v1.132.0rc1

Synapse 1.132.0rc1 (2025-06-10)

Features

• Add support for MSC4155 Invite Filtering. (#18288)
• Add experimental user_may_send_state_event module API callback. (#18455)
• Add experimental get_media_config_for_user and is_user_allowed_to_upload_media_of_size module API callbacks that allow overriding of media repository maximum upload size. (#18457)
• Add experimental get_ratelimit_override_for_user module API callback that allows overriding of per-user ratelimits. (#18458)
• Pass room_config argument to user_may_create_room spam checker module callback. (#18486)
• Support configuration of default and extra user types. (#18456)
• Successful requests to /_matrix/app/v1/ping will now force Synapse to reattempt delivering transactions to appservices. (#18521)
• Support the import of the RatelimitOverride type from synapse.module_api in modules and rename messages_per_second to per_second. (#18513)

Bugfixes

• Remove destinations from sending if not whitelisted. (#18484)
• Fixed room summary API incorrectly returning that a room is private in the room summary response when the join rule is omitted by the remote server. Contributed by @nexy7574. (#18493)
• Prevent users from adding themselves to their own user ignore list. (#18508)

Improved Documentation

• Generate config documentation from JSON Schema file. (#17892)
• Mention CAP_NET_BIND_SERVICE as an alternative to running Synapse as root in order to bind to a privileged port. (#18408)
• Surface hidden Admin API documentation regarding fetching of scheduled tasks. (#18516)
• Mark the new module APIs in this release as experimental. (#18536)

Internal Changes

• Mark dehydrated devices in the List All User Devices Admin API. (#18252)
• Reduce disk wastage by cleaning up received_transactions older than 1 day, rather than 30 days. (#18310)
• Distinguish all vs local events being persisted in the "Event Send Time Quantiles" graph (Grafana). (#18510)

v1.131.0

Synapse 1.131.0 (2025-06-03)

No significant changes since 1.131.0rc1.

Synapse 1.131.0rc1 (2025-05-28)

Features

• Add msc4263_limit_key_queries_to_users_who_share_rooms config option as per MSC4263. (#18180)
• Add option to allow registrations that begin with _. Contributed by _ (@hex5f). (#18262)
• Include room ID in response to the Room Deletion Status Admin API. (#18318)
• Add support for calling Policy Servers (MSC4284) to mark events as spam. (#18387)

Bugfixes

• Prevent race-condition in _maybe_retry_device_resync entrance. (#18391)
• Fix the tests.handlers.test_worker_lock.WorkerLockTestCase.test_lock_contention test which could spuriously time out on RISC-V architectures due to performance differences. (#18430)
• Fix admin redaction endpoint not redacting encrypted messages. (#18434)

Improved Documentation

• Update room_list_publication_rules docs to consider defaults that changed in v1.126.0. Contributed by @HarHarLinks. (#18286)
• Add advice for upgrading between major PostgreSQL versions to the database documentation. (#18445)

Internal Changes

• Fix a memory leak in _NotifierUserStream. (#18380)
• Fix a couple type annotations in the RootConfig/Config. (#18409)
• Explicitly enable PyPy builds in cibuildwheels config to avoid it being disabled on a future upgrade to cibuildwheel v3. (#18417)
• Update the PR review template to remove an erroneous line break from the final bullet point. (#18419)
• Explain why we flush_buffer() for Python print(...) output. (#18420)
• Add lint to ensure we don't add a CREATE/DROP INDEX in a schema delta. (#18440)
• Allow checking only for the existence of a field in an SSO provider's response, rather than requiring the value(s) to check. (#18454)
• Add unit tests for homeserver usage statistics. (#18463)
• Don't move invited users to new room when shutting down room. (#18471)

