v1.141.0

Synapse 1.141.0 (2025-10-29)

Deprecation of MacOS Python wheels

The team has decided to deprecate and eventually stop publishing python wheels
for MacOS. This is a burden on the team, and we're not aware of any parties
that use them. Synapse docker images will continue to work on MacOS, as will
building Synapse from source (though note this requires a Rust compiler).

Publishing MacOS Python wheels will continue for the next few releases. If you
do make use of these wheels downstream, please reach out to us in
#synapse-dev:matrix.org. We'd
love to hear from you!

Docker images now based on Debian trixie with Python 3.13

The Docker images are now based on Debian trixie and use Python 3.13. If you
are using the Docker images as a base image you may need to e.g. adjust the
paths you mount any additional Python packages at.

No significant changes since 1.141.0rc2.

Synapse 1.141.0rc2 (2025-10-28)

Bugfixes

• Fix users being unable to log in if their password, or the server's configured pepper, was too long. (#19101)

Synapse 1.141.0rc1 (2025-10-21)

Features

• Allow using MSC4190 behavior without the opt-in registration flag. Contributed by @tulir @ Beeper. (#19031)
• Stabilized support for MSC4326: Device masquerading for appservices. Contributed by @tulir @ Beeper. (#19033)

Bugfixes

• Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be reload-ed more than once when running under systemd. (#19060)
• Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long. (#19078)

Updates to the Docker image

• Update docker image to use Debian trixie as the base and thus Python 3.13. (#19064)

Internal Changes

• Move unique snowflake homeserver background tasks to start_background_tasks (the standard pattern for this kind of thing). (#19037)
• Drop a deprecated field of the PyGitHub dependency in the release script and raise the dependency's minimum version to 1.59.0. (#19039)
• Update TODO list of conflicting areas where we encounter metrics being clobbered (ApplicationService). (#19040)

v1.141.0rc2

Synapse 1.141.0rc2 (2025-10-28)

Deprecation of MacOS Python wheels

The team has decided to deprecate and eventually stop publishing python wheels for MacOS. This is a burden on the team, and we're not aware of any parties that use them. Synapse docker images will continue to work on MacOS, as will building Synapse from source (though note this requires a Rust compiler).

Publishing MacOS Python wheels will continue for the next few releases. If you do make use of these wheels downstream, please reach out to us in #synapse-dev:matrix.org. We'd love to hear from you!

Bugfixes

• Fix users being unable to log in if their password, or the server's configured pepper, was too long. (#19101)

v1.141.0rc1

Synapse 1.141.0rc1 (2025-10-21)

Deprecation of MacOS Python wheels

The team has decided to deprecate and eventually stop publishing python wheels for MacOS. This is a burden on the team, and we're not aware of any parties that use them. Synapse docker images will continue to work on MacOS, as will building Synapse from source (though note this requires a Rust compiler).

Publishing MacOS Python wheels will continue for the next few releases. If you do make use of these wheels downstream, please reach out to us in #synapse-dev:matrix.org. We'd love to hear from you!

Features

• Allow using MSC4190 behavior without the opt-in registration flag. Contributed by @tulir @ Beeper. (#19031)
• Stabilize support for MSC4326: Device masquerading for appservices. Contributed by @tulir @ Beeper. (#19033)

Bugfixes

• Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be reload-ed more than once when running under systemd. (#19060)
• Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long. (#19078)

Updates to the Docker image

• Update docker image to use Debian trixie as the base and thus Python 3.13. (#19064)

Internal Changes

• Move unique snowflake homeserver background tasks to start_background_tasks (the standard pattern for this kind of thing). (#19037)
• Drop a deprecated field of the PyGitHub dependency in the release script and raise the dependency's minimum version to 1.59.0. (#19039)
• Update TODO list of conflicting areas where we encounter metrics being clobbered (ApplicationService). (#19040)

v1.140.0

Synapse 1.140.0 (2025-10-14)

Compatibility notice for users of synapse-s3-storage-provider

Deployments that make use of the synapse-s3-storage-provider module must upgrade to v1.6.0.

Using older versions of the module with this release of Synapse will prevent users from being able to upload or download media.

No significant changes since 1.140.0rc1.

