Update docker.io/matrixdotorg/synapse Docker tag to v1.155.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
docker.io/matrixdotorg/synapse	final	minor	v1.149.1 → v1.155.0

---

Release Notes

element-hq/synapse (docker.io/matrixdotorg/synapse)

v1.155.0

Compare Source

Synapse 1.155.0 (2026-06-16)

End of Life of Debian 12 Bookworm

The next version of Synapse will not include Debian packages for Debian 12 Bookworm
as it reached end of life on the 10th of June 2026.

Internal Changes

• When building releases, don't cancel Debian package builds when one of them fails. (#​19842)

Synapse 1.155.0rc1 (2026-06-09)

Bugfixes

• Limit the to-device EDU size to a reasonable value to mitigate long queues of to-device messages preventing outgoing federation because of the size of the transaction. (#​19617)
• Work around bug that sometimes breaks joining restricted rooms that require a remote join. Contributed by @​tulir @​ Beeper. (#​19730)
• Update Sliding Sync to return a new response immediately if a room subscription has changed and produced a new response. (#​19734, #​19792)
• Fix the /capabilities endpoint returning a 500 error on non-media workers when MSC4452: Preview URL capabilities API is enabled. (#​19839)

Improved Documentation

• Document how to see Rust build failure output when using poetry install. (#​19818)
• Document that the SQLite version included in Ubuntu LTS, aside from ESM-only versions, is included in our support policy. (#​19823)

Internal Changes

• Port the Python Event classes to Rust. (#​19701, #​19816, #​19817, #​19819)
• Added tests to ensure that email notification links are sanitized. Contributed by Noah Markert. (#​19741)
• Add GcpJsonFormatter logging formatter for use with Google Cloud Logging and GKE deployments. (#​19775)
• Add more logging to the to-device message replication stream. (#​19801, #​19821)
• Port Requester class to Rust. (#​19828)

v1.154.0

Compare Source

Synapse 1.154.0 (2026-06-04)

No significant changes since 1.154.0rc1.

Synapse 1.154.0rc1 (2026-05-27)

Features

• Add support for MSC4452: Preview URL capabilities API which exposes a io.element.msc4452.preview_url capability.
  If experimental_features.msc4452_enabled is true, the /_matrix/(client/v1/media|media/v3)/preview_url endpoint
  now responds with a 403 status code when the capability is disabled. (#​19715)

Bugfixes

• Fix a bug in MSC4186: Simplified Sliding Sync that could prevent user avatars from showing if the room had an empty name. (#​19468, #​19791)
• Fix access token cache not being invalidated for sessions using refresh tokens. Contributed by @​FrenchGithubUser @​ Famedly. (#​19483)
• Fix bug where Synapse would return 400 (M_BAD_JSON) when sending a message with a mentions field and Synapse module check_event_allowed callback registered (frozen event). Contributed by @​gaetan-sbt. (#​19634)
• Fix long-standing but niche bug with /sync where it could attempt to fetch data with flawed invalid future tokens. (#​19644)
• Fix /sync failing when MSC4354 Sticky Events are enabled and the sync request filters out Ephemeral Data Units (EDUs). (#​19787)
• Fix packaging for Fedora and EPEL caused by unnecessary bumping attrs minimum version requirement in pyproject.toml file. Contributed by Oleg Girko. (#​19789)
• Fix merging signatures when a policy server is running under the same server name as Synapse. The bug was re-introduced in v1.153.0rc1 after being fixed earlier in v1.151.0rc1. Contributed by @​tulir @​ Beeper. (#​19797)

Improved Documentation

• Added details about how Synapse syncs the picture claim when update_profile_information setting is true. (#​19508)

Internal Changes

• Port Event.content field to Rust. (#​19725)
• Prefer close backfill points (absolute distance). (#​19748)
• Replace unique quarantined_media waiting patterns with standard wait_for_stream_token(...). (#​19764)
• Improve Synapse logging around when someone encounters We can't get valid state history. so you can correlate everything by event_id. (#​19765)
• Tidy up Rust RoomVersion structs. (#​19766)
• Update WorkerLock tests to better stress the WORKER_LOCK_MAX_RETRY_INTERVAL. (#​19772)
• Refactor MSC4242: State DAG checks behind a single TypeIs helper to avoid scattered isinstance casts. (#​19774)
• Use StrCollection for prev_state_events. (#​19777)
• Fix up the construction of events in tests, ahead of the Rust event port. (#​19781)

v1.153.0

Compare Source

Synapse 1.153.0 (2026-05-19)

No significant changes since 1.153.0rc3.

