Fix regression where we did not report failure

Newsfile
Use sqlglot to properly check SQL delta files
2025-12-05 01:10:13 +00:00 · 2025-11-26 11:43:41 +00:00 · 2025-11-26 11:43:41 +00:00 · 2025-11-26 11:43:35 +00:00 · 2025-11-25 14:09:48 +00:00 · 2025-11-25 10:20:47 +00:00
747 changed files with 13080 additions and 12345 deletions
--- a/.ci/scripts/auditwheel_wrapper.py
+++ b/.ci/scripts/auditwheel_wrapper.py
@@ -25,7 +25,6 @@
 import argparse
 import os
 import subprocess
-from typing import Optional
 from zipfile import ZipFile

 from packaging.tags import Tag
@@ -80,7 +79,7 @@ def cpython(wheel_file: str, name: str, version: Version, tag: Tag) -> str:
    return new_wheel_file


-def main(wheel_file: str, dest_dir: str, archs: Optional[str]) -> None:
+def main(wheel_file: str, dest_dir: str, archs: str | None) -> None:
    """Entry point"""

    # Parse the wheel file name into its parts. Note that `parse_wheel_filename`
--- a/.ci/scripts/calculate_jobs.py
+++ b/.ci/scripts/calculate_jobs.py
@@ -35,49 +35,58 @@ IS_PR = os.environ["GITHUB_REF"].startswith("refs/pull/")

 # First calculate the various trial jobs.
 #
-# For PRs, we only run each type of test with the oldest Python version supported (which
-# is Python 3.9 right now)
+# For PRs, we only run each type of test with the oldest and newest Python
+# version that's supported. The oldest version ensures we don't accidentally
+# introduce syntax or code that's too new, and the newest ensures we don't use
+# code that's been dropped in the latest supported Python version.

 trial_sqlite_tests = [
    {
-        "python-version": "3.9",
+        "python-version": "3.10",
        "database": "sqlite",
        "extras": "all",
-    }
+    },
+    {
+        "python-version": "3.14",
+        "database": "sqlite",
+        "extras": "all",
+    },
 ]

 if not IS_PR:
+    # Otherwise, check all supported Python versions.
+    #
+    # Avoiding running all of these versions on every PR saves on CI time.
    trial_sqlite_tests.extend(
        {
            "python-version": version,
            "database": "sqlite",
            "extras": "all",
        }
-        for version in ("3.10", "3.11", "3.12", "3.13")
+        for version in ("3.11", "3.12", "3.13")
    )

+# Only test postgres against the earliest and latest Python versions that we
+# support in order to save on CI time.
 trial_postgres_tests = [
    {
-        "python-version": "3.9",
+        "python-version": "3.10",
        "database": "postgres",
-        "postgres-version": "13",
+        "postgres-version": "14",
        "extras": "all",
-    }
+    },
+    {
+        "python-version": "3.14",
+        "database": "postgres",
+        "postgres-version": "17",
+        "extras": "all",
+    },
 ]

-if not IS_PR:
-    trial_postgres_tests.append(
-        {
-            "python-version": "3.13",
-            "database": "postgres",
-            "postgres-version": "17",
-            "extras": "all",
-        }
-    )
-
+# Ensure that Synapse passes unit tests even with no extra dependencies installed.
 trial_no_extra_tests = [
    {
-        "python-version": "3.9",
+        "python-version": "3.10",
        "database": "sqlite",
        "extras": "",
    }
@@ -99,24 +108,24 @@ set_output("trial_test_matrix", test_matrix)

 # First calculate the various sytest jobs.
 #
-# For each type of test we only run on bullseye on PRs
+# For each type of test we only run on bookworm on PRs


 sytest_tests = [
    {
-        "sytest-tag": "bullseye",
+        "sytest-tag": "bookworm",
    },
    {
-        "sytest-tag": "bullseye",
+        "sytest-tag": "bookworm",
        "postgres": "postgres",
    },
    {
-        "sytest-tag": "bullseye",
+        "sytest-tag": "bookworm",
        "postgres": "multi-postgres",
        "workers": "workers",
    },
    {
-        "sytest-tag": "bullseye",
+        "sytest-tag": "bookworm",
        "postgres": "multi-postgres",
        "workers": "workers",
        "reactor": "asyncio",
@@ -127,11 +136,11 @@ if not IS_PR:
    sytest_tests.extend(
        [
            {
-                "sytest-tag": "bullseye",
+                "sytest-tag": "bookworm",
                "reactor": "asyncio",
            },
            {
-                "sytest-tag": "bullseye",
+                "sytest-tag": "bookworm",
                "postgres": "postgres",
                "reactor": "asyncio",
            },
--- a/.ci/scripts/prepare_old_deps.sh
+++ b/.ci/scripts/prepare_old_deps.sh
@@ -16,20 +16,23 @@ export VIRTUALENV_NO_DOWNLOAD=1
 # to select the lowest possible versions, rather than resorting to this sed script.

 # Patch the project definitions in-place:
-# - Replace all lower and tilde bounds with exact bounds
-# - Replace all caret bounds---but not the one that defines the supported Python version!
-# - Delete all lines referring to psycopg2 --- so no testing of postgres support.
+# - `-E` use extended regex syntax.
+# - Don't modify the line that defines required Python versions.
+# - Replace all lower and tilde bounds with exact bounds.
+# - Replace all caret bounds with exact bounds.
+# - Delete all lines referring to psycopg2 - so no testing of postgres support.
 # - Use pyopenssl 17.0, which is the oldest version that works with
 #   a `cryptography` compiled against OpenSSL 1.1.
 # - Omit systemd: we're not logging to journal here.