Synapse 1.140.0rc1 (2025-10-10)

Features

• Add a new Media Query by ID Admin API that allows server admins to query and investigate the metadata of local or cached remote media via
  the origin/media_id identifier found in a Matrix Content URI. (#18911)
• Add a new Fetch Event Admin API to fetch an event by ID. (#18963)
• Update MSC4284: Policy Servers implementation to support signatures when available. (#18934)
• Add experimental implementation of the GET /_matrix/client/v1/rtc/transports endpoint for the latest draft of MSC4143: MatrixRTC. (#18967)
• Expose a defer_to_threadpool function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool. (#19032)

Bugfixes

• Fix room upgrade room_config argument and documentation for user_may_create_room spam-checker callback. (#18721)
• Compute a user's last seen timestamp from their devices' last seen timestamps instead of IPs, because the latter are automatically cleared according to user_ips_max_age. (#18948)
• Fix bug where ephemeral events were not filtered by room ID. Contributed by @frastefanini. (#19002)
• Update Synapse main process version string to include git info. (#19011)

Improved Documentation

• Explain how Deferred callbacks interact with logcontexts. (#18914)
• Fix documentation for rc_room_creation and rc_reports to clarify that a per_user rate limit is not supported. (#18998)

Deprecations and Removals

• Remove deprecated LoggingContext.set_current_context/LoggingContext.current_context methods which already have equivalent bare methods in synapse.logging.context. (#18989)
• Drop support for unstable field names from the long-accepted MSC2732 (Olm fallback keys) proposal. (#18996)

Internal Changes

• Cleanly shutdown SynapseHomeServer object, allowing artifacts of embedded small hosts to be properly garbage collected. (#18828)
• Update OEmbed providers to use 'X' instead of 'Twitter' in URL previews, following a rebrand. Contributed by @HammyHavoc. (#18767)
• Fix server_name in logging context for multiple Synapse instances in one process. (#18868)
• Wrap the Rust HTTP client with make_deferred_yieldable so it follows Synapse logcontext rules. (#18903)
• Fix the GitHub Actions workflow that moves issues labeled "X-Needs-Info" to the "Needs info" column on the team's internal triage board. (#18913)
• Disconnect background process work from request trace. (#18932)
• Reduce overall number of calls to _get_e2e_cross_signing_signatures_for_devices by increasing the batch size of devices the query is called with, reducing DB load. (#18939)
• Update error code used when an appservice tries to masquerade as an unknown device using MSC4326. Contributed by @tulir @ Beeper. (#18947)
• Fix no active span when trying to log tracing error on startup (when OpenTracing is enabled). (#18959)
• Fix run_coroutine_in_background(...) incorrectly handling logcontext. (#18964)
• Add debug logs wherever we change current logcontext. (#18966)
• Update dockerfile metadata to fix broken link; point to documentation website. (#18971)
• Note that the code is additionally licensed under the Element Commercial license in SPDX expression field configs. (#18973)
• Fix logcontext handling in timeout_deferred tests. (#18974)
• Remove internal ReplicationUploadKeysForUserRestServlet as a follow-up to the work in #18581 that moved device changes off the main process. (#18988)
• Switch task scheduler from raw logcontext manipulation to using the dedicated logcontext utils. (#18990)
• Remove MockClock() in tests. (#18992)
• Switch back to our own custom LogContextScopeManager instead of OpenTracing's ContextVarsScopeManager which was causing problems when using the experimental SYNAPSE_ASYNC_IO_REACTOR option with tracing enabled. (#19007)
• Remove version_string argument from HomeServer since it's always the same. (#19012)
• Remove duplicate call to hs.start_background_tasks() introduced from a bad merge. (#19013)
• Split homeserver creation (create_homeserver) and setup (setup). (#19015)
• Swap near-end-of-life macos-13 GitHub Actions runner for the macos-15-intel variant. (#19025)
• Introduce RootConfig.validate_config() which can be subclassed in HomeServerConfig to do cross-config class validation. (#19027)
• Allow any command of the release.py script to accept a --gh-token argument. (#19035)

