v1.136.0

Synapse 1.136.0 (2025-08-12)

Note: This release includes the security fixes from 1.135.2 and 1.136.0rc2, detailed below.

Please also check the relevant section in the upgrade notes for the changes to MAS support, metrics labels and the module API which may require your attention when upgrading.

Bugfixes

• Fix bug introduced in 1.135.2 and 1.136.0rc2 where the Make Room Admin API would not treat a room v12's creator power level as the highest in room. (#18805)

Synapse 1.136.0rc2 (2025-08-11)

This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.

The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

Note: release 1.135.1 was skipped due to issues discovered during the release process.

Two patched Synapse releases are now available:

• 1.135.2: stable release comprised of 1.135.0 + security patches
  • Upgrade to this release if you are currently running 1.135.0 or below.
• 1.136.0rc2: unstable release candidate comprised of 1.136.0rc1 + security patches.
  • Upgrade to this release only if you are on 1.136.0rc1.

Bugfixes

• Update MSC4293 redaction logic for room v12. (#80)

Internal Changes

• Add a parameter to upgrade_rooms(..) to allow auto join local users. (#83)

Synapse 1.136.0rc1 (2025-08-05)

Features

• Add configurable rate limiting for the creation of rooms. (#18514)
• Add support for MSC4293 - Redact on Kick/Ban. (#18540)
• When admins enable themselves to see soft-failed events, they will also see if the cause is due to the policy server flagging them as spam via unsigned. (#18585)
• Add ability to configure forward/outbound proxy via homeserver config instead of environment variables. See http_proxy, https_proxy, no_proxy_hosts. (#18686)
• Advertise experimental support for MSC4306 (Thread Subscriptions) through /_matrix/clients/versions if enabled. (#18722)
• Stabilise support for delegating authentication to Matrix Authentication Service. (#18759)
• Implement the push rules for experimental MSC4306: Thread Subscriptions. (#18762)

Bugfixes

• Allow return code 403 (allowed by C2S Spec since v1.2) when fetching profiles via federation. (#18696)
• Register the MSC4306 (Thread Subscriptions) endpoints in the CS API when the experimental feature is enabled. (#18726)
• Fix a long-standing bug where suspended users could not have server notices sent to them (a 403 was returned to the admin). (#18750)
• Fix an issue that could cause logcontexts to be lost on rate-limited requests. Found by @realtyem. (#18763)
• Fix invalidation of storage cache that was broken in 1.135.0. (#18786)

Improved Documentation

• Minor improvements to README. (#18700)
• Document that there can be multiple workers handling the receipts stream. (#18760)
• Improve worker documentation for some device paths. (#18761)

Deprecations and Removals

• Deprecate run_as_background_process exported as part of the module API interface in favor of ModuleApi.run_as_background_process. See the relevant section in the upgrade notes for more information. (#18737)

Internal Changes

• Add debug logging for HMAC digest verification failures when using the admin API to register users. (#18474)
• Speed up upgrading a room with large numbers of banned users. (#18574)
• Fix config documentation generation script on Windows by enforcing UTF-8. (#18580)
• Refactor cache, background process, Counter, LaterGauge, GaugeBucketCollector, Histogram, and Gauge metrics to be homeserver-scoped. (#18656, #18714, #18715, #18724, #18753, #18725, #18670, #18748, #18751)
• Reduce database usage in Sliding Sync by not querying for background update completion after the update is known to be complete. (#18718)
• Improve order of validation and ratelimiting in room creation. (#18723)
• Bump minimum version bound on Twisted to 21.2.0. (#18727, #18729)
• Use twisted.internet.testing module in tests instead of deprecated twisted.test.proto_helpers. (#18728)
• Remove obsolete /send_event replication endpoint. (#18730)
• Update metrics linting to be able to handle custom metrics. (#18733)
• Work around twisted.protocols.amp.TooLong error by reducing logging in some tests. (#18736)
• Prevent "Move labelled issues to correct projects" GitHub Actions workflow from failing when an issue is already on the project board. (#18755)
• Bump minimum supported Rust version (MSRV) to 1.82.0. Missed in #18553 (released in Synapse 1.134.0). (#18757)
• Make Clock.sleep(...) return a coroutine, so that mypy can catch places where we don't await on it. (#18772)
• Update implementation of MSC4306: Thread Subscriptions to include automatic subscription conflict prevention as introduced in later drafts. (#18756)

