v1.139.0rc3

Synapse 1.139.0rc3 (2025-09-25)

Bugfixes

• Fix a bug introduced in 1.139.0rc1 where run_coroutine_in_background(...) incorrectly handled logcontexts, resulting in partially broken logging. (#18964)

v1.138.2

Synapse 1.138.2 (2025-09-24)

Internal Changes

• Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. (#18962)

Synapse 1.138.1 (2025-09-24)

Bugfixes

• Fix a performance regression related to the experimental Delayed Events (MSC4140) feature. (#18926)

v1.139.0rc2

Synapse 1.139.0rc2 (2025-09-23)

Internal Changes

• Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. (#18962)

Synapse 1.139.0rc1 (2025-09-23)

Features

• Add experimental support for MSC4308: Thread Subscriptions extension to Sliding Sync when MSC4306: Thread Subscriptions and MSC4186: Simplified Sliding Sync are enabled. (#18695)
• Update push rules for experimental MSC4306: Thread Subscriptions to follow a newer draft. (#18846)
• Add get_media_upload_limits_for_user and on_media_upload_limit_exceeded module API callbacks to the media repository. (#18848)
• Support MSC4169 for backwards-compatible redaction sending using the /send endpoint. Contributed by @SpiritCroc @ Beeper. (#18898)
• Add an in-memory cache to _get_e2e_cross_signing_signatures_for_devices to reduce DB load. (#18899)
• Update MSC4190 support to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication. Contributed by @tulir @ Beeper. (#18946)

Bugfixes

• Ensure all PDUs sent via /send pass canonical JSON checks. (#18641)
• Fix bug where we did not send invite revocations over federation. (#18823)
• Fix prefixed support for MSC4133. (#18875)
• Fix open redirect in legacy SSO flow with the idp query parameter. (#18909)
• Fix a performance regression related to the experimental Delayed Events (MSC4140) feature. (#18926)

Updates to the Docker image

• Suppress "Applying schema" log noise bulk when SYNAPSE_LOG_TESTING is set. (#18878)

Improved Documentation

• Clarify Python dependency constraints in our deprecation policy. (#18856)
• Clarify necessary jwt_config parameter in OIDC documentation for authentik. Contributed by @maxkratz. (#18931)

Deprecations and Removals

• Remove obsolete and experimental /sync/e2ee endpoint. (#18583)

Internal Changes

• Fix LaterGauge metrics to collect from all servers. (#18791)
• Configure Synapse to run MSC4306: Thread Subscriptions Complement tests. (#18819)
• Remove sentinel logcontext usage where we log in setup, start and exit. (#18870)
• Use the Enum's value for the dictionary key when responding to an admin request for experimental features. (#18874)
• Start background tasks after we fork the process (daemonize). (#18886)
• Better explain how we manage the logcontext in run_in_background(...) and run_as_background_process(...). (#18900, #18906)
• Remove sentinel logcontext usage in Clock utilities like looping_call and call_later. (#18907)
• Replace usages of the deprecated pkg_resources interface in preparation of setuptools dropping it soon. (#18910)
• Split loading config from homeserver setup. (#18933)
• Fix run_in_background not being awaited properly in some tests causing LoggingContext problems. (#18937)
• Fix run_as_background_process not being awaited properly causing LoggingContext problems in experimental MSC4140: Delayed events implementation. (#18938)
• Introduce Clock.call_when_running(...) to wrap startup code in a logcontext, ensuring we can identify which server generated the logs. (#18944)
• Introduce Clock.add_system_event_trigger(...) to wrap system event callback code in a logcontext, ensuring we can identify which server generated the logs. (#18945)