Updates to locked dependencies

• Bump Swatinem/rust-cache from 2.8.0 to 2.8.1. (#18949)
• Bump actions/cache from 4.2.4 to 4.3.0. (#18983)
• Bump anyhow from 1.0.99 to 1.0.100. (#18950)
• Bump authlib from 1.6.3 to 1.6.4. (#18957)
• Bump authlib from 1.6.4 to 1.6.5. (#19019)
• Bump bcrypt from 4.3.0 to 5.0.0. (#18984)
• Bump docker/login-action from 3.5.0 to 3.6.0. (#18978)
• Bump lxml from 6.0.0 to 6.0.2. (#18979)
• Bump phonenumbers from 9.0.13 to 9.0.14. (#18954)
• Bump phonenumbers from 9.0.14 to 9.0.15. (#18991)
• Bump prometheus-client from 0.22.1 to 0.23.1. (#19016)
• Bump pydantic from 2.11.9 to 2.11.10. (#19017)
• Bump pygithub from 2.7.0 to 2.8.1. (#18952)
• Bump regex from 1.11.2 to 1.11.3. (#18981)
• Bump serde from 1.0.224 to 1.0.226. (#18953)
• Bump serde from 1.0.226 to 1.0.228. (#18982)
• Bump setuptools-rust from 1.11.1 to 1.12.0. (#18980)
• Bump twine from 6.1.0 to 6.2.0. (#18985)
• Bump types-pyyaml from 6.0.12.20250809 to 6.0.12.20250915. (#19018)
• Bump types-requests from 2.32.4.20250809 to 2.32.4.20250913. (#18951)
• Bump typing-extensions from 4.14.1 to 4.15.0. (#18956)

v1.140.0rc1

Synapse 1.140.0rc1 (2025-10-10)

Compatibility notice for users of synapse-s3-storage-provider

Deployments that make use of the synapse-s3-storage-provider module must upgrade to v1.6.0. Using older versions of the module with this release of Synapse will prevent users from being able to upload or download media.

Features

• Add a new Media Query by ID Admin API that allows server admins to query and investigate the metadata of local or cached remote media via
  the origin/media_id identifier found in a Matrix Content URI. (#18911)
• Add a new Fetch Event Admin API to fetch an event by ID. (#18963)
• Update MSC4284: Policy Servers implementation to support signatures when available. (#18934)
• Add experimental implementation of the GET /_matrix/client/v1/rtc/transports endpoint for the latest draft of MSC4143: MatrixRTC. (#18967)
• Expose a defer_to_threadpool function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool. (#19032)

Bugfixes

• Fix room upgrade room_config argument and documentation for user_may_create_room spam-checker callback. (#18721)
• Compute a user's last seen timestamp from their devices' last seen timestamps instead of IPs, because the latter are automatically cleared according to user_ips_max_age. (#18948)
• Fix bug where ephemeral events were not filtered by room ID. Contributed by @frastefanini. (#19002)
• Update Synapse main process version string to include git info. (#19011)

Improved Documentation

• Explain how Deferred callbacks interact with logcontexts. (#18914)
• Fix documentation for rc_room_creation and rc_reports to clarify that a per_user rate limit is not supported. (#18998)

Deprecations and Removals

• Remove deprecated LoggingContext.set_current_context/LoggingContext.current_context methods which already have equivalent bare methods in synapse.logging.context. (#18989)
• Drop support for unstable field names from the long-accepted MSC2732 (Olm fallback keys) proposal. (#18996)

Internal Changes

• Cleanly shutdown SynapseHomeServer object, allowing artifacts of embedded small hosts to be properly garbage collected. (#18828)
• Update OEmbed providers to use 'X' instead of 'Twitter' in URL previews, following a rebrand. Contributed by @HammyHavoc. (#18767)
• Fix server_name in logging context for multiple Synapse instances in one process. (#18868)
• Wrap the Rust HTTP client with make_deferred_yieldable so it follows Synapse logcontext rules. (#18903)
• Fix the GitHub Actions workflow that moves issues labeled "X-Needs-Info" to the "Needs info" column on the team's internal triage board. (#18913)
• Disconnect background process work from request trace. (#18932)
• Reduce overall number of calls to _get_e2e_cross_signing_signatures_for_devices by increasing the batch size of devices the query is called with, reducing DB load. (#18939)
• Update error code used when an appservice tries to masquerade as an unknown device using MSC4326. Contributed by @tulir @ Beeper. (#18947)
• Fix no active span when trying to log tracing error on startup (when OpenTracing is enabled). (#18959)
• Fix run_coroutine_in_background(...) incorrectly handling logcontext. (#18964)
• Add debug logs wherever we change current logcontext. (#18966)
• Update dockerfile metadata to fix broken link; point to documentation website. (#18971)
• Note that the code is additionally licensed under the Element Commercial license in SPDX expression field configs. (#18973)
• Fix logcontext handling in timeout_deferred tests. (#18974)
• Remove internal ReplicationUploadKeysForUserRestServlet as a follow-up to the work in #18581 that moved device changes off the main process. (#18988)
• Switch task scheduler from raw logcontext manipulation to using the dedicated logcontext utils. (#18990)
• Remove MockClock() in tests. (#18992)
• Switch back to our own custom LogContextScopeManager instead of OpenTracing's ContextVarsScopeManager which was causing problems when using the experimental SYNAPSE_ASYNC_IO_REACTOR option with tracing enabled. (#19007)
• Remove version_string argument from HomeServer since it's always the same. (#19012)
• Remove duplicate call to hs.start_background_tasks() introduced from a bad merge. (#19013)
• Split homeserver creation (create_homeserver) and setup (setup). (#19015)
• Swap near-end-of-life macos-13 GitHub Actions runner for the macos-15-intel variant. (#19025)
• Introduce RootConfig.validate_config() which can be subclassed in HomeServerConfig to do cross-config class validation. (#19027)
• Allow any command of the release.py script to accept a --gh-token argument. (#19035)