Updates to locked dependencies

• Bump gitpython from 3.1.44 to 3.1.45. (#18743)
• Bump mypy-zope from 1.0.12 to 1.0.13. (#18744)
• Bump phonenumbers from 9.0.9 to 9.0.10. (#18741)
• Bump ruff from 0.12.4 to 0.12.5. (#18742)
• Bump sentry-sdk from 2.32.0 to 2.33.2. (#18745)
• Bump tokio from 1.46.1 to 1.47.0. (#18740)
• Bump types-jsonschema from 4.24.0.20250708 to 4.25.0.20250720. (#18703)
• Bump types-psycopg2 from 2.9.21.20250516 to 2.9.21.20250718. (#18706)

v1.136.0rc2

Synapse 1.136.0rc2 (2025-08-11)

This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.

The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

Note: release 1.135.1 was skipped due to issues discovered during the release process.

Two patched Synapse releases are now available:

• 1.135.2: stable release comprised of 1.135.0 + security patches
  • Upgrade to this release if you are currently running 1.135.0 or below.
• 1.136.0rc2: unstable release candidate comprised of 1.136.0rc1 + security patches.
  • Upgrade to this release only if you are on 1.136.0rc1.

Bugfixes

• Update MSC4293 redaction logic for room v12. (#80)

Internal Changes

• Add a parameter to upgrade_rooms(..) to allow auto join local users. (#83)

v1.135.2

Synapse 1.135.2 (2025-08-11)

This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.

The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

Note: release 1.135.1 was skipped due to issues discovered during the release process.

Two patched Synapse releases are now available:

• 1.135.2: stable release comprised of 1.135.0 + security patches
  • Upgrade to this release if you are currently running 1.135.0 or below.
• 1.136.0rc2: unstable release candidate comprised of 1.136.0rc1 + security patches.
  • Upgrade to this release only if you are on 1.136.0rc1.

Bugfixes

• Fix invalidation of storage cache that was broken in 1.135.0. (#18786)

Internal Changes

• Add a parameter to upgrade_rooms(..) to allow auto join local users. (#82)
• Speed up upgrading a room with large numbers of banned users. (#18574)

v1.136.0rc1

Synapse 1.136.0rc1 (2025-08-05)

Please check the relevant section in the upgrade notes as this release contains changes to MAS support, metrics labels and the module API which may require your attention when upgrading.

Features

• Add configurable rate limiting for the creation of rooms. (#18514)
• Add support for MSC4293 - Redact on Kick/Ban. (#18540)
• When admins enable themselves to see soft-failed events, they will also see if the cause is due to the policy server flagging them as spam via unsigned. (#18585)
• Add ability to configure forward/outbound proxy via homeserver config instead of environment variables. See http_proxy, https_proxy, no_proxy_hosts. (#18686)
• Advertise experimental support for MSC4306 (Thread Subscriptions) through /_matrix/clients/versions if enabled. (#18722)
• Stabilise support for delegating authentication to Matrix Authentication Service. (#18759)
• Implement the push rules for experimental MSC4306: Thread Subscriptions. (#18762)

Bugfixes

• Allow return code 403 (allowed by C2S Spec since v1.2) when fetching profiles via federation. (#18696)
• Register the MSC4306 (Thread Subscriptions) endpoints in the CS API when the experimental feature is enabled. (#18726)
• Fix a long-standing bug where suspended users could not have server notices sent to them (a 403 was returned to the admin). (#18750)
• Fix an issue that could cause logcontexts to be lost on rate-limited requests. Found by @realtyem. (#18763)
• Fix invalidation of storage cache that was broken in 1.135.0. (#18786)

