merge develop into psycopg3#8
Merged
Merged
Conversation
…oup (element-hq#19423) Bumps the minor-and-patches group with 1 update: [actions/setup-go](https://github.com/actions/setup-go). Updates `actions/setup-go` from 6.1.0 to 6.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v6.2.0</h2> <h2>What's Changed</h2> <h3>Enhancements</h3> <ul> <li>Example for restore-only cache in documentation by <a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/696">actions/setup-go#696</a></li> <li>Update Node.js version in action.yml by <a href="https://github.com/ccoVeille"><code>@ccoVeille</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/691">actions/setup-go#691</a></li> <li>Documentation update of actions/checkout by <a href="https://github.com/deining"><code>@deining</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/683">actions/setup-go#683</a></li> </ul> <h3>Dependency updates</h3> <ul> <li>Upgrade js-yaml from 3.14.1 to 3.14.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/682">actions/setup-go#682</a></li> <li>Upgrade <code>@actions/cache</code> to v5 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/695">actions/setup-go#695</a></li> <li>Upgrade actions/checkout from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/686">actions/setup-go#686</a></li> <li>Upgrade qs from 6.14.0 to 6.14.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/703">actions/setup-go#703</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/ccoVeille"><code>@ccoVeille</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/691">actions/setup-go#691</a></li> <li><a href="https://github.com/deining"><code>@deining</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/683">actions/setup-go#683</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v6...v6.2.0">https://github.com/actions/setup-go/compare/v6...v6.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-go/commit/7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5"><code>7a3fe6c</code></a> Bump qs from 6.14.0 to 6.14.1 (<a href="https://redirect.github.com/actions/setup-go/issues/703">#703</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/b9adafd441833a027479ddd0db37eaece68d35cb"><code>b9adafd</code></a> Bump actions/checkout from 5 to 6 (<a href="https://redirect.github.com/actions/setup-go/issues/686">#686</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/d73f6bcfc2b419b74f47075f8a487b40cc4680f8"><code>d73f6bc</code></a> README.md: correct to actions/checkout@v6 (<a href="https://redirect.github.com/actions/setup-go/issues/683">#683</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/ae252ee6fb24babc50e89fc67c4aa608e69fbf8f"><code>ae252ee</code></a> Bump <code>@actions/cache</code> to v5 (<a href="https://redirect.github.com/actions/setup-go/issues/695">#695</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/bf7446afafbce8902019569bc0aab5a59380c516"><code>bf7446a</code></a> Bump js-yaml from 3.14.1 to 3.14.2 (<a href="https://redirect.github.com/actions/setup-go/issues/682">#682</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/02aadfee7f572f67453450365b688df2c3f95730"><code>02aadfe</code></a> Fix Node.js version in action.yml (<a href="https://redirect.github.com/actions/setup-go/issues/691">#691</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/4aaadf42668403795cdfdb15b1c4250e9fed12b9"><code>4aaadf4</code></a> Example for restore-only cache in documentation (<a href="https://redirect.github.com/actions/setup-go/issues/696">#696</a>)</li> <li>See full diff in <a href="https://github.com/actions/setup-go/compare/4dc6199c7b1a012772edbd06daecab0f50c9053c...7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
… directory (element-hq#19391) Bumps the patches group with 1 update in the / directory: [serde_json](https://github.com/serde-rs/json). Updates `serde_json` from 1.0.145 to 1.0.148 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/serde-rs/json/releases">serde_json's releases</a>.</em></p> <blockquote> <h2>v1.0.148</h2> <ul> <li>Update <code>zmij</code> dependency to 1.0</li> </ul> <h2>v1.0.147</h2> <ul> <li>Switch float-to-string algorithm from Ryū to Żmij for better f32 and f64 serialization performance (<a href="https://redirect.github.com/serde-rs/json/issues/1304">#1304</a>)</li> </ul> <h2>v1.0.146</h2> <ul> <li>Set fast_arithmetic=64 for riscv64 (<a href="https://redirect.github.com/serde-rs/json/issues/1305">#1305</a>, thanks <a href="https://github.com/Xeonacid"><code>@Xeonacid</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/serde-rs/json/commit/8b291c4c5620476d6834c69fbfb24d13a24d4596"><code>8b291c4</code></a> Release 1.0.148</li> <li><a href="https://github.com/serde-rs/json/commit/1aefe152735f1b11ce7f641f8e86448d227163bf"><code>1aefe15</code></a> Update to zmij 1.0</li> <li><a href="https://github.com/serde-rs/json/commit/62d6e8d6158ccc1608fb57d9a8a73cc8d15f5b2a"><code>62d6e8d</code></a> Release 1.0.147</li> <li><a href="https://github.com/serde-rs/json/commit/fd829a65beb37d2db296f1a64c22c25ad508d6d8"><code>fd829a6</code></a> Merge pull request <a href="https://redirect.github.com/serde-rs/json/issues/1304">#1304</a> from dtolnay/zmij</li> <li><a href="https://github.com/serde-rs/json/commit/e757a3d8813bfacad8354ae3af89fa19a471da6b"><code>e757a3d</code></a> Switch from ryu -> zmij for float formatting</li> <li><a href="https://github.com/serde-rs/json/commit/75ad7e6b4eb8a26560300d2d7332d6dd8cd5b277"><code>75ad7e6</code></a> Release 1.0.146</li> <li><a href="https://github.com/serde-rs/json/commit/bc6c8276d9597fae216085f940c712f4d4fce4bc"><code>bc6c827</code></a> Merge pull request <a href="https://redirect.github.com/serde-rs/json/issues/1305">#1305</a> from Xeonacid/patch-1</li> <li><a href="https://github.com/serde-rs/json/commit/a09210adf529842b912db6f69ad9858ad2f90e16"><code>a09210a</code></a> Set fast_arithmetic=64 for riscv64</li> <li><a href="https://github.com/serde-rs/json/commit/01182e54b5dbadee79696bd472b67391e92679af"><code>01182e5</code></a> Update actions/upload-artifact@v5 -> v6</li> <li><a href="https://github.com/serde-rs/json/commit/383b13a45feb2955236735397c53218acd4da515"><code>383b13a</code></a> Update actions/upload-artifact@v4 -> v5</li> <li>Additional commits viewable in <a href="https://github.com/serde-rs/json/compare/v1.0.145...v1.0.148">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Devon Hudson <devonhudson@librem.one>
…ing issues. (element-hq#19410) Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
…ning dependency (element-hq#19417) ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [x] Pull request is based on the develop branch * [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters)) There is a typo in check_dependencies.py which makes setuptools_rust a runtime requirement, but there is no need for it at runtime. This patch solves the typo. I tested starting 1.146.0 with this patch and without setuptools_rust and it starts correctly
Bumps [bytes](https://github.com/tokio-rs/bytes) from 1.11.0 to 1.11.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/bytes/releases">bytes's releases</a>.</em></p> <blockquote> <h2>Bytes v1.11.1</h2> <h1>1.11.1 (February 3rd, 2026)</h1> <ul> <li>Fix integer overflow in <code>BytesMut::reserve</code></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md">bytes's changelog</a>.</em></p> <blockquote> <h1>1.11.1 (February 3rd, 2026)</h1> <ul> <li>Fix integer overflow in <code>BytesMut::reserve</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tokio-rs/bytes/commit/417dccdeff249e0c011327de7d92e0d6fbe7cc43"><code>417dccd</code></a> Release bytes v1.11.1 (<a href="https://redirect.github.com/tokio-rs/bytes/issues/820">#820</a>)</li> <li><a href="https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f"><code>d0293b0</code></a> Merge commit from fork</li> <li>See full diff in <a href="https://github.com/tokio-rs/bytes/compare/v1.11.0...v1.11.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/element-hq/synapse/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…rejected. (element-hq#19429) Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
This is useful so we can test Synapse specific behaviors like our admin API. (see docs in PR, `complement/README.md`) ``` COMPLEMENT_DIR=../complement ./scripts-dev/complement.sh --in-repo ``` Complement calls these ["out-of-repo"](https://github.com/matrix-org/complement/blob/78c255edcebfcb0ac5e3c86d49d76cb21fdd035a/OUT-OF-REPO-TESTS.md) tests but it's a bit of a misnomer once they're in your project. (just depends on the perspective) There has been [previous desire](element-hq#19021 (comment)) for this kind of thing but this is spawning from wanting to have some tests for our purge history admin API (element-hq/synapse-rust-apps#430). There are some Sytest tests ([`matrix-org/sytest` -> `tests/48admin.pl#L91-L618`](https://github.com/matrix-org/sytest/blob/1be04cce46c0f84abac736390dc3fab17f35a756/tests/48admin.pl#L91-L618)) for this already but I'd much rather work in Complement instead of Sytest. I'm wanting these tests to ensure that our new `event-cache` rust app for Synapse Pro doesn't break these kind of erasure features (element-hq/synapse-rust-apps#366 and element-hq/synapse-rust-apps#153). Interestingly, there is already [`matrix-org/complement` -> `tests/csapi/admin_test.go`](https://github.com/matrix-org/complement/blob/78c255edcebfcb0ac5e3c86d49d76cb21fdd035a/tests/csapi/admin_test.go) (added in matrix-org/complement#322) in the Complement repo iteslf that tests the `/_synapse/admin/v1/send_server_notice` endpoint but it's a bit of an interesting case as [Dendrite also supports this endpoint](matrix-org/dendrite#2180). I don't think it's good practice to continually shove in more and more Synapse-specific behavior into the Complement repo itself. We already have success with other out-of-repo tests for projects like the [SBG](https://github.com/element-hq/sbg/tree/b76b05b53e40bf6890e51dd1b83cec3460274eb2/complement_tests), [TI-Messenger Proxy](https://github.com/element-hq/ti-messenger-proxy/tree/c8fa87feccc743c01cccbbc2685321206b532925/complement), and our [Synapse Pro for small hosts](https://github.com/element-hq/synapse-small-hosts/tree/c2ea7eabf3e1d7c26a5312ebef326b254937be99/complement).