-sed -i \
-   -e "s/[~>]=/==/g" \
-   -e '/^python = "^/!s/\^/==/g' \
-   -e "/psycopg2/d" \
-   -e 's/pyOpenSSL = "==16.0.0"/pyOpenSSL = "==17.0.0"/' \
-   -e '/systemd/d' \
-   pyproject.toml
+sed -i -E '
+  /^\s*requires-python\s*=/b
+  s/[~>]=/==/g
+  s/\^/==/g
+  /psycopg2/d
+  s/pyOpenSSL\s*==\s*16\.0\.0"/pyOpenSSL==17.0.0"/
+  /systemd/d
+' pyproject.toml

 echo "::group::Patched pyproject.toml"
 cat pyproject.toml
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -26,3 +26,8 @@ c4268e3da64f1abb5b31deaeb5769adb6510c0a7
 # Update black to 23.1.0 (https://github.com/matrix-org/synapse/pull/15103)
 9bb2eac71962970d02842bca441f4bcdbbf93a11

+# Use type hinting generics in standard collections (https://github.com/element-hq/synapse/pull/19046)
+fc244bb592aa481faf28214a2e2ce3bb4e95d990
+
+# Write union types as X | Y where possible (https://github.com/element-hq/synapse/pull/19111)
+fcac7e0282b074d4bd3414d1c9c181e9701875d9
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -31,7 +31,7 @@ jobs:
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Extract version from pyproject.toml
        # Note: explicitly requesting bash will mean bash is invoked with `-eo pipefail`, see
@@ -75,7 +75,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: digests-${{ matrix.suffix }}
          path: ${{ runner.temp }}/digests/*
@@ -95,7 +95,7 @@ jobs:
      - build
    steps:
      - name: Download digests
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
@@ -120,10 +120,10 @@ jobs:
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Calculate docker image tag
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: ${{ matrix.repository }}
          flavor: |
--- a/.github/workflows/docs-pr.yaml
+++ b/.github/workflows/docs-pr.yaml
@@ -13,7 +13,7 @@ jobs:
    name: GitHub Pages
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
@@ -39,7 +39,7 @@ jobs:
          cp book/welcome_and_overview.html book/index.html

      - name: Upload Artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: book
          path: book
@@ -50,7 +50,7 @@ jobs:
    name: Check links in documentation
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Setup mdbook
        uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -50,7 +50,7 @@ jobs:
    needs:
      - pre
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Fetch all history so that the schema_versions script works.
          fetch-depth: 0
--- a/.github/workflows/fix_lint.yaml
+++ b/.github/workflows/fix_lint.yaml
@@ -18,7 +18,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -47,6 +47,6 @@ jobs:
      - run: cargo fmt
        continue-on-error: true

-      - uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
+      - uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
        with:
          commit_message: "Attempt to fix linting"
--- a/.github/workflows/latest_deps.yml
+++ b/.github/workflows/latest_deps.yml
@@ -42,7 +42,7 @@ jobs:
    if: needs.check_repo.outputs.should_run_workflow == 'true'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
@@ -77,7 +77,7 @@ jobs:
            postgres-version: "14"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -139,9 +139,9 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - sytest-tag: bullseye
+          - sytest-tag: bookworm

-          - sytest-tag: bullseye
+          - sytest-tag: bookworm
            postgres: postgres
            workers: workers
            redis: redis
@@ -152,7 +152,7 @@ jobs:
      BLACKLIST: ${{ matrix.workers && 'synapse-blacklist-with-workers' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -173,7 +173,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@@ -202,14 +202,14 @@ jobs:

    steps:
      - name: Check out synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -234,7 +234,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/poetry_lockfile.yaml
+++ b/.github/workflows/poetry_lockfile.yaml
@@ -16,7 +16,7 @@ jobs:
    name: "Check locked dependencies have sdists"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: '3.x'
--- a/.github/workflows/push_complement_image.yml
+++ b/.github/workflows/push_complement_image.yml
@@ -33,17 +33,17 @@ jobs:
      packages: write
    steps:
      - name: Checkout specific branch (debug build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        if: github.event_name == 'workflow_dispatch'
        with:
          ref: ${{ inputs.branch }}
      - name: Checkout clean copy of develop (scheduled build)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        if: github.event_name == 'schedule'
        with:
          ref: develop
      - name: Checkout clean copy of master (on-push)
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        if: github.event_name == 'push'
        with:
          ref: master
@@ -55,7 +55,7 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Work out labels for complement image
        id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
        with:
          images: ghcr.io/${{ github.repository }}/complement-synapse
          tags: |
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -27,7 +27,7 @@ jobs:
    name: "Calculate list of debian distros"
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.x"
@@ -55,7 +55,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          path: src

@@ -101,7 +101,7 @@ jobs:
          echo "ARTIFACT_NAME=${DISTRO#*:}" >> "$GITHUB_OUTPUT"

      - name: Upload debs as artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: debs-${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
          path: debs/*
@@ -132,7 +132,7 @@ jobs:
            os: "ubuntu-24.04-arm"

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
@@ -141,20 +141,25 @@ jobs:
          python-version: "3.x"

      - name: Install cibuildwheel
-        run: python -m pip install cibuildwheel==3.0.0
+        run: python -m pip install cibuildwheel==3.2.1

      - name: Only build a single wheel on PR
        if: startsWith(github.ref, 'refs/pull/')
-        run: echo "CIBW_BUILD="cp39-manylinux_*"" >> $GITHUB_ENV
+        run: echo "CIBW_BUILD="cp310-manylinux_*"" >> $GITHUB_ENV

      - name: Build wheels
        run: python -m cibuildwheel --output-dir wheelhouse
        env:
-          # Skip testing for platforms which various libraries don't have wheels
-          # for, and so need extra build deps.
-          CIBW_TEST_SKIP: pp3*-* *i686* *musl*
+          # The platforms that we build for are determined by the
+          # `tool.cibuildwheel.skip` option in `pyproject.toml`.