Improved Documentation

• Minor improvements to README. (#18700)
• Document that there can be multiple workers handling the receipts stream. (#18760)
• Improve worker documentation for some device paths. (#18761)

Deprecations and Removals

• Deprecate run_as_background_process exported as part of the module API interface in favor of ModuleApi.run_as_background_process. See the relevant section in the upgrade notes for more information. (#18737)

Internal Changes

• Add debug logging for HMAC digest verification failures when using the admin API to register users. (#18474)
• Speed up upgrading a room with large numbers of banned users. (#18574)
• Fix config documentation generation script on Windows by enforcing UTF-8. (#18580)
• Refactor cache, background process, Counter, LaterGauge, GaugeBucketCollector, Histogram, and Gauge metrics to be homeserver-scoped. (#18656, #18714, #18715, #18724, #18753, #18725, #18670, #18748, #18751)
• Reduce database usage in Sliding Sync by not querying for background update completion after the update is known to be complete. (#18718)
• Improve order of validation and ratelimiting in room creation. (#18723)
• Bump minimum version bound on Twisted to 21.2.0. (#18727, #18729)
• Use twisted.internet.testing module in tests instead of deprecated twisted.test.proto_helpers. (#18728)
• Remove obsolete /send_event replication endpoint. (#18730)
• Update metrics linting to be able to handle custom metrics. (#18733)
• Work around twisted.protocols.amp.TooLong error by reducing logging in some tests. (#18736)
• Prevent "Move labelled issues to correct projects" GitHub Actions workflow from failing when an issue is already on the project board. (#18755)
• Bump minimum supported Rust version (MSRV) to 1.82.0. Missed in #18553 (released in Synapse 1.134.0). (#18757)
• Make Clock.sleep(...) return a coroutine, so that mypy can catch places where we don't await on it. (#18772)
• Update implementation of MSC4306: Thread Subscriptions to include automatic subscription conflict prevention as introduced in later drafts. (#18756)

Updates to locked dependencies

• Bump gitpython from 3.1.44 to 3.1.45. (#18743)
• Bump mypy-zope from 1.0.12 to 1.0.13. (#18744)
• Bump phonenumbers from 9.0.9 to 9.0.10. (#18741)
• Bump ruff from 0.12.4 to 0.12.5. (#18742)
• Bump sentry-sdk from 2.32.0 to 2.33.2. (#18745)
• Bump tokio from 1.46.1 to 1.47.0. (#18740)
• Bump types-jsonschema from 4.24.0.20250708 to 4.25.0.20250720. (#18703)
• Bump types-psycopg2 from 2.9.21.20250516 to 2.9.21.20250718. (#18706)

v1.135.0

Synapse 1.135.0 (2025-08-01)

No significant changes since 1.135.0rc2.

Synapse 1.135.0rc2 (2025-07-30)

Bugfixes

• Fix user failing to deactivate with MAS when /_synapse/mas is handled by a worker. (#18716)

Internal Changes

• Fix performance regression introduced in #18238 by adding a cache to is_server_admin. (#18747)

Synapse 1.135.0rc1 (2025-07-22)

Features

• Add recaptcha_private_key_path and recaptcha_public_key_path config option. (#17984, #18684)
• Add plain-text handling for rich-text topics as per MSC3765. (#18195)
• If enabled by the user, server admins will see soft failed events over the Client-Server API. (#18238)
• Add experimental support for MSC4277: Harmonizing the reporting endpoints. (#18263)
• Add ability to limit amount of media uploaded by a user in a given time period. (#18527)
• Enable workers to write directly to the device lists stream and handle device list updates, reducing load on the main process. (#18581)
• Support arbitrary profile fields. Contributed by @clokep. (#18635)
• Advertise support for Matrix v1.12. (#18647)
• Add an option to issue redactions as an admin user via the admin redaction endpoint. (#18671)
• Add experimental and incomplete support for MSC4306: Thread Subscriptions. (#18674)
• Include event_id when getting state with ?format=event. Contributed by @tulir @ Beeper. (#18675)