…-hq#19365) Part of: MSC4354 whose experimental feature tracking issue is element-hq#19409 Follows: element-hq#19340 (a necessary bugfix for `/event/` to set this metadata) Partially supersedes: element-hq#18968 This PR implements the first batch of work to support MSC4354 Sticky Events. Sticky events are events that have been configured with a finite 'stickiness' duration, capped to 1 hour per current MSC draft. Whilst an event is sticky, we provide stronger delivery guarantees for the event, both to our clients and to remote homeservers, essentially making it reliable delivery as long as we have a functional connection to the client/server and until the stickiness expires. This PR merely supports creating sticky events and receiving the sticky TTL metadata in clients. It is not suitable for trialling sticky events since none of the other semantics are implemented. Contains a temporary SQLite workaround due to a bug in our supported version enforcement: element-hq#19452 --------- Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org> Co-authored-by: Eric Eastwood <erice@element.io>
…19459) Co-authored-by: Devon Hudson <devonhudson@librem.one>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.3 to 46.0.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>46.0.5 - 2026-02-10</p> <pre><code> * An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine** for reporting the issue. **CVE-2026-26007** * Support for ``SECT*`` binary elliptic curves is deprecated and will be removed in the next release. <p>.. v46-0-4:</p> <p>46.0.4 - 2026-01-27<br /> </code></pre></p> <ul> <li><code>Dropped support for win_arm64 wheels</code>_.</li> <li>Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.</li> </ul> <p>.. _v46-0-3:</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/06e120e682cb200e3f7050c02f0bcdac90c4c6ad"><code>06e120e</code></a> bump version for 46.0.5 release (<a href="https://redirect.github.com/pyca/cryptography/issues/14289">#14289</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c"><code>0eebb9d</code></a> EC check key on cofactor > 1 (<a href="https://redirect.github.com/pyca/cryptography/issues/14287">#14287</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/bedf6e186b814f69a3f54f51252c23a71d44ed2e"><code>bedf6e1</code></a> fix openssl version on 46 branch (<a href="https://redirect.github.com/pyca/cryptography/issues/14220">#14220</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/e6f44fc8e6391f05d719fb9d369692325b87a471"><code>e6f44fc</code></a> bump for 46.0.4 and drop win arm64 due to CI issues (<a href="https://redirect.github.com/pyca/cryptography/issues/14217">#14217</a>)</li> <li>See full diff in <a href="https://github.com/pyca/cryptography/compare/46.0.3...46.0.5">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/element-hq/synapse/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.48.0 to 1.49.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/tokio/releases">tokio's releases</a>.</em></p> <blockquote> <h2>Tokio v1.49.0</h2> <h1>1.49.0 (January 3rd, 2026)</h1> <h3>Added</h3> <ul> <li>net: add support for <code>TCLASS</code> option on IPv6 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7781">#7781</a>)</li> <li>runtime: stabilize <code>runtime::id::Id</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7125">#7125</a>)</li> <li>task: implement <code>Extend</code> for <code>JoinSet</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7195">#7195</a>)</li> <li>task: stabilize the <code>LocalSet::id()</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7776">#7776</a>)</li> </ul> <h3>Changed</h3> <ul> <li>net: deprecate <code>{TcpStream,TcpSocket}::set_linger</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7752">#7752</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>macros: fix the hygiene issue of <code>join!</code> and <code>try_join!</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7766">#7766</a>)</li> <li>runtime: revert "replace manual vtable definitions with Wake" (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7699">#7699</a>)</li> <li>sync: return <code>TryRecvError::Disconnected</code> from <code>Receiver::try_recv</code> after <code>Receiver::close</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7686">#7686</a>)</li> <li>task: remove unnecessary trait bounds on the <code>Debug</code> implementation (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7720">#7720</a>)</li> </ul> <h3>Unstable</h3> <ul> <li>fs: handle <code>EINTR</code> in <code>fs::write</code> for io-uring (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7786">#7786</a>)</li> <li>fs: support io-uring with <code>tokio::fs::read</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7696">#7696</a>)</li> <li>runtime: disable io-uring on <code>EPERM</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7724">#7724</a>)</li> <li>time: add alternative timer for better multicore scalability (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7467">#7467</a>)</li> </ul> <h3>Documented</h3> <ul> <li>docs: fix a typos in <code>bounded.rs</code> and <code>park.rs</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7817">#7817</a>)</li> <li>io: add <code>SyncIoBridge</code> cross-references to <code>copy</code> and <code>copy_buf</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7798">#7798</a>)</li> <li>io: doc that <code>AsyncWrite</code> does not inherit from <code>std::io::Write</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7705">#7705</a>)</li> <li>metrics: clarify that <code>num_alive_tasks</code> is not strongly consistent (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7614">#7614</a>)</li> <li>net: clarify the cancellation safety of the <code>TcpStream::peek</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7305">#7305</a>)</li> <li>net: clarify the drop behavior of <code>unix::OwnedWriteHalf</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7742">#7742</a>)</li> <li>net: clarify the platform-dependent backlog in <code>TcpSocket</code> docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7738">#7738</a>)</li> <li>runtime: mention <code>LocalRuntime</code> in <code>new_current_thread</code> docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7820">#7820</a>)</li> <li>sync: add missing period to <code>mpsc::Sender::try_send</code> docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7721">#7721</a>)</li> <li>sync: clarify the cancellation safety of <code>oneshot::Receiver</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7780">#7780</a>)</li> <li>sync: improve the docs for the <code>errors</code> of mpsc (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7722">#7722</a>)</li> <li>task: add example for <code>spawn_local</code> usage on local runtime (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7689">#7689</a>)</li> </ul> <p><a href="https://redirect.github.com/tokio-rs/tokio/issues/7125">#7125</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7125">tokio-rs/tokio#7125</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7195">#7195</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7195">tokio-rs/tokio#7195</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7305">#7305</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7305">tokio-rs/tokio#7305</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7467">#7467</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7467">tokio-rs/tokio#7467</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7614">#7614</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7614">tokio-rs/tokio#7614</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7686">#7686</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7686">tokio-rs/tokio#7686</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7689">#7689</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7689">tokio-rs/tokio#7689</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tokio-rs/tokio/commit/e3b89bbefa7564e2eba2fb9f849ef7bf87d60fad"><code>e3b89bb</code></a> chore: prepare Tokio v1.49.0 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7824">#7824</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/4f577b84e939c8d427d79fdc73919842d8735de2"><code>4f577b8</code></a> Merge 'tokio-1.47.3' into 'master'</li> <li><a href="https://github.com/tokio-rs/tokio/commit/f320197693ee09e28f1fca0e55418081adcdfc25"><code>f320197</code></a> chore: prepare Tokio v1.47.3 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7823">#7823</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/ea6b144cd1042d6841a7830b18f2df77c3db904b"><code>ea6b144</code></a> ci: freeze rustc on nightly-2025-01-25 in <code>netlify.toml</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7652">#7652</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/264e703296bccd6783a438815d91055d4517099b"><code>264e703</code></a> Merge <code>tokio-1.43.4</code> into <code>tokio-1.47.x</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7822">#7822</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/dfb0f00838ca1986dee04a54a6299d35b0a4072c"><code>dfb0f00</code></a> chore: prepare Tokio v1.43.4 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7821">#7821</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/4a91f197b03dc335010fffcf0e0c14e1f4011b42"><code>4a91f19</code></a> ci: fix wasm32-wasip1 tests (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7788">#7788</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/601c383ab6def5a6d2f95a434c95a97b65059628"><code>601c383</code></a> ci: upgrade FreeBSD from 14.2 to 14.3 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7758">#7758</a>)</li> <li><a href="https://github.com/tokio-rs/tokio/commit/484cb52d8d21cb8156decbeba9569651fcc09d0d"><code>484cb52</code></a> sync: return <code>TryRecvError::Disconnected</code> from <code>Receiver::try_recv</code> after `Re...</li> <li><a href="https://github.com/tokio-rs/tokio/commit/16f20c34ed9bc11eb1e7cdec441ab844b198d2cd"><code>16f20c3</code></a> rt: mention <code>LocalRuntime</code> in <code>new_current_thread</code> docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7820">#7820</a>)</li> <li>Additional commits viewable in <a href="https://github.com/tokio-rs/tokio/compare/tokio-1.48.0...tokio-1.49.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#19457) This allows the Rust HTTP client to be configured to force HTTP/2 even on plaintext connections. This is useful in contexts where the remote server is known to server HTTP/2 over plain text. Added because we use the Synapse Rust HTTP client with the Synapse Pro `event-cache` module. We use this because it's independent from the Python reactor which makes things slower than expected. Currently, the Synapse Rust HTTP client uses HTTP/1 which means a new connection for every request. With HTTP/2, we can share the connection across requests. We want to see if this will make a performance difference and less stress on the database connection situation, see element-hq/synapse-rust-apps#452 (comment) Here is the sibling PR for using HTTP/2 on the Synapse Pro `event-cache` module side: element-hq/synapse-pro-modules#35