Updates to locked dependencies

• Bump Swatinem/rust-cache from 2.8.0 to 2.8.1. (#18949)
• Bump actions/cache from 4.2.4 to 4.3.0. (#18983)
• Bump anyhow from 1.0.99 to 1.0.100. (#18950)
• Bump authlib from 1.6.3 to 1.6.4. (#18957)
• Bump authlib from 1.6.4 to 1.6.5. (#19019)
• Bump bcrypt from 4.3.0 to 5.0.0. (#18984)
• Bump docker/login-action from 3.5.0 to 3.6.0. (#18978)
• Bump lxml from 6.0.0 to 6.0.2. (#18979)
• Bump phonenumbers from 9.0.13 to 9.0.14. (#18954)
• Bump phonenumbers from 9.0.14 to 9.0.15. (#18991)
• Bump prometheus-client from 0.22.1 to 0.23.1. (#19016)
• Bump pydantic from 2.11.9 to 2.11.10. (#19017)
• Bump pygithub from 2.7.0 to 2.8.1. (#18952)
• Bump regex from 1.11.2 to 1.11.3. (#18981)
• Bump serde from 1.0.224 to 1.0.226. (#18953)
• Bump serde from 1.0.226 to 1.0.228. (#18982)
• Bump setuptools-rust from 1.11.1 to 1.12.0. (#18980)
• Bump twine from 6.1.0 to 6.2.0. (#18985)
• Bump types-pyyaml from 6.0.12.20250809 to 6.0.12.20250915. (#19018)
• Bump types-requests from 2.32.4.20250809 to 2.32.4.20250913. (#18951)
• Bump typing-extensions from 4.14.1 to 4.15.0. (#18956)

v1.139.2

Synapse 1.139.2 (2025-10-07)

Bugfixes

• Fix a bug introduced in 1.139.1 where a client could receive an Internal Server Error if they set device_keys: null in the request to POST /_matrix/client/v3/keys/upload. (#19023)

v1.139.1

Synapse 1.139.1 (2025-10-07)

Security Fixes

• Fix CVE-2025-61672 / GHSA-fh66-fcv5-jjfr. Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. (#17097)

Deprecations and Removals

• Drop support for unstable field names from the long-accepted MSC2732 (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. (#18996)

v1.138.4

Synapse 1.138.4 (2025-10-07)

Bugfixes

• Fix a bug introduced in 1.138.3 where a client could receive an Internal Server Error if they set device_keys: null in the request to POST /_matrix/client/v3/keys/upload. (#19023)

v1.138.3

Synapse 1.138.3 (2025-10-07)

Security Fixes

• Fix CVE-2025-61672 / GHSA-fh66-fcv5-jjfr. Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. (#17097)

Deprecations and Removals

• Drop support for unstable field names from the long-accepted MSC2732 (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. (#18996)

v1.139.0

Synapse 1.139.0 (2025-09-30)

/register requests from old application service implementations may break when using MAS

If you are using Matrix Authentication Service (MAS), as of this release any Application Services that do not set inhibit_login=true when calling POST /_matrix/client/v3/register will receive the error IO.ELEMENT.MSC4190.M_APPSERVICE_LOGIN_UNSUPPORTED in response.

Please see the upgrade notes for more information.

No significant changes since 1.139.0rc3.