Bugfixes

• Fix CPU and database spinning when retrying sending events to servers whilst at the same time purging those events. (#18499)
• Don't allow creation of tags with names longer than 255 bytes, as per the spec. (#18660)
• Fix sliding_sync_connections-related errors when porting from SQLite to Postgres. (#18677)
• Fix the MAS integration not working when Synapse is started with --daemonize or using synctl. (#18691)

Improved Documentation

• Document that some config options for the user directory are in violation of the Matrix spec. (#18548)
• Update rc_delayed_event_mgmt docs to the actual nesting level. Contributed by @HarHarLinks. (#18692)

Internal Changes

• Add a dedicated internal API for Matrix Authentication Service to Synapse communication. (#18520)
• Allow user registrations to be done on workers. (#18552)
• Remove unnecessary HTTP replication calls. (#18564)
• Refactor Measure block metrics to be homeserver-scoped. (#18601)
• Refactor cache metrics to be homeserver-scoped. (#18604)
• Unbreak "Latest dependencies" workflow by using the --without dev poetry option instead of removed --no-dev. (#18617)
• Update URL Preview code to work with lxml 6.0.0+. (#18622)
• Use markdown-it-py instead of commonmark in the release script. (#18637)
• Fix typing errors with upgraded mypy version. (#18653)
• Add doc comment explaining that config files are shallowly merged. (#18664)
• Minor speed up of insertion into stream_positions table. (#18672)
• Remove unused allow_no_prev_events option when creating an event. (#18676)
• Clean up MetricsResource and Prometheus hacks. (#18687)
• Fix dirty Cargo.lock changes appearing after install (base64). (#18689)
• Prevent dirty Cargo.lock changes from install. (#18693)
• Correct spelling of 'Admin token used' log line. (#18697)
• Reduce log spam when client stops downloading media while it is being streamed to them. (#18699)

Updates to locked dependencies

• Bump authlib from 1.6.0 to 1.6.1. (#18704)
• Bump base64 from 0.21.7 to 0.22.1. (#18666)
• Bump jsonschema from 4.24.0 to 4.25.0. (#18707)
• Bump lxml from 5.4.0 to 6.0.0. (#18631)
• Bump mypy from 1.13.0 to 1.16.1. (#18653)
• Bump once_cell from 1.19.0 to 1.21.3. (#18710)
• Bump phonenumbers from 9.0.8 to 9.0.9. (#18681)
• Bump ruff from 0.12.2 to 0.12.5. (#18683, #18705)
• Bump serde_json from 1.0.140 to 1.0.141. (#18709)
• Bump sigstore/cosign-installer from 3.9.1 to 3.9.2. (#18708)
• Bump types-jsonschema from 4.24.0.20250528 to 4.24.0.20250708. (#18682)

v1.135.0rc2

Synapse 1.135.0rc2 (2025-07-30)

Bugfixes

• Fix user failing to deactivate with MAS when /_synapse/mas is handled by a worker. (#18716)

Internal Changes

• Fix performance regression introduced in #18238 by adding a cache to is_server_admin. (#18747)

v1.135.0rc1

Synapse 1.135.0rc1 (2025-07-22)

Features

• Add recaptcha_private_key_path and recaptcha_public_key_path config option. (#17984, #18684)
• Add plain-text handling for rich-text topics as per MSC3765. (#18195)
• If enabled by the user, server admins will see soft failed events over the Client-Server API. (#18238)
• Add experimental support for MSC4277: Harmonizing the reporting endpoints. (#18263)
• Add ability to limit amount of media uploaded by a user in a given time period. (#18527)
• Enable workers to write directly to the device lists stream and handle device list updates, reducing load on the main process. (#18581)
• Support arbitrary profile fields. Contributed by @clokep. (#18635)
• Advertise support for Matrix v1.12. (#18647)
• Add an option to issue redactions as an admin user via the admin redaction endpoint. (#18671)
• Add experimental and incomplete support for MSC4306: Thread Subscriptions. (#18674)
• Include event_id when getting state with ?format=event. Contributed by @tulir @ Beeper. (#18675)