…mpatible in /complement (element-hq#19436) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.2.2+incompatible to 28.3.3+incompatible. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/docker/releases">github.com/docker/docker's releases</a>.</em></p> <blockquote> <h2>v28.3.3</h2> <h2>28.3.3</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.3.3">docker/cli, 28.3.3 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.3.3">moby/moby, 28.3.3 milestone</a></li> </ul> <h3>Security</h3> <p>This release fixes an issue where, after a firewalld reload, published container ports could be accessed directly from the local network, even when they were intended to be accessible only via a loopback address. <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54388">CVE-2025-54388</a> / <a href="https://github.com/moby/moby/security/advisories/GHSA-x4rx-4gw3-53p4">GHSA-x4rx-4gw3-53p4</a> / <a href="https://redirect.github.com/moby/moby/pull/50506">moby/moby#50506</a>.</p> <h3>Packaging updates</h3> <ul> <li>Update Buildx to <a href="https://github.com/docker/buildx/releases/tag/v0.26.1">v0.26.1</a>. <a href="https://redirect.github.com/docker/docker-ce-packaging/pull/1230">docker/docker-ce-packaging#1230</a></li> <li>Update Compose to <a href="https://github.com/docker/compose/releases/tag/v2.39.1">v2.39.1</a>. <a href="https://redirect.github.com/docker/docker-ce-packaging/pull/1234">docker/docker-ce-packaging#1234</a></li> <li>Update Docker Model CLI plugin to <a href="https://github.com/docker/model-cli/releases/tag/v0.1.36">v0.1.36</a>. <a href="https://redirect.github.com/docker/docker-ce-packaging/pull/1233">docker/docker-ce-packaging#1233</a></li> </ul> <h3>Go SDK</h3> <ul> <li>cli/command/formatter: add <code>TrunateID()</code> utility as alternative for <code>github.com/docker/docker/pkg/stringid.TrunateID()</code>. <a href="https://redirect.github.com/docker/cli/pull/6180">docker/cli#6180</a></li> </ul> <h2>28.3.2</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.3.2">docker/cli, 28.3.2 milestone</a></li> <li><a href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.3.2">moby/moby, 28.3.2 milestone</a></li> <li>Deprecated and removed features, see <a href="https://github.com/docker/cli/blob/v28.3.2/docs/deprecated.md">Deprecated Features</a>.</li> <li>Changes to the Engine API, see <a href="https://github.com/moby/moby/blob/v28.3.2/docs/api/version-history.md">API version history</a>.</li> </ul> <h3>Bug fixes and enhancements</h3> <ul> <li>Fix <code>--use-api-socket</code> not working correctly when targeting a remote daemon. <a href="https://redirect.github.com/docker/cli/pull/6157">docker/cli#6157</a></li> <li>Fix stray "otel error" logs being printed if debug logging is enabled. <a href="https://redirect.github.com/docker/cli/pull/6160">docker/cli#6160</a></li> <li>Quote SSH arguments when connecting to a remote daemon over an SSH connection to avoid unexpected expansion. <a href="https://redirect.github.com/docker/cli/pull/6147">docker/cli#6147</a></li> <li>Warn when <code>DOCKER_AUTH_CONFIG</code> is set during <code>docker login</code> and <code>docker logout</code>. <a href="https://redirect.github.com/docker/cli/pull/6163">docker/cli#6163</a></li> </ul> <h3>Packaging updates</h3> <ul> <li>Update Compose to <a href="https://github.com/docker/compose/releases/tag/v2.38.2">v2.38.2</a>. <a href="https://redirect.github.com/docker/docker-ce-packaging/pull/1225">docker/docker-ce-packaging#1225</a></li> <li>Update Docker Model CLI plugin to <a href="https://github.com/docker/model-cli/releases/tag/v0.1.33">v0.1.33</a>. <a href="https://redirect.github.com/docker/docker-ce-packaging/pull/1227">docker/docker-ce-packaging#1227</a></li> <li>Update Go runtime to 1.24.5. <a href="https://redirect.github.com/moby/moby/pull/50354">moby/moby#50354</a></li> </ul> <h2>28.3.1</h2> <p>For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:</p> <ul> <li><a href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.3.1">docker/cli, 28.3.1 milestone</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/moby/moby/commit/bea959c7b793b32a893820b97c4eadc7c87fabb0"><code>bea959c</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/50506">#50506</a> from robmry/backport-28.x/fix_firewalld_reload</li> <li><a href="https://github.com/moby/moby/commit/3e9ff78b94efdd73bbccb13fe781b79ce7ca8cf1"><code>3e9ff78</code></a> bridge: Reapply endpoint iptables rules on firewalld reload</li> <li><a href="https://github.com/moby/moby/commit/29ed80aa867e93b5f5134b053325d01fb6528da7"><code>29ed80a</code></a> bridge: Trigger firewalld reload during bridge integration tests</li> <li><a href="https://github.com/moby/moby/commit/da489a11d4055fa01eeffa5a016cb03250733257"><code>da489a1</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/50478">#50478</a> from thaJeztah/28.x_backport_gha_bump_bk</li> <li><a href="https://github.com/moby/moby/commit/f173e45ae9bf199d1f3334d2fd5c4079c8d6daec"><code>f173e45</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/50480">#50480</a> from austinvazquez/cherry-pick-ea29dffaa541289591aa...</li> <li><a href="https://github.com/moby/moby/commit/e4b1f899962f287dee2291d387f04dde4b5c7e1a"><code>e4b1f89</code></a> daemon/server: remove compatibility with API v1.4 auth-config on push</li> <li><a href="https://github.com/moby/moby/commit/0c9e14dcce15b163dd1f655f9fdd33a1e71b0408"><code>0c9e14d</code></a> hack/buildkit-ref: temporarily bump BuildKit to head of v0.23 branch</li> <li><a href="https://github.com/moby/moby/commit/bf6d688157b015ac1f018367c5d8fa5fa47af6fb"><code>bf6d688</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/50471">#50471</a> from austinvazquez/cherry-pick-b1ce0c89f0214cc6711c...</li> <li><a href="https://github.com/moby/moby/commit/4205776b8538e11805bf5bdb6ff2e356d4ee358f"><code>4205776</code></a> client: always send (empty) body on push</li> <li><a href="https://github.com/moby/moby/commit/e77ff99ede5ee5952b3a9227863552ae6e5b6fb1"><code>e77ff99</code></a> Merge pull request <a href="https://redirect.github.com/docker/docker/issues/50354">#50354</a> from vvoland/50353-28.x</li> <li>Additional commits viewable in <a href="https://github.com/docker/docker/compare/v28.2.2...v28.3.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/element-hq/synapse/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…lement-hq#19469) Bumps the minor-and-patches group with 3 updates in the / directory: [docker/login-action](https://github.com/docker/login-action), [actions/setup-python](https://github.com/actions/setup-python) and [actions/cache](https://github.com/actions/cache). Updates `docker/login-action` from 3.6.0 to 3.7.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/login-action/releases">docker/login-action's releases</a>.</em></p> <blockquote> <h2>v3.7.0</h2> <ul> <li>Add <code>scope</code> input to set scopes for the authentication token by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/912">docker/login-action#912</a></li> <li>Add support for AWS European Sovereign Cloud ECR by <a href="https://github.com/dphi"><code>@dphi</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/914">docker/login-action#914</a></li> <li>Ensure passwords are redacted with <code>registry-auth</code> input by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/911">docker/login-action#911</a></li> <li>build(deps): bump lodash from 4.17.21 to 4.17.23 in <a href="https://redirect.github.com/docker/login-action/pull/915">docker/login-action#915</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v3.6.0...v3.7.0">https://github.com/docker/login-action/compare/v3.6.0...v3.7.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/docker/login-action/commit/c94ce9fb468520275223c153574b00df6fe4bcc9"><code>c94ce9f</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/915">#915</a> from docker/dependabot/npm_and_yarn/lodash-4.17.23</li> <li><a href="https://github.com/docker/login-action/commit/8339c958ce8511f38d0c474c1886a87c802bf1ef"><code>8339c95</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/912">#912</a> from docker/scope</li> <li><a href="https://github.com/docker/login-action/commit/c83e9320c8beb50b77dd007c46d5c8161f0cac4a"><code>c83e932</code></a> build(deps): bump lodash from 4.17.21 to 4.17.23</li> <li><a href="https://github.com/docker/login-action/commit/b268aa57e39ff0a5386d2fd1eded4e2e1d60d705"><code>b268aa5</code></a> chore: update generated content</li> <li><a href="https://github.com/docker/login-action/commit/a60322927812ddc99316dd6252b4fba6d8f09ac1"><code>a603229</code></a> documentation for scope input</li> <li><a href="https://github.com/docker/login-action/commit/7567f92a74b2639be1bd8bc932a112a0d81283da"><code>7567f92</code></a> Add scope input to set scopes for the authentication token</li> <li><a href="https://github.com/docker/login-action/commit/0567fa5ae8c9a197cb207537dc5cbb43ca3d803f"><code>0567fa5</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/914">#914</a> from dphi/add-support-for-amazonaws.eu</li> <li><a href="https://github.com/docker/login-action/commit/f6ef57754547a85003a0e18f789be661346d4a6e"><code>f6ef577</code></a> feat: add support for AWS European Sovereign Cloud ECR registries</li> <li><a href="https://github.com/docker/login-action/commit/916386b00027d425839f8da46d302dab33f5875b"><code>916386b</code></a> Merge pull request <a href="https://redirect.github.com/docker/login-action/issues/911">#911</a> from crazy-max/ensure-redact</li> <li><a href="https://github.com/docker/login-action/commit/5b3f94a294ea5478af3af437baa6ad0d3dcd04fd"><code>5b3f94a</code></a> chore: update generated content</li> <li>Additional commits viewable in <a href="https://github.com/docker/login-action/compare/5e57cd118135c172c3672efd75eb46360885c0ef...c94ce9fb468520275223c153574b00df6fe4bcc9">compare view</a></li> </ul> </details> <br /> Updates `actions/setup-python` from 6.1.0 to 6.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-python/releases">actions/setup-python's releases</a>.