chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Update	Change
matrixdotorg/synapse (source)	minor	v1.110.0 -> v1.112.0
myoung34/github-runner	minor	2.317.0 -> 2.318.0
vectorim/element-web	patch	v1.11.70 -> v1.11.72

---

Release Notes

element-hq/synapse (matrixdotorg/synapse)

v1.112.0

Compare Source

Synapse 1.112.0 (2024-07-30)

This security release is to update our locked dependency on Twisted to 24.7.0rc1, which includes a security fix for CVE-2024-41671 / GHSA-c8m8-j448-xjx7: Disordered HTTP pipeline response in twisted.web, again.

Note that this security fix is also available as Synapse 1.111.1, which does not include the rest of the changes in Synapse 1.112.0.

This issue means that, if multiple HTTP requests are pipelined in the same TCP connection, Synapse can send responses to the wrong HTTP request.
If a reverse proxy was configured to use HTTP pipelining, this could result in responses being sent to the wrong user, severely harming confidentiality.

With that said, despite being a high severity issue, we consider it unlikely that Synapse installations will be affected.
The use of HTTP pipelining in this fashion would cause worse performance for clients (request-response latencies would be increased as users' responses would be artificially blocked behind other users' slow requests). Further, Nginx and Haproxy, two common reverse proxies, do not appear to support configuring their upstreams to use HTTP pipelining and thus would not be affected. For both of these reasons, we consider it unlikely that a Synapse deployment would be set up in such a configuration.

Despite that, we cannot rule out that some installations may exist with this unusual setup and so we are releasing this security update today.

pip users: Note that by default, upgrading Synapse using pip will not automatically upgrade Twisted. Please manually install the new version of Twisted using pip install Twisted==24.7.0rc1. Note also that even the --upgrade-strategy=eager flag to pip install -U matrix-synapse will not upgrade Twisted to a patched version because it is only a release candidate at this time.

Internal Changes

• Upgrade locked dependency on Twisted to 24.7.0rc1. (#​17502)

Synapse 1.112.0rc1 (2024-07-23)

Please note that this release candidate does not include the security dependency update
included in version 1.111.1 as this version was released before 1.111.1.
The same security fix can be found in the full release of 1.112.0.

Features

• Add to-device extension support to experimental MSC3575 Sliding Sync /sync endpoint. (#​17416)
• Populate name/avatar fields in experimental MSC3575 Sliding Sync /sync endpoint. (#​17418)
• Populate heroes and room summary fields (joined_count, invited_count) in experimental MSC3575 Sliding Sync /sync endpoint. (#​17419)
• Populate is_dm room field in experimental MSC3575 Sliding Sync /sync endpoint. (#​17429)
• Add room subscriptions to experimental MSC3575 Sliding Sync /sync endpoint. (#​17432)
• Prepare for authenticated media freeze. (#​17433)
• Add E2EE extension support to experimental MSC3575 Sliding Sync /sync endpoint. (#​17454)

Bugfixes

• Add configurable option to always include offline users in presence sync results. Contributed by @​Michael-Hollister. (#​17231)
• Fix bug in experimental MSC3575 Sliding Sync /sync endpoint when using room type filters and the user has one or more remote invites. (#​17434)
• Order heroes by stream_ordering as the Matrix specification states (applies to /sync). (#​17435)
• Fix rare bug where /sync would break for a user when using workers with multiple stream writers. (#​17438)

Improved Documentation

• Update the readme image to have a white background, so that it is readable in dark mode. (#​17387)
• Add Red Hat Enterprise Linux and Rocky Linux 8 and 9 installation instructions. (#​17423)
• Improve documentation for the default_power_level_content_override config option. (#​17451)

Internal Changes

• Make sure we always use the right logic for enabling the media repo. (#​17424)
• Fix argument documentation for method RateLimiter.record_action. (#​17426)
• Reduce volume of 'Waiting for current token' logs, which were introduced in v1.109.0. (#​17428)
• Limit concurrent remote downloads to 6 per IP address, and decrement remote downloads without a content-length from the ratelimiter after the download is complete. (#​17439)
• Remove unnecessary call to resume producing in fake channel. (#​17449)
• Update experimental MSC3575 Sliding Sync /sync endpoint to bump room when it is created. (#​17453)
• Speed up generating sliding sync responses. (#​17458)
• Add cache to get_rooms_for_local_user_where_membership_is to speed up sliding sync. (#​17460)
• Speed up fetching room keys from backup. (#​17461)
• Speed up sorting of the room list in sliding sync. (#​17468)
• Implement handling of $ME as a state key in sliding sync. (#​17469)