-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+          # We skip testing wheels for the following platforms in CI:
+          #
+          # pp3*-* (PyPy wheels) broke in CI (TODO: investigate).
+          # musl: (TODO: investigate).
+          CIBW_TEST_SKIP: pp3*-* *musl*
+
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: Wheel-${{ matrix.os }}
          path: ./wheelhouse/*.whl
@@ -165,7 +170,7 @@ jobs:
    if: ${{ !startsWith(github.ref, 'refs/pull/') }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.10"
@@ -175,7 +180,7 @@ jobs:
      - name: Build sdist
        run: python -m build --sdist

-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: Sdist
          path: dist/*.tar.gz
@@ -191,7 +196,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Download all workflow run artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      - name: Build a tarball for the debs
        # We need to merge all the debs uploads into one folder, then compress
        # that.
@@ -200,16 +205,11 @@ jobs:
          mv debs*/* debs/
          tar -cvJf debs.tar.xz debs
      - name: Attach to release
-        # Pinned to work around https://github.com/softprops/action-gh-release/issues/445
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v0.1.15
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          files: |
-            Sdist/*
-            Wheel*/*
-            debs.tar.xz
-          # if it's not already published, keep the release as a draft.
-          draft: true
-          # mark it as a prerelease if the tag contains 'rc'.
-          prerelease: ${{ contains(github.ref, 'rc') }}
+        run: |
+          gh release upload "${{ github.ref_name }}" \
+            Sdist/* \
+            Wheel*/* \
+            debs.tar.xz \
+            --repo ${{ github.repository }}
--- a/.github/workflows/schema.yaml
+++ b/.github/workflows/schema.yaml
@@ -14,7 +14,7 @@ jobs:
    name: Ensure Synapse config schema is valid
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.x"
@@ -40,7 +40,7 @@ jobs:
    name: Ensure generated documentation is up-to-date
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.x"
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -86,7 +86,7 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
        with:
@@ -106,17 +106,17 @@ jobs:
    if: ${{ needs.changes.outputs.linting == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.x"
-      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20'"
+      - run: "pip install 'click==8.1.1' 'GitPython>=3.1.20' 'sqlglot>=28.0.0'"
      - run: scripts-dev/check_schema_delta.py --force-colors

  check-lockfile:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.x"
@@ -129,7 +129,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Setup Poetry
        uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -151,7 +151,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -187,7 +187,7 @@ jobs:
  lint-crlf:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Check line endings
        run: scripts-dev/check_line_terminators.sh

@@ -195,7 +195,7 @@ jobs:
    if: ${{ (github.base_ref == 'develop'  || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
@@ -207,33 +207,13 @@ jobs:
        env:
          PULL_REQUEST_NUMBER: ${{ github.event.number }}

-  lint-pydantic:
-    runs-on: ubuntu-latest
-    needs: changes
-    if: ${{ needs.changes.outputs.linting == 'true' }}
-
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
-        with:
-          toolchain: ${{ env.RUST_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
-      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
-        with:
-          poetry-version: "2.1.1"
-          extras: "all"
-      - run: poetry run scripts-dev/check_pydantic_models.py
-
  lint-clippy:
    runs-on: ubuntu-latest
    needs: changes
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -252,7 +232,7 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -270,7 +250,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -306,7 +286,7 @@ jobs:
    if: ${{ needs.changes.outputs.rust == 'true' }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -326,7 +306,7 @@ jobs:
    needs: changes
    if: ${{ needs.changes.outputs.linting_readme == 'true' }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.x"
@@ -341,7 +321,6 @@ jobs:
      - lint-mypy
      - lint-crlf
      - lint-newsfile
-      - lint-pydantic
      - check-sampleconfig
      - check-schema-delta
      - check-lockfile
@@ -363,7 +342,6 @@ jobs:
            lint
            lint-mypy
            lint-newsfile
-            lint-pydantic
            lint-clippy
            lint-clippy-nightly
            lint-rust
@@ -376,7 +354,7 @@ jobs:
    needs: linting-done
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.x"
@@ -397,7 +375,7 @@ jobs:
        job:  ${{ fromJson(needs.calculate-test-jobs.outputs.trial_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - run: sudo apt-get -qq install xmlsec1
      - name: Set up PostgreSQL ${{ matrix.job.postgres-version }}
        if: ${{ matrix.job.postgres-version }}
@@ -453,7 +431,7 @@ jobs:
      - changes
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -470,7 +448,7 @@ jobs:

      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
-          python-version: '3.9'
+          python-version: '3.10'

      - name: Prepare old deps
        if: steps.cache-poetry-old-deps.outputs.cache-hit != 'true'
@@ -514,11 +492,11 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        python-version: ["pypy-3.9"]
+        python-version: ["pypy-3.10"]
        extras: ["all"]

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      # Install libs necessary for PyPy to build binary wheels for dependencies
      - run: sudo apt-get -qq install xmlsec1 libxml2-dev libxslt-dev
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
@@ -568,7 +546,7 @@ jobs:
        job: ${{ fromJson(needs.calculate-test-jobs.outputs.sytest_test_matrix) }}

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Prepare test blacklist
        run: cat sytest-blacklist .ci/worker-blacklist > synapse-blacklist-with-workers

@@ -585,7 +563,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.job.*, ', ') }})
@@ -615,7 +593,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - run: sudo apt-get -qq install xmlsec1 postgresql-client
      - uses: matrix-org/setup-python-poetry@5bbf6603c5c930615ec8a29f1b5d7d258d905aa4 # v2.0.0
        with:
@@ -638,10 +616,10 @@ jobs:
    strategy:
      matrix:
        include:
-          - python-version: "3.9"
-            postgres-version: "13"
+          - python-version: "3.10"
+            postgres-version: "14"