Bugfixes

• Fix CPU and database spinning when retrying sending events to servers whilst at the same time purging those events. (#18499)
• Don't allow creation of tags with names longer than 255 bytes, as per the spec. (#18660)
• Fix sliding_sync_connections-related errors when porting from SQLite to Postgres. (#18677)
• Fix the MAS integration not working when Synapse is started with --daemonize or using synctl. (#18691)

Improved Documentation

• Document that some config options for the user directory are in violation of the Matrix spec. (#18548)
• Update rc_delayed_event_mgmt docs to the actual nesting level. Contributed by @HarHarLinks. (#18692)

Internal Changes

• Add a dedicated internal API for Matrix Authentication Service to Synapse communication. (#18520)
• Allow user registrations to be done on workers. (#18552)
• Remove unnecessary HTTP replication calls. (#18564)
• Refactor Measure block metrics to be homeserver-scoped. (#18601)
• Refactor cache metrics to be homeserver-scoped. (#18604)
• Unbreak "Latest dependencies" workflow by using the --without dev poetry option instead of removed --no-dev. (#18617)
• Update URL Preview code to work with lxml 6.0.0+. (#18622)
• Use markdown-it-py instead of commonmark in the release script. (#18637)
• Fix typing errors with upgraded mypy version. (#18653)
• Add doc comment explaining that config files are shallowly merged. (#18664)
• Minor speed up of insertion into stream_positions table. (#18672)
• Remove unused allow_no_prev_events option when creating an event. (#18676)
• Clean up MetricsResource and Prometheus hacks. (#18687)
• Fix dirty Cargo.lock changes appearing after install (base64). (#18689)
• Prevent dirty Cargo.lock changes from install. (#18693)
• Correct spelling of 'Admin token used' log line. (#18697)
• Reduce log spam when client stops downloading media while it is being streamed to them. (#18699)

Updates to locked dependencies

• Bump authlib from 1.6.0 to 1.6.1. (#18704)
• Bump base64 from 0.21.7 to 0.22.1. (#18666)
• Bump jsonschema from 4.24.0 to 4.25.0. (#18707)
• Bump lxml from 5.4.0 to 6.0.0. (#18631)
• Bump mypy from 1.13.0 to 1.16.1. (#18653)
• Bump once_cell from 1.19.0 to 1.21.3. (#18710)
• Bump phonenumbers from 9.0.8 to 9.0.9. (#18681)
• Bump ruff from 0.12.2 to 0.12.5. (#18683, #18705)
• Bump serde_json from 1.0.140 to 1.0.141. (#18709)
• Bump sigstore/cosign-installer from 3.9.1 to 3.9.2. (#18708)
• Bump types-jsonschema from 4.24.0.20250528 to 4.24.0.20250708. (#18682)

v1.134.0

Synapse 1.134.0 (2025-07-15)

No significant changes since 1.134.0rc1.

Synapse 1.134.0rc1 (2025-07-09)

Features

• Support for MSC4235: via query param for hierarchy endpoint. Contributed by Krishan (@kfiven). (#18070)
• Add forget_forced_upon_leave capability as per MSC4267. (#18196)
• Add federated_user_may_invite spam checker callback which receives the entire invite event. Contributed by @tulir @ Beeper. (#18241)

Bugfixes

• Fix KeyError on background updates when using split main/state databases. (#18509)
• Improve performance of device deletion by adding missing index. (#18582)
• Fix avatar_url and displayname being sent on federation profile queries when they are not set. (#18593)
• Respond with 401 & M_USER_LOCKED when a locked user calls POST /login, as per the spec. (#18594)
• Ensure policy servers are not asked to scan policy server change events, allowing rooms to disable the use of a policy server while the policy server is down. (#18605)