</em></p> <blockquote> <h2>v6.2.0</h2> <h2>What's Changed</h2> <h3>Dependency Upgrades</h3> <ul> <li>Upgrade dependencies to Node 24 compatible versions by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/setup-python/pull/1259">actions/setup-python#1259</a></li> <li>Upgrade urllib3 from 2.5.0 to 2.6.3 in <code>/__tests__/data</code> by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-python/pull/1253">actions/setup-python#1253</a> and <a href="https://redirect.github.com/actions/setup-python/pull/1264">actions/setup-python#1264</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-python/compare/v6...v6.2.0">https://github.com/actions/setup-python/compare/v6...v6.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-python/commit/a309ff8b426b58ec0e2a45f0f869d46889d02405"><code>a309ff8</code></a> Bump urllib3 from 2.6.0 to 2.6.3 in /<strong>tests</strong>/data (<a href="https://redirect.github.com/actions/setup-python/issues/1264">#1264</a>)</li> <li><a href="https://github.com/actions/setup-python/commit/bfe8cc55a7890e3d6672eda6460ef37bfcc70755"><code>bfe8cc5</code></a> Upgrade <a href="https://github.com/actions"><code>@actions</code></a> dependencies to Node 24 compatible versions (<a href="https://redirect.github.com/actions/setup-python/issues/1259">#1259</a>)</li> <li><a href="https://github.com/actions/setup-python/commit/4f41a90a1f38628c7ccc608d05fbafe701bc20ae"><code>4f41a90</code></a> Bump urllib3 from 2.5.0 to 2.6.0 in /<strong>tests</strong>/data (<a href="https://redirect.github.com/actions/setup-python/issues/1253">#1253</a>)</li> <li>See full diff in <a href="https://github.com/actions/setup-python/compare/83679a892e2d95755f2dac6acb0bfd1e9ac5d548...a309ff8b426b58ec0e2a45f0f869d46889d02405">compare view</a></li> </ul> </details> <br /> Updates `actions/cache` from 5.0.1 to 5.0.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.3</h2> <h2>What's Changed</h2> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.3">https://github.com/actions/cache/compare/v5...v5.0.3</a></p> <h2>v.5.0.2</h2> <h1>v5.0.2</h1> <h2>What's Changed</h2> <p>When creating cache entries, 429s returned from the cache service will not be retried.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>How to prepare a release</h2> <blockquote> <p>[!NOTE]<br /> Relevant for maintainers with write access only.</p> </blockquote> <ol> <li>Switch to a new branch from <code>main</code>.</li> <li>Run <code>npm test</code> to ensure all tests are passing.</li> <li>Update the version in <a href="https://github.com/actions/cache/blob/main/package.json"><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li> <li>Run <code>npm run build</code> to update the compiled files.</li> <li>Update this <a href="https://github.com/actions/cache/blob/main/RELEASES.md"><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a> with the new version and changes in the <code>## Changelog</code> section.</li> <li>Run <code>licensed cache</code> to update the license report.</li> <li>Run <code>licensed status</code> and resolve any warnings by updating the <a href="https://github.com/actions/cache/blob/main/.licensed.yml"><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a> file with the exceptions.</li> <li>Commit your changes and push your branch upstream.</li> <li>Open a pull request against <code>main</code> and get it reviewed and merged.</li> <li>Draft a new release <a href="https://github.com/actions/cache/releases">https://github.com/actions/cache/releases</a> use the same version number used in <code>package.json</code> <ol> <li>Create a new tag with the version number.</li> <li>Auto generate release notes and update them to match the changes you made in <code>RELEASES.md</code>.</li> <li>Toggle the set as the latest release option.</li> <li>Publish the release.</li> </ol> </li> <li>Navigate to <a href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml">https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a> <ol> <li>There should be a workflow run queued with the same version number.</li> <li>Approve the run to publish the new version and update the major tags for this action.</li> </ol> </li> </ol> <h2>Changelog</h2> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <h3>5.0.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.3 <a href="https://redirect.github.com/actions/cache/pull/1692">#1692</a></li> </ul> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/cache@5.0.1</code> <a href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>4.3.0</h3> <ul> <li>Bump <code>@actions/cache</code> to <a href="https://redirect.github.com/actions/toolkit/pull/2132">v4.1.0</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/cache/commit/cdf6c1fa76f9f475f3d7449005a359c84ca0f306"><code>cdf6c1f</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1695">#1695</a> from actions/Link-/prepare-5.0.3</li> <li><a href="https://github.com/actions/cache/commit/a1bee22673bee4afb9ce4e0a1dc3da1c44060b7d"><code>a1bee22</code></a> Add review for the <code>@actions/http-client</code> license</li> <li><a href="https://github.com/actions/cache/commit/46957638dc5c5ff0c34c0143f443c07d3a7c769f"><code>4695763</code></a> Add licensed output</li> <li><a href="https://github.com/actions/cache/commit/dc73bb9f7bf74a733c05ccd2edfd1f2ac9e5f502"><code>dc73bb9</code></a> Upgrade dependencies and address security warnings</li> <li><a href="https://github.com/actions/cache/commit/345d5c2f761565bace4b6da356737147e9041e3a"><code>345d5c2</code></a> Add 5.0.3 builds</li> <li><a href="https://github.com/actions/cache/commit/8b402f58fbc84540c8b491a91e594a4576fec3d7"><code>8b402f5</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1692">#1692</a> from GhadimiR/main</li> <li><a href="https://github.com/actions/cache/commit/304ab5a0701ee61908ccb4b5822347949a2e2002"><code>304ab5a</code></a> license for httpclient</li> <li><a href="https://github.com/actions/cache/commit/609fc19e67cd310e97eb36af42355843ffcb35be"><code>609fc19</code></a> Update licensed record for cache</li> <li><a href="https://github.com/actions/cache/commit/b22231e43df11a67538c05e88835f1fa097599c5"><code>b22231e</code></a> Build</li> <li><a href="https://github.com/actions/cache/commit/93150cdfb36a9d84d4e8628c8870bec84aedcf8a"><code>93150cd</code></a> Add PR link to releases</li> <li>Additional commits viewable in <a href="https://github.com/actions/cache/compare/9255dc7a253b0ccc959486e2bca901246202afeb...cdf6c1fa76f9f475f3d7449005a359c84ca0f306">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Part of element-hq/serverproduct-internal#1153 Pushes Synapse docker images to the Element OCI Registry in addition to the dockerhub and ghcr registries. Ready for review despite Draft status. See element-hq#19420 (comment) ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [X] Pull request is based on the develop branch * [X] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [X] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters)) --------- Co-authored-by: Quentin Gliech <quenting@element.io>
Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.26 to 0.12.28. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/seanmonstar/reqwest/releases">reqwest's releases</a>.</em></p> <blockquote> <h2>v0.12.28</h2> <h2>What's Changed</h2> <ul> <li>fix: correctly import TokioIo on Windows by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2896">seanmonstar/reqwest#2896</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/seanmonstar/reqwest/compare/v0.12.27...v0.12.28">https://github.com/seanmonstar/reqwest/compare/v0.12.27...v0.12.28</a></p> <h2>v0.12.27</h2> <h2>tl;dr</h2> <ul> <li>Add <code>ClientBuilder::windows_named_pipe(name)</code> option that will force all requests over that Windows Named Pipe.</li> </ul> <h2>What's Changed</h2> <ul> <li>chore: Disable unused tokio-util codec feature by <a href="https://github.com/tottoto"><code>@tottoto</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2893">seanmonstar/reqwest#2893</a></li> <li>chore: Use http_body_util::BodyDataStream by <a href="https://github.com/tottoto"><code>@tottoto</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2892">seanmonstar/reqwest#2892</a></li> <li>feat: add windows_named_pipe() option to client builder by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2789">seanmonstar/reqwest#2789</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/seanmonstar/reqwest/compare/v0.12.26...v0.12.27">https://github.com/seanmonstar/reqwest/compare/v0.12.26...v0.12.27</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md">reqwest's changelog</a>.</em></p> <blockquote> <h2>v0.12.28</h2> <ul> <li>Fix compiling on Windows if TLS and SOCKS features are not enabled.</li> </ul> <h2>v0.12.27</h2> <ul> <li>Add <code>ClientBuilder::windows_named_pipe(name)</code> option that will force all requests over that Windows Named Piper.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/seanmonstar/reqwest/commit/d97859910c357827ad5993d37ce750ad595f4fff"><code>d978599</code></a> v0.12.28</li> <li><a href="https://github.com/seanmonstar/reqwest/commit/ef2768a823b28bf00e23e218e034be035b08d770"><code>ef2768a</code></a> fix: correctly import TokioIo on Windows (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2896">#2896</a>)</li> <li><a href="https://github.com/seanmonstar/reqwest/commit/1bf6441b68c3e908d2588a3bb4f2043ceed737bf"><code>1bf6441</code></a> v0.12.27</li> <li><a href="https://github.com/seanmonstar/reqwest/commit/4967b1b4e25c2e9cc9f4f2cb0f4e4181f13366ba"><code>4967b1b</code></a> feat: add windows_named_pipe() option to client builder (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2789">#2789</a>)</li> <li><a href="https://github.com/seanmonstar/reqwest/commit/ef5b239cbaa5e93607415bcf943c8f571da13e42"><code>ef5b239</code></a> chore: Use http_body_util::BodyDataStream (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2892">#2892</a>)</li> <li><a href="https://github.com/seanmonstar/reqwest/commit/a8100047976e138483e2128ee0ea004931ceead0"><code>a810004</code></a> chore: Disable unused tokio-util codec feature (<a href="https://redirect.github.com/seanmonstar/reqwest/issues/2893">#2893</a>)</li> <li>See full diff in <a href="https://github.com/seanmonstar/reqwest/compare/v0.12.26...v0.12.28">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Quentin Gliech <quenting@element.io>
This is so that when we update dependencies etc we correctly ensure that the Rust library has been rebuilt.
…19474) Reverts element-hq#19463 The complement tests haven't been reviewed and require more testing. Discussed in the internal [backend team lobby](https://matrix.to/#/!SGNQGPGUwtcPBUotTL:matrix.org/$XDARK2u2iLL5wWaxiL6tJYkLg80Sn6yWWEQib8ahl5Q?via=jki.re&via=element.io&via=matrix.org) room.