Updates to locked dependencies

• Bump actions/setup-go from 5.5.0 to 6.0.0. (#18891)
• Bump actions/setup-python from 5.6.0 to 6.0.0. (#18890)
• Bump authlib from 1.6.1 to 1.6.3. (#18921)
• Bump jsonschema from 4.25.0 to 4.25.1. (#18897)
• Bump log from 0.4.27 to 0.4.28. (#18892)
• Bump phonenumbers from 9.0.12 to 9.0.13. (#18893)
• Bump pydantic from 2.11.7 to 2.11.9. (#18922)
• Bump serde from 1.0.219 to 1.0.223. (#18920)
• Bump serde_json from 1.0.143 to 1.0.145. (#18919)
• Bump sigstore/cosign-installer from 3.9.2 to 3.10.0. (#18917)
• Bump towncrier from 24.8.0 to 25.8.0. (#18894)
• Bump types-psycopg2 from 2.9.21.20250809 to 2.9.21.20250915. (#18918)
• Bump types-requests from 2.32.4.20250611 to 2.32.4.20250809. (#18895)
• Bump types-setuptools from 80.9.0.20250809 to 80.9.0.20250822. (#18924)

v1.138.0

Synapse 1.138.0 (2025-09-09)

No significant changes since 1.138.0rc1.

Synapse 1.138.0rc1 (2025-09-02)

Features

• Support for the stable endpoint and scopes of MSC3861 & co. (#18549)

Bugfixes

• Improve database performance of MSC4293 - Redact on Kick/Ban. (#18851)
• Do not throw an error when fetching a rejected delayed state event on startup. (#18858)

Improved Documentation

• Fix worker documentation incorrectly indicating all room Admin API requests were capable of being handled by workers. (#18853)

Internal Changes

• Instrument _ByteProducer with tracing to measure potential dead time while writing bytes to the request. (#18804)
• Switch to OpenTracing's ContextVarsScopeManager instead of our own custom LogContextScopeManager. (#18849)
• Trace how much work is being done while "recursively fetching redactions". (#18854)
• Link upstream Twisted bug tracking the problem that explains why we have to use a Producer to write bytes to the request. (#18855)
• Introduce EventPersistencePair type. (#18857)

Updates to locked dependencies

• Bump actions/add-to-project from c0c5949b017d0d4a39f7ba888255881bdac2a823 to 4515659e2b458b27365e167605ac44f219494b66. (#18863)
• Bump actions/checkout from 4.3.0 to 5.0.0. (#18834)
• Bump anyhow from 1.0.98 to 1.0.99. (#18841)
• Bump docker/login-action from 3.4.0 to 3.5.0. (#18835)
• Bump dtolnay/rust-toolchain from b3b07ba8b418998c39fb20f53e8b695cdcc8de1b to e97e2d8cc328f1b50210efc529dca0028893a2d9. (#18862)
• Bump phonenumbers from 9.0.11 to 9.0.12. (#18837)
• Bump regex from 1.11.1 to 1.11.2. (#18864)
• Bump reqwest from 0.12.22 to 0.12.23. (#18842)
• Bump ruff from 0.12.7 to 0.12.10. (#18865)
• Bump serde_json from 1.0.142 to 1.0.143. (#18866)
• Bump types-bleach from 6.2.0.20250514 to 6.2.0.20250809. (#18838)
• Bump types-jsonschema from 4.25.0.20250720 to 4.25.1.20250822. (#18867)
• Bump types-psycopg2 from 2.9.21.20250718 to 2.9.21.20250809. (#18836)

v1.138.0rc1

Synapse 1.138.0rc1 (2025-09-02)

Features

• Support for the stable endpoint and scopes of MSC3861 & co. (#18549)

Bugfixes

• Improve database performance of MSC4293 - Redact on Kick/Ban. (#18851)
• Do not throw an error when fetching a rejected delayed state event on startup. (#18858)

Improved Documentation

• Fix worker documentation incorrectly indicating all room Admin API requests were capable of being handled by workers. (#18853)

Internal Changes

• Instrument _ByteProducer with tracing to measure potential dead time while writing bytes to the request. (#18804)
• Switch to OpenTracing's ContextVarsScopeManager instead of our own custom LogContextScopeManager. (#18849)
• Trace how much work is being done while "recursively fetching redactions". (#18854)
• Link upstream Twisted bug tracking the problem that explains why we have to use a Producer to write bytes to the request. (#18855)
• Introduce EventPersistencePair type. (#18857)

