-xml-parser, and strnum</li> <li><a href="74de208dcf"><code>74de208</code></a> fix: update <code>@​actions/cache</code> to ^5.0.1 for Node.js 24 punycode fix</li> <li><a href="ac7f1152ea"><code>ac7f115</code></a> peer</li> <li><a href="b0f846b50b"><code>b0f846b</code></a> fix: update <code>@​actions/cache</code> with storage-blob fix for Node.js 24 punycode depr...</li> <li><a href="a783357455"><code>a783357</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1684">#1684</a> from actions/prepare-cache-v5-release</li> <li><a href="3bb0d78750"><code>3bb0d78</code></a> docs: highlight v5 runner requirement in releases</li> <li>Additional commits viewable in <a href="0057852bfa...9255dc7a25">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-05 14:00:05 +00:00
dependabot[bot]	8f96a83d16	Bump actions/download-artifact from 6.0.0 to 7.0.0 (#19333) ... Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6.0.0 to 7.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (<code>runs.using: node24</code>) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>Node.js 24</h3> <p>This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.</p> <h2>What's Changed</h2> <ul> <li>Update GHES guidance to include reference to Node 20 version by <a href="https://github.com/patrikpolyak"><code>@​patrikpolyak</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/440">actions/download-artifact#440</a></li> <li>Download Artifact Node24 support by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/415">actions/download-artifact#415</a></li> <li>fix: update <code>@​actions/artifact</code> to fix Node.js 24 punycode deprecation by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/451">actions/download-artifact#451</a></li> <li>prepare release v7.0.0 for Node.js 24 support by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/452">actions/download-artifact#452</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/patrikpolyak"><code>@​patrikpolyak</code></a> made their first contribution in <a href="https://redirect.github.com/actions/download-artifact/pull/440">actions/download-artifact#440</a></li> <li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/download-artifact/pull/415">actions/download-artifact#415</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v6.0.0...v7.0.0">https://github.com/actions/download-artifact/compare/v6.0.0...v7.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="37930b1c2a"><code>37930b1</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/452">#452</a> from actions/download-artifact-v7-release</li> <li><a href="72582b9e0a"><code>72582b9</code></a> doc: update readme</li> <li><a href="0d2ec9d4cb"><code>0d2ec9d</code></a> chore: release v7.0.0 for Node.js 24 support</li> <li><a href="fd7ae8fda6"><code>fd7ae8f</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/451">#451</a> from actions/fix-storage-blob</li> <li><a href="d484700543"><code>d484700</code></a> chore: restore minimatch.dep.yml license file</li> <li><a href="03a808050e"><code>03a8080</code></a> chore: remove obsolete dependency license files</li> <li><a href="56fe6d904b"><code>56fe6d9</code></a> chore: update <code>@​actions/artifact</code> license file to 5.0.1</li> <li><a href="8e3ebc4ab4"><code>8e3ebc4</code></a> chore: update package-lock.json with <code>@​actions/artifact</code><a href="https://github.com/5"><code>@​5</code></a>.0.1</li> <li><a href="1e3c4b4d49"><code>1e3c4b4</code></a> fix: update <code>@​actions/artifact</code> to ^5.0.0 for Node.js 24 punycode fix</li> <li><a href="458627d354"><code>458627d</code></a> chore: use local <code>@​actions/artifact</code> package for Node.js 24 testing</li> <li>Additional commits viewable in <a href="018cc2cf5b...37930b1c2a">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-05 13:59:36 +00:00
Eric Eastwood	803e4b4d88	Make it more clear how shared_extra_conf is combined in our Docker configuration scripts (#19323) ... For reference, this PR used to include this whole `shared_config` block in the diff. But https://github.com/element-hq/synapse/pull/19324 was merged first which introduced parts of it already. Here is what this code used to look like: 566670c363/docker/configure_workers_and_start.py (L865-L868) --- Original context for why it was changed this way: https://github.com/matrix-org/synapse/pull/14921#discussion_r1126257933 Previously, this code made me question two things: 1. Do we actually use `worker_config["shared_extra_conf"]` in the templates? - At first glance, I couldn't see why we're updating `shared_extra_conf` here. It's not used in the `worker.yaml.j2` template so all of this seemed a bit pointless. - Turns out, updating `shared_extra_conf` itself is pointless and it's being done as a convenient place to mix the objects to get things right in `shared_config` (confusing). 1. Does it actually do anything? - Because `shared_config` starts out as an empty object, my first glance made me think we we're just updating with an empty object and then just re-assigning. But because we're in a loop, we actually accumulate the `shared_extra_conf` from each worker. I'm not sure whether I'm capturing my confusion well enough here but basically, this made me spend time trying to figure out what/why we're doing things this way and we can use a more clear pattern to accomplish the same thing. --- This change is spawning from looking at the `docker/configure_workers_and_start.py` script in order to add a metrics listener ([upcoming PR](https://github.com/element-hq/synapse/pull/19324)).	2026-01-02 12:08:37 -06:00
Eric Eastwood	9dae6cc595	Add a way to expose metrics from the Docker image (SYNAPSE_ENABLE_METRICS) (#19324) ... Spawning from wanting to [run a load test](https://github.com/element-hq/synapse-rust-apps/pull/397) against the Complement Docker image of Synapse and see metrics from the homeserver. ### Why not just provide your own homeserver config? Probably possible but it gets tricky when you try to use the workers variant of the Docker image (`docker/Dockerfile-workers`). The way to workaround it would probably be to `yq` edit everything in a script and change `/data/homeserver.yaml` and `/conf/workers/*.yaml` to add the `metrics` listener. And then modify `/conf/workers/shared.yaml` to add `enable_metrics: true`. Doesn't spark much joy.	2026-01-01 14:00:00 -06:00