-          - python-version: "3.13"
+          - python-version: "3.14"
            postgres-version: "17"

    services:
@@ -659,7 +637,7 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Add PostgreSQL apt repository
        # We need a version of pg_dump that can handle the version of
        # PostgreSQL being tested against. The Ubuntu package repository lags
@@ -683,7 +661,7 @@ jobs:
          PGPASSWORD: postgres
          PGDATABASE: postgres
      - name: "Upload schema differences"
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: ${{ failure() && !cancelled() && steps.run_tester_script.outcome == 'failure' }}
        with:
          name: Schema dumps
@@ -714,7 +692,7 @@ jobs:

    steps:
      - name: Checkout synapse codebase
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          path: synapse

@@ -727,7 +705,7 @@ jobs:
      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -750,7 +728,7 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -770,7 +748,7 @@ jobs:
      - changes

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
--- a/.github/workflows/triage_labelled.yml
+++ b/.github/workflows/triage_labelled.yml
@@ -22,7 +22,7 @@ jobs:
      # This field is case-sensitive.
      TARGET_STATUS: Needs info
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Only clone the script file we care about, instead of the whole repo.
          sparse-checkout: .ci/scripts/triage_labelled_issue.sh
--- a/.github/workflows/twisted_trunk.yml
+++ b/.github/workflows/twisted_trunk.yml
@@ -43,7 +43,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -70,7 +70,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - run: sudo apt-get -qq install xmlsec1

      - name: Install Rust
@@ -108,16 +108,16 @@ jobs:
    if: needs.check_repo.outputs.should_run_workflow == 'true'
    runs-on: ubuntu-latest
    container:
-      # We're using debian:bullseye because it uses Python 3.9 which is our minimum supported Python version.
+      # We're using bookworm because that's what Debian oldstable is at the time of writing.
      # This job is a canary to warn us about unreleased twisted changes that would cause problems for us if
      # they were to be released immediately. For simplicity's sake (and to save CI runners) we use the oldest
      # version, assuming that any incompatibilities on newer versions would also be present on the oldest.
-      image: matrixdotorg/sytest-synapse:bullseye
+      image: matrixdotorg/sytest-synapse:bookworm
      volumes:
        - ${{ github.workspace }}:/src

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Install Rust
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
@@ -147,7 +147,7 @@ jobs:
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Upload SyTest logs
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (${{ join(matrix.*, ', ') }})
@@ -175,14 +175,14 @@ jobs:

    steps:
      - name: Run actions/checkout@v4 for synapse
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          path: synapse

      - name: Prepare Complement's Prerequisites
        run: synapse/.ci/scripts/setup_complement_prerequisites.sh