Updates to locked dependencies

• Bump actions/setup-python from 5.5.0 to 5.6.0. (#18398)
• Bump authlib from 1.5.1 to 1.5.2. (#18452)
• Bump docker/build-push-action from 6.15.0 to 6.17.0. (#18397, #18449)
• Bump lxml from 5.3.0 to 5.4.0. (#18480)
• Bump mypy-zope from 1.0.9 to 1.0.11. (#18428)
• Bump pyo3 from 0.23.5 to 0.24.2. (#18460)
• Bump pyo3-log from 0.12.3 to 0.12.4. (#18453)
• Bump pyopenssl from 25.0.0 to 25.1.0. (#18450)
• Bump ruff from 0.7.3 to 0.11.11. (#18451, #18482)
• Bump tornado from 6.4.2 to 6.5.0. (#18459)
• Bump setuptools from 72.1.0 to 78.1.1. (#18461)
• Bump types-jsonschema from 4.23.0.20241208 to 4.23.0.20250516. (#18481)
• Bump types-requests from 2.32.0.20241016 to 2.32.0.20250328. (#18427)

v1.131.0rc1

Synapse 1.131.0rc1 (2025-05-28)

Features

• Add msc4263_limit_key_queries_to_users_who_share_rooms config option as per MSC4263. (#18180)
• Add option to allow registrations that begin with _. Contributed by _ (@hex5f). (#18262)
• Include room ID in response to the Room Deletion Status Admin API. (#18318)
• Add support for calling Policy Servers (MSC4284) to mark events as spam. (#18387)

Bugfixes

• Prevent race-condition in _maybe_retry_device_resync entrance. (#18391)
• Fix the tests.handlers.test_worker_lock.WorkerLockTestCase.test_lock_contention test which could spuriously time out on RISC-V architectures due to performance differences. (#18430)
• Fix admin redaction endpoint not redacting encrypted messages. (#18434)

Improved Documentation

• Update room_list_publication_rules docs to consider defaults that changed in v1.126.0. Contributed by @HarHarLinks. (#18286)
• Add advice for upgrading between major PostgreSQL versions to the database documentation. (#18445)

Internal Changes

• Fix a memory leak in _NotifierUserStream. (#18380)
• Fix a couple type annotations in the RootConfig/Config. (#18409)
• Explicitly enable PyPy builds in cibuildwheels config to avoid it being disabled on a future upgrade to cibuildwheel v3. (#18417)
• Update the PR review template to remove an erroneous line break from the final bullet point. (#18419)
• Explain why we flush_buffer() for Python print(...) output. (#18420)
• Add lint to ensure we don't add a CREATE/DROP INDEX in a schema delta. (#18440)
• Allow checking only for the existence of a field in an SSO provider's response, rather than requiring the value(s) to check. (#18454)
• Add unit tests for homeserver usage statistics. (#18463)
• Don't move invited users to new room when shutting down room. (#18471)

Updates to locked dependencies

• Bump actions/setup-python from 5.5.0 to 5.6.0. (#18398)
• Bump authlib from 1.5.1 to 1.5.2. (#18452)
• Bump docker/build-push-action from 6.15.0 to 6.17.0. (#18397, #18449)
• Bump lxml from 5.3.0 to 5.4.0. (#18480)
• Bump mypy-zope from 1.0.9 to 1.0.11. (#18428)
• Bump pyo3 from 0.23.5 to 0.24.2. (#18460)
• Bump pyo3-log from 0.12.3 to 0.12.4. (#18453)
• Bump pyopenssl from 25.0.0 to 25.1.0. (#18450)
• Bump ruff from 0.7.3 to 0.11.11. (#18451, #18482)
• Bump tornado from 6.4.2 to 6.5.0. (#18459)
• Bump setuptools from 72.1.0 to 78.1.1. (#18461)
• Bump types-jsonschema from 4.23.0.20241208 to 4.23.0.20250516. (#18481)
• Bump types-requests from 2.32.0.20241016 to 2.32.0.20250328. (#18427)

v1.130.0

Synapse 1.130.0 (2025-05-20)

Bugfixes

• Fix startup being blocked on creating a new index that was introduced in v1.130.0rc1. (#18439)
• Fix the ordering of local messages in rooms that were affected by GHSA-v56r-hwv5-mxg6. (#18447)