Eric Eastwood	bd94152e06	Stream Complement progress and format logs in a separate step after all tests are done (#19326) ... This way we can see what's happening as the tests run instead of nothing until the end. Also useful to split the test output from the formatting so we can take the raw test output before formatting gobbles it all up. Same thing I did in https://github.com/element-hq/synapse-rust-apps/pull/361	2025-12-31 14:43:04 -06:00
Eric Eastwood	7a24fafbc3	Auto-formatting .github/workflows/tests.yml from VSCode (#19327)	2025-12-29 12:20:58 -06:00
dependabot[bot]	f79acff862	Bump log from 0.4.28 to 0.4.29 in the patches group (#19318) ... Bumps the patches group with 1 update: [log](https://github.com/rust-lang/log). Updates `log` from 0.4.28 to 0.4.29 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/log/releases">log's releases</a>.</em></p> <blockquote> <h2>0.4.29</h2> <h2>MSRV</h2> <p>This release increases <code>log</code>'s MSRV from <code>1.61.0</code> to <code>1.68.0</code>.</p> <h2>What's Changed</h2> <ul> <li>docs: Add missing impls from README.md by <a href="https://github.com/AldaronLau"><code>@​AldaronLau</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/703">rust-lang/log#703</a></li> <li>Point to new URLs for favicon and logo by <a href="https://github.com/AldaronLau"><code>@​AldaronLau</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/704">rust-lang/log#704</a></li> <li>perf: reduce llvm-lines of FromStr for <code>Level</code> and <code>LevelFilter</code> by <a href="https://github.com/dishmaker"><code>@​dishmaker</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/709">rust-lang/log#709</a></li> <li>Replace serde with serde_core by <a href="https://github.com/Thomasdezeeuw"><code>@​Thomasdezeeuw</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/712">rust-lang/log#712</a></li> <li>Fix clippy lints by <a href="https://github.com/Thomasdezeeuw"><code>@​Thomasdezeeuw</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/713">rust-lang/log#713</a></li> <li>Use GitHub Actions to install Rust and cargo-hack by <a href="https://github.com/Thomasdezeeuw"><code>@​Thomasdezeeuw</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/715">rust-lang/log#715</a></li> <li>Exclude old unstable_kv features from testing matrix by <a href="https://github.com/Thomasdezeeuw"><code>@​Thomasdezeeuw</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/716">rust-lang/log#716</a></li> <li>Fix up CI by <a href="https://github.com/KodrAus"><code>@​KodrAus</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/718">rust-lang/log#718</a></li> <li>Prepare for 0.4.29 release by <a href="https://github.com/KodrAus"><code>@​KodrAus</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/719">rust-lang/log#719</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/AldaronLau"><code>@​AldaronLau</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/703">rust-lang/log#703</a></li> <li><a href="https://github.com/dishmaker"><code>@​dishmaker</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/709">rust-lang/log#709</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rust-lang/log/compare/0.4.28...0.4.29">https://github.com/rust-lang/log/compare/0.4.28...0.4.29</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/log/blob/master/CHANGELOG.md">log's changelog</a>.</em></p> <blockquote> <h2>[0.4.29] - 2025-12-02</h2> <h2>What's Changed</h2> <ul> <li>perf: reduce llvm-lines of FromStr for <code>Level</code> and <code>LevelFilter</code> by <a href="https://github.com/dishmaker"><code>@​dishmaker</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/709">rust-lang/log#709</a></li> <li>Replace serde with serde_core by <a href="https://github.com/Thomasdezeeuw"><code>@​Thomasdezeeuw</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/712">rust-lang/log#712</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/AldaronLau"><code>@​AldaronLau</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/703">rust-lang/log#703</a></li> <li><a href="https://github.com/dishmaker"><code>@​dishmaker</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/709">rust-lang/log#709</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rust-lang/log/compare/0.4.28...0.4.29">https://github.com/rust-lang/log/compare/0.4.28...0.4.29</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="b1e2df7bce"><code>b1e2df7</code></a> Merge pull request <a href="https://redirect.github.com/rust-lang/log/issues/719">#719</a> from rust-lang/cargo/0.4.29</li> <li><a href="3fe1a546dc"><code>3fe1a54</code></a> prepare for 0.4.29 release</li> <li><a href="7a432d9ab5"><code>7a432d9</code></a> Merge pull request <a href="https://redirect.github.com/rust-lang/log/issues/718">#718</a> from rust-lang/ci/msrv</li> <li><a href="0689d56847"><code>0689d56</code></a> rebump msrv to 1.68.0</li> <li><a href="46b448e2a7"><code>46b448e</code></a> try drop msrv back to 1.61.0</li> <li><a href="929ab3812e"><code>929ab38</code></a> fix up doc test feature gate</li> <li><a href="957cece478"><code>957cece</code></a> bump serde-dependent crates</li> <li><a href="bea40c847c"><code>bea40c8</code></a> bump msrv to 1.68.0</li> <li><a href="c540184ee9"><code>c540184</code></a> Merge pull request <a href="https://redirect.github.com/rust-lang/log/issues/716">#716</a> from rust-lang/ci-smaller-matrix2</li> <li><a href="c971e636c4"><code>c971e63</code></a> Merge branch 'master' into ci-smaller-matrix2</li> <li>Additional commits viewable in <a href="https://github.com/rust-lang/log/compare/0.4.28...0.4.29">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-22 16:37:16 +00:00
dependabot[bot]	50fabc48c3	Bump actions/checkout from 6.0.0 to 6.0.1 in the minor-and-patches group (#19319) ... Bumps the minor-and-patches group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6.0.0 to 6.0.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v6.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update all references from v5 and v4 to v6 by <a href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2314">actions/checkout#2314</a></li> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> <li>Clarify v6 README by <a href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2328">actions/checkout#2328</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6...v6.0.1">https://github.com/actions/checkout/compare/v6...v6.0.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="8e8c483db8"><code>8e8c483</code></a> Clarify v6 README (<a href="https://redirect.github.com/actions/checkout/issues/2328">#2328</a>)</li> <li><a href="033fa0dc0b"><code>033fa0d</code></a> Add worktree support for persist-credentials includeIf (<a href="https://redirect.github.com/actions/checkout/issues/2327">#2327</a>)</li> <li><a href="c2d88d3ecc"><code>c2d88d3</code></a> Update all references from v5 and v4 to v6 (<a href="https://redirect.github.com/actions/checkout/issues/2314">#2314</a>)</li> <li>See full diff in <a href="1af3b93b68...8e8c483db8">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-22 16:04:03 +00:00