-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          cache-dependency-path: complement/go.sum
          go-version-file: complement/go.mod
@@ -217,7 +217,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,381 @@
+# Synapse 1.143.0rc2 (2025-11-18)
+
+## Internal Changes
+
+- Fixes docker image creation in the release workflow.
+
+
+
+# Synapse 1.143.0rc1 (2025-11-18)
+
+## Dropping support for PostgreSQL 13
+
+In line with our [deprecation policy](https://github.com/element-hq/synapse/blob/develop/docs/deprecation_policy.md), we've dropped
+support for PostgreSQL 13, as it is no longer supported upstream.
+This release of Synapse requires PostgreSQL 14+.
+
+## Features
+
+- Support multiple config files in `register_new_matrix_user`. ([\#18784](https://github.com/element-hq/synapse/issues/18784))
+- Remove authentication from `POST /_matrix/client/v1/delayed_events`, and allow calling this endpoint with the update action to take (`send`/`cancel`/`restart`) in the request path instead of the body. ([\#19152](https://github.com/element-hq/synapse/issues/19152))
+
+## Bugfixes
+
+- Fixed a longstanding bug where background updates were only run on the `main` database. ([\#19181](https://github.com/element-hq/synapse/issues/19181))
+- Fixed a bug introduced in v1.142.0 preventing subpaths in MAS endpoints from working. ([\#19186](https://github.com/element-hq/synapse/issues/19186))
+- Fix the SQLite-to-PostgreSQL migration script to correctly migrate a boolean column in the `delayed_events` table. ([\#19155](https://github.com/element-hq/synapse/issues/19155))
+
+## Improved Documentation
+
+- Improve documentation around streams, particularly ID generators and adding new streams. ([\#18943](https://github.com/element-hq/synapse/issues/18943))
+
+## Deprecations and Removals
+
+- Remove support for PostgreSQL 13. ([\#19170](https://github.com/element-hq/synapse/issues/19170))
+
+## Internal Changes
+
+- Provide additional servers with federation room directory results. ([\#18970](https://github.com/element-hq/synapse/issues/18970))
+- Add a shortcut return when there are no events to purge. ([\#19093](https://github.com/element-hq/synapse/issues/19093))
+- Write union types as `X | Y` where possible, as per PEP 604, added in Python 3.10. ([\#19111](https://github.com/element-hq/synapse/issues/19111))
+- Reduce cardinality of `synapse_storage_events_persisted_events_sep_total` metric by removing `origin_entity` label. This also separates out events sent by local application services by changing the `origin_type` for such events to `application_service`. The `type` field also only tracks common event types, and anything else is bucketed under `*other*`. ([\#19133](https://github.com/element-hq/synapse/issues/19133), [\#19168](https://github.com/element-hq/synapse/issues/19168))
+- Run trial tests on Python 3.14 for PRs. ([\#19135](https://github.com/element-hq/synapse/issues/19135))
+- Update `pyproject.toml` project metadata to be compatible with standard Python packaging tooling. ([\#19137](https://github.com/element-hq/synapse/issues/19137))
+- Minor speed up of processing of inbound replication. ([\#19138](https://github.com/element-hq/synapse/issues/19138), [\#19145](https://github.com/element-hq/synapse/issues/19145), [\#19146](https://github.com/element-hq/synapse/issues/19146))
+- Ignore recent Python language refactors from git blame (`.git-blame-ignore-revs`). ([\#19150](https://github.com/element-hq/synapse/issues/19150))
+- Bump lower bounds of dependencies `parameterized` to `0.9.0` and `idna` to `3.3` as those are the first to advertise support for Python 3.10. ([\#19167](https://github.com/element-hq/synapse/issues/19167))
+- Point out which event caused the exception when checking [MSC4293](https://github.com/matrix-org/matrix-spec-proposals/pull/4293) redactions. ([\#19169](https://github.com/element-hq/synapse/issues/19169))
+- Restore printing `sentinel` for the log record `request` when no logcontext is active. ([\#19172](https://github.com/element-hq/synapse/issues/19172))
+- Add debug logs to track `Clock` utilities. ([\#19173](https://github.com/element-hq/synapse/issues/19173))
+- Remove explicit python version skips in `cibuildwheel` config as it's no longer required after [#19137](https://github.com/element-hq/synapse/pull/19137). ([\#19177](https://github.com/element-hq/synapse/issues/19177))
+- Fix potential lost logcontext when `PerDestinationQueue.shutdown(...)` is called. ([\#19178](https://github.com/element-hq/synapse/issues/19178))
+- Fix bad deferred logcontext handling across the codebase. ([\#19180](https://github.com/element-hq/synapse/issues/19180))
+
+
+
+### Updates to locked dependencies
+
+* Bump bytes from 1.10.1 to 1.11.0. ([\#19193](https://github.com/element-hq/synapse/issues/19193))
+* Bump click from 8.1.8 to 8.3.1. ([\#19195](https://github.com/element-hq/synapse/issues/19195))
+* Bump cryptography from 43.0.3 to 45.0.7. ([\#19159](https://github.com/element-hq/synapse/issues/19159))
+* Bump docker/metadata-action from 5.8.0 to 5.9.0. ([\#19161](https://github.com/element-hq/synapse/issues/19161))
+* Bump pydantic from 2.12.3 to 2.12.4. ([\#19158](https://github.com/element-hq/synapse/issues/19158))
+* Bump pyo3-log from 0.13.1 to 0.13.2. ([\#19156](https://github.com/element-hq/synapse/issues/19156))
+* Bump ruff from 0.14.3 to 0.14.5. ([\#19196](https://github.com/element-hq/synapse/issues/19196))
+* Bump sentry-sdk from 2.34.1 to 2.43.0. ([\#19157](https://github.com/element-hq/synapse/issues/19157))
+* Bump sentry-sdk from 2.43.0 to 2.44.0. ([\#19197](https://github.com/element-hq/synapse/issues/19197))
+* Bump tomli from 2.2.1 to 2.3.0. ([\#19194](https://github.com/element-hq/synapse/issues/19194))
+* Bump types-netaddr from 1.3.0.20240530 to 1.3.0.20251108. ([\#19160](https://github.com/element-hq/synapse/issues/19160))
+
+
+
+# Synapse 1.142.1 (2025-11-18)
+
+## Bugfixes
+
+- Fixed a bug introduced in v1.142.0 preventing subpaths in MAS endpoints from working. ([\#19186](https://github.com/element-hq/synapse/issues/19186))
+
+
+
+
+# Synapse 1.142.0 (2025-11-11)
+
+## Dropped support for Python 3.9
+
+This release drops support for Python 3.9, in line with our [dependency
+deprecation
+policy](https://element-hq.github.io/synapse/latest/deprecation_policy.html#platform-dependencies),