Synapse 1.130.0rc1 (2025-05-13)

Features

• Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks. (#18214)
• Add config option user_directory.exclude_remote_users which, when enabled, excludes remote users from user directory search results. (#18300)
• Add support for handling GET /devices/ on workers. (#18355)

Bugfixes

• Fix a longstanding bug where Synapse would immediately retry a failing push endpoint when a new event is received, ignoring any backoff timers. (#18363)
• Pass leave from remote invite rejection down Sliding Sync. (#18375)

Updates to the Docker image

• In configure_workers_and_start.py, use the same absolute path of Python in the interpreter shebang, and invoke child Python processes with sys.executable. (#18291)
• Optimize the build of the workers image. (#18292)
• In start_for_complement.sh, replace some external program calls with shell builtins. (#18293)
• When generating container scripts from templates, don't add a leading newline so that their shebangs may be handled correctly. (#18295)

Improved Documentation

• Improve formatting of the README file. (#18218)
• Add documentation for configuring Pocket ID as an OIDC provider. (#18237)
• Fix typo in docs about the push config option. Contributed by @HarHarLinks. (#18320)
• Add /_matrix/federation/v1/version to list of federation endpoints that can be handled by workers. (#18377)
• Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks. (#18384)

Internal Changes

• Return specific error code when adding an email address / phone number to account is not supported (MSC4178). (#17578)
• Stop auto-provisionning missing users & devices when delegating auth to Matrix Authentication Service. Requires MAS 0.13.0 or later. (#18181)
• Apply file hashing and existing quarantines to media downloaded for URL previews. (#18297)
• Allow a few admin APIs used by matrix-authentication-service to run on workers. (#18313)
• Apply should_drop_federated_event to federation invites. (#18330)
• Allow /rooms/ admin API to be run on workers. (#18360)
• Minor performance improvements to the notifier. (#18367)
• Slight performance increase when using the ratelimiter. (#18369)
• Don't validate the at_hash (access token hash) field in OIDC ID Tokens if we don't end up actually using the OIDC Access Token. (#18374, #18385)
• Fixed test failures when using authlib 1.5.2. (#18390)
• Refactor MSC4186 Simplified Sliding Sync room list tests to cover both new and fallback logic paths. (#18399)

Updates to locked dependencies

• Bump actions/add-to-project from 280af8ae1f83a494cfad2cb10f02f6d13529caa9 to 5b1a254a3546aef88e0a7724a77a623fa2e47c36. (#18365)
• Bump actions/download-artifact from 4.2.1 to 4.3.0. (#18364)
• Bump actions/setup-go from 5.4.0 to 5.5.0. (#18426)
• Bump anyhow from 1.0.97 to 1.0.98. (#18336)
• Bump packaging from 24.2 to 25.0. (#18393)
• Bump pillow from 11.1.0 to 11.2.1. (#18429)
• Bump pydantic from 2.10.3 to 2.11.4. (#18394)
• Bump pyo3-log from 0.12.2 to 0.12.3. (#18317)
• Bump pyopenssl from 24.3.0 to 25.0.0. (#18315)
• Bump sha2 from 0.10.8 to 0.10.9. (#18395)
• Bump sigstore/cosign-installer from 3.8.1 to 3.8.2. (#18366)
• Bump softprops/action-gh-release from 1 to 2. (#18264)
• Bump stefanzweifel/git-auto-commit-action from 5.1.0 to 5.2.0. (#18354)
• Bump txredisapi from 1.4.10 to 1.4.11. (#18392)
• Bump types-jsonschema from 4.23.0.20240813 to 4.23.0.20241208. (#18305)
• Bump types-psycopg2 from 2.9.21.20250121 to 2.9.21.20250318. (#18316)

v1.130.0rc1

Synapse 1.130.0rc1 (2025-05-13)