Synapse 1.139.0rc3 (2025-09-25)

Bugfixes

• Fix a bug introduced in 1.139.0rc1 where run_coroutine_in_background(...) incorrectly handled logcontexts, resulting in partially broken logging. (#18964)

Synapse 1.139.0rc2 (2025-09-23)

Internal Changes

• Drop support for Ubuntu 24.10 Oracular Oriole, and add support for Ubuntu 25.04 Plucky Puffin. (#18962)

Synapse 1.139.0rc1 (2025-09-23)

Features

• Add experimental support for MSC4308: Thread Subscriptions extension to Sliding Sync when MSC4306: Thread Subscriptions and MSC4186: Simplified Sliding Sync are enabled. (#18695)
• Update push rules for experimental MSC4306: Thread Subscriptions to follow a newer draft. (#18846)
• Add get_media_upload_limits_for_user and on_media_upload_limit_exceeded module API callbacks to the media repository. (#18848)
• Support MSC4169 for backwards-compatible redaction sending using the /send endpoint. Contributed by @SpiritCroc @ Beeper. (#18898)
• Add an in-memory cache to _get_e2e_cross_signing_signatures_for_devices to reduce DB load. (#18899)
• Update MSC4190 support to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication. Contributed by @tulir @ Beeper. (#18946)

Bugfixes

• Ensure all PDUs sent via /send pass canonical JSON checks. (#18641)
• Fix bug where we did not send invite revocations over federation. (#18823)
• Fix prefixed support for MSC4133. (#18875)
• Fix open redirect in legacy SSO flow with the idp query parameter. (#18909)
• Fix a performance regression related to the experimental Delayed Events (MSC4140) feature. (#18926)

Updates to the Docker image

• Suppress "Applying schema" log noise bulk when SYNAPSE_LOG_TESTING is set. (#18878)

Improved Documentation

• Clarify Python dependency constraints in our deprecation policy. (#18856)
• Clarify necessary jwt_config parameter in OIDC documentation for authentik. Contributed by @maxkratz. (#18931)

Deprecations and Removals

• Remove obsolete and experimental /sync/e2ee endpoint. (#18583)

Internal Changes

• Fix LaterGauge metrics to collect from all servers. (#18791)
• Configure Synapse to run MSC4306: Thread Subscriptions Complement tests. (#18819)
• Remove sentinel logcontext usage where we log in setup, start and exit. (#18870)
• Use the Enum's value for the dictionary key when responding to an admin request for experimental features. (#18874)
• Start background tasks after we fork the process (daemonize). (#18886)
• Better explain how we manage the logcontext in run_in_background(...) and run_as_background_process(...). (#18900, #18906)
• Remove sentinel logcontext usage in Clock utilities like looping_call and call_later. (#18907)
• Replace usages of the deprecated pkg_resources interface in preparation of setuptools dropping it soon. (#18910)
• Split loading config from homeserver setup. (#18933)
• Fix run_in_background not being awaited properly in some tests causing LoggingContext problems. (#18937)
• Fix run_as_background_process not being awaited properly causing LoggingContext problems in experimental MSC4140: Delayed events implementation. (#18938)
• Introduce Clock.call_when_running(...) to wrap startup code in a logcontext, ensuring we can identify which server generated the logs. (#18944)
• Introduce Clock.add_system_event_trigger(...) to wrap system event callback code in a logcontext, ensuring we can identify which server generated the logs. (#18945)

Updates to locked dependencies

• Bump actions/setup-go from 5.5.0 to 6.0.0. (#18891)
• Bump actions/setup-python from 5.6.0 to 6.0.0. (#18890)
• Bump authlib from 1.6.1 to 1.6.3. (#18921)
• Bump jsonschema from 4.25.0 to 4.25.1. (#18897)
• Bump log from 0.4.27 to 0.4.28. (#18892)
• Bump phonenumbers from 9.0.12 to 9.0.13. (#18893)
• Bump pydantic from 2.11.7 to 2.11.9. (#18922)
• Bump serde from 1.0.219 to 1.0.223. (#18920)
• Bump serde_json from 1.0.143 to 1.0.145. (#18919)
• Bump sigstore/cosign-installer from 3.9.2 to 3.10.0. (#18917)
• Bump towncrier from 24.8.0 to 25.8.0. (#18894)
• Bump types-psycopg2 from 2.9.21.20250809 to 2.9.21.20250915. (#18918)
• Bump types-requests from 2.32.4.20250611 to 2.32.4.20250809. (#18895)
• Bump types-setuptools from 80.9.0.20250809 to 80.9.0.20250822. (#18924)