+as it is now [end of life](https://endoflife.date/python).
+
+## SQLite 3.40.0+ is now required
+
+The minimum supported SQLite version has been increased from 3.27.0 to 3.40.0.
+
+If you use current versions of the
+[matrixorg/synapse](setup/installation.html#docker-images-and-ansible-playbooks)
+Docker images, no action is required.
+
+
+## Deprecation of MacOS Python wheels
+
+The team has decided to deprecate and eventually stop publishing python wheels
+for MacOS. This is a burden on the team, and we're not aware of any parties
+that use them. Synapse docker images will continue to work on MacOS, as will
+building Synapse from source (though note this requires a Rust compiler).
+
+At present, publishing MacOS Python wheels will continue for the next release
+(1.143.0), but will not be available after that (1.144.0+). If you do make use
+of these wheels downstream, please reach out to us in
+[#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org). We'd
+love to hear from you!
+
+## Internal Changes
+
+- Properly stop building wheels for Python 3.9 and free-threaded CPython. ([\#19154](https://github.com/element-hq/synapse/issues/19154))
+
+
+
+
+# Synapse 1.142.0rc4 (2025-11-07)
+
+## Bugfixes
+
+- Fix a bug introduced in 1.142.0rc1 where any attempt to configure `matrix_authentication_service.secret_path` would prevent the homeserver from starting up. ([\#19144](https://github.com/element-hq/synapse/issues/19144))
+
+
+
+
+# Synapse 1.142.0rc3 (2025-11-04)
+
+## Internal Changes
+
+- Update release scripts to prevent building wheels for free-threaded Python, as Synapse does not currently support it. ([\#19140](https://github.com/element-hq/synapse/issues/19140))
+
+
+# Synapse 1.142.0rc2 (2025-11-04)
+
+
+## Internal Changes
+
+- Manually skip building Python 3.9 wheels, to prevent errors in the release workflow. ([\#19119](https://github.com/element-hq/synapse/issues/19119))
+
+
+
+
+# Synapse 1.142.0rc1 (2025-11-04)
+
+## Features
+
+- Add support for Python 3.14. ([\#19055](https://github.com/element-hq/synapse/issues/19055), [\#19134](https://github.com/element-hq/synapse/issues/19134))
+- Add an [Admin API](https://element-hq.github.io/synapse/latest/usage/administration/admin_api/index.html)
+  to allow an admin to fetch the space/room hierarchy for a given space. ([\#19021](https://github.com/element-hq/synapse/issues/19021))
+
+## Bugfixes
+
+- Fix a bug introduced in 1.111.0 where failed attempts to download authenticated remote media would not be handled correctly. ([\#19062](https://github.com/element-hq/synapse/issues/19062))
+- Update the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane. ([\#19079](https://github.com/element-hq/synapse/issues/19079))
+- Fix a bug introduced in 1.140.0 where lost logcontext warnings would be emitted from timeouts in sync and requests made by Synapse itself. ([\#19090](https://github.com/element-hq/synapse/issues/19090))
+- Fix a bug introdued in 1.140.0 where lost logcontext warning were emitted when using `HomeServer.shutdown()`. ([\#19108](https://github.com/element-hq/synapse/issues/19108))
+
+## Improved Documentation
+
+- Update the link to the Debian oldstable package for SQLite. ([\#19047](https://github.com/element-hq/synapse/issues/19047))
+- Point out additional Redis configuration options available in the worker docs. Contributed by @servisbryce. ([\#19073](https://github.com/element-hq/synapse/issues/19073))
+- Update the list of Debian releases that the downstream Debian package is maintained for. ([\#19100](https://github.com/element-hq/synapse/issues/19100))
+- Add [a page](https://element-hq.github.io/synapse/latest/development/internal_documentation/release_notes_review_checklist.html) to the documentation describing the steps the Synapse team takes to review the release notes before publishing them. ([\#19109](https://github.com/element-hq/synapse/issues/19109))
+
+## Deprecations and Removals
+
+- Drop support for Python 3.9. ([\#19099](https://github.com/element-hq/synapse/issues/19099))
+- Remove support for SQLite < 3.37.2. ([\#19047](https://github.com/element-hq/synapse/issues/19047))
+
+## Internal Changes
+
+- Fix CI linter for schema delta files to correctly handle all types of `CREATE TABLE` syntax. ([\#19020](https://github.com/element-hq/synapse/issues/19020))
+- Use type hinting generics in standard collections, as per [PEP 585](https://peps.python.org/pep-0585/), added in Python 3.9. ([\#19046](https://github.com/element-hq/synapse/issues/19046))
+- Always treat `RETURNING` as supported by SQL engines, now that the minimum-supported versions of both SQLite and PostgreSQL support it. ([\#19047](https://github.com/element-hq/synapse/issues/19047))
+- Move `oidc.load_metadata()` startup into `_base.start()`. ([\#19056](https://github.com/element-hq/synapse/issues/19056))
+- Remove logcontext problems caused by awaiting raw `deferLater(...)`. ([\#19058](https://github.com/element-hq/synapse/issues/19058))
+- Prevent duplicate logging setup when running multiple Synapse instances. ([\#19067](https://github.com/element-hq/synapse/issues/19067))
+- Be mindful of other logging context filters in 3rd-party code and avoid overwriting log record fields unless we know the log record is relevant to Synapse. ([\#19068](https://github.com/element-hq/synapse/issues/19068))
+- Update pydantic to v2. ([\#19071](https://github.com/element-hq/synapse/issues/19071))
+- Update deprecated code in the release script to prevent a warning message from being printed. ([\#19080](https://github.com/element-hq/synapse/issues/19080))
+- Update the deprecated poetry development dependencies group name in `pyproject.toml`. ([\#19081](https://github.com/element-hq/synapse/issues/19081))
+- Remove `pp38*` skip selector from cibuildwheel to silence warning. ([\#19085](https://github.com/element-hq/synapse/issues/19085))
+- Don't immediately exit the release script if the checkout is dirty. Instead, allow the user to clear the dirty changes and retry. ([\#19088](https://github.com/element-hq/synapse/issues/19088))
+- Update the release script's generated announcement text to include a title and extra text for RC's. ([\#19089](https://github.com/element-hq/synapse/issues/19089))
+- Fix lints on main branch. ([\#19092](https://github.com/element-hq/synapse/issues/19092))