So we can better see why it decides to do a local vs remote join. Spawning from [investigating a join issue on `matrix.org`](https://matrix.to/#/!SGNQGPGUwtcPBUotTL:matrix.org/$Odvd47QtkRscxilzkhcFOsDZWNvJUSEhSrD8GpukKWo?via=jki.re&via=element.io&via=matrix.org).
If a set of messages exceeds this limit, the messages are split across several EDUs. Fix element-hq#17035 (should) There is currently [no official specced limit for EDUs](matrix-org/matrix-spec#807), but the consensus seems to be that it would be useful to have one to avoid this bug by bounding the transaction size. As a side effect it also limits the size of a single to-device message to a bit less than 65536. This should probably be added to the spec similarly to the [message size limit.](https://spec.matrix.org/v1.14/client-server-api/#size-limits) Spec PR: matrix-org/matrix-spec#2340 --------- Co-authored-by: mcalinghee <mcalinghee.dev@gmail.com> Co-authored-by: Eric Eastwood <madlittlemods@gmail.com>
…nect provider. (element-hq#19509) Fixes: element-hq#8088 Previously we would perform OIDC discovery on startup, which involves making HTTP requests to the identity provider(s). If that took a long time, we would block startup. If that failed, we would crash startup. This commit: - makes the loading happen in the background on startup - makes an error in the 'preload' non-fatal (though it logs at CRITICAL for visibility) - adds a templated error page to show on failed redirects (for unavailable providers), as otherwise you get a JSON response in your navigator. - This involves introducing 2 new exception types to mark other exceptions and keep the error handling fine-grained. The machinery was already there to load-on-demand the discovery config, so when the identity provider comes back up, the discovery is reattempted and login can succeed. Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
Principally so that we can share the same room version configuration between Python and Rust. For the most part, this is a direct port. Some special handling has had to go into `KNOWN_ROOM_VERSIONS` so that it can be sensibly shared between Python and Rust, since we do update it during config parsing. --------- Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This is a simplification so that `unsigned` only includes "simple"
values, to make it easier to port to Rust.
Reviewable commit-by-commit
Summary:
1. **Add `recheck` column to `redactions` table**
A new boolean `recheck` column (default true) is added to the
`redactions` table. This captures whether a redaction needs its sender
domain checked at read time — required for room v3+ where redactions are
accepted speculatively and later validated. When persisting a new
redaction, `recheck` is set directly from
`event.internal_metadata.need_to_check_redaction()`.
It's fine if initially we recheck all redactions, as it only results in
a little more CPU overhead (as we always pull out the redaction event
regardless).
2. **Backfill `recheck` via background update**
A background update (`redactions_recheck`) backfills the new column for
existing rows by reading `recheck_redaction` from each event's
`internal_metadata` JSON. This avoids loading full event objects by
reading `event_json` directly via a SQL JOIN.
3. **Don't fetch confirmed redaction events from the DB**
Previously, when loading events, Synapse recursively fetched all
redaction events regardless of whether they needed domain rechecking.
Now `_fetch_event_rows` reads the `recheck` column and splits redactions
into two lists:
- `unconfirmed_redactions` — need fetching and domain validation
- `confirmed_redactions` — already validated, applied directly without
fetching the event
This avoids unnecessary DB reads for the common case of
already-confirmed redactions.
4. **Move `redacted_because` population to `EventClientSerializer`**
Previously, `redacted_because` (the full redaction event object) was
stored in `event.unsigned` at DB fetch time, coupling storage-layer code
to client serialization concerns. This is removed from
`_maybe_redact_event_row` and moved into
`EventClientSerializer.serialize_event`, which fetches the redaction
event on demand. The storage layer now only sets
`unsigned["redacted_by"]` (the redaction event ID).
5. **Always use `EventClientSerializer`**
The standalone `serialize_event` function was made private
(`_serialize_event`). All external callers — `rest/client/room.py`,
`rest/admin/events.py, appservice/api.py`, and `tests` — were updated to
use `EventClientSerializer.serialize_event` / `serialize_events`,
ensuring
`redacted_because` is always populated correctly via the serializer.
6. **Batch-fetch redaction events in `serialize_events`**
`serialize_events` now collects all `redacted_by` IDs from the event
batch upfront and fetches them in a single `get_events` call, passing
the result as a `redaction_map` to each `serialize_event` call. This
reduces N individual DB round-trips to one when serializing a batch of
events that includes redacted events.
---------
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Reverts element-hq#18416 Unfortunately, this causes failures on `/sendToDevice` endpoint in normal circumstances. If a single user has, say, a hundred devices then we easily go over the limit. This blocks message sending entirely in encrypted rooms. cc @MadLittleMods @MatMaul
This is to accommodate media scanning and checking. Currently, a 3s timeout means we make 2-5 requests before a media item is successfully scanned. Number chosen based on vibes and light real world testing. Fixes matrix-org/policyserv#108 ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [x] Pull request is based on the develop branch * [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
These seem to work properly in the hierarchy API so I figured I'd unprefix them and remove the flag requirement. This should [better align with the spec](https://spec.matrix.org/latest/client-server-api/#get_matrixclientv1roomsroomidhierarchy_response-200_spacehierarchyroomschunk) and Matrix v1.15 (via [MSC3266](matrix-org/matrix-spec-proposals#3266)), which says these properties are available and named like this. Related to element-hq#18731. This doesn't affect the stability or experimental flags of the room summary API, just the hierarchy API.
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v8.0.1</h2> <h2>What's Changed</h2> <ul> <li>Support for CJK characters in the artifact name by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/471">actions/download-artifact#471</a></li> <li>Add a regression test for artifact name + content-type mismatches by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/472">actions/download-artifact#472</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v8...v8.0.1">https://github.com/actions/download-artifact/compare/v8...v8.0.1</a></p> <h2>v8.0.0</h2> <h2>v8 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.</p> </blockquote> <blockquote> <p>[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).</p> </blockquote> <h3>Direct downloads</h3> <p>To support direct uploads in <code>actions/upload-artifact</code>, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the <code>Content-Type</code> header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new <code>skip-decompress</code> parameter to <code>true</code>.</p> <h3>Enforced checks (breaking)</h3> <p>A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the <code>digest-mismatch</code> parameter. To be secure by default, we are now defaulting the behavior to <code>error</code> which will fail the workflow run.</p> <h3>ESM</h3> <p>To support new versions of the @actions/* packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Don't attempt to un-zip non-zipped downloads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/460">actions/download-artifact#460</a></li> <li>Add a setting to specify what to do on hash mismatch and default it to <code>error</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/461">actions/download-artifact#461</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v7...v8.0.0">https://github.com/actions/download-artifact/compare/v7...v8.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"><code>3e5f45b</code></a> Add regression tests for CJK characters (<a href="https://redirect.github.com/actions/download-artifact/issues/471">#471</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/e6d03f67377d4412c7aa56a8e2e4988e6ec479dd"><code>e6d03f6</code></a> Add a regression test for artifact name + content-type mismatches (<a href="https://redirect.github.com/actions/download-artifact/issues/472">#472</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3"><code>70fc10c</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/461">#461</a> from actions/danwkennedy/digest-mismatch-behavior</li> <li><a href="https://github.com/actions/download-artifact/commit/f258da9a506b755b84a09a531814700b86ccfc62"><code>f258da9</code></a> Add change docs</li> <li><a href="https://github.com/actions/download-artifact/commit/ccc058e5fbb0bb2352213eaec3491e117cbc4a5c"><code>ccc058e</code></a> Fix linting issues</li> <li><a href="https://github.com/actions/download-artifact/commit/bd7976ba57ecea96e6f3df575eb922d11a12a9fd"><code>bd7976b</code></a> Add a setting to specify what to do on hash mismatch and default it to <code>error</code></li> <li><a href="https://github.com/actions/download-artifact/commit/ac21fcf45e0aaee541c0f7030558bdad38d77d6c"><code>ac21fcf</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/460">#460</a> from actions/danwkennedy/download-no-unzip</li> <li><a href="https://github.com/actions/download-artifact/commit/15999bff51058bc7c19b50ebbba518eaef7c26c0"><code>15999bf</code></a> Add note about package bumps</li> <li><a href="https://github.com/actions/download-artifact/commit/974686ed5098c7f9c9289ec946b9058e496a2561"><code>974686e</code></a> Bump the version to <code>v8</code> and add release notes</li> <li><a href="https://github.com/actions/download-artifact/commit/fbe48b1d2756394be4cd4358ed3bc1343b330e75"><code>fbe48b1</code></a> Update test names to make it clearer what they do</li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the minor-and-patches group with 2 updates: [tailscale/github-action](https://github.com/tailscale/github-action) and [Swatinem/rust-cache](https://github.com/swatinem/rust-cache). Updates `tailscale/github-action` from 4.1.1 to 4.1.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tailscale/github-action/releases">tailscale/github-action's releases</a>.