Update all dependencies

[missingcharacter]

This PR contains the following updates:

Package	Update	Change
docker.io/postgres	minor	18.0-alpine3.22 → 18.1-alpine3.22
ghcr.io/element-hq/synapse	minor	v1.141.0 → v1.146.0

---

Release Notes

element-hq/synapse (ghcr.io/element-hq/synapse)

v1.146.0

Compare Source

Synapse 1.146.0 (2026-01-27)

No significant changes since 1.146.0rc1.

Deprecations and Removals

• MSC2697 (Dehydrated devices) has been removed, as the MSC is closed. Developers should migrate to MSC3814. (#​19346)
• Support for Ubuntu 25.04 (Plucky Puffin) has been dropped. Synapse no longer builds debian packages for Ubuntu 25.04.

Synapse 1.146.0rc1 (2026-01-20)

Features

• Add a new config option enable_local_media_storage which controls whether media is additionally stored locally when using configured media_storage_providers. Setting this to false allows off-site media storage without a local cache. Contributed by Patrice Brend'amour @​dr.allgood. (#​19204)
• Stabilise support for MSC4312's m.oauth User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API. The old, unstable name (org.matrix.cross_signing_reset) is now deprecated and will be removed in a future release. (#​19273)
• Refactor Grafana dashboard to use server_name label (instead of instance). (#​19337)

Bugfixes

• Fix joining a restricted v12 room locally when no local room creator is present but local users with sufficient power levels are. Contributed by @​nexy7574. (#​19321)
• Fixed parallel calls to /_matrix/media/v1/create being ratelimited for appservices even if rate_limited: false was set in the registration. Contributed by @​tulir @​ Beeper. (#​19335)
• Fix a bug introduced in 1.61.0 where a user's membership in a room was accidentally ignored when considering access to historical state events in rooms with the "shared" history visibility. Contributed by Lukas Tautz. (#​19353)
• MSC4140: Store the JSON content of scheduled delayed events as text instead of a byte array. This fixes the inability to schedule a delayed event with non-ASCII characters in its content. (#​19360)
• Always rollback database transactions when retrying (avoid orphaned connections). (#​19372)
• Fix InFlightGauge typing to allow upgrading to prometheus_client 0.24. (#​19379)

Updates to the Docker image

• Add Prometheus HTTP service discovery endpoint for easy discovery of all workers when using the docker/Dockerfile-workers image (see the Metrics section of our Docker testing docs). (#​19336)

Improved Documentation

• Remove docs on legacy metric names (no longer in the codebase since 2022-12-06). (#​19341)
• Clarify how the estimated value of room complexity is calculated internally. (#​19384)

Internal Changes

• Add an internal cancel_task API to the task scheduler. (#​19310)
• Tweak docstrings and signatures of auth_types_for_event and get_catchup_room_event_ids. (#​19320)
• Replace usage of deprecated assertEquals with assertEqual in unit test code. (#​19345)
• Drop support for Ubuntu 25.04 'Plucky Puffin', add support for Ubuntu 25.10 'Questing Quokka'. (#​19348)
• Revert "Add an Admin API endpoint for listing quarantined media (#​19268)". (#​19351)
• Bump mdbook from 0.4.17 to 0.5.2 and remove our custom table-of-contents plugin in favour of the new default functionality. (#​19356)
• Replace deprecated usage of PyGitHub's GitRelease.title with .name in release script. (#​19358)
• Update the Element logo in Synapse's README to be an absolute URL, allowing it to render on other sites (such as PyPI). (#​19368)
• Apply minor tweaks to v1.145.0 changelog. (#​19376)
• Update Grafana dashboard syntax to use the latest from importing/exporting with Grafana 12.3.1. (#​19381)
• Warn about skipping reactor metrics when using unknown reactor type. (#​19383)
• Add support for reactor metrics with the ProxiedReactor used in worker Complement tests. (#​19385)

v1.145.0

Compare Source

Synapse 1.145.0 (2026-01-13)

No significant changes since 1.145.0rc4.

End of Life of Ubuntu 25.04 Plucky Puffin

Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.

Updates to Locked Dependencies No Longer Included in Changelog

The "Updates to locked dependencies" section has been removed from the changelog due to lack of use and the maintenance burden. (#​19254)

Synapse 1.145.0rc4 (2026-01-08)

No significant changes since 1.145.0rc3.

This RC contains a fix specifically for openSUSE packaging and no other changes.

Synapse 1.145.0rc3 (2026-01-07)

No significant changes since 1.145.0rc2.