Updates to locked dependencies

• Bump bytes from 1.6.0 to 1.6.1. (#​17441)
• Bump hiredis from 2.3.2 to 3.0.0. (#​17464)
• Bump jsonschema from 4.22.0 to 4.23.0. (#​17444)
• Bump matrix-org/done-action from 2 to 3. (#​17440)
• Bump mypy from 1.9.0 to 1.10.1. (#​17445)
• Bump pyopenssl from 24.1.0 to 24.2.1. (#​17465)
• Bump ruff from 0.5.0 to 0.5.4. (#​17466)
• Bump sentry-sdk from 2.6.0 to 2.8.0. (#​17456)
• Bump sentry-sdk from 2.8.0 to 2.10.0. (#​17467)
• Bump setuptools from 67.6.0 to 70.0.0. (#​17448)
• Bump twine from 5.1.0 to 5.1.1. (#​17443)
• Bump types-jsonschema from 4.22.0.20240610 to 4.23.0.20240712. (#​17446)
• Bump ulid from 1.1.2 to 1.1.3. (#​17442)
• Bump zipp from 3.15.0 to 3.19.1. (#​17427)

v1.111.1

Compare Source

Synapse 1.111.1 (2024-07-30)

This security release is to update our locked dependency on Twisted to 24.7.0rc1, which includes a security fix for CVE-2024-41671 / GHSA-c8m8-j448-xjx7: Disordered HTTP pipeline response in twisted.web, again.

This issue means that, if multiple HTTP requests are pipelined in the same TCP connection, Synapse can send responses to the wrong HTTP request.
If a reverse proxy was configured to use HTTP pipelining, this could result in responses being sent to the wrong user, severely harming confidentiality.

With that said, despite being a high severity issue, we consider it unlikely that Synapse installations will be affected.
The use of HTTP pipelining in this fashion would cause worse performance for clients (request-response latencies would be increased as users' responses would be artificially blocked behind other users' slow requests). Further, Nginx and Haproxy, two common reverse proxies, do not appear to support configuring their upstreams to use HTTP pipelining and thus would not be affected. For both of these reasons, we consider it unlikely that a Synapse deployment would be set up in such a configuration.

Despite that, we cannot rule out that some installations may exist with this unusual setup and so we are releasing this security update today.

pip users: Note that by default, upgrading Synapse using pip will not automatically upgrade Twisted. Please manually install the new version of Twisted using pip install Twisted==24.7.0rc1. Note also that even the --upgrade-strategy=eager flag to pip install -U matrix-synapse will not upgrade Twisted to a patched version because it is only a release candidate at this time.

Internal Changes

• Upgrade locked dependency on Twisted to 24.7.0rc1. (#​17502)

v1.111.0

Compare Source

Synapse 1.111.0 (2024-07-16)

No significant changes since 1.111.0rc2.

Synapse 1.111.0rc2 (2024-07-10)

Bugfixes

• Fix bug where using synapse.app.media_repository worker configuration would break the new media endpoints. (#​17420)

Improved Documentation

• Document the new federation media worker endpoints in the upgrade notes and worker docs. (#​17421)

Internal Changes

• Route authenticated federation media requests to media repository workers in Complement tests. (#​17422)

Synapse 1.111.0rc1 (2024-07-09)

Features

• Add rooms data to experimental MSC3575 Sliding Sync /sync endpoint. (#​17320)
• Add room_types/not_room_types filtering to experimental MSC3575 Sliding Sync /sync endpoint. (#​17337)
• Return "required state" in experimental MSC3575 Sliding Sync /sync endpoint. (#​17342)
• Support MSC3916 by adding _matrix/client/v1/media/download endpoint. (#​17365)
• Support MSC3916
  by adding _matrix/client/v1/media/thumbnail, _matrix/federation/v1/media/thumbnail endpoints and stabilizing the
  remaining _matrix/client/v1/media endpoints. (#​17388)
• Add rooms.bump_stamp for easier client-side sorting in experimental MSC3575 Sliding Sync /sync endpoint. (#​17395)
• Forget all of a user's rooms upon deactivation, preventing local room purges from being blocked on deactivated users. (#​17400)
• Declare support for Matrix 1.11. (#​17403)
• MSC3861: allow overriding the introspection endpoint. (#​17406)

Bugfixes

• Fix rare race which caused no new to-device messages to be received from remote server. (#​17362)
• Fix bug in experimental MSC3575 Sliding Sync /sync endpoint when using an old database. (#​17398)

Improved Documentation

• Clarify that url_preview_url_blacklist is a usability feature. (#​17356)
• Fix broken links in README. (#​17379)
• Clarify that changelog content and file extension need to match in order for entries to merge. (#​17399)

Internal Changes

• Make the release script create a release branch for Complement as well. (#​17318)
• Fix uploading packages to PyPi. (#​17363)
• Add CI check for the README. (#​17367)
• Fix linting errors from new ruff version. (#​17381, #​17411)
• Fix building debian packages on non-clean checkouts. (#​17390)
• Finish up work to allow per-user feature flags. (#​17392, #​17410)
• Allow enabling sliding sync per-user. (#​17393)