Synapse 1.153.0rc3 (2026-05-15)

Bugfixes

• Revert 'Have MSC4186: Simplified Sliding Sync return a new response immediately if a room subscription has changed and produced a new response. (#​19714)' (introduced in 1.153.0rc1) due to performance problems. (#​19784)

Synapse 1.153.0rc2 (2026-05-13)

Bugfixes

• Correctly handle arbitrary precision integers in unsigned field of events. The bug was introduced in 1.153.0rc1. (#​19769)

Synapse 1.153.0rc1 (2026-05-08)

Features

• Make ACLs apply to EDUs per MSC4163. (#​18475)
• Stabilize MSC3266: Room summary API, removing the experimental config flag msc3266_enabled. Contributed by @​dasha-uwu. (#​19720)
• Partial MSC4311 implementation: m.room.create is now a required part of stripped invite_state/knock_state . Contributed by @​FrenchGithubUser @​Famedly. (#​19722)
• Expose tombstoned and replacement_room in room details on admin API endpoint GET /_synapse/admin/v1/rooms/<room_id>. Contributed by Noah Markert. (#​19737)

Bugfixes

• Allow self-requested user erasure (upon account deactivation) to succeed even if Synapse has disabled profile changes. Contributed by Famedly. (#​19398)
• Fix Synapse not backfilling new history when attempting to use a pagination token near a backward extremity. (#​19611)
• Have MSC4186: Simplified Sliding Sync return a new response immediately if a room subscription has changed and produced a new response. (#​19714)
• Fix a bug where when upgrading a room to room version 12, the power level event in the old room got temporarily mutated to remove the user upgrading the room's power. (#​19727)
• Fix packaging for Fedora and EPEL caused by unnecessary bumping authlib minimum version requirement in pyproject.toml file. Contributed by Oleg Girko. (#​19742)

Improved Documentation

• Add warning about known problems when configuring use_frozen_dicts. (#​19711)

Internal Changes

• Port Event.signatures field to Rust. (#​19706)
• Port Event.unsigned field to Rust. (#​19708)
• Add a Rust canonical JSON serializer. (#​19739, #​19763)
• Configure Dependabot to only update Python dependencies in the lockfile, unless widening upper bounds. (#​19743)
• Reduce WORKER_LOCK_MAX_RETRY_INTERVAL to 5 seconds to reduce idle time after lock is released. (#​19755)
• Force keyword-only arguments for Duration so time units have to be specified. (#​19756)

v1.152.1

Compare Source

Synapse 1.152.1 (2026-05-07)

Security Fixes

• Prevent CPU starvation (Denial of Service) under worker lock contention, additionally capping the WorkerLock time out interval to a maximum of 60 seconds. Contributed by Famedly. (#​19394, ELEMENTSEC-2026-1706, GHSA-8q93-326v-3m7g, CVE-2026-45078)
• Prevent pagination ending when a page is full of rejected events. (ELEMENTSEC-2025-1636, GHSA-6qf2-7x63-mm6v, CVE-2026-45076)

v1.152.0

Compare Source

Synapse 1.152.0 (2026-04-28)

No significant changes since 1.152.0rc1.

Configuration changes needed for deployments using workers

For deployments using workers, please note that this version introduces a new quarantined_media_changes stream writer, which may require configuration changes.
Please see the the relevant section in the upgrade notes for details.

Without configuring this new stream writer, only the main process will be able to handle the /media/quarantine admin API endpoints for quarantining media.

Synapse 1.152.0rc1 (2026-04-22)

Features

• Add a "Listing quarantined media changes" Admin API for retrieving a paginated record of when media became (un)quarantined. (#​19558, #​19677, #​19694)
• Advertise MSC4445 sync timeline order in unstable_features. (#​19642)
• Report the Rust compiler version used in the Prometheus metrics. Contributed by Noah Markert. (#​19643)
• Passthrough 'article' and 'profile' OpenGraph metadata on URL preview requests. (#​19659)
• Add a way to re-sign local events with a new signing key. (#​19668)
• Support MSC4450: Identity Provider selection for User-Interactive Authentication with Legacy Single Sign-On. (#​19693)
• Add experimental support for MSC4242: State DAGs. Excludes federation support. (#​19424)
• Adds Admin API endpoints to
  list, fetch and delete user reports. (#​19657)
• Reduce database disk space usage by pruning old rows from device_lists_changes_in_room. (#​19473, #​19709)

Bugfixes

• Reject device_keys: null in the request to POST /_matrix/client/v3/keys/upload, as per the spec. This was temporarily allowed as a workaround for misbehaving clients. (#​19637)
• Fix database migrations failing on platforms where SQLite is configured with SQLITE_DBCONFIG_DEFENSIVE by default, such as macOS. (#​19690)
• Fix a bug introduced in v1.145 where a non-admin could bypass admin checks for downloading remote quarantined media. This relied on the media already being previously present on the homeserver. (#​19639)

Improved Documentation

• Include a workaround for running the unit tests with SQLite under recent versions of MacOS. (#​19615)
• Fix Docker image link typo in worker docs. (#​19645)
• Update the developer stream docs for creating a new stream to point out _setup_sequence(...) in portdb. (#​19675)
• Update the developer stream docs for creating a new stream to highlight places that require documentation updates. (#​19696)