This RC strips out unnecessary files from the wheels that were added when fixing the source distribution packaging in the previous RC.

Synapse 1.145.0rc2 (2026-01-07)

No significant changes since 1.145.0rc1.

This RC fixes the source distribution packaging for uploading to PyPI.

Synapse 1.145.0rc1 (2026-01-06)

Features

• Add memberships endpoint to the admin API. This is useful for forensics and T&S purposes. (#​19260)
• Server admins can bypass the quarantine media check when downloading media by setting the admin_unsafely_bypass_quarantine query parameter to true on Client-Server API media download requests. (#​19275)
• Implemented pagination for the MSC2666 mutual rooms endpoint. Contributed by @​tulir @​ Beeper. (#​19279)
• Admin API: add worker support to GET /_synapse/admin/v2/users/<user_id>. (#​19281)
• Improve proxy support for the federation_client.py dev script. Contributed by Denis Kasak (@​dkasak). (#​19300)

Bugfixes

• Fix sliding sync performance slow down for long lived connections. (#​19206)
• Fix a bug where Mastodon posts (and possibly other embeds) have the wrong description for URL previews. (#​19231)
• Fix bug where Duration was logged incorrectly. (#​19267)
• Fix bug introduced in 1.143.0 that broke support for versions of zope-interface older than 6.2. (#​19274)
• Transform events with client metadata before serialising in /event response. (#​19340)

Updates to the Docker image

• Add a way to expose metrics from the Docker image (SYNAPSE_ENABLE_METRICS). (#​19324)

Improved Documentation

• Document the importance of public_baseurl when configuring OpenID Connect authentication. (#​19270)

Deprecations and Removals

• Ubuntu 25.04 (Plucky Puffin) will be end of life on Jan 17, 2026. Synapse will stop building packages for Ubuntu 25.04 shortly thereafter.
• Remove the "Updates to locked dependencies" section from the changelog due to lack of use and the maintenance burden. (#​19254)

Internal Changes

• Group together dependabot update PRs to reduce the review load. (#​18402)
• Fix HomeServer.shutdown() failing if the homeserver hasn't been setup yet. (#​19187)
• Respond with useful error codes with Content-Length header/s are invalid. (#​19212)
• Fix HomeServer.shutdown() failing if the homeserver failed to start. (#​19232)
• Switch the build backend from poetry-core to maturin. (#​19234)
• Raise the limit for concurrently-open non-security @​dependabot PRs from 5 to 10. (#​19253)
• Require 14 days to pass before pulling in general dependency updates to help mitigate upstream supply chain attacks. (#​19258)
• Drop the broken netlify documentation workflow until a new one is implemented. (#​19262)
• Don't include debug logs in Clock unless explicitly enabled. (#​19278)
• Use uv to test olddeps to ensure all transitive dependencies use minimum versions. (#​19289)
• Add a config to be able to rate limit search in the user directory. (#​19291)
• Log the original bind exception when encountering Failed to listen on 0.0.0.0, continuing because listening on [::]. (#​19297)
• Unpin the version of Rust we use to build Synapse wheels (was 1.82.0) now that MacOS support has been dropped. (#​19302)
• Make it more clear how shared_extra_conf is combined in our Docker configuration scripts. (#​19323)
• Update CI to stream Complement progress and format logs in a separate step after all tests are done. (#​19326)
• Format .github/workflows/tests.yml. (#​19327)

v1.144.0

Compare Source

Synapse 1.144.0 (2025-12-09)

Deprecation of MacOS Python wheels

The team has decided to deprecate and stop publishing python wheels for MacOS as of this release. Synapse docker images will continue to work on MacOS, as will building Synapse from source (though note this requires a Rust compiler).

Unstable mutual rooms endpoint is now behind an experimental feature flag

Admins using the unstable MSC2666 endpoint (/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms), please check the relevant section in the upgrade notes as this release contains changes that disable that endpoint by default.

No significant changes since 1.144.0rc1.

Synapse 1.144.0rc1 (2025-12-02)

Admins using the unstable MSC2666 endpoint (/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms), please check the relevant section in the upgrade notes as this release contains changes that disable that endpoint by default.