Eric Eastwood	41938d6fd2	Log the original bind exception when encountering Failed to listen on 0.0.0.0, continuing because listening on [::] (#19297) ... **Before:** ``` WARNING - call_when_running - Failed to listen on 0.0.0.0, continuing because listening on [::] ``` **After:** ``` WARNING - call_when_running - Failed to listen on 0.0.0.0, continuing because listening on [::]. Original exception: CannotListenError: Couldn't listen on 0.0.0.0:8008: [Errno 98] Address already in use. ```	2025-12-19 14:29:04 -06:00
Andrew Ferrazzutti	f4320b5a49	Admin API: worker support for Query User Account (#19281)	2025-12-16 17:42:08 +00:00
Tulir Asokan	3989d22a37	Implement pagination for MSC2666 (#19279) ... Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2025-12-16 15:24:36 +00:00
Joshua Goins	0395b71e25	Fix Mastodon URL previews not showing anything useful (#19231) ... Fixes #18444. Inside of UrlPreviewer, we need to combine two dicts (one from oEmbed, and one from OpenGraph metadata in the HTML) and in Mastodon's case they were very different. Single Page Applications (SPAs) seem to sometimes provide better information in the OpenGraph tags than the oEmbed stubs, because the oEmbed stubs are filled in with JavaScript that Synapse does not execute. This change improves previews on Mastodon and YouTube (for the same reason). Tested to not regress previews of Twitter or GitHub.	2025-12-16 13:02:29 +00:00
Denis Kasak	29fd0116a5	Improve proxy support for the federation_client.py dev script (#19300) ... Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2025-12-16 11:06:07 +00:00
Travis Ralston	0f2b29511f	Allow admins to bypass the quarantine check on media downloads (#19275) ... Co-authored-by: turt2live <1190097+turt2live@users.noreply.github.com> Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2025-12-15 17:23:33 +00:00
Andre Klärner	466994743a	Document importance of public_baseurl for delegation and OIDC (#19270) ... I just stumbled across the fact that my config used delegation as recommended by the docs, and hosted Synapse on a subdomain. However my config never had `public_baseurl` set and worked without issues, until I just now tried to setup OIDC. OIDC is initialized by the client instructing to open a URL on the homeserver, and initially the correct URL is called, but Synapse does not recognize it without `public_baseurl` being set correctly. After changing this it immediately started working. So in order to prevent anybody from making the same mistake, this adds a small clarifying block in the OIDC docs.	2025-12-12 18:07:39 -06:00
Devon Hudson	df24e0f302	Fix support for older versions of zope-interface (#19274) ... Fixes #19269 Versions of zope-interface from RHEL, Ubuntu LTS 22 & 24 and OpenSuse don't support the new python union `X | Y` syntax for interfaces. This PR partially reverts the change over to fully use the new syntax, adds a minimum supported version of zope-interface to Synapse's dependency list, and removes the linter auto-upgrades which prefer the newer syntax. ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters)) --------- Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2025-12-12 15:34:13 +00:00
Andrew Morgan	048629dd13	minor grammar fix ... context: https://github.com/element-hq/synapse/pull/19260#discussion_r2614227743	2025-12-12 13:36:34 +00:00
Mathieu Velten	7347cc436e	Add memberships admin API (#19260) ... Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2025-12-12 13:35:46 +00:00
Travis Ralston	3f636386a6	Add an Admin API endpoint for listing quarantined media (#19268) ... Co-authored-by: turt2live <1190097+turt2live@users.noreply.github.com> Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>	2025-12-12 13:30:21 +00:00
Andrew Morgan	1f7f16477d	Unpin Rust from 1.82.0 (#19302)	2025-12-12 11:31:55 +00:00
Erik Johnston	dfd00a986f	Fix sliding sync performance slow down for long lived connections. (#19206) ... Fixes https://github.com/element-hq/synapse/issues/19175 This PR moves tracking of what lazy loaded membership we've sent to each room out of the required state table. This avoids that table from continuously growing, which massively helps performance as we pull out all matching rows for the connection when we receive a request. The new table is only read when we have data in a room to send, so we end up reading a lot fewer rows from the DB. Though we now read from that table for every room we have events to return in, rather than once at the start of the request. For an explanation of how the new table works, see the [comment](https://github.com/element-hq/synapse/blob/erikj/sss_better_membership_storage2/synapse/storage/schema/main/delta/93/02_sliding_sync_members.sql#L15-L38) on the table schema. The table is designed so that we can later prune old entries if we wish, but that is not implemented in this PR. Reviewable commit-by-commit. --------- Co-authored-by: Eric Eastwood <erice@element.io>	2025-12-12 10:02:57 +00:00
Devon Hudson	cdf286d405	Use uv to test full set of minimum deps in CI (#19289) ... Stemming from #19274 this updates the `olddeps` CI to test against not just the minimum version of our explicit dependencies, but also the minimum version of all implicit (transitive) dependencies that are pulled in from the explicit dependencies themselves. ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))	2025-12-11 17:58:27 +00:00
Andrew Morgan	3aaa2e80b2	Switch the build backend from poetry-core to maturin (#19234)	2025-12-10 14:46:47 +00:00