Updates to locked dependencies

• Bump actions/add-to-project from c0c5949b017d0d4a39f7ba888255881bdac2a823 to 4515659e2b458b27365e167605ac44f219494b66. (#18863)
• Bump actions/checkout from 4.3.0 to 5.0.0. (#18834)
• Bump anyhow from 1.0.98 to 1.0.99. (#18841)
• Bump docker/login-action from 3.4.0 to 3.5.0. (#18835)
• Bump dtolnay/rust-toolchain from b3b07ba8b418998c39fb20f53e8b695cdcc8de1b to e97e2d8cc328f1b50210efc529dca0028893a2d9. (#18862)
• Bump phonenumbers from 9.0.11 to 9.0.12. (#18837)
• Bump regex from 1.11.1 to 1.11.2. (#18864)
• Bump reqwest from 0.12.22 to 0.12.23. (#18842)
• Bump ruff from 0.12.7 to 0.12.10. (#18865)
• Bump serde_json from 1.0.142 to 1.0.143. (#18866)
• Bump types-bleach from 6.2.0.20250514 to 6.2.0.20250809. (#18838)
• Bump types-jsonschema from 4.25.0.20250720 to 4.25.1.20250822. (#18867)
• Bump types-psycopg2 from 2.9.21.20250718 to 2.9.21.20250809. (#18836)

v1.137.0

Synapse 1.137.0 (2025-08-26)

No significant changes since 1.137.0rc1.

Synapse 1.137.0rc1 (2025-08-19)

Bugfixes

• Fix a bug which could corrupt auth chains making it impossible to perform state resolution. (#18746)
• Fix error message in register_new_matrix_user utility script for empty registration_shared_secret. (#18780)
• Allow enabling MSC4108 when the stable Matrix Authentication Service integration is enabled. (#18832)

Improved Documentation

• Include IPv6 networks in denied-peer-ips of coturn setup. Contributed by @litetex. (#18781)

Internal Changes

• Update tests to ensure all database tables are emptied when purging a room. (#18794)
• Instrument the encode_response part of Sliding Sync requests for more complete traces in Jaeger. (#18815)
• Tag Sliding Sync traces when we wait_for_events. (#18816)
• Fix portdb CI by hardcoding the new pg_dump restrict key that was added due to CVE-2025-8714. (#18824)

Updates to locked dependencies

• Bump actions/add-to-project from 5b1a254a3546aef88e0a7724a77a623fa2e47c36 to 0c37450c4be3b6a7582b2fb013c9ebfd9c8e9300. (#18557)
• Bump actions/cache from 4.2.3 to 4.2.4. (#18799)
• Bump actions/checkout from 4.2.2 to 4.3.0. (#18800)
• Bump actions/download-artifact from 4.3.0 to 5.0.0. (#18801)
• Bump docker/metadata-action from 5.7.0 to 5.8.0. (#18773)
• Bump mypy from 1.16.1 to 1.17.1. (#18775)
• Bump phonenumbers from 9.0.10 to 9.0.11. (#18797)
• Bump pygithub from 2.6.1 to 2.7.0. (#18779)
• Bump serde_json from 1.0.141 to 1.0.142. (#18776)
• Bump slab from 0.4.10 to 0.4.11. (#18809)
• Bump tokio from 1.47.0 to 1.47.1. (#18774)
• Bump types-pyyaml from 6.0.12.20250516 to 6.0.12.20250809. (#18798)
• Bump types-setuptools from 80.9.0.20250529 to 80.9.0.20250809. (#18796)

v1.137.0rc1

Synapse 1.137.0rc1 (2025-08-19)

Bugfixes

• Fix a bug which could corrupt auth chains making it impossible to perform state resolution. (#18746)
• Fix error message in register_new_matrix_user utility script for empty registration_shared_secret. (#18780)
• Allow enabling MSC4108 when the stable Matrix Authentication Service integration is enabled. (#18832)

Improved Documentation

• Include IPv6 networks in denied-peer-ips of coturn setup. Contributed by @litetex. (#18781)