Features

• Add experimental implementation of MSC4380 (invite blocking). (#​19203)
• Allow restarting delayed event timeouts on workers. (#​19207)

Bugfixes

• Fix a bug in the database function for fetching state deltas that could result in unnecessarily long query times. (#​18960)
• Fix v12 rooms when running with use_frozen_dicts: True. (#​19235)
• Fix bug where invalid canonical_alias content would return 500 instead of 400. (#​19240)
• Fix bug where Duration was logged incorrectly. (#​19267)

Improved Documentation

• Document in the --config-path help how multiple files are merged - by merging them shallowly. (#​19243)

Deprecations and Removals

• Stop building release wheels for MacOS. (#​19225)

Internal Changes

• Improve event filtering for Simplified Sliding Sync. (#​17782)
• Export SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES environment variable from scripts-dev/complement.sh. (#​19208)
• Refactor scripts-dev/complement.sh logic to avoid exit to facilitate being able to source it from other scripts (composable). (#​19209)
• Expire sliding sync connections that are too old or have too much pending data. (#​19211)
• Require an experimental feature flag to be enabled in order for the unstable MSC2666 endpoint (/_matrix/client/unstable/uk.half-shot.msc2666/user/mutual_rooms) to be available. (#​19219)
• Prevent changelog check CI running on @​dependabot's PRs even when a human has modified the branch. (#​19220)
• Auto-fix trailing spaces in multi-line strings and comments when running the lint script. (#​19221)
• Move towards using a dedicated Duration type. (#​19223, #​19229)
• Improve robustness of the SQL schema linting in CI. (#​19224)
• Add log to determine whether clients are using /messages as expected. (#​19226)
• Simplify README and add ESS Getting started section. (#​19228, #​19259)
• Add a unit test for ensuring associated refresh tokens are erased when a device is deleted. (#​19230)
• Prompt user to consider adding future deprecations to the changelog in release script. (#​19239)
• Fix check of the Rust compiled code being outdated when using source checkout and .egg-info. (#​19251)
• Stop building MacOS wheels in CI pipeline. (#​19263)

Updates to locked dependencies

• Bump Swatinem/rust-cache from 2.8.1 to 2.8.2. (#​19244)
• Bump actions/checkout from 5.0.0 to 6.0.0. (#​19213)
• Bump actions/setup-go from 6.0.0 to 6.1.0. (#​19214)
• Bump actions/setup-python from 6.0.0 to 6.1.0. (#​19245)
• Bump attrs from 25.3.0 to 25.4.0. (#​19215)
• Bump docker/metadata-action from 5.9.0 to 5.10.0. (#​19246)
• Bump http from 1.3.1 to 1.4.0. (#​19249)
• Bump pydantic from 2.12.4 to 2.12.5. (#​19250)
• Bump pyopenssl from 25.1.0 to 25.3.0. (#​19248)
• Bump rpds-py from 0.28.0 to 0.29.0. (#​19216)
• Bump rpds-py from 0.29.0 to 0.30.0. (#​19247)
• Bump sentry-sdk from 2.44.0 to 2.46.0. (#​19218)
• Bump types-bleach from 6.2.0.20250809 to 6.3.0.20251115. (#​19217)
• Bump types-jsonschema from 4.25.1.20250822 to 4.25.1.20251009. (#​19252)

v1.143.0

Compare Source

Synapse 1.143.0 (2025-11-25)

Dropping support for PostgreSQL 13

In line with our deprecation policy, we've dropped support for PostgreSQL 13, as it is no longer supported upstream. This release of Synapse requires PostgreSQL 14+.

No significant changes since 1.143.0rc2.

synapse 1.143.0rc2 (2025-11-18)

Internal Changes

• Fixes docker image creation in the release workflow.

Synapse 1.143.0rc1 (2025-11-18)

Features

• Support multiple config files in register_new_matrix_user. (#​18784)
• Remove authentication from POST /_matrix/client/v1/delayed_events, and allow calling this endpoint with the update action to take (send/cancel/restart) in the request path instead of the body. (#​19152)

Bugfixes

• Fixed a longstanding bug where background updates were only run on the main database. (#​19181)
• Fixed a bug introduced in v1.142.0 preventing subpaths in MAS endpoints from working. (#​19186)
• Fix the SQLite-to-PostgreSQL migration script to correctly migrate a boolean column in the delayed_events table. (#​19155)

Improved Documentation

• Improve documentation around streams, particularly ID generators and adding new streams. (#​18943)

Deprecations and Removals

• Remove support for PostgreSQL 13. (#​19170)