dependabot[bot]	ba774e2311	Bump ruff from 0.14.5 to 0.14.6 in the minor-and-patches group across 1 directory (#19296) ... Bumps the minor-and-patches group with 1 update in the / directory: [ruff](https://github.com/astral-sh/ruff). Updates `ruff` from 0.14.5 to 0.14.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/astral-sh/ruff/releases">ruff's releases</a>.</em></p> <blockquote> <h2>0.14.6</h2> <h2>Release Notes</h2> <p>Released on 2025-11-21.</p> <h3>Preview features</h3> <ul> <li>[<code>flake8-bandit</code>] Support new PySNMP API paths (<code>S508</code>, <code>S509</code>) (<a href="https://redirect.github.com/astral-sh/ruff/pull/21374">#21374</a>)</li> </ul> <h3>Bug fixes</h3> <ul> <li>Adjust own-line comment placement between branches (<a href="https://redirect.github.com/astral-sh/ruff/pull/21185">#21185</a>)</li> <li>Avoid syntax error when formatting attribute expressions with outer parentheses, parenthesized value, and trailing comment on value (<a href="https://redirect.github.com/astral-sh/ruff/pull/20418">#20418</a>)</li> <li>Fix panic when formatting comments in unary expressions (<a href="https://redirect.github.com/astral-sh/ruff/pull/21501">#21501</a>)</li> <li>Respect <code>fmt: skip</code> for compound statements on a single line (<a href="https://redirect.github.com/astral-sh/ruff/pull/20633">#20633</a>)</li> <li>[<code>refurb</code>] Fix <code>FURB103</code> autofix (<a href="https://redirect.github.com/astral-sh/ruff/pull/21454">#21454</a>)</li> <li>[<code>ruff</code>] Fix false positive for complex conversion specifiers in <code>logging-eager-conversion</code> (<code>RUF065</code>) (<a href="https://redirect.github.com/astral-sh/ruff/pull/21464">#21464</a>)</li> </ul> <h3>Rule changes</h3> <ul> <li>[<code>ruff</code>] Avoid false positive on <code>ClassVar</code> reassignment (<code>RUF012</code>) (<a href="https://redirect.github.com/astral-sh/ruff/pull/21478">#21478</a>)</li> </ul> <h3>CLI</h3> <ul> <li>Render hyperlinks for lint errors (<a href="https://redirect.github.com/astral-sh/ruff/pull/21514">#21514</a>)</li> <li>Add a <code>ruff analyze</code> option to skip over imports in <code>TYPE_CHECKING</code> blocks (<a href="https://redirect.github.com/astral-sh/ruff/pull/21472">#21472</a>)</li> </ul> <h3>Documentation</h3> <ul> <li>Limit <code>eglot-format</code> hook to eglot-managed Python buffers (<a href="https://redirect.github.com/astral-sh/ruff/pull/21459">#21459</a>)</li> <li>Mention <code>force-exclude</code> in &quot;Configuration &gt; Python file discovery&quot; (<a href="https://redirect.github.com/astral-sh/ruff/pull/21500">#21500</a>)</li> </ul> <h3>Contributors</h3> <ul> <li><a href="https://github.com/ntBre"><code>@​ntBre</code></a></li> <li><a href="https://github.com/dylwil3"><code>@​dylwil3</code></a></li> <li><a href="https://github.com/gauthsvenkat"><code>@​gauthsvenkat</code></a></li> <li><a href="https://github.com/MichaReiser"><code>@​MichaReiser</code></a></li> <li><a href="https://github.com/thamer"><code>@​thamer</code></a></li> <li><a href="https://github.com/Ruchir28"><code>@​Ruchir28</code></a></li> <li><a href="https://github.com/thejcannon"><code>@​thejcannon</code></a></li> <li><a href="https://github.com/danparizher"><code>@​danparizher</code></a></li> <li><a href="https://github.com/chirizxc"><code>@​chirizxc</code></a></li> </ul> <h2>Install ruff 0.14.6</h2> <h3>Install prebuilt binaries via shell script</h3> <pre lang="sh"><code>curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.14.6/ruff-installer.sh | sh &lt;/tr&gt;&lt;/table&gt; </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md">ruff's changelog</a>.</em></p> <blockquote> <h2>0.14.6</h2> <p>Released on 2025-11-21.</p> <h3>Preview features</h3> <ul> <li>[<code>flake8-bandit</code>] Support new PySNMP API paths (<code>S508</code>, <code>S509</code>) (<a href="https://redirect.github.com/astral-sh/ruff/pull/21374">#21374</a>)</li> </ul> <h3>Bug fixes</h3> <ul> <li>Adjust own-line comment placement between branches (<a href="https://redirect.github.com/astral-sh/ruff/pull/21185">#21185</a>)</li> <li>Avoid syntax error when formatting attribute expressions with outer parentheses, parenthesized value, and trailing comment on value (<a href="https://redirect.github.com/astral-sh/ruff/pull/20418">#20418</a>)</li> <li>Fix panic when formatting comments in unary expressions (<a href="https://redirect.github.com/astral-sh/ruff/pull/21501">#21501</a>)</li> <li>Respect <code>fmt: skip</code> for compound statements on a single line (<a href="https://redirect.github.com/astral-sh/ruff/pull/20633">#20633</a>)</li> <li>[<code>refurb</code>] Fix <code>FURB103</code> autofix (<a href="https://redirect.github.com/astral-sh/ruff/pull/21454">#21454</a>)</li> <li>[<code>ruff</code>] Fix false positive for complex conversion specifiers in <code>logging-eager-conversion</code> (<code>RUF065</code>) (<a href="https://redirect.github.com/astral-sh/ruff/pull/21464">#21464</a>)</li> </ul> <h3>Rule changes</h3> <ul> <li>[<code>ruff</code>] Avoid false positive on <code>ClassVar</code> reassignment (<code>RUF012</code>) (<a href="https://redirect.github.com/astral-sh/ruff/pull/21478">#21478</a>)</li> </ul> <h3>CLI</h3> <ul> <li>Render hyperlinks for lint errors (<a href="https://redirect.github.com/astral-sh/ruff/pull/21514">#21514</a>)</li> <li>Add a <code>ruff analyze</code> option to skip over imports in <code>TYPE_CHECKING</code> blocks (<a href="https://redirect.github.com/astral-sh/ruff/pull/21472">#21472</a>)</li> </ul> <h3>Documentation</h3> <ul> <li>Limit <code>eglot-format</code> hook to eglot-managed Python buffers (<a href="https://redirect.github.com/astral-sh/ruff/pull/21459">#21459</a>)</li> <li>Mention <code>force-exclude</code> in &quot;Configuration &gt; Python file discovery&quot; (<a href="https://redirect.github.com/astral-sh/ruff/pull/21500">#21500</a>)</li> </ul> <h3>Contributors</h3> <ul> <li><a href="https://github.com/ntBre"><code>@​ntBre</code></a></li> <li><a href="https://github.com/dylwil3"><code>@​dylwil3</code></a></li> <li><a href="https://github.com/gauthsvenkat"><code>@​gauthsvenkat</code></a></li> <li><a href="https://github.com/MichaReiser"><code>@​MichaReiser</code></a></li> <li><a href="https://github.com/thamer"><code>@​thamer</code></a></li> <li><a href="https://github.com/Ruchir28"><code>@​Ruchir28</code></a></li> <li><a href="https://github.com/thejcannon"><code>@​thejcannon</code></a></li> <li><a href="https://github.com/danparizher"><code>@​danparizher</code></a></li> <li><a href="https://github.com/chirizxc"><code>@​chirizxc</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="59c6cb521d"><code>59c6cb5</code></a> Bump 0.14.6 (<a href="https://redirect.github.com/astral-sh/ruff/issues/21558">#21558</a>)</li> <li><a href="54dba15088"><code>54dba15</code></a> [ty] Improve debug messages when imports fail (<a href="https://redirect.github.com/astral-sh/ruff/issues/21555">#21555</a>)</li> <li><a href="1af318534a"><code>1af3185</code></a> [ty] Add support for relative import completions</li> <li><a href="553e568624"><code>553e568</code></a> [ty] Refactor detection of import statements for completions</li> <li><a href="cdef3f5ab8"><code>cdef3f5</code></a> [ty] Use dedicated collector for completions</li> <li><a href="6178822427"><code>6178822</code></a> [ty] Attach subdiagnostics to <code>unresolved-import</code> errors for relative imports...