+- Use cheaper random string function in logcontext utilities. ([\#19094](https://github.com/element-hq/synapse/issues/19094))
+- Avoid clobbering other `SIGHUP` handlers in 3rd-party code. ([\#19095](https://github.com/element-hq/synapse/issues/19095))
+- Prevent duplicate GitHub draft releases being created during the Synapse release process. ([\#19096](https://github.com/element-hq/synapse/issues/19096))
+- Use Pillow's `Image.getexif` method instead of the experimental `Image._getexif`. ([\#19098](https://github.com/element-hq/synapse/issues/19098))
+- Prevent uv `/usr/local/.lock` file from appearing in built Synapse docker images. ([\#19107](https://github.com/element-hq/synapse/issues/19107))
+- Allow Synapse's runtime dependency checking code to take packaging markers (i.e. `python <= 3.14`) into account when checking dependencies. ([\#19110](https://github.com/element-hq/synapse/issues/19110))
+- Move exception handling up the stack (avoid `exit(1)` in our composable functions). ([\#19116](https://github.com/element-hq/synapse/issues/19116))
+- Fix a lint error related to lifetimes in Rust 1.90. ([\#19118](https://github.com/element-hq/synapse/issues/19118))
+- Refactor and align app entrypoints (avoid `exit(1)` in our composable functions). ([\#19121](https://github.com/element-hq/synapse/issues/19121), [\#19131](https://github.com/element-hq/synapse/issues/19131))
+- Speed up pruning of ratelimiters. ([\#19129](https://github.com/element-hq/synapse/issues/19129))
+
+
+
+### Updates to locked dependencies
+
+* Bump actions/download-artifact from 5.0.0 to 6.0.0. ([\#19102](https://github.com/element-hq/synapse/issues/19102))
+* Bump actions/upload-artifact from 4 to 5. ([\#19106](https://github.com/element-hq/synapse/issues/19106))
+* Bump hiredis from 3.2.1 to 3.3.0. ([\#19103](https://github.com/element-hq/synapse/issues/19103))
+* Bump icu_segmenter from 2.0.0 to 2.0.1. ([\#19126](https://github.com/element-hq/synapse/issues/19126))
+* Bump idna from 3.10 to 3.11. ([\#19053](https://github.com/element-hq/synapse/issues/19053))
+* Bump ijson from 3.4.0 to 3.4.0.post0. ([\#19051](https://github.com/element-hq/synapse/issues/19051))
+* Bump markdown-it-py from 3.0.0 to 4.0.0. ([\#19123](https://github.com/element-hq/synapse/issues/19123))
+* Bump msgpack from 1.1.1 to 1.1.2. ([\#19050](https://github.com/element-hq/synapse/issues/19050))
+* Bump psycopg2 from 2.9.10 to 2.9.11. ([\#19125](https://github.com/element-hq/synapse/issues/19125))
+* Bump pyyaml from 6.0.2 to 6.0.3. ([\#19105](https://github.com/element-hq/synapse/issues/19105))
+* Bump regex from 1.11.3 to 1.12.2. ([\#19074](https://github.com/element-hq/synapse/issues/19074))
+* Bump reqwest from 0.12.23 to 0.12.24. ([\#19077](https://github.com/element-hq/synapse/issues/19077))
+* Bump ruff from 0.12.10 to 0.14.3. ([\#19124](https://github.com/element-hq/synapse/issues/19124))
+* Bump sigstore/cosign-installer from 3.10.0 to 4.0.0. ([\#19075](https://github.com/element-hq/synapse/issues/19075))
+* Bump stefanzweifel/git-auto-commit-action from 6.0.1 to 7.0.0. ([\#19052](https://github.com/element-hq/synapse/issues/19052))
+* Bump tokio from 1.47.1 to 1.48.0. ([\#19076](https://github.com/element-hq/synapse/issues/19076))
+* Bump types-psycopg2 from 2.9.21.20250915 to 2.9.21.20251012. ([\#19054](https://github.com/element-hq/synapse/issues/19054))
+
+# Synapse 1.141.0 (2025-10-29)
+
+## Deprecation of MacOS Python wheels
+
+The team has decided to deprecate and eventually stop publishing python wheels
+for MacOS. This is a burden on the team, and we're not aware of any parties
+that use them. Synapse docker images will continue to work on MacOS, as will
+building Synapse from source (though note this requires a Rust compiler).
+
+Publishing MacOS Python wheels will continue for the next few releases. If you
+do make use of these wheels downstream, please reach out to us in
+[#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org). We'd
+love to hear from you!
+
+
+## Docker images now based on Debian `trixie` with Python 3.13
+
+The Docker images are now based on Debian `trixie` and use Python 3.13. If you
+are using the Docker images as a base image you may need to e.g. adjust the
+paths you mount any additional Python packages at.
+
+No significant changes since 1.141.0rc2.
+
+
+
+
+# Synapse 1.141.0rc2 (2025-10-28)
+
+## Bugfixes
+
+- Fix users being unable to log in if their password, or the server's configured pepper, was too long. ([\#19101](https://github.com/element-hq/synapse/issues/19101))
+
+
+
+
+# Synapse 1.141.0rc1 (2025-10-21)
+
+## Features
+
+- Allow using [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) behavior without the opt-in registration flag. Contributed by @tulir @ Beeper. ([\#19031](https://github.com/element-hq/synapse/issues/19031))
+- Stabilized support for [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326): Device masquerading for appservices. Contributed by @tulir @ Beeper. ([\#19033](https://github.com/element-hq/synapse/issues/19033))
+
+## Bugfixes
+
+- Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be `reload`-ed more than once when running under systemd. ([\#19060](https://github.com/element-hq/synapse/issues/19060))
+- Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long. ([\#19078](https://github.com/element-hq/synapse/issues/19078))
+
+## Updates to the Docker image
+
+- Update docker image to use Debian trixie as the base and thus Python 3.13. ([\#19064](https://github.com/element-hq/synapse/issues/19064))
+
+## Internal Changes
+
+- Move unique snowflake homeserver background tasks to `start_background_tasks` (the standard pattern for this kind of thing). ([\#19037](https://github.com/element-hq/synapse/issues/19037))
+- Drop a deprecated field of the `PyGitHub` dependency in the release script and raise the dependency's minimum version to `1.59.0`. ([\#19039](https://github.com/element-hq/synapse/issues/19039))
+- Update TODO list of conflicting areas where we encounter metrics being clobbered (`ApplicationService`). ([\#19040](https://github.com/element-hq/synapse/issues/19040))
+
+
+
+
+# Synapse 1.140.0 (2025-10-14)
+
+## Compatibility notice for users of `synapse-s3-storage-provider`
+
+Deployments that make use of the
+[synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider)
+module must upgrade to
+[v1.6.0](https://github.com/matrix-org/synapse-s3-storage-provider/releases/tag/v1.6.0).