Internal Changes

• Provide additional servers with federation room directory results. (#​18970)
• Add a shortcut return when there are no events to purge. (#​19093)
• Write union types as X | Y where possible, as per PEP 604, added in Python 3.10. (#​19111)
• Reduce cardinality of synapse_storage_events_persisted_events_sep_total metric by removing origin_entity label. This also separates out events sent by local application services by changing the origin_type for such events to application_service. The type field also only tracks common event types, and anything else is bucketed under *other*. (#​19133, #​19168)
• Run trial tests on Python 3.14 for PRs. (#​19135)
• Update pyproject.toml project metadata to be compatible with standard Python packaging tooling. (#​19137)
• Minor speed up of processing of inbound replication. (#​19138, #​19145, #​19146)
• Ignore recent Python language refactors from git blame (.git-blame-ignore-revs). (#​19150)
• Bump lower bounds of dependencies parameterized to 0.9.0 and idna to 3.3 as those are the first to advertise support for Python 3.10. (#​19167)
• Point out which event caused the exception when checking MSC4293 redactions. (#​19169)
• Restore printing sentinel for the log record request when no logcontext is active. (#​19172)
• Add debug logs to track Clock utilities. (#​19173)
• Remove explicit python version skips in cibuildwheel config as it's no longer required after #​19137. (#​19177)
• Fix potential lost logcontext when PerDestinationQueue.shutdown(...) is called. (#​19178)
• Fix bad deferred logcontext handling across the codebase. (#​19180)

Updates to locked dependencies

• Bump bytes from 1.10.1 to 1.11.0. (#​19193)
• Bump click from 8.1.8 to 8.3.1. (#​19195)
• Bump cryptography from 43.0.3 to 45.0.7. (#​19159)
• Bump docker/metadata-action from 5.8.0 to 5.9.0. (#​19161)
• Bump pydantic from 2.12.3 to 2.12.4. (#​19158)
• Bump pyo3-log from 0.13.1 to 0.13.2. (#​19156)
• Bump ruff from 0.14.3 to 0.14.5. (#​19196)
• Bump sentry-sdk from 2.34.1 to 2.43.0. (#​19157)
• Bump sentry-sdk from 2.43.0 to 2.44.0. (#​19197)
• Bump tomli from 2.2.1 to 2.3.0. (#​19194)
• Bump types-netaddr from 1.3.0.20240530 to 1.3.0.20251108. (#​19160)

v1.142.1

Compare Source

Synapse 1.142.1 (2025-11-18)

Bugfixes

• Fixed a bug introduced in v1.142.0 preventing subpaths in MAS endpoints from working. (#​19186)

v1.142.0

Compare Source

Synapse 1.142.0 (2025-11-11)

Dropped support for Python 3.9

This release drops support for Python 3.9, in line with our dependency deprecation policy, as it is now end of life.

SQLite 3.40.0+ is now required

The minimum supported SQLite version has been increased from 3.27.0 to 3.40.0.

If you use current versions of the matrixorg/synapse Docker images, no action is required.

Deprecation of MacOS Python wheels

The team has decided to deprecate and eventually stop publishing python wheels for MacOS. This is a burden on the team, and we're not aware of any parties that use them. Synapse docker images will continue to work on MacOS, as will building Synapse from source (though note this requires a Rust compiler).

At present, publishing MacOS Python wheels will continue for the next release (1.143.0), but will not be available after that (1.144.0+). If you do make use of these wheels downstream, please reach out to us in #synapse-dev:matrix.org. We'd love to hear from you!

Internal Changes

• Properly stop building wheels for Python 3.9 and free-threaded CPython. (#​19154)

Synapse 1.142.0rc4 (2025-11-07)

Bugfixes

• Fix a bug introduced in 1.142.0rc1 where any attempt to configure matrix_authentication_service.secret_path would prevent the homeserver from starting up. (#​19144)

Synapse 1.142.0rc3 (2025-11-04)

Internal Changes

• Update release scripts to prevent building wheels for free-threaded Python, as Synapse does not currently support it. (#​19140)

Synapse 1.142.0rc2 (2025-11-04)

Internal Changes

• Manually skip building Python 3.9 wheels, to prevent errors in the release workflow. (#​19119)

Synapse 1.142.0rc1 (2025-11-04)

Features

• Add support for Python 3.14. (#​19055, #​19134)
• Add an Admin API
  to allow an admin to fetch the space/room hierarchy for a given space. (#​19021)