</li> <li><a href="6b7adb0537"><code>6b7adb0</code></a> [ty] support PEP 613 type aliases (<a href="https://redirect.github.com/astral-sh/ruff/issues/21394">#21394</a>)</li> <li><a href="06941c1987"><code>06941c1</code></a> [ty] More low-hanging fruit for inlay hint goto-definition (<a href="https://redirect.github.com/astral-sh/ruff/issues/21548">#21548</a>)</li> <li><a href="eb7c098d6b"><code>eb7c098</code></a> [ty] implement <code>TypedDict</code> structural assignment (<a href="https://redirect.github.com/astral-sh/ruff/issues/21467">#21467</a>)</li> <li><a href="1b28fc1f14"><code>1b28fc1</code></a> [ty] Add more random TypeDetails and tests (<a href="https://redirect.github.com/astral-sh/ruff/issues/21546">#21546</a>)</li> <li>Additional commits viewable in <a href="https://github.com/astral-sh/ruff/compare/0.14.5...0.14.6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-09 23:01:56 +00:00
Devon Hudson	acafac3bb6	Merge branch 'master' into develop	2025-12-09 09:30:32 -07:00
Devon Hudson	1bfcc9acf1	Lift important notes to top of changelog	2025-12-09 08:36:59 -07:00
Devon Hudson	1aeb34a1e1	1.144.0	2025-12-09 08:32:23 -07:00
Devon Hudson	8b0083cad9	Respond with useful error codes when Content-Length header/s are invalid (#19212) ... Related to https://github.com/element-hq/synapse/issues/17035, when Synapse receives a request that is larger than the maximum size allowed, it aborts the connection without ever sending back a HTTP response. I dug into our usage of twisted and how best to try and report such an error and this is what I came up with. It would be ideal to be able to report the status from within `handleContentChunk` but that is called too early on in the twisted http handling code, before things have been setup enough to be able to properly write a response. I tested this change out locally (both with C-S and S-S apis) and they do receive a 413 response now in addition to the connection being closed. Hopefully this will aid in being able to quickly detect when https://github.com/element-hq/synapse/issues/17035 is occurring as the current situation makes it very hard to narrow things down to that specific issue without making a lot of assumptions. This PR also responds with more meaningful error codes now in the case of: - multiple `Content-Length` headers - invalid `Content-Length` header value - request content size being larger than the `Content-Length` value ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters)) --------- Co-authored-by: Eric Eastwood <erice@element.io>	2025-12-08 21:39:18 +00:00
dependabot[bot]	09fd2645c2	Bump urllib3 from 2.5.0 to 2.6.0 (#19282) ... Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.5.0 to 2.6.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.6.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <ul> <li>Fixed a security issue where streaming API could improperly handle highly compressed HTTP content (&quot;decompression bombs&quot;) leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by <a href="https://github.com/Cycloctane"><code>@​Cycloctane</code></a>, 8.9 High, GHSA-2xpw-w6gg-jr37)</li> <li>Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the <code>Content-Encoding</code> header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by <a href="https://github.com/illia-v"><code>@​illia-v</code></a>, 8.9 High, GHSA-gm62-xv2j-4w53)</li> </ul> <blockquote> <p>[!IMPORTANT]</p> <ul> <li>If urllib3 is not installed with the optional <code>urllib3[brotli]</code> extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using <code>urllib3[brotli]</code> to install a compatible Brotli package automatically.</li> <li>If you use custom decompressors, please make sure to update them to respect the changed API of <code>urllib3.response.ContentDecoder</code>.</li> </ul> </blockquote> <h2>Features</h2> <ul> <li>Enabled retrieval, deletion, and membership testing in <code>HTTPHeaderDict</code> using bytes keys. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3653">#3653</a>)</li> <li>Added host and port information to string representations of <code>HTTPConnection</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3666">#3666</a>)</li> <li>Added support for Python 3.14 free-threading builds explicitly. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3696">#3696</a>)</li> </ul> <h2>Removals</h2> <ul> <li>Removed the <code>HTTPResponse.getheaders()</code> method in favor of <code>HTTPResponse.headers</code>. Removed the <code>HTTPResponse.getheader(name, default)</code> method in favor of <code>HTTPResponse.headers.get(name, default)</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3622">#3622</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed redirect handling in <code>urllib3.PoolManager</code> when an integer is passed for the retries parameter. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3649">#3649</a>)</li> <li>Fixed <code>HTTPConnectionPool</code> when used in Emscripten with no explicit port. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3664">#3664</a>)</li> <li>Fixed handling of <code>SSLKEYLOGFILE</code> with expandable variables. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3700">#3700</a>)</li> </ul> <h2>Misc</h2> <ul> <li>Changed the <code>zstd</code> extra to install <code>backports.zstd</code> instead of <code>zstandard</code> on Python 3.13 and before. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3693">#3693</a>)</li> <li>Improved the performance of content decoding by optimizing <code>BytesQueueBuffer</code> class. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3710">#3710</a>)</li> <li>Allowed building the urllib3 package with newer setuptools-scm v9.x. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3652">#3652</a>)</li> <li>Ensured successful urllib3 builds by setting Hatchling requirement to ≥ 1.27.