Features

• Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks. (#18214)
• Add config option user_directory.exclude_remote_users which, when enabled, excludes remote users from user directory search results. (#18300)
• Add support for handling GET /devices/ on workers. (#18355)

Bugfixes

• Fix a longstanding bug where Synapse would immediately retry a failing push endpoint when a new event is received, ignoring any backoff timers. (#18363)
• Pass leave from remote invite rejection down Sliding Sync. (#18375)

Updates to the Docker image

• In configure_workers_and_start.py, use the same absolute path of Python in the interpreter shebang, and invoke child Python processes with sys.executable. (#18291)
• Optimize the build of the workers image. (#18292)
• In start_for_complement.sh, replace some external program calls with shell builtins. (#18293)
• When generating container scripts from templates, don't add a leading newline so that their shebangs may be handled correctly. (#18295)

Improved Documentation

• Improve formatting of the README file. (#18218)
• Add documentation for configuring Pocket ID as an OIDC provider. (#18237)
• Fix typo in docs about the push config option. Contributed by @HarHarLinks. (#18320)
• Add /_matrix/federation/v1/version to list of federation endpoints that can be handled by workers. (#18377)
• Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks. (#18384)

Internal Changes

• Return specific error code when adding an email address / phone number to account is not supported (MSC4178). (#17578)
• Stop auto-provisionning missing users & devices when delegating auth to Matrix Authentication Service. Requires MAS 0.13.0 or later. (#18181)
• Apply file hashing and existing quarantines to media downloaded for URL previews. (#18297)
• Allow a few admin APIs used by matrix-authentication-service to run on workers. (#18313)
• Apply should_drop_federated_event to federation invites. (#18330)
• Allow /rooms/ admin API to be run on workers. (#18360)
• Minor performance improvements to the notifier. (#18367)
• Slight performance increase when using the ratelimiter. (#18369)
• Don't validate the at_hash (access token hash) field in OIDC ID Tokens if we don't end up actually using the OIDC Access Token. (#18374, #18385)
• Fixed test failures when using authlib 1.5.2. (#18390)
• Refactor MSC4186 Simplified Sliding Sync room list tests to cover both new and fallback logic paths. (#18399)

Updates to locked dependencies

• Bump actions/add-to-project from 280af8ae1f83a494cfad2cb10f02f6d13529caa9 to 5b1a254a3546aef88e0a7724a77a623fa2e47c36. (#18365)
• Bump actions/download-artifact from 4.2.1 to 4.3.0. (#18364)
• Bump actions/setup-go from 5.4.0 to 5.5.0. (#18426)
• Bump anyhow from 1.0.97 to 1.0.98. (#18336)
• Bump packaging from 24.2 to 25.0. (#18393)
• Bump pillow from 11.1.0 to 11.2.1. (#18429)
• Bump pydantic from 2.10.3 to 2.11.4. (#18394)
• Bump pyo3-log from 0.12.2 to 0.12.3. (#18317)
• Bump pyopenssl from 24.3.0 to 25.0.0. (#18315)
• Bump sha2 from 0.10.8 to 0.10.9. (#18395)
• Bump sigstore/cosign-installer from 3.8.1 to 3.8.2. (#18366)
• Bump softprops/action-gh-release from 1 to 2. (#18264)
• Bump stefanzweifel/git-auto-commit-action from 5.1.0 to 5.2.0. (#18354)
• Bump txredisapi from 1.4.10 to 1.4.11. (#18392)
• Bump types-jsonschema from 4.23.0.20240813 to 4.23.0.20241208. (#18305)
• Bump types-psycopg2 from 2.9.21.20250121 to 2.9.21.20250318. (#18316)

v1.129.0

Synapse 1.129.0 (2025-05-06)

No significant changes since 1.129.0rc2.

Synapse 1.129.0rc2 (2025-04-30)

Synapse 1.129.0rc1 was never formally released due to regressions discovered during the release process. 1.129.0rc2 fixes those regressions by reverting the affected PRs.