</em></p> <blockquote> <h2>v4.1.2</h2> <h2>What's Changed</h2> <ul> <li>.github/workflows: fix check to skip integration test for PRs from forks by <a href="https://github.com/mpminardi"><code>@mpminardi</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/260">tailscale/github-action#260</a></li> <li>fix: Windows MSI download on self-hosted runners by <a href="https://github.com/doringeman"><code>@doringeman</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/259">tailscale/github-action#259</a></li> <li>Bump actions/checkout from 6.0.1 to 6.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/265">tailscale/github-action#265</a></li> <li>Bump actions/setup-node from 6.1.0 to 6.2.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/262">tailscale/github-action#262</a></li> <li><code>fix: add missing parentheses to core.isDebug()</code> by <a href="https://github.com/git-mracek"><code>@git-mracek</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/268">tailscale/github-action#268</a></li> <li>.github/workflows: run integration test if event is a push by <a href="https://github.com/mpminardi"><code>@mpminardi</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/270">tailscale/github-action#270</a></li> <li>store tailscale.tgz and tailscaled.pid in XDG cache/runtime by <a href="https://github.com/fbrv"><code>@fbrv</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/273">tailscale/github-action#273</a></li> <li>action,dist,src: bump default version to 1.94.2 by <a href="https://github.com/mpminardi"><code>@mpminardi</code></a> in <a href="https://redirect.github.com/tailscale/github-action/pull/274">tailscale/github-action#274</a></li> <li>Bump actions/setup-node from 6.2.0 to 6.3.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/269">tailscale/github-action#269</a></li> <li>Bump <code>@actions/core</code> from 2.0.1 to 2.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/258">tailscale/github-action#258</a></li> <li>Bump <code>@actions/github</code> from 6.0.1 to 7.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/257">tailscale/github-action#257</a></li> <li>Bump <code>@actions/tool-cache</code> from 2.0.2 to 3.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/256">tailscale/github-action#256</a></li> <li>Bump <code>@actions/cache</code> from 5.0.1 to 5.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/tailscale/github-action/pull/255">tailscale/github-action#255</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/doringeman"><code>@doringeman</code></a> made their first contribution in <a href="https://redirect.github.com/tailscale/github-action/pull/259">tailscale/github-action#259</a></li> <li><a href="https://github.com/git-mracek"><code>@git-mracek</code></a> made their first contribution in <a href="https://redirect.github.com/tailscale/github-action/pull/268">tailscale/github-action#268</a></li> <li><a href="https://github.com/fbrv"><code>@fbrv</code></a> made their first contribution in <a href="https://redirect.github.com/tailscale/github-action/pull/273">tailscale/github-action#273</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tailscale/github-action/compare/v4.1.1...v4.1.2">https://github.com/tailscale/github-action/compare/v4.1.1...v4.1.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tailscale/github-action/commit/306e68a486fd2350f2bfc3b19fcd143891a4a2d8"><code>306e68a</code></a> Bump <code>@actions/cache</code> from 5.0.1 to 5.0.2</li> <li><a href="https://github.com/tailscale/github-action/commit/989d9be101606d756046b6c34b8a11541de0157e"><code>989d9be</code></a> Bump <code>@actions/tool-cache</code> from 2.0.2 to 3.0.0</li> <li><a href="https://github.com/tailscale/github-action/commit/69584d71aecc8128e4b0fd3fd06ff4a8998c6430"><code>69584d7</code></a> Bump <code>@actions/github</code> from 6.0.1 to 7.0.0</li> <li><a href="https://github.com/tailscale/github-action/commit/cda17d523f21452f46ede1819918ad582662c078"><code>cda17d5</code></a> Bump <code>@actions/core</code> from 2.0.1 to 2.0.2</li> <li><a href="https://github.com/tailscale/github-action/commit/81231eb3b2a76c9ededb9b95ebde0c0205f609f6"><code>81231eb</code></a> Bump actions/setup-node from 6.2.0 to 6.3.0</li> <li><a href="https://github.com/tailscale/github-action/commit/48c6d0317a1f8ac4c13c0679c2f17adc61ddc827"><code>48c6d03</code></a> action,dist,src: bump default version to 1.94.2</li> <li><a href="https://github.com/tailscale/github-action/commit/cfed5b8999ac8d0ac83e4d12d56f142b96231c2b"><code>cfed5b8</code></a> store tailscale.tgz and tailscaled.pid in XDG cache/runtime dirs instead of t...</li> <li><a href="https://github.com/tailscale/github-action/commit/31d93e60e2d8b8941c12ec9bd2b58ccc6c6d3f13"><code>31d93e6</code></a> .github/workflows: run integration test if event is a push</li> <li><a href="https://github.com/tailscale/github-action/commit/564fe381c8a09ced277dfc55386a7a00ff064b73"><code>564fe38</code></a> chore: run make build to resolve linter error</li> <li><a href="https://github.com/tailscale/github-action/commit/127daded2689d2b194000d5a363b9754a774986d"><code>127dade</code></a> <code>fix: add missing parentheses to core.isDebug()</code></li> <li>Additional commits viewable in <a href="https://github.com/tailscale/github-action/compare/53acf823325fe9ca47f4cdaa951f90b4b0de5bb9...306e68a486fd2350f2bfc3b19fcd143891a4a2d8">compare view</a></li> </ul> </details> <br /> Updates `Swatinem/rust-cache` from 2.8.2 to 2.9.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/swatinem/rust-cache/releases">Swatinem/rust-cache's releases</a>.</em></p> <blockquote> <h2>v2.9.1</h2> <p>Fix regression in hash calculation</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/Swatinem/rust-cache/compare/v2.9.0...v2.9.1">https://github.com/Swatinem/rust-cache/compare/v2.9.0...v2.9.1</a></p> <h2>v2.9.0</h2> <h2>What's Changed</h2> <ul> <li>Add support for running rust-cache commands from within a Nix shell by <a href="https://github.com/marc0246"><code>@marc0246</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/290">Swatinem/rust-cache#290</a></li> <li>Bump taiki-e/install-action from 2.62.57 to 2.62.60 in the actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/291">Swatinem/rust-cache#291</a></li> <li>Bump the actions group across 1 directory with 5 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/296">Swatinem/rust-cache#296</a></li> <li>Bump the prd-major group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/294">Swatinem/rust-cache#294</a></li> <li>Bump <code>@types/node</code> from 24.10.1 to 25.0.2 in the dev-major group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/295">Swatinem/rust-cache#295</a></li> <li>Consider all installed toolchains in cache key by <a href="https://github.com/tamird"><code>@tamird</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/293">Swatinem/rust-cache#293</a></li> <li>Compare case-insenitively for full cache key match by <a href="https://github.com/kbriggs"><code>@kbriggs</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/303">Swatinem/rust-cache#303</a></li> <li>Migrate to <code>node24</code> runner by <a href="https://github.com/rhysd"><code>@rhysd</code></a> in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/314">Swatinem/rust-cache#314</a></li> <li>Bump the actions group across 1 directory with 7 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/312">Swatinem/rust-cache#312</a></li> <li>Bump the prd-minor group across 1 directory with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/307">Swatinem/rust-cache#307</a></li> <li>Bump <code>@types/node</code> from 25.0.2 to 25.2.2 in the dev-minor group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/309">Swatinem/rust-cache#309</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/marc0246"><code>@marc0246</code></a> made their first contribution in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/290">Swatinem/rust-cache#290</a></li> <li><a href="https://github.com/tamird"><code>@tamird</code></a> made their first contribution in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/293">Swatinem/rust-cache#293</a></li> <li><a href="https://github.com/kbriggs"><code>@kbriggs</code></a> made their first contribution in <a href="https://redirect.github.com/Swatinem/rust-cache/pull/303">Swatinem/rust-cache#303</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Swatinem/rust-cache/compare/v2.8.2...v2.9.0">https://github.com/Swatinem/rust-cache/compare/v2.8.2...v2.9.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md">Swatinem/rust-cache's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>2.9.1</h2> <ul> <li>Fix regression in hash calculation</li> </ul> <h2>2.9.0</h2> <ul> <li>Update to <code>node24</code></li> <li>Support running from within a <code>nix</code> shell</li> <li>Consider all installed toolchains for cache key</li> <li>Use case-insensitive comparison to determine exact cache hit</li> </ul> <h2>2.8.2</h2> <ul> <li>Don't overwrite env for cargo-metadata call</li> </ul> <h2>2.8.1</h2> <ul> <li>Set empty <code>CARGO_ENCODED_RUSTFLAGS</code> when retrieving metadata</li> <li>Various dependency updates</li> </ul> <h2>2.8.0</h2> <ul> <li>Add support for <code>warpbuild</code> cache provider</li> <li>Add new <code>cache-workspace-crates</code> feature</li> </ul> <h2>2.7.8</h2> <ul> <li>Include CPU arch in the cache key</li> </ul> <h2>2.7.7</h2> <ul> <li>Also cache <code>cargo install</code> metadata</li> </ul> <h2>2.7.6</h2> <ul> <li>Allow opting out of caching $CARGO_HOME/bin</li> <li>Add runner OS in cache key</li> <li>Adds an option to do lookup-only of the cache</li> </ul> <h2>2.7.5</h2> <ul> <li>Support Cargo.lock format cargo-lock v4</li> <li>Only run macOsWorkaround() on macOS</li> </ul> <h2>2.7.3</h2> <ul> <li>Work around upstream problem that causes cache saving to hang for minutes.