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3638">#3638</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.6.0 (2025-12-05)</h1> <h2>Security</h2> <ul> <li>Fixed a security issue where streaming API could improperly handle highly compressed HTTP content (&quot;decompression bombs&quot;) leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (<code>GHSA-2xpw-w6gg-jr37 &lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37&gt;</code>__)</li> <li>Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the <code>Content-Encoding</code> header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (<code>GHSA-gm62-xv2j-4w53 &lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53&gt;</code>__)</li> </ul> <p>.. caution::</p> <ul> <li> <p>If urllib3 is not installed with the optional <code>urllib3[brotli]</code> extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using <code>urllib3[brotli]</code> to install a compatible Brotli package automatically.</p> </li> <li> <p>If you use custom decompressors, please make sure to update them to respect the changed API of <code>urllib3.response.ContentDecoder</code>.</p> </li> </ul> <h2>Features</h2> <ul> <li>Enabled retrieval, deletion, and membership testing in <code>HTTPHeaderDict</code> using bytes keys. (<code>[#3653](https://github.com/urllib3/urllib3/issues/3653) &lt;https://github.com/urllib3/urllib3/issues/3653&gt;</code>__)</li> <li>Added host and port information to string representations of <code>HTTPConnection</code>. (<code>[#3666](https://github.com/urllib3/urllib3/issues/3666) &lt;https://github.com/urllib3/urllib3/issues/3666&gt;</code>__)</li> <li>Added support for Python 3.14 free-threading builds explicitly. (<code>[#3696](https://github.com/urllib3/urllib3/issues/3696) &lt;https://github.com/urllib3/urllib3/issues/3696&gt;</code>__)</li> </ul> <h2>Removals</h2> <ul> <li>Removed the <code>HTTPResponse.getheaders()</code> method in favor of <code>HTTPResponse.headers</code>. Removed the <code>HTTPResponse.getheader(name, default)</code> method in favor of <code>HTTPResponse.headers.get(name, default)</code>. (<code>[#3622](https://github.com/urllib3/urllib3/issues/3622) &lt;https://github.com/urllib3/urllib3/issues/3622&gt;</code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed redirect handling in <code>urllib3.PoolManager</code> when an integer is passed for the retries parameter. (<code>[#3649](https://github.com/urllib3/urllib3/issues/3649) &lt;https://github.com/urllib3/urllib3/issues/3649&gt;</code>__)</li> <li>Fixed <code>HTTPConnectionPool</code> when used in Emscripten with no explicit port. (<code>[#3664](https://github.com/urllib3/urllib3/issues/3664) &lt;https://github.com/urllib3/urllib3/issues/3664&gt;</code>__)</li> <li>Fixed handling of <code>SSLKEYLOGFILE</code> with expandable variables. (<code>[#3700](https://github.com/urllib3/urllib3/issues/3700) &lt;https://github.com/urllib3/urllib3/issues/3700&gt;</code>__)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="720f484b60"><code>720f484</code></a> Release 2.6.0</li> <li><a href="24d7b67eac"><code>24d7b67</code></a> Merge commit from fork</li> <li><a href="c19571de34"><code>c19571d</code></a> Merge commit from fork</li> <li><a href="816fcf0452"><code>816fcf0</code></a> Bump actions/setup-python from 6.0.0 to 6.1.0 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3725">#3725</a>)</li> <li><a href="18af0a10ef"><code>18af0a1</code></a> Improve speed of <code>BytesQueueBuffer.get()</code> by using memoryview (<a href="https://redirect.github.com/urllib3/urllib3/issues/3711">#3711</a>)</li> <li><a href="1f6abac3e6"><code>1f6abac</code></a> Bump versions of pre-commit hooks (<a href="https://redirect.github.com/urllib3/urllib3/issues/3716">#3716</a>)</li> <li><a href="1c8fbf787b"><code>1c8fbf7</code></a> Bump actions/checkout from 5.0.0 to 6.0.0 (<a href="https://redirect.github.com/urllib3/urllib3/issues/3722">#3722</a>)</li> <li><a href="7784b9eee9"><code>7784b9e</code></a> Add Python 3.15 to CI (<a href="https://redirect.github.com/urllib3/urllib3/issues/3717">#3717</a>)</li> <li><a href="0241c9e728"><code>0241c9e</code></a> Updated docs to reflect change in optional zstd dependency from <code>zstandard</code> t...</li> <li><a href="7afcabb648"><code>7afcabb</code></a> Expand environment variable of SSLKEYLOGFILE (<a href="https://redirect.github.com/urllib3/urllib3/issues/3705">#3705</a>)</li> <li>Additional commits viewable in <a href="https://github.com/urllib3/urllib3/compare/2.5.0...2.6.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/element-hq/synapse/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-05 23:51:29 +00:00
dependabot[bot]	891983f3f4	Bump the minor-and-patches group with 3 updates (#19280) ... Bumps the minor-and-patches group with 3 updates: [mypy](https://github.com/python/mypy), [mypy-zope](https://github.com/Shoobx/mypy-zope) and [phonenumbers](https://github.com/daviddrysdale/python-phonenumbers). Updates `mypy` from 1.17.1 to 1.18.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/python/mypy/blob/master/CHANGELOG.md">mypy's changelog</a>.</em></p> <blockquote> <h3>Mypy 1.18.2</h3> <ul> <li>Fix crash on recursive alias (Ivan Levkivskyi, PR <a href="https://redirect.github.com/python/mypy/pull/19845">19845</a>)</li> <li>Add additional guidance for stubtest errors when runtime is <code>object.__init__</code> (Stephen Morton, PR <a href="https://redirect.github.com/python/mypy/pull/19733">19733</a>)</li> <li>Fix handling of None values in f-string expressions in mypyc (BobTheBuidler, PR <a href="https://redirect.github.com/python/mypy/pull/19846">19846</a>)</li> </ul> <h3>Acknowledgements</h3> <p>Thanks to all mypy contributors who contributed to this release:</p> <ul> <li>Ali Hamdan</li> <li>Anthony Sottile</li> <li>BobTheBuidler</li> <li>Brian Schubert</li> <li>Chainfire</li> <li>Charlie Denton</li> <li>Christoph Tyralla</li> <li>CoolCat467</li> <li>Daniel Hnyk</li> <li>Emily</li> <li>Emma Smith</li> <li>Ethan Sarp</li> <li>Ivan Levkivskyi</li> <li>Jahongir Qurbonov</li> <li>Jelle Zijlstra</li> <li>Joren Hammudoglu</li> <li>Jukka Lehtosalo</li> <li>Marc Mueller</li> <li>Omer Hadari</li> <li>Piotr Sawicki</li> <li>PrinceNaroliya</li> <li>Randolf Scholz</li> <li>Robsdedude</li> <li>Saul Shanabrook</li> <li>Shantanu</li> <li>Stanislav Terliakov</li> <li>Stephen Morton</li> <li>wyattscarpenter</li> </ul> <p>I’d also like to thank my employer, Dropbox, for supporting mypy development.</p> <h2>Mypy 1.17</h2> <p>We’ve just uploaded mypy 1.17 to the Python Package Index (<a href="https://pypi.org/project/mypy/">PyPI</a>). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:</p> <pre><code>python3 -m pip install -U mypy </code></pre> <p>You can read the full documentation for this release on <a href="http://mypy.readthedocs.io">Read the Docs</a>.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="df05f05555"><code>df05f05</code></a> remove +dev from version</li> <li><a href="01a7a1285d"><code>01a7a12</code></a> Update changelog for 1.18.2 (<a href="https://redirect.github.com/python/mypy/issues/19873">#19873</a>)</li> <li><a href="ca5abf09f3"><code>ca5abf0</code></a> Typeshed cherry-pick: Make type of <code>unitest.mock.Any</code> a subclass of <code>Any</code> (<a href="https://redirect.github.com/python/mypy/issues/1">#1</a>...</li> <li><a href="9d794b57d9"><code>9d794b5</code></a> [mypyc] fix: inappropriate <code>None</code>s in f-strings (<a href="https://redirect.github.com/python/mypy/issues/19846">#19846</a>)</li> <li><a href="2c0510c848"><code>2c0510c</code></a> stubtest: additional guidance on errors when runtime is object.<strong>init</strong> (<a href="https://redirect.github.com/python/mypy/issues/19733">#19733</a>)</li> <li><a href="2f3f03c3e3"><code>2f3f03c</code></a> Bump version to 1.18.2+dev for point release</li> <li><a href="76698412bc"><code>7669841</code></a> Fix crash on recursive alias in indirection.py (<a href="https://redirect.github.com/python/mypy/issues/19845">#19845</a>)</li> <li><a href="03fbaa941b"><code>03fbaa9</code></a> bump version to 1.18.1 due to wheels failure</li> <li><a href="b44a1fbf0c"><code>b44a1fb</code></a> removed +dev from version</li> <li><a href="7197a99d1a"><code>7197a99</code></a> Removed Unreleased in the Changelog for Release 1.18 (<a href="https://redirect.github.com/python/mypy/issues/19827">#19827</a>)</li> <li>Additional commits viewable in <a href="https://github.com/python/mypy/compare/v1.17.1...v1.18.2">compare view</a></li> </ul> </details> <br /> Updates `mypy-zope` from 1.0.13 to 1.0.14 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Shoobx/mypy-zope/blob/master/CHANGELOG.md">mypy-zope's changelog</a>.</em></p> <blockquote> <h2>1.0.14 (2025-12-01)</h2> <hr /> <ul> <li>Support mypy-1.19</li> <li>Support mypy-1.18</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="38d22f3f4f"><code>38d22f3</code></a> Preparing release 1.0.14</li> <li><a href="76762ec861"><code>76762ec</code></a> Maintain changelog</li> <li><a href="4971d98ab8"><code>4971d98</code></a> Merge pull request <a href="https://redirect.github.com/Shoobx/mypy-zope/issues/134">#134</a> from Shoobx/dependabot/pip/mypy-gte-1.0.0-and-lt-1.20.0</li> <li><a href="47af89d2c7"><code>47af89d</code></a> Update mypy requirement from &lt;1.19.0,&gt;=1.0.0 to &gt;=1.0.0,&lt;1.20.0</li> <li><a href="0c596ff804"><code>0c596ff</code></a> Maintain changelog</li> <li><a href="dcaa27841d"><code>dcaa278</code></a> Merge pull request <a href="https://redirect.github.com/Shoobx/mypy-zope/issues/132">#132</a> from Shoobx/dependabot/pip/mypy-gte-1.0.0-and-lt-1.19.0</li> <li><a href="8f7b6778df"><code>8f7b677</code></a> Update mypy requirement from &lt;1.18.0,&gt;=1.0.0 to &gt;=1.0.0,&lt;1.19.0</li> <li><a href="91b275b364"><code>91b275b</code></a> Back to development: 1.0.14</li> <li>See full diff in <a href="https://github.com/Shoobx/mypy-zope/compare/1.0.13...1.0.14">compare view</a></li> </ul> </details> <br /> Updates `phonenumbers` from 9.0.18 to 9.0.19 <details> <summary>Commits</summary> <ul> <li><a href="38f2ffe1e8"><code>38f2ffe</code></a> Prep for 9.0.19 release</li> <li><a href="cd7f0cc64f"><code>cd7f0cc</code></a> Generated files for metadata</li> <li><a href="40ae18f50a"><code>40ae18f</code></a> Merge metadata changes from upstream 9.0.19</li> <li>See full diff in <a href="https://github.com/daviddrysdale/python-phonenumbers/compare/v9.0.18...v9.0.19">compare view</a></li> </ul> </details> <br /> **Does not** update `pysaml2` from 7.5.0 to 7.5.4 since this would downgrade pyOpenSSL <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/IdentityPython/pysaml2/releases">pysaml2's releases</a>.</em></p> <blockquote> <h2>Version v7.5.4</h2> <h2>v7.5.4 (2025-10-07)</h2> <ul> <li>Minor refactor to handle <code>shelve.open</code> and <code>dbm</code> errors</li> <li>Remove import of deprecated <code>cgi</code> module</li> <li>Replace deprecated <code>datetime.utcnow()</code> by <code>datetime.now(timezone.utc)</code></li> <li>deps: Remove the <code>importlib_metadata</code> dependency</li> <li>deps: Remove the <code>importlib_resources</code> dependency</li> <li>deps: Update dependency versions and lockfile</li> <li>build: Update pyproject and lockfile to be compatible with PEP 621</li> <li>docs: Correct spelling mistakes</li> <li>docs: Fix interal references/links</li> <li>docs: Clarify units for accepted_time_diff config param</li> <li>docs: Correct documentation for contact_person</li> </ul> <h2>Version 7.5.3</h2> <h2>7.5.3 (2025-10-04)</h2> <ul> <li><a href="https://redirect.github.com/IdentityPython/pysaml2/issues/973">#973</a> Fix prepare_for_negotiated_authenticate to avoid double signing redirect requests</li> </ul> <h2>Version 7.5.2</h2> <h2>7.5.2 (2025-02-10)</h2> <ul> <li>Include the XSD of the XML Encryption Syntax and Processing Version 1.1 to the schema validator</li> </ul> <h2>Version 7.5.1</h2> <h2>7.5.1 (2025-02-10)</h2> <ul> <li>deps: restrict pyOpenSSL up to v24.2.1 until it is replaced</li> <li>deps: update dependncies for the lockfile and examples</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/IdentityPython/pysaml2/blob/master/CHANGELOG.md">pysaml2's changelog</a>.