Internal Changes

• Revert the slow background update introduced by #18068 in v1.128.0. (#18372)
• Revert "Add total_event_count, total_message_count, and total_e2ee_event_count fields to the homeserver usage statistics.", added in v1.129.0rc1. (#18373)

Synapse 1.129.0rc1 (2025-04-15)

Features

• Add passthrough_authorization_parameters in OIDC configuration to allow passing parameters to the authorization grant URL. (#18232)
• Add total_event_count, total_message_count, and total_e2ee_event_count fields to the homeserver usage statistics. (#18260) This was reverted in 1.129.0rc2.

Bugfixes

• Fix force_tracing_for_users config when using delegated auth. (#18334)
• Fix the token introspection cache logging access tokens when MAS integration is in use. (#18335)
• Stop caching introspection failures when delegating auth to MAS. (#18339)
• Fix ExternalIDReuse exception after migrating to MAS on workers with a high traffic. (#18342)
• Fix minor performance regression caused by tracking of room participation. Regressed in v1.128.0. (#18345)

Updates to the Docker image

• Optimize the build of the complement-synapse image. (#18294)

Internal Changes

• Disable statement timeout during room purge. (#18133)
• Add cache to storage functions used to auth requests when using delegated auth. (#18337)

v1.129.0rc2

Synapse 1.129.0rc2 (2025-04-30)

Synapse 1.129.0rc1 was never formally released due to regressions discovered during the release process. 1.129.0rc2 fixes those regressions by reverting the affected PRs.

Internal Changes

• Revert the slow background update introduced by #18068 in v1.128.0. (#18372)
• Revert "Add total event, unencrypted message, and e2ee event counts to stats reporting", added in v1.129.0rc1. (#18373)

Synapse 1.129.0rc1 (2025-04-15)

Features

• Add passthrough_authorization_parameters in OIDC configuration to allow passing parameters to the authorization grant URL. (#18232)
• Add total_event_count, total_message_count, and total_e2ee_event_count fields to the homeserver usage statistics. (#18260)

Bugfixes

• Fix force_tracing_for_users config when using delegated auth. (#18334)
• Fix the token introspection cache logging access tokens when MAS integration is in use. (#18335)
• Stop caching introspection failures when delegating auth to MAS. (#18339)
• Fix ExternalIDReuse exception after migrating to MAS on workers with a high traffic. (#18342)
• Fix minor performance regression caused by tracking of room participation. Regressed in v1.128.0. (#18345)

Updates to the Docker image

• Optimize the build of the complement-synapse image. (#18294)

Internal Changes

• Disable statement timeout during room purge. (#18133)
• Add cache to storage functions used to auth requests when using delegated auth. (#18337)

v1.128.0

Synapse 1.128.0 (2025-04-08)

No significant changes since 1.128.0rc1.

Synapse 1.128.0rc1 (2025-04-01)

Features

• Add an access token introspection cache to make Matrix Authentication Service integration (MSC3861) more efficient. (#18231)
• Add background job to clear unreferenced state groups. (#18254)
• Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)

Bugfixes

• Add index to sliding sync (MSC4186) membership snapshot table, to fix a performance issue. (#18074)

Updates to the Docker image

• Specify the architecture of installed packages via an APT config option, which is more reliable than appending package names with :{arch}. (#18271)
• Always specify base image debian versions with a build argument. (#18272)
• Allow passing arguments to start_for_complement.sh (to be sent to configure_workers_and_start.py). (#18273)
• Make some improvements to the prefix-log script in the workers image. (#18274)
• Use uv pip to install supervisor in the worker image. (#18275)
• Avoid needing to download & use rsync in a build layer. (#18287)

Improved Documentation

• Fix how to obtain access token and change naming from riot to element (#18225)
• Correct a small typo in the SSO mapping providers documentation. (#18276)
• Add docs for how to clear out the Poetry wheel cache. (#18283)