Internal Changes

• Update tests to ensure all database tables are emptied when purging a room. (#18794)
• Instrument the encode_response part of Sliding Sync requests for more complete traces in Jaeger. (#18815)
• Tag Sliding Sync traces when we wait_for_events. (#18816)
• Fix portdb CI by hardcoding the new pg_dump restrict key that was added due to CVE-2025-8714. (#18824)

Updates to locked dependencies

• Bump actions/add-to-project from 5b1a254a3546aef88e0a7724a77a623fa2e47c36 to 0c37450c4be3b6a7582b2fb013c9ebfd9c8e9300. (#18557)
• Bump actions/cache from 4.2.3 to 4.2.4. (#18799)
• Bump actions/checkout from 4.2.2 to 4.3.0. (#18800)
• Bump actions/download-artifact from 4.3.0 to 5.0.0. (#18801)
• Bump docker/metadata-action from 5.7.0 to 5.8.0. (#18773)
• Bump mypy from 1.16.1 to 1.17.1. (#18775)
• Bump phonenumbers from 9.0.10 to 9.0.11. (#18797)
• Bump pygithub from 2.6.1 to 2.7.0. (#18779)
• Bump serde_json from 1.0.141 to 1.0.142. (#18776)
• Bump slab from 0.4.10 to 0.4.11. (#18809)
• Bump tokio from 1.47.0 to 1.47.1. (#18774)
• Bump types-pyyaml from 6.0.12.20250516 to 6.0.12.20250809. (#18798)
• Bump types-setuptools from 80.9.0.20250529 to 80.9.0.20250809. (#18796)

v1.136.0

Synapse 1.136.0 (2025-08-12)

Note: This release includes the security fixes from 1.135.2 and 1.136.0rc2, detailed below.

Please also check the relevant section in the upgrade notes for the changes to MAS support, metrics labels and the module API which may require your attention when upgrading.

Bugfixes

• Fix bug introduced in 1.135.2 and 1.136.0rc2 where the Make Room Admin API would not treat a room v12's creator power level as the highest in room. (#18805)

Synapse 1.136.0rc2 (2025-08-11)

This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.

The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

Note: release 1.135.1 was skipped due to issues discovered during the release process.

Two patched Synapse releases are now available:

• 1.135.2: stable release comprised of 1.135.0 + security patches
  • Upgrade to this release if you are currently running 1.135.0 or below.
• 1.136.0rc2: unstable release candidate comprised of 1.136.0rc1 + security patches.
  • Upgrade to this release only if you are on 1.136.0rc1.

Bugfixes

• Update MSC4293 redaction logic for room v12. (#80)

Internal Changes

• Add a parameter to upgrade_rooms(..) to allow auto join local users. (#83)

Synapse 1.136.0rc1 (2025-08-05)

Features

• Add configurable rate limiting for the creation of rooms. (#18514)
• Add support for MSC4293 - Redact on Kick/Ban. (#18540)
• When admins enable themselves to see soft-failed events, they will also see if the cause is due to the policy server flagging them as spam via unsigned. (#18585)
• Add ability to configure forward/outbound proxy via homeserver config instead of environment variables. See http_proxy, https_proxy, no_proxy_hosts. (#18686)
• Advertise experimental support for MSC4306 (Thread Subscriptions) through /_matrix/clients/versions if enabled. (#18722)
• Stabilise support for delegating authentication to Matrix Authentication Service. (#18759)
• Implement the push rules for experimental MSC4306: Thread Subscriptions. (#18762)

Bugfixes

• Allow return code 403 (allowed by C2S Spec since v1.2) when fetching profiles via federation. (#18696)
• Register the MSC4306 (Thread Subscriptions) endpoints in the CS API when the experimental feature is enabled. (#18726)
• Fix a long-standing bug where suspended users could not have server notices sent to them (a 403 was returned to the admin). (#18750)
• Fix an issue that could cause logcontexts to be lost on rate-limited requests. Found by @realtyem. (#18763)
• Fix invalidation of storage cache that was broken in 1.135.0. (#18786)