</em></p> <blockquote> <h2>v7.5.4 (2025-10-07)</h2> <ul> <li>Minor refactor to handle <code>shelve.open</code> and <code>dbm</code> errors</li> <li>Remove import of deprecated <code>cgi</code> module</li> <li>Replace deprecated <code>datetime.utcnow()</code> by <code>datetime.now(timezone.utc)</code></li> <li>deps: Remove the <code>importlib_metadata</code> dependency</li> <li>deps: Remove the <code>importlib_resources</code> dependency</li> <li>deps: Update dependency versions and lockfile</li> <li>build: Update pyproject and lockfile to be compatible with PEP 621</li> <li>docs: Correct spelling mistakes</li> <li>docs: Fix interal references/links</li> <li>docs: Clarify units for accepted_time_diff config param</li> <li>docs: Correct documentation for contact_person</li> </ul> <h2>7.5.3 (2025-10-04)</h2> <ul> <li><a href="https://redirect.github.com/IdentityPython/pysaml2/issues/973">#973</a> Fix prepare_for_negotiated_authenticate to avoid double signing redirect requests</li> </ul> <h2>7.5.2 (2025-02-10)</h2> <ul> <li>Include the XSD of the XML Encryption Syntax and Processing Version 1.1 to the schema validator</li> </ul> <h2>7.5.1 (2025-02-10)</h2> <ul> <li>deps: restrict pyOpenSSL up to v24.2.1 until it is replaced</li> <li>deps: update dependencies for the lockfile and examples</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="9cf71f7f9e"><code>9cf71f7</code></a> Release version 7.5.4</li> <li><a href="c3ec7199d1"><code>c3ec719</code></a> Refactor _shelve_compat</li> <li><a href="1d6ea6024e"><code>1d6ea60</code></a> Remove import of deprecated cgi module</li> <li><a href="c45eb9df82"><code>c45eb9d</code></a> Replace deprecated datetime.utcnow() by datetime.now(timezone.utc)</li> <li><a href="178f6d12b4"><code>178f6d1</code></a> Remove unneeded dependencies</li> <li><a href="1f0a25a5cf"><code>1f0a25a</code></a> remove importlib_metadata import</li> <li><a href="099f716ae7"><code>099f716</code></a> remove importlib_resources imports</li> <li><a href="3fa11ee15d"><code>3fa11ee</code></a> spelling updates.</li> <li><a href="4b7887f59a"><code>4b7887f</code></a> update link.</li> <li><a href="bc8d3b4ecc"><code>bc8d3b4</code></a> update link.</li> <li>Additional commits viewable in <a href="https://github.com/IdentityPython/pysaml2/compare/v7.5.0...v7.5.4">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Devon Hudson <devonhudson@librem.one>	2025-12-05 22:11:58 +00:00
Andrew Morgan	a096fba969	Group non-breaking dependabot PRs together to reduce review load (#18402)	2025-12-05 10:48:01 +00:00
Devon Hudson	e8710e7c5e	Don't include debug logs in Clock unless explicitly enabled (#19278) ... Fixes #19276 This log with stack traces results in a ton of noise in the logs and is confusing to users since it looks like it's an error in the logs. This PR removes the stack trace from the log. This can be re-enabled on demand if it is deemed necessary in the future. ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))	2025-12-04 23:49:24 +00:00
Devon Hudson	978ae0b080	Merge branch 'release-v1.144' into develop	2025-12-02 15:06:23 -07:00
dependabot[bot]	93e658bd13	Bump cryptography from 45.0.7 to 46.0.3 (#19266) ... Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.7 to 46.0.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>46.0.3 - 2025-10-15</p> <pre><code> * Fixed compilation when using LibreSSL 4.2.0. <p>.. _v46-0-2:</p> <p>46.0.2 - 2025-09-30<br /> </code></pre></p> <ul> <li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.4.</li> </ul> <p>.. _v46-0-1:</p> <p>46.0.1 - 2025-09-16</p> <pre><code> * Fixed an issue where users installing via ``pip`` on Python 3.14 development versions would not properly install a dependency. * Fixed an issue building the free-threaded macOS 3.14 wheels. <p>.. _v46-0-0:</p> <p>46.0.0 - 2025-09-16<br /> </code></pre></p> <ul> <li><strong>BACKWARDS INCOMPATIBLE:</strong> Support for Python 3.7 has been removed.</li> <li>Support for OpenSSL &lt; 3.0 is deprecated and will be removed in the next release.</li> <li>Support for <code>x86_64</code> macOS (including publishing wheels) is deprecated and will be removed in two releases. We will switch to publishing an <code>arm64</code> only wheel for macOS.</li> <li>Support for 32-bit Windows (including publishing wheels) is deprecated and will be removed in two releases. Users should move to a 64-bit Python installation.</li> <li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.3.</li> <li>We now build <code>ppc64le</code> <code>manylinux</code> wheels and publish them to PyPI.</li> <li>We now build <code>win_arm64</code> (Windows on Arm) wheels and publish them to PyPI.</li> <li>Added support for free-threaded Python 3.14.</li> <li>Removed the deprecated <code>get_attribute_for_oid</code> method on :class:<code>~cryptography.x509.CertificateSigningRequest</code>. Users should use :meth:<code>~cryptography.x509.Attributes.get_attribute_for_oid</code> instead.</li> <li>Removed the deprecated <code>CAST5</code>, <code>SEED</code>, <code>IDEA</code>, and <code>Blowfish</code> classes from the cipher module. These are still available in :doc:<code>/hazmat/decrepit/index</code>.</li> <li>In X.509, when performing a PSS signature with a SHA-3 hash, it is now encoded with the official NIST SHA3 OID.</li> </ul> <p>.. _v45-0-7:</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="c0af4dd7b7"><code>c0af4dd</code></a> release 46.0.3 (<a href="https://redirect.github.com/pyca/cryptography/issues/13681">#13681</a>)</li> <li><a href="99efe5ad15"><code>99efe5a</code></a> bump version for 46.0.2 (<a href="https://redirect.github.com/pyca/cryptography/issues/13531">#13531</a>)</li> <li><a href="e735cfc275"><code>e735cfc</code></a> release 46.0.1 (<a href="https://redirect.github.com/pyca/cryptography/issues/13450">#13450</a>)</li> <li><a href="4e457ffba4"><code>4e457ff</code></a> Explicitly specify python in mac uv build invocation (<a href="https://redirect.github.com/pyca/cryptography/issues/13447">#13447</a>)</li> <li><a href="2726efdb6d"><code>2726efd</code></a> Depend on CFFI 2.0.0 or newer on Python &gt; 3.8 (<a href="https://redirect.github.com/pyca/cryptography/issues/13448">#13448</a>)</li> <li><a href="62230623d1"><code>6223062</code></a> release 46.0.0 (<a href="https://redirect.github.com/pyca/cryptography/issues/13446">#13446</a>)</li> <li><a href="563c4915b0"><code>563c491</code></a> Update comment for pyopenssl-release tag (<a href="https://redirect.github.com/pyca/cryptography/issues/13445">#13445</a>)</li> <li><a href="d2f6f7face"><code>d2f6f7f</code></a> Bump downstream dependencies in CI (<a href="https://redirect.github.com/pyca/cryptography/issues/13439">#13439</a>)</li> <li><a href="e7ab02bd67"><code>e7ab02b</code></a> we'll ship this with 3.5.3 why not (<a href="https://redirect.github.com/pyca/cryptography/issues/13442">#13442</a>)</li> <li><a href="0b68a4bffb"><code>0b68a4b</code></a> Another pair of bump dependencies fix (<a href="https://redirect.github.com/pyca/cryptography/issues/13444">#13444</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pyca/cryptography/compare/45.0.7...46.0.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-02 20:27:05 +00:00
Devon Hudson	989c4d2585	Update changelog	2025-12-02 13:11:50 -07:00
Devon Hudson	4cd05baaec	Fix bug where Duration was logged incorrectly (#19267) ... ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))	2025-12-02 13:09:44 -07:00