Updates to locked dependencies

• Bump certifi from 2023.7.22 to 2024.7.4. (#​17404)
• Bump cryptography from 42.0.7 to 42.0.8. (#​17382)
• Bump ijson from 3.2.3 to 3.3.0. (#​17413)
• Bump log from 0.4.21 to 0.4.22. (#​17384)
• Bump mypy-zope from 1.0.4 to 1.0.5. (#​17414)
• Bump pillow from 10.3.0 to 10.4.0. (#​17412)
• Bump pydantic from 2.7.1 to 2.8.2. (#​17415)
• Bump ruff from 0.3.7 to 0.5.0. (#​17381)
• Bump serde from 1.0.203 to 1.0.204. (#​17409)
• Bump serde_json from 1.0.117 to 1.0.120. (#​17385, #​17408)
• Bump types-setuptools from 69.5.0.20240423 to 70.1.0.20240627. (#​17380)

element-hq/element-web (vectorim/element-web)

v1.11.72

Compare Source

✨ Features

• Polyfill Intl.Segmenter for wider web browser compatibility (#​27803). Contributed by @​dbkr.
• Enable audio/webaudio Modernizr rule (#​27772). Contributed by @​t3chguy.
• Add release announcement for the new room header (#​12802). Contributed by @​MidhunSureshR.
• Default the room header to on (#​12803). Contributed by @​MidhunSureshR.
• Update Thread Panel to match latest designs (#​12797). Contributed by @​t3chguy.
• Close any open modals on logout (#​12777). Contributed by @​dbkr.
• Iterate design of right panel empty state (#​12796). Contributed by @​t3chguy.
• Update styling of UserInfo right panel card (#​12788). Contributed by @​t3chguy.
• Accessibility: Add Landmark navigation (#​12190). Contributed by @​akirk.
• Let Element Call widget receive m.room.create (#​12710). Contributed by @​AndrewFerr.
• Let Element Call widget set session memberships (#​12713). Contributed by @​AndrewFerr.
• Update right panel base card styling to match Compound (#​12768). Contributed by @​t3chguy.
• Align widget_build_url_ignore_dm with call behaviour switch between 1:1 and Widget (#​12760). Contributed by @​t3chguy.
• Move integrations switch (#​12733). Contributed by @​dbkr.
• Element-R: Report events with withheld keys separately to Posthog. (#​12755). Contributed by @​richvdh.

🐛 Bug Fixes

• Add a modernizr check for WebAssembly support (#​27776). Contributed by @​dbkr.
• Test for lack of WebAssembly support (#​12792). Contributed by @​dbkr.
• Fix stray 'account' heading (#​12791). Contributed by @​dbkr.
• Add test for the unsupported browser screen (#​12787). Contributed by @​dbkr.
• Fix HTML export test (#​12778). Contributed by @​dbkr.
• Fix HTML export missing a bunch of Compound variables (#​12774). Contributed by @​t3chguy.
• Fix inability to change accent colour consistently in custom theming (#​12772). Contributed by @​t3chguy.
• Fix edge case of landing on 3pid email link with registration disabled (#​12771). Contributed by @​t3chguy.

v1.11.71

Compare Source

✨ Features

• Add Modernizr rule for Intl.Segmenter (#​27677). Contributed by @​t3chguy.
• Add tabs to the right panel (#​12672). Contributed by @​MidhunSureshR.
• Promote new room header from labs to Beta (#​12739). Contributed by @​t3chguy.
• Redesign room search interface (#​12677). Contributed by @​t3chguy.
• Move language settings to 'preferences' (#​12723). Contributed by @​dbkr.
• New layout selector ui in user settings (#​12676). Contributed by @​florianduros.
• Prevent Element appearing in system media controls (#​10995). Contributed by @​SuperKenVery.
• Move the account management button (#​12663). Contributed by @​dbkr.
• Disable profile controls if the HS doesn't allow them to be set (#​12652). Contributed by @​dbkr.
• New theme ui in user settings (#​12576). Contributed by @​florianduros.
• Adjust room header hover transition from 300ms to 200ms (#​12703). Contributed by @​t3chguy.
• Split out email & phone number settings to separate components & move discovery to privacy tab (#​12670). Contributed by @​dbkr.

🐛 Bug Fixes

• Ensure we do not load matrix-react-sdk is a manner which can white-screen (#​27685). Contributed by @​t3chguy.
• Fix incoming call toast crash due to audio refactor (#​12737). Contributed by @​t3chguy.
• Improve new room header accessibility (#​12725). Contributed by @​t3chguy.
• Fix closing all modals (#​12728). Contributed by @​dbkr.
• Fix close button on forgot password flow (#​12732). Contributed by @​dbkr.
• Don't consider textual characters to be emoji (#​12582). Contributed by @​robintown.
• Clear autocomplete input on selection accept (#​12709). Contributed by @​dbkr.
• Fix Match system theme toggle (#​12719). Contributed by @​florianduros.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.