Internal Changes

• Update CI to use re-usable Complement GitHub CI workflow. (#​19533)
• Fix docstring for limit argument in _maybe_backfill_inner(...). (#​19630)
• Document context for why increase timeout for policy server requests. (#​19633)
• Run lint script to format Complement tests introduced in #​19509. (#​19636)
• Small simplifications to the events class. (#​19680, #​19712)
• Introduce spam_checker_spammy internal event metadata. (#​19453)
• Add a FilteredEvent class that saves us copying events. (#​19640)
• Convert EventInternalMetadata to use Arc<RwLock<_>>. (#​19669)

v1.151.0

Compare Source

Synapse 1.151.0 (2026-04-07)

Bugfixes

• Fix KNOWN_ROOM_VERSIONS.__contains__ raising TypeError for non-string keys, which could cause /sync to fail for rooms with a NULL room version in the database. Bug introduced in #​19589 as part of v1.151.0rc1. (#​19649)

Synapse 1.151.0rc1 (2026-03-31)

Features

• Add stable support for MSC4284 Policy Servers. (#​19503)
• Update and stabilize support for MSC2666: Get rooms in common with another user. Contributed by @​tulir @​ Beeper. (#​19511)
• Updated experimental support for MSC4388: Secure out-of-band channel for sign in with QR. (#​19573)
• Stabilize room_version and encryption fields in the space/room /hierarchy API (part of MSC3266). (#​19576)
• Introduce a configuration option to allow using HTTP/2 over plaintext when Synapse connects to Matrix Authentication Service. (#​19586)

Bugfixes

• Fix MSC4284 Policy Servers implementation to skip signing org.matrix.msc4284.policy and m.room.policy state events. (#​19503)
• Correctly apply MSC4284 Policy Server signatures to events when the sender and policy server have the same server name. (#​19503)
• Allow Synapse to start up even when discovery fails for an OpenID Connect provider. (#​19509)
• Fix quarantine media admin APIs sometimes returning inaccurate counts for remote media. (#​19559)
• Fix Build and push complement image CI job not having poetry available for the Complement runner script. (#​19578)
• Increase timeout for policy server requests to avoid repeated requests for checking media. (#​19629)

Deprecations and Removals

• Remove support for MSC3852: Expose user agent information on Device as the MSC was closed. (#​19430)

Internal Changes

• Fix small comment typo in config output from the demo/start.sh script. (#​19538)
• Add MSC3820 comment context to RoomVersion attributes. (#​19577)
• Remove redacted_because from internal unsigned. (#​19581)
• Prevent sending registration emails if registration is disabled. (#​19585)
• Port RoomVersion to Rust. (#​19589)
• Only show failing Complement tests in the formatted output in CI. (#​19590)
• Ensure old Complement test files are removed when downloading a Complement checkout via ./scripts-dev/complement.sh. (#​19592)
• Update HomeserverTestCase.pump() docstring to demystify behavior (Twisted reactor/clock). (#​19602)
• Deprecate HomeserverTestCase.pump() in favor of more direct HomeserverTestCase.reactor.advance(...) usage. (#​19602)
• Lower the Postgres database statement_timeout to 10m (previously 1h). (#​19604)

v1.150.0

Compare Source

Synapse 1.150.0 (2026-03-24)

No significant changes since 1.150.0rc1.

Upgrade notes

Please read the upgrade notes as this release includes a few changes that may affect your deployment.

Synapse 1.150.0rc1 (2026-03-17)

Features

• Add experimental support for the MSC4370 Federation API GET /extremities endpoint. (#​19314)
• MSC4140: Cancellable delayed events: When persisting a delayed event to the timeline, include its delay_id in the event's unsigned section in /sync responses to the event sender. (#​19479)
• Expose MSC4354 Sticky Events over the legacy (v3) /sync API. (#​19487)
• When Matrix Authentication Service (MAS) integration is enabled, allow MAS to set the user locked status in Synapse. (#​19554)

Bugfixes

• Fix Build and push complement image CI job pointing to non-existent image. (#​19523)
• Fix a bug introduced in v1.26.0 that caused deactivated, erased users to not be removed from the user directory. (#​19542)

Improved Documentation

• In the Admin API documentation, always express path parameters as /<param> instead of as /$param. (#​19307)
• Update docs to clarify outbound_federation_restricted_to can also be used with the Secure Border Gateway (SBG). (#​19517)
• Unify Complement developer docs. (#​19518)

Internal Changes

• Put membership updates in a background resumable task when changing the avatar or the display name. (#​19311)
• Add in-repo Complement test to sanity check Synapse version matches git checkout (testing what we think we are). (#​19476)
• Migrate dev dependencies to PEP 735 dependency groups. (#​19490)
• Remove the optional systemd-python dependency and the systemd extra on the synapse package. (#​19491)
• Avoid re-computing the event ID when cloning events. (#​19527)
• Allow caching of the /versions and /auth_metadata public endpoints. (#​19530)
• Add a few labels to the number groupings in the Processed request logs. (#​19548)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.