Improved Documentation

• Minor improvements to README. (#18700)
• Document that there can be multiple workers handling the receipts stream. (#18760)
• Improve worker documentation for some device paths. (#18761)

Deprecations and Removals

• Deprecate run_as_background_process exported as part of the module API interface in favor of ModuleApi.run_as_background_process. See the relevant section in the upgrade notes for more information. (#18737)

Internal Changes

• Add debug logging for HMAC digest verification failures when using the admin API to register users. (#18474)
• Speed up upgrading a room with large numbers of banned users. (#18574)
• Fix config documentation generation script on Windows by enforcing UTF-8. (#18580)
• Refactor cache, background process, Counter, LaterGauge, GaugeBucketCollector, Histogram, and Gauge metrics to be homeserver-scoped. (#18656, #18714, #18715, #18724, #18753, #18725, #18670, #18748, #18751)
• Reduce database usage in Sliding Sync by not querying for background update completion after the update is known to be complete. (#18718)
• Improve order of validation and ratelimiting in room creation. (#18723)
• Bump minimum version bound on Twisted to 21.2.0. (#18727, #18729)
• Use twisted.internet.testing module in tests instead of deprecated twisted.test.proto_helpers. (#18728)
• Remove obsolete /send_event replication endpoint. (#18730)
• Update metrics linting to be able to handle custom metrics. (#18733)
• Work around twisted.protocols.amp.TooLong error by reducing logging in some tests. (#18736)
• Prevent "Move labelled issues to correct projects" GitHub Actions workflow from failing when an issue is already on the project board. (#18755)
• Bump minimum supported Rust version (MSRV) to 1.82.0. Missed in #18553 (released in Synapse 1.134.0). (#18757)
• Make Clock.sleep(...) return a coroutine, so that mypy can catch places where we don't await on it. (#18772)
• Update implementation of MSC4306: Thread Subscriptions to include automatic subscription conflict prevention as introduced in later drafts. (#18756)

Updates to locked dependencies

• Bump gitpython from 3.1.44 to 3.1.45. (#18743)
• Bump mypy-zope from 1.0.12 to 1.0.13. (#18744)
• Bump phonenumbers from 9.0.9 to 9.0.10. (#18741)
• Bump ruff from 0.12.4 to 0.12.5. (#18742)
• Bump sentry-sdk from 2.32.0 to 2.33.2. (#18745)
• Bump tokio from 1.46.1 to 1.47.0. (#18740)
• Bump types-jsonschema from 4.24.0.20250708 to 4.25.0.20250720. (#18703)
• Bump types-psycopg2 from 2.9.21.20250516 to 2.9.21.20250718. (#18706)

v1.136.0rc2

Synapse 1.136.0rc2 (2025-08-11)

This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.

The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

Note: release 1.135.1 was skipped due to issues discovered during the release process.

Two patched Synapse releases are now available:

• 1.135.2: stable release comprised of 1.135.0 + security patches
  • Upgrade to this release if you are currently running 1.135.0 or below.
• 1.136.0rc2: unstable release candidate comprised of 1.136.0rc1 + security patches.
  • Upgrade to this release only if you are on 1.136.0rc1.

Bugfixes

• Update MSC4293 redaction logic for room v12. (#80)

Internal Changes

• Add a parameter to upgrade_rooms(..) to allow auto join local users. (#83)

v1.135.2

Synapse 1.135.2 (2025-08-11)

This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.

The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

Note: release 1.135.1 was skipped due to issues discovered during the release process.

Two patched Synapse releases are now available:

• 1.135.2: stable release comprised of 1.135.0 + security patches
  • Upgrade to this release if you are currently running 1.135.0 or below.
• 1.136.0rc2: unstable release candidate comprised of 1.136.0rc1 + security patches.
  • Upgrade to this release only if you are on 1.136.0rc1.

Bugfixes

• Fix invalidation of storage cache that was broken in 1.135.0. (#18786)

Internal Changes

• Add a parameter to upgrade_rooms(..) to allow auto join local users. (#82)
• Speed up upgrading a room with large numbers of banned users. (#18574)