Improved Documentation

• Fix documentation of the Delete Room Admin API's status field. (#18519)

Deprecations and Removals

• Stop adding the "origin" field to newly-created events (PDUs). (#18418)

Internal Changes

• Replace PyICU crate with equivalent icu_segmenter Rust crate. (#18553, #18646)
• Improve docstring on simple_upsert_many. (#18573)
• Raise poetry-core version cap to 2.1.3. (#18575)
• Raise setuptools_rust version cap to 1.11.1. (#18576)
• Better handling of ratelimited requests. (#18595, #18600)
• Update to Rust 1.87.0 in CI, and bump the pinned commit of the dtolnay/rust-toolchain GitHub Action to b3b07ba8b418998c39fb20f53e8b695cdcc8de1b. (#18596)
• Speed up bulk device deletion. (#18602)
• Speed up the building of arm-based wheels in CI. (#18618)
• Speed up the building of Docker images in CI. (#18620)
• Add .zed/ directory to .gitignore. (#18623)
• Log the room ID we're purging state for. (#18625)

Updates to locked dependencies

• Bump Swatinem/rust-cache from 2.7.8 to 2.8.0. (#18612)
• Bump attrs from 24.2.0 to 25.3.0. (#18649)
• Bump authlib from 1.5.2 to 1.6.0. (#18642)
• Bump base64 from 0.21.7 to 0.22.1. (#18589)
• Bump base64 from 0.21.7 to 0.22.1. (#18629)
• Bump docker/build-push-action from 6.17.0 to 6.18.0. (#18497)
• Bump docker/setup-buildx-action from 3.10.0 to 3.11.1. (#18587)
• Bump hiredis from 3.1.0 to 3.2.1. (#18638)
• Bump ijson from 3.3.0 to 3.4.0. (#18650)
• Bump jsonschema from 4.23.0 to 4.24.0. (#18630)
• Bump msgpack from 1.1.0 to 1.1.1. (#18651)
• Bump mypy-zope from 1.0.11 to 1.0.12. (#18640)
• Bump phonenumbers from 9.0.2 to 9.0.8. (#18652)
• Bump pillow from 11.2.1 to 11.3.0. (#18624)
• Bump prometheus-client from 0.21.0 to 0.22.1. (#18609)
• Bump pyasn1-modules from 0.4.1 to 0.4.2. (#18495)
• Bump pydantic from 2.11.4 to 2.11.7. (#18639)
• Bump reqwest from 0.12.15 to 0.12.20. (#18590)
• Bump reqwest from 0.12.20 to 0.12.22. (#18627)
• Bump ruff from 0.11.11 to 0.12.1. (#18645)
• Bump ruff from 0.12.1 to 0.12.2. (#18657)
• Bump sentry-sdk from 2.22.0 to 2.32.0. (#18633)
• Bump setuptools-rust from 1.10.2 to 1.11.1. (#18655)
• Bump sigstore/cosign-installer from 3.8.2 to 3.9.0. (#18588)
• Bump sigstore/cosign-installer from 3.9.0 to 3.9.1. (#18608)
• Bump stefanzweifel/git-auto-commit-action from 5.2.0 to 6.0.1. (#18607)
• Bump tokio from 1.45.1 to 1.46.0. (#18628)
• Bump tokio from 1.46.0 to 1.46.1. (#18667)
• Bump treq from 24.9.1 to 25.5.0. (#18610)
• Bump types-bleach from 6.2.0.20241123 to 6.2.0.20250514. (#18634)
• Bump types-jsonschema from 4.23.0.20250516 to 4.24.0.20250528. (#18611)
• Bump types-opentracing from 2.4.10.6 to 2.4.10.20250622. (#18586)
• Bump types-psycopg2 from 2.9.21.20250318 to 2.9.21.20250516. (#18658)
• Bump types-pyyaml from 6.0.12.20241230 to 6.0.12.20250516. (#18643)
• Bump types-setuptools from 75.2.0.20241019 to 80.9.0.20250529. (#18644)
• Bump typing-extensions from 4.12.2 to 4.14.0. (#18654)
• Bump typing-extensions from 4.14.0 to 4.14.1. (#18668)
• Bump urllib3 from 2.2.2 to 2.5.0. (#18572)

v1.134.0rc1

Synapse 1.134.0rc1 (2025-07-09)