Internal Changes

• Add a column participant to room_memberships table. (#18068)
• Update Poetry to 2.1.1, including updating the lock file version. (#18251)
• Pin GitHub Actions dependencies by commit hash. (#18255)
• Add DB delta to remove the old state group deletion job. (#18284)

Updates to locked dependencies

• Bump actions/add-to-project from f5473ace9aeee8b97717b281e26980aa5097023f to 280af8ae1f83a494cfad2cb10f02f6d13529caa9. (#18303)
• Bump actions/cache from 4.2.2 to 4.2.3. (#18266)
• Bump actions/download-artifact from 4.2.0 to 4.2.1. (#18268)
• Bump actions/setup-python from 5.4.0 to 5.5.0. (#18298)
• Bump actions/upload-artifact from 4.6.1 to 4.6.2. (#18304)
• Bump authlib from 1.4.1 to 1.5.1. (#18306)
• Bump dawidd6/action-download-artifact from 8 to 9. (#18204)
• Bump jinja2 from 3.1.5 to 3.1.6. (#18223)
• Bump log from 0.4.26 to 0.4.27. (#18267)
• Bump phonenumbers from 8.13.50 to 9.0.2. (#18299)
• Bump pygithub from 2.5.0 to 2.6.1. (#18243)
• Bump pyo3-log from 0.12.1 to 0.12.2. (#18269)

v1.128.0rc1

Synapse 1.128.0rc1 (2025-04-01)

Features

• Add an access token introspection cache to make Matrix Authentication Service integration (MSC3861) more efficient. (#18231)
• Add background job to clear unreferenced state groups. (#18254)
• Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. (#18277, #18302, #18296)

Bugfixes

• Add index to sliding sync (MSC4186) membership snapshot table, to fix a performance issue. (#18074)

Updates to the Docker image

• Specify the architecture of installed packages via an APT config option, which is more reliable than appending package names with :{arch}. (#18271)
• Always specify base image debian versions with a build argument. (#18272)
• Allow passing arguments to start_for_complement.sh (to be sent to configure_workers_and_start.py). (#18273)
• Make some improvements to the prefix-log script in the workers image. (#18274)
• Use uv pip to install supervisor in the worker image. (#18275)
• Avoid needing to download & use rsync in a build layer. (#18287)

Improved Documentation

• Fix how to obtain access token and change naming from riot to element (#18225)
• Correct a small typo in the SSO mapping providers documentation. (#18276)
• Add docs for how to clear out the Poetry wheel cache. (#18283)

Internal Changes

• Add a column participant to room_memberships table. (#18068)
• Update Poetry to 2.1.1, including updating the lock file version. (#18251)
• Pin GitHub Actions dependencies by commit hash. (#18255)
• Add DB delta to remove the old state group deletion job. (#18284)

Updates to locked dependencies

• Bump actions/add-to-project from f5473ace9aeee8b97717b281e26980aa5097023f to 280af8ae1f83a494cfad2cb10f02f6d13529caa9. (#18303)
• Bump actions/cache from 4.2.2 to 4.2.3. (#18266)
• Bump actions/download-artifact from 4.2.0 to 4.2.1. (#18268)
• Bump actions/setup-python from 5.4.0 to 5.5.0. (#18298)
• Bump actions/upload-artifact from 4.6.1 to 4.6.2. (#18304)
• Bump authlib from 1.4.1 to 1.5.1. (#18306)
• Bump dawidd6/action-download-artifact from 8 to 9. (#18204)
• Bump jinja2 from 3.1.5 to 3.1.6. (#18223)
• Bump log from 0.4.26 to 0.4.27. (#18267)
• Bump phonenumbers from 8.13.50 to 9.0.2. (#18299)
• Bump pygithub from 2.5.0 to 2.6.1. (#18243)
• Bump pyo3-log from 0.12.1 to 0.12.2. (#18269)

v1.127.1

Synapse 1.127.1 (2025-03-26)

Security

• Fix CVE-2025-30355 / GHSA-v56r-hwv5-mxg6. High severity vulnerability affecting federation. The vulnerability has been exploited in the wild.