+Using older versions of the module with this release of Synapse will prevent
+users from being able to upload or download media.
+
+
+No significant changes since 1.140.0rc1.
+
+
+
+
+# Synapse 1.140.0rc1 (2025-10-10)
+
+## Features
+
+- Add [a new Media Query by ID Admin API](https://element-hq.github.io/synapse/v1.140/admin_api/media_admin_api.html#query-a-piece-of-media-by-id) that allows server admins to query and investigate the metadata of local or cached remote media via
+  the `origin/media_id` identifier found in a [Matrix Content URI](https://spec.matrix.org/v1.14/client-server-api/#matrix-content-mxc-uris). ([\#18911](https://github.com/element-hq/synapse/issues/18911))
+- Add [a new Fetch Event Admin API](https://element-hq.github.io/synapse/v1.140/admin_api/fetch_event.html) to fetch an event by ID. ([\#18963](https://github.com/element-hq/synapse/issues/18963))
+- Update [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support signatures when available. ([\#18934](https://github.com/element-hq/synapse/issues/18934))
+- Add experimental implementation of the `GET /_matrix/client/v1/rtc/transports` endpoint for the latest draft of [MSC4143: MatrixRTC](https://github.com/matrix-org/matrix-spec-proposals/pull/4143). ([\#18967](https://github.com/element-hq/synapse/issues/18967))
+- Expose a `defer_to_threadpool` function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool. ([\#19032](https://github.com/element-hq/synapse/issues/19032))
+
+## Bugfixes
+
+- Fix room upgrade `room_config` argument and documentation for `user_may_create_room` spam-checker callback. ([\#18721](https://github.com/element-hq/synapse/issues/18721))
+- Compute a user's last seen timestamp from their devices' last seen timestamps instead of IPs, because the latter are automatically cleared according to `user_ips_max_age`. ([\#18948](https://github.com/element-hq/synapse/issues/18948))
+- Fix bug where ephemeral events were not filtered by room ID. Contributed by @frastefanini. ([\#19002](https://github.com/element-hq/synapse/issues/19002))
+- Update Synapse main process version string to include git info. ([\#19011](https://github.com/element-hq/synapse/issues/19011))
+
+## Improved Documentation
+
+- Explain how `Deferred` callbacks interact with logcontexts. ([\#18914](https://github.com/element-hq/synapse/issues/18914))
+- Fix documentation for `rc_room_creation` and `rc_reports` to clarify that a `per_user` rate limit is not supported. ([\#18998](https://github.com/element-hq/synapse/issues/18998))
+
+## Deprecations and Removals
+
+- Remove deprecated `LoggingContext.set_current_context`/`LoggingContext.current_context` methods which already have equivalent bare methods in `synapse.logging.context`. ([\#18989](https://github.com/element-hq/synapse/issues/18989))
+- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
+
+## Internal Changes
+
+- Cleanly shutdown `SynapseHomeServer` object, allowing artifacts of embedded small hosts to be properly garbage collected. ([\#18828](https://github.com/element-hq/synapse/issues/18828))
+- Update OEmbed providers to use 'X' instead of 'Twitter' in URL previews, following a rebrand. Contributed by @HammyHavoc. ([\#18767](https://github.com/element-hq/synapse/issues/18767))
+- Fix `server_name` in logging context for multiple Synapse instances in one process. ([\#18868](https://github.com/element-hq/synapse/issues/18868))
+- Wrap the Rust HTTP client with `make_deferred_yieldable` so it follows Synapse logcontext rules. ([\#18903](https://github.com/element-hq/synapse/issues/18903))
+- Fix the GitHub Actions workflow that moves issues labeled "X-Needs-Info" to the "Needs info" column on the team's internal triage board. ([\#18913](https://github.com/element-hq/synapse/issues/18913))
+- Disconnect background process work from request trace. ([\#18932](https://github.com/element-hq/synapse/issues/18932))
+- Reduce overall number of calls to `_get_e2e_cross_signing_signatures_for_devices` by increasing the batch size of devices the query is called with, reducing DB load. ([\#18939](https://github.com/element-hq/synapse/issues/18939))
+- Update error code used when an appservice tries to masquerade as an unknown device using [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326). Contributed by @tulir @ Beeper. ([\#18947](https://github.com/element-hq/synapse/issues/18947))
+- Fix `no active span when trying to log` tracing error on startup (when OpenTracing is enabled). ([\#18959](https://github.com/element-hq/synapse/issues/18959))
+- Fix `run_coroutine_in_background(...)` incorrectly handling logcontext. ([\#18964](https://github.com/element-hq/synapse/issues/18964))
+- Add debug logs wherever we change current logcontext. ([\#18966](https://github.com/element-hq/synapse/issues/18966))
+- Update dockerfile metadata to fix broken link; point to documentation website. ([\#18971](https://github.com/element-hq/synapse/issues/18971))
+- Note that the code is additionally licensed under the [Element Commercial license](https://github.com/element-hq/synapse/blob/develop/LICENSE-COMMERCIAL) in SPDX expression field configs. ([\#18973](https://github.com/element-hq/synapse/issues/18973))
+- Fix logcontext handling in `timeout_deferred` tests. ([\#18974](https://github.com/element-hq/synapse/issues/18974))
+- Remove internal `ReplicationUploadKeysForUserRestServlet` as a follow-up to the work in https://github.com/element-hq/synapse/pull/18581 that moved device changes off the main process. ([\#18988](https://github.com/element-hq/synapse/issues/18988))
+- Switch task scheduler from raw logcontext manipulation to using the dedicated logcontext utils. ([\#18990](https://github.com/element-hq/synapse/issues/18990))
+- Remove `MockClock()` in tests. ([\#18992](https://github.com/element-hq/synapse/issues/18992))
+- Switch back to our own custom `LogContextScopeManager` instead of OpenTracing's `ContextVarsScopeManager` which was causing problems when using the experimental `SYNAPSE_ASYNC_IO_REACTOR` option with tracing enabled. ([\#19007](https://github.com/element-hq/synapse/issues/19007))
+- Remove `version_string` argument from `HomeServer` since it's always the same. ([\#19012](https://github.com/element-hq/synapse/issues/19012))
+- Remove duplicate call to `hs.start_background_tasks()` introduced