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Swatinem/rust-cache/commit/c19371144df3bb44fab255c43d04cbc2ab54d1c4"><code>c193711</code></a> 2.9.1</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/781e8d91ab29deb65464798965e49853f963b561"><code>781e8d9</code></a> try reverting pipeline change</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/3d1fa4654a5786f5537b1d31acd0f35e56de9924"><code>3d1fa46</code></a> add changelog</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/c676846f29d98ff6b0106d3608c7ffd4048af17b"><code>c676846</code></a> 2.9.0</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/bf71d02c11df9d5253618f39943e9dd59f7fd5a9"><code>bf71d02</code></a> bump dependencies and rebuild</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/8a02ed5e290d8afc7e587930243f3016b3223f50"><code>8a02ed5</code></a> Bump <code>@types/node</code> from 25.0.2 to 25.2.2 in the dev-minor group (<a href="https://redirect.github.com/swatinem/rust-cache/issues/309">#309</a>)</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/390157d4874246aff722dd7f77e641fcae197678"><code>390157d</code></a> Bump the prd-minor group across 1 directory with 2 updates (<a href="https://redirect.github.com/swatinem/rust-cache/issues/307">#307</a>)</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/68500c182e89a3f56d9b1de095d7e62f0ea5b8bf"><code>68500c1</code></a> Bump the actions group across 1 directory with 7 updates (<a href="https://redirect.github.com/swatinem/rust-cache/issues/312">#312</a>)</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/1a8384176d7ed15c323a201c65073983cdb5a5be"><code>1a83841</code></a> Migrate to <code>node24</code> runner (<a href="https://redirect.github.com/swatinem/rust-cache/issues/314">#314</a>)</li> <li><a href="https://github.com/Swatinem/rust-cache/commit/11da8522bc3856a8fbc565f1d1530989c793d67d"><code>11da852</code></a> Compare case-insenitively for full cache key match (<a href="https://redirect.github.com/swatinem/rust-cache/issues/303">#303</a>)</li> <li>Additional commits viewable in <a href="https://github.com/swatinem/rust-cache/compare/779680da715d629ac1d338a641029a2f4372abb5...c19371144df3bb44fab255c43d04cbc2ab54d1c4">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p> <blockquote> <h2>v2.33.0</h2> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/M0d3v1"><code>@M0d3v1</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6865">psf/requests#6865</a></li> <li><a href="https://github.com/aminvakil"><code>@aminvakil</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7220">psf/requests#7220</a></li> <li><a href="https://github.com/E8Price"><code>@E8Price</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6960">psf/requests#6960</a></li> <li><a href="https://github.com/mitre88"><code>@mitre88</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7244">psf/requests#7244</a></li> <li><a href="https://github.com/magsen"><code>@magsen</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/6553">psf/requests#6553</a></li> <li><a href="https://github.com/Rohan5commit"><code>@Rohan5commit</code></a> made their first contribution in <a href="https://redirect.github.com/psf/requests/pull/7227">psf/requests#7227</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25">https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's changelog</a>.</em></p> <blockquote> <h2>2.33.0 (2026-03-25)</h2> <p><strong>Announcements</strong></p> <ul> <li>📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at <a href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>. Give it a try, and report any gaps or feedback you may have in the issue. 📣</li> </ul> <p><strong>Security</strong></p> <ul> <li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.</li> </ul> <p><strong>Improvements</strong></p> <ul> <li>Migrated to a PEP 517 build system using setuptools. (<a href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li> </ul> <p><strong>Bugfixes</strong></p> <ul> <li>Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (<a href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li> </ul> <p><strong>Deprecations</strong></p> <ul> <li>Dropped support for Python 3.9 following its end of support. (<a href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li> </ul> <p><strong>Documentation</strong></p> <ul> <li>Various typo fixes and doc improvements.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/psf/requests/commit/bc04dfd6dad4cb02cd92f5daa81eb562d280a761"><code>bc04dfd</code></a> v2.33.0</li> <li><a href="https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"><code>66d21cb</code></a> Merge commit from fork</li> <li><a href="https://github.com/psf/requests/commit/8b9bc8fc0f63be84602387913c4b689f19efd028"><code>8b9bc8f</code></a> Move badges to top of README (<a href="https://redirect.github.com/psf/requests/issues/7293">#7293</a>)</li> <li><a href="https://github.com/psf/requests/commit/e331a288f369973f5de0ec8901c94cae4fa87286"><code>e331a28</code></a> Remove unused extraction call (<a href="https://redirect.github.com/psf/requests/issues/7292">#7292</a>)</li> <li><a href="https://github.com/psf/requests/commit/753fd08c5eacce0aa0df73fe47e49525c67e0a29"><code>753fd08</code></a> docs: fix FAQ grammar in httplib2 example</li> <li><a href="https://github.com/psf/requests/commit/774a0b837a194ee885d4fdd9ca947900cc3daf71"><code>774a0b8</code></a> docs(socks): same block as other sections</li> <li><a href="https://github.com/psf/requests/commit/9c72a41bec8597f948c9d8caa5dc3f12273b3303"><code>9c72a41</code></a> Bump github/codeql-action from 4.33.0 to 4.34.1</li> <li><a href="https://github.com/psf/requests/commit/ebf71906798ec82f34e07d3168f8b8aecaf8a3be"><code>ebf7190</code></a> Bump github/codeql-action from 4.32.0 to 4.33.0</li> <li><a href="https://github.com/psf/requests/commit/0e4ae38f0c93d4f92a96c774bd52c069d12a4798"><code>0e4ae38</code></a> docs: exclude Response.is_permanent_redirect from API docs (<a href="https://redirect.github.com/psf/requests/issues/7244">#7244</a>)</li> <li><a href="https://github.com/psf/requests/commit/d568f47278492e630cc990a259047c67991d007a"><code>d568f47</code></a> docs: clarify Quickstart POST example (<a href="https://redirect.github.com/psf/requests/issues/6960">#6960</a>)</li> <li>Additional commits viewable in <a href="https://github.com/psf/requests/compare/v2.32.5...v2.33.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/element-hq/synapse/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 3.0.2 to 4.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dorny/paths-filter/releases">dorny/paths-filter's releases</a>.</em></p> <blockquote> <h2>v4.0.1</h2> <h2>What's Changed</h2> <ul> <li>Support merge queue by <a href="https://github.com/masaru-iritani"><code>@masaru-iritani</code></a> in <a href="https://redirect.github.com/dorny/paths-filter/pull/255">dorny/paths-filter#255</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/masaru-iritani"><code>@masaru-iritani</code></a> made their first contribution in <a href="https://redirect.github.com/dorny/paths-filter/pull/255">dorny/paths-filter#255</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/dorny/paths-filter/compare/v4.0.0...v4.0.1">https://github.com/dorny/paths-filter/compare/v4.0.0...v4.0.1</a></p> <h2>v4.0.0</h2> <h2>What's Changed</h2> <ul> <li>feat: update action runtime to node24 by <a href="https://github.com/saschabratton"><code>@saschabratton</code></a> in <a href="https://redirect.github.com/dorny/paths-filter/pull/294">dorny/paths-filter#294</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/saschabratton"><code>@saschabratton</code></a> made their first contribution in <a href="https://redirect.github.com/dorny/paths-filter/pull/294">dorny/paths-filter#294</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/dorny/paths-filter/compare/v3.0.3...v4.0.0">https://github.com/dorny/paths-filter/compare/v3.0.3...v4.0.0</a></p> <h2>v3.0.3</h2> <h2>What's Changed</h2> <ul> <li>Add missing predicate-quantifier by <a href="https://github.com/wardpeet"><code>@wardpeet</code></a> in <a href="https://redirect.github.com/dorny/paths-filter/pull/279">dorny/paths-filter#279</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/wardpeet"><code>@wardpeet</code></a> made their first contribution in <a href="https://redirect.github.com/dorny/paths-filter/pull/279">dorny/paths-filter#279</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/dorny/paths-filter/compare/v3...v3.0.3">https://github.com/dorny/paths-filter/compare/v3...v3.0.3</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md">dorny/paths-filter's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>v4.0.0</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/294">Update action runtime to node24</a></li> </ul> <h2>v3.0.3</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/279">Add missing predicate-quantifier</a></li> </ul> <h2>v3.0.2</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/224">Add config parameter for predicate quantifier</a></li> </ul> <h2>v3.0.1</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/133">Compare base and ref when token is empty</a></li> </ul> <h2>v3.0.0</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/210">Update to Node.js 20</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/215">Update all dependencies</a></li> </ul> <h2>v2.11.1</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/167">Update <code>@actions/core</code> to v1.10.0 - Fixes warning about deprecated set-output</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/168">Document need for pull-requests: read permission</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/164">Updating to actions/checkout@v3</a></li> </ul> <h2>v2.11.0</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/157">Set list-files input parameter as not required</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/161">Update Node.js</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/162">Fix incorrect handling of Unicode characters in exec()</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/163">Use Octokit pagination</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/160">Updates real world links</a></li> </ul> <h2>v2.10.2</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/91">Fix getLocalRef() returns wrong ref</a></li> </ul> <h2>v2.10.1</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/85">Improve robustness of change detection</a></li> </ul> <h2>v2.10.0</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/82">Add ref input parameter</a></li> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/83">Fix change detection in PR when pullRequest.changed_files is incorrect</a></li> </ul> <h2>v2.9.3</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/78">Fix change detection when base is a tag</a></li> </ul> <h2>v2.9.2</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/75">Fix fetching git history</a></li> </ul> <h2>v2.9.1</h2> <ul> <li><a href="https://redirect.github.com/dorny/paths-filter/pull/74">Fix fetching git history + fallback to unshallow repo</a></li> </ul> <h2>v2.9.0</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/dorny/paths-filter/commit/fbd0ab8f3e69293af611ebaee6363fc25e6d187d"><code>fbd0ab8</code></a> feat: add merge_group event support</li> <li><a href="https://github.com/dorny/paths-filter/commit/efb1da7ce8d89bbc261191e5a2dc1453c3837339"><code>efb1da7</code></a> feat: add dist/ freshness check to PR workflow</li> <li><a href="https://github.com/dorny/paths-filter/commit/d8f7b061b24c30a325ff314b76c37adb05b041ce"><code>d8f7b06</code></a> Merge pull request <a href="https://redirect.github.com/dorny/paths-filter/issues/302">#302</a> from dorny/issue-299</li> <li><a href="https://github.com/dorny/paths-filter/commit/addbc147a95845176e1bc013a012fbf1d366389a"><code>addbc14</code></a> Update README for v4</li> <li><a href="https://github.com/dorny/paths-filter/commit/9d7afb8d214ad99e78fbd4247752c4caed2b6e4c"><code>9d7afb8</code></a> Update CHANGELOG for v4.0.0</li> <li><a href="https://github.com/dorny/paths-filter/commit/782470c5d953cae2693d643172b14e01bacb71f3"><code>782470c</code></a> Merge branch 'releases/v3'</li> <li><a href="https://github.com/dorny/paths-filter/commit/d1c1ffe0248fe513906c8e24db8ea791d46f8590"><code>d1c1ffe</code></a> Update CHANGELOG for v3.0.3</li> <li><a href="https://github.com/dorny/paths-filter/commit/ce10459c8b92cd8901166c0a222fbb033ef39365"><code>ce10459</code></a> Merge pull request <a href="https://redirect.github.com/dorny/paths-filter/issues/294">#294</a> from saschabratton/master</li> <li><a href="https://github.com/dorny/paths-filter/commit/5f40380c5482e806c81cec080f5192e7234d8fe9"><code>5f40380</code></a> feat: update action runtime to node24</li> <li><a href="https://github.com/dorny/paths-filter/commit/668c092af3649c4b664c54e4b704aa46782f6f7c"><code>668c092</code></a> Merge pull request <a href="https://redirect.github.com/dorny/paths-filter/issues/279">#279</a> from wardpeet/patch-1</li> <li>Additional commits viewable in <a href="https://github.com/dorny/paths-filter/compare/de90cc6fb38fc0963ad72b210f1f284cd68cea36...fbd0ab8f3e69293af611ebaee6363fc25e6d187d">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 46.0.