Features

• Support for MSC4235: via query param for hierarchy endpoint. Contributed by Krishan (@kfiven). (#18070)
• Add forget_forced_upon_leave capability as per MSC4267. (#18196)
• Add federated_user_may_invite spam checker callback which receives the entire invite event. Contributed by @tulir @ Beeper. (#18241)

Bugfixes

• Fix KeyError on background updates when using split main/state databases. (#18509)
• Improve performance of device deletion by adding missing index. (#18582)
• Fix avatar_url and displayname being sent on federation profile queries when they are not set. (#18593)
• Respond with 401 & M_USER_LOCKED when a locked user calls POST /login, as per the spec. (#18594)
• Ensure policy servers are not asked to scan policy server change events, allowing rooms to disable the use of a policy server while the policy server is down. (#18605)

Improved Documentation

• Fix documentation of the Delete Room Admin API's status field. (#18519)

Deprecations and Removals

• Stop adding the "origin" field to newly-created events (PDUs). (#18418)

Internal Changes

• Replace PyICU crate with equivalent icu_segmenter Rust crate. (#18553, #18646)
• Improve docstring on simple_upsert_many. (#18573)
• Raise poetry-core version cap to 2.1.3. (#18575)
• Raise setuptools_rust version cap to 1.11.1. (#18576)
• Better handling of ratelimited requests. (#18595, #18600)
• Update to Rust 1.87.0 in CI, and bump the pinned commit of the dtolnay/rust-toolchain GitHub Action to b3b07ba8b418998c39fb20f53e8b695cdcc8de1b. (#18596)
• Speed up bulk device deletion. (#18602)
• Speed up the building of arm-based wheels in CI. (#18618)
• Speed up the building of Docker images in CI. (#18620)
• Add .zed/ directory to .gitignore. (#18623)
• Log the room ID we're purging state for. (#18625)