Bugfixes

• Fix a bug introduced in 1.111.0 where failed attempts to download authenticated remote media would not be handled correctly. (#​19062)
• Update the oidc_session_no_samesite cookie to have the Secure attribute, so the only difference between it and the paired oidc_session cookie, is the configuration of the SameSite attribute as described in the comments / cookie names. Contributed by @​kieranlane. (#​19079)
• Fix a bug introduced in 1.140.0 where lost logcontext warnings would be emitted from timeouts in sync and requests made by Synapse itself. (#​19090)
• Fix a bug introdued in 1.140.0 where lost logcontext warning were emitted when using HomeServer.shutdown(). (#​19108)

Improved Documentation

• Update the link to the Debian oldstable package for SQLite. (#​19047)
• Point out additional Redis configuration options available in the worker docs. Contributed by @​servisbryce. (#​19073)
• Update the list of Debian releases that the downstream Debian package is maintained for. (#​19100)
• Add a page to the documentation describing the steps the Synapse team takes to review the release notes before publishing them. (#​19109)

Deprecations and Removals

• Drop support for Python 3.9. (#​19099)
• Remove support for SQLite < 3.37.2. (#​19047)

Internal Changes

• Fix CI linter for schema delta files to correctly handle all types of CREATE TABLE syntax. (#​19020)
• Use type hinting generics in standard collections, as per PEP 585, added in Python 3.9. (#​19046)
• Always treat RETURNING as supported by SQL engines, now that the minimum-supported versions of both SQLite and PostgreSQL support it. (#​19047)
• Move oidc.load_metadata() startup into _base.start(). (#​19056)
• Remove logcontext problems caused by awaiting raw deferLater(...). (#​19058)
• Prevent duplicate logging setup when running multiple Synapse instances. (#​19067)
• Be mindful of other logging context filters in 3rd-party code and avoid overwriting log record fields unless we know the log record is relevant to Synapse. (#​19068)
• Update pydantic to v2. (#​19071)
• Update deprecated code in the release script to prevent a warning message from being printed. (#​19080)
• Update the deprecated poetry development dependencies group name in pyproject.toml. (#​19081)
• Remove pp38* skip selector from cibuildwheel to silence warning. (#​19085)
• Don't immediately exit the release script if the checkout is dirty. Instead, allow the user to clear the dirty changes and retry. (#​19088)
• Update the release script's generated announcement text to include a title and extra text for RC's. (#​19089)
• Fix lints on main branch. (#​19092)
• Use cheaper random string function in logcontext utilities. (#​19094)
• Avoid clobbering other SIGHUP handlers in 3rd-party code. (#​19095)
• Prevent duplicate GitHub draft releases being created during the Synapse release process. (#​19096)
• Use Pillow's Image.getexif method instead of the experimental Image._getexif. (#​19098)
• Prevent uv /usr/local/.lock file from appearing in built Synapse docker images. (#​19107)
• Allow Synapse's runtime dependency checking code to take packaging markers (i.e. python <= 3.14) into account when checking dependencies. (#​19110)
• Move exception handling up the stack (avoid exit(1) in our composable functions). (#​19116)
• Fix a lint error related to lifetimes in Rust 1.90. (#​19118)
• Refactor and align app entrypoints (avoid exit(1) in our composable functions). (#​19121, #​19131)
• Speed up pruning of ratelimiters. (#​19129)

Updates to locked dependencies

• Bump actions/download-artifact from 5.0.0 to 6.0.0. (#​19102)
• Bump actions/upload-artifact from 4 to 5. (#​19106)
• Bump hiredis from 3.2.1 to 3.3.0. (#​19103)
• Bump icu_segmenter from 2.0.0 to 2.0.1. (#​19126)
• Bump idna from 3.10 to 3.11. (#​19053)
• Bump ijson from 3.4.0 to 3.4.0.post0. (#​19051)
• Bump markdown-it-py from 3.0.0 to 4.0.0. (#​19123)
• Bump msgpack from 1.1.1 to 1.1.2. (#​19050)
• Bump psycopg2 from 2.9.10 to 2.9.11. (#​19125)
• Bump pyyaml from 6.0.2 to 6.0.3. (#​19105)
• Bump regex from 1.11.3 to 1.12.2. (#​19074)
• Bump reqwest from 0.12.23 to 0.12.24. (#​19077)
• Bump ruff from 0.12.10 to 0.14.3. (#​19124)
• Bump sigstore/cosign-installer from 3.10.0 to 4.0.0. (#​19075)
• Bump stefanzweifel/git-auto-commit-action from 6.0.1 to 7.0.0. (#​19052)
• Bump tokio from 1.47.1 to 1.48.0. (#​19076)
• Bump types-psycopg2 from 2.9.21.20250915 to 2.9.21.20251012. (#​19054)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.