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>46.0.6 - 2026-03-25</p> <pre><code> * **SECURITY ISSUE**: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for reporting the issue. **CVE-2026-34073** <p>.. _v46-0-5:<br /> </code></pre></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/91d728897bdad30cd5c79a2b23e207f1f050d587"><code>91d7288</code></a> Cherry-pick <a href="https://redirect.github.com/pyca/cryptography/issues/14542">#14542</a> (<a href="https://redirect.github.com/pyca/cryptography/issues/14543">#14543</a>)</li> <li>See full diff in <a href="https://github.com/pyca/cryptography/compare/46.0.5...46.0.6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/element-hq/synapse/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
element-hq#19627) Bumps the minor-and-patches group with 1 update: [phonenumbers](https://github.com/daviddrysdale/python-phonenumbers). Updates `phonenumbers` from 9.0.25 to 9.0.26 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/daviddrysdale/python-phonenumbers/commit/07e2c75b1dc1d94c806755e4842410e19cd1e17e"><code>07e2c75</code></a> Prep for 9.0.26 release</li> <li><a href="https://github.com/daviddrysdale/python-phonenumbers/commit/55522da42bff8bd7eefd08b17c978971bc60e135"><code>55522da</code></a> Generated files for metadata</li> <li><a href="https://github.com/daviddrysdale/python-phonenumbers/commit/8ca762b2309a1df12f2eadf601ce413bf3cd1826"><code>8ca762b</code></a> Merge metadata changes from upstream 9.0.26</li> <li>See full diff in <a href="https://github.com/daviddrysdale/python-phonenumbers/compare/v9.0.25...v9.0.26">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#19623) Bumps the patches group with 1 update: [once_cell](https://github.com/matklad/once_cell). Updates `once_cell` from 1.21.3 to 1.21.4 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/matklad/once_cell/blob/master/CHANGELOG.md">once_cell's changelog</a>.</em></p> <blockquote> <h2>1.21.4</h2> <ul> <li> <p>Fix unsoundness in <code>OnceCell::wait</code> under <code>--features=parking_lot</code>, <a href="https://redirect.github.com/matklad/once_cell/pull/295">#295</a>.</p> <p>If thread A calls <code>wait</code>, while thread B calls <code>get_or_try_init(f)</code>, and, furthermore, <code>f</code> panics, the <code>wait</code> incorrectly returns and thread A observes uninitialized memory.</p> <p>Kudos to <a href="https://github.com/meng-xu-cs"><code>@meng-xu-cs</code></a> for a nice find!</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/matklad/once_cell/commit/80fe900b21f6d76c1a2ed74d3343e8a3a88c46d0"><code>80fe900</code></a> Merge pull request <a href="https://redirect.github.com/matklad/once_cell/issues/296">#296</a> from matklad/matklad/plfix</li> <li><a href="https://github.com/matklad/once_cell/commit/a5e09c971c23afb1a3be8ae32794e2dca940ccd4"><code>a5e09c9</code></a> release 1.21.4</li> <li><a href="https://github.com/matklad/once_cell/commit/2426d45d85841879e71a880af543fd3d2be78db1"><code>2426d45</code></a> Merge pull request <a href="https://redirect.github.com/matklad/once_cell/issues/295">#295</a> from matklad/matklad/plfix</li> <li><a href="https://github.com/matklad/once_cell/commit/a1441215db85adb6a47b0aa1062d1eea7c5fba65"><code>a144121</code></a> Merge pull request <a href="https://redirect.github.com/matklad/once_cell/issues/290">#290</a> from alexanderkjall/run-tests-with-no-default-features</li> <li><a href="https://github.com/matklad/once_cell/commit/232a1a49b55154c0b6f12d662619000efd3aecd8"><code>232a1a4</code></a> Merge pull request <a href="https://redirect.github.com/matklad/once_cell/issues/292">#292</a> from phil-opp/doc-fix</li> <li><a href="https://github.com/matklad/once_cell/commit/d31767bbcd33b03ee3360a9112eba41d1b278d3a"><code>d31767b</code></a> fix OnceCell::wait with features=parking_lot</li> <li><a href="https://github.com/matklad/once_cell/commit/28d29ae1c1eb082617efb4eddb6dae3d0c607fdd"><code>28d29ae</code></a> Fix: <code>sync::OnceCell::try_insert</code> docs should import <code>sync</code> variant</li> <li><a href="https://github.com/matklad/once_cell/commit/0f78fb0d6d6a634fd76548f33fa38b250390e982"><code>0f78fb0</code></a> make the command 'cargo test --no-default-features' work</li> <li><a href="https://github.com/matklad/once_cell/commit/fda60a6c70eb2e25a0c73bf515ec4779df3d2e6c"><code>fda60a6</code></a> Merge pull request <a href="https://redirect.github.com/matklad/once_cell/issues/287">#287</a> from AbeZbm/add-tests</li> <li><a href="https://github.com/matklad/once_cell/commit/b5b98c09eb9c95376e150eb6bda8c7637bba5aa4"><code>b5b98c0</code></a> Add tests for OnceRef</li> <li>See full diff in <a href="https://github.com/matklad/once_cell/compare/v1.21.3...v1.21.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Lower the database `statement_timeout` to 10m Part of element-hq/backend-internal#223 The `statement_timeout` was first introduced in matrix-org/synapse#15853 as a great sanity check starting point (any timeout is better than no timeout). This idea is spawning from [discussions on 2026-03-16](https://docs.google.com/document/d/12RZKPk3a4__JUSH9wYHODo9rRyKzsHg6BSCAcmqmbOU/edit?tab=t.0#bookmark=id.x9y4kx82lvaj) about `matrix.org` performance and specifically room event search which frequently causes long-running transactions that hold up vacuums and causes things to go wibbly. It was brought up again today in another `matrix.org` performance [discussion on 2026-03-25](https://docs.google.com/document/d/15h4901gAzGMAol2n1b71OAcesVMNhgQbPNb55xouluw/edit?tab=t.0#bookmark=id.b53a918ntk0j) and was surprised nothing came of this yet. ### Some things may break We expect that when/if things break, to add specific overrides where it matters. For reference, we already have a couple of overrides in the codebase: - When using [`create_index_in_background`](https://github.com/element-hq/synapse/blob/40d35a95e2ce56982f839f2d5f01bdad34e65453/synapse/storage/background_updates.py#L802-L804) - When [purging rooms](https://github.com/element-hq/synapse/blob/40d35a95e2ce56982f839f2d5f01bdad34e65453/synapse/storage/databases/main/purge_events.py#L166-L169) ### Going further Ideally, we could go even further. The `statement_timeout` for any database query coming from people's HTTP requests should be 60s or less (or lower, no one wants to wait that long anyway). For now we'll take this iterative step down to 10m. Another point of reference is that for example on `matrix.org`, we even time out the whole HTTP request after 180s. For reference, we also discussed propagating request cancellation to the database query (cancelling statements when the user goes away) which is a good additional thing we could do. @sandhose looked into this before and it is only a recent libpq / Postgres / psycopg3 feature, not available in psycopg2 (which we currently use). As an example of how weird cancellation can get, `psql` will spawn a new connection to `SELECT pg_cancel_backend(<pid>);` when you `Ctrl+C`, see https://neon.com/blog/ctrl-c-in-psql-gives-me-the-heebie-jeebies ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [x] Pull request is based on the develop branch * [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters))
…9509 (element-hq#19636) Run `poetry run ./scripts-dev/lint.sh` which exposed some formatted Complement tests that were introduced in element-hq#19509 There is no CI for this so it's easy to miss.
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
…e prometheus metrics (element-hq#19643) # What is done? - resolves element-hq#19403 - Adds build-time Rust compiler detection and captures the rustc --version value during the build. - Exposes the captured compiler version from the Rust extension via a new Python-callable function. - Exports a new Prometheus metric for rustc version. # How to test? - compile `poetry install` - add `enable_metrics: true` and ```yaml resources: - compress: false names: - client - federation - metrics ``` to homeserver.yaml - start synapse - find the rustc version at `http://localhost:8008/_synapse/metrics` ### Pull Request Checklist <!-- Please read https://element-hq.github.io/synapse/latest/development/contributing_guide.html before submitting your pull request --> * [x] Pull request is based on the develop branch * [x] Pull request includes a [changelog file](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#changelog). The entry should: - Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from `EventStore` to `EventWorkerStore`.". - Use markdown where necessary, mostly for `code blocks`. - End with either a period (.) or an exclamation mark (!). - Start with a capital letter. - Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry. * [x] [Code style](https://element-hq.github.io/synapse/latest/code_style.html) is correct (run the [linters](https://element-hq.github.io/synapse/latest/development/contributing_guide.html#run-the-linters)) --------- Co-authored-by: Quentin Gliech <quenting@element.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merge in upstream develop. Only had to fix poetry lock file and the
complement.shscript 🤨