Updates to locked dependencies

• Bump Swatinem/rust-cache from 2.7.8 to 2.8.0. (#18612)
• Bump attrs from 24.2.0 to 25.3.0. (#18649)
• Bump authlib from 1.5.2 to 1.6.0. (#18642)
• Bump base64 from 0.21.7 to 0.22.1. (#18589)
• Bump base64 from 0.21.7 to 0.22.1. (#18629)
• Bump docker/build-push-action from 6.17.0 to 6.18.0. (#18497)
• Bump docker/setup-buildx-action from 3.10.0 to 3.11.1. (#18587)
• Bump hiredis from 3.1.0 to 3.2.1. (#18638)
• Bump ijson from 3.3.0 to 3.4.0. (#18650)
• Bump jsonschema from 4.23.0 to 4.24.0. (#18630)
• Bump msgpack from 1.1.0 to 1.1.1. (#18651)
• Bump mypy-zope from 1.0.11 to 1.0.12. (#18640)
• Bump phonenumbers from 9.0.2 to 9.0.8. (#18652)
• Bump pillow from 11.2.1 to 11.3.0. (#18624)
• Bump prometheus-client from 0.21.0 to 0.22.1. (#18609)
• Bump pyasn1-modules from 0.4.1 to 0.4.2. (#18495)
• Bump pydantic from 2.11.4 to 2.11.7. (#18639)
• Bump reqwest from 0.12.15 to 0.12.20. (#18590)
• Bump reqwest from 0.12.20 to 0.12.22. (#18627)
• Bump ruff from 0.11.11 to 0.12.1. (#18645)
• Bump ruff from 0.12.1 to 0.12.2. (#18657)
• Bump sentry-sdk from 2.22.0 to 2.32.0. (#18633)
• Bump setuptools-rust from 1.10.2 to 1.11.1. (#18655)
• Bump sigstore/cosign-installer from 3.8.2 to 3.9.0. (#18588)
• Bump sigstore/cosign-installer from 3.9.0 to 3.9.1. (#18608)
• Bump stefanzweifel/git-auto-commit-action from 5.2.0 to 6.0.1. (#18607)
• Bump tokio from 1.45.1 to 1.46.0. (#18628)
• Bump tokio from 1.46.0 to 1.46.1. (#18667)
• Bump treq from 24.9.1 to 25.5.0. (#18610)
• Bump types-bleach from 6.2.0.20241123 to 6.2.0.20250514. (#18634)
• Bump types-jsonschema from 4.23.0.20250516 to 4.24.0.20250528. (#18611)
• Bump types-opentracing from 2.4.10.6 to 2.4.10.20250622. (#18586)
• Bump types-psycopg2 from 2.9.21.20250318 to 2.9.21.20250516. (#18658)
• Bump types-pyyaml from 6.0.12.20241230 to 6.0.12.20250516. (#18643)
• Bump types-setuptools from 75.2.0.20241019 to 80.9.0.20250529. (#18644)
• Bump typing-extensions from 4.12.2 to 4.14.0. (#18654)
• Bump typing-extensions from 4.14.0 to 4.14.1. (#18668)
• Bump urllib3 from 2.2.2 to 2.5.0. (#18572)

v1.133.0

Synapse 1.133.0 (2025-07-01)

Pre-built wheels are now built using the manylinux_2_28 base, which is expected to be compatible with distros using glibc 2.28 or later, including:

• Debian 10+
• Ubuntu 18.10+
• Fedora 29+
• CentOS/RHEL 8+

Previously, wheels were built using the manylinux2014 base, which was expected to be compatible with distros using glibc 2.17 or later.

Bugfixes

• Bump cibuildwheel to 3.0.0 to fix the manylinux wheel builds. (#18615)

Synapse 1.133.0rc1 (2025-06-24)

Features

• Add support for the MSC4260 user report API. (#18120)

Bugfixes

• Fix an issue where, during state resolution for v11 rooms, Synapse would incorrectly calculate the power level of the creator when there was no power levels event in the room. (#18534, #18547)
• Fix long-standing bug where sliding sync did not honour the room_id_to_include config option. (#18535)
• Fix an issue where "Lock timeout is getting excessive" warnings would be logged even when the lock timeout was <10 minutes. (#18543)
• Fix an issue where Synapse could calculate the wrong power level for the creator of the room if there was no power levels event. (#18545)

Improved Documentation

• Generate config documentation from JSON Schema file. (#18528)
• Fix typo in user type documentation. (#18568)

Internal Changes

• Increase performance of introspecting access tokens when using delegated auth. (#18357, #18561)
• Log user deactivations. (#18541)
• Enable flake8-logging and flake8-logging-format rules in Ruff and fix related issues throughout the codebase. (#18542)
• Clean up old, unused rows from the device_federation_inbox table. (#18546)
• Run config schema CI on develop and release branches. (#18551)
• Add support for Twisted 25.5.0+ releases. (#18577)
• Update PyO3 to version 0.25. (#18578)

Updates to locked dependencies

• Bump actions/setup-python from 5.5.0 to 5.6.0. (#18555)
• Bump base64 from 0.21.7 to 0.22.1. (#18559)
• Bump dawidd6/action-download-artifact from 9 to 11. (#18556)
• Bump headers from 0.4.0 to 0.4.1. (#18529)
• Bump requests from 2.32.2 to 2.32.4. (#18533)
• Bump types-requests from 2.32.0.20250328 to 2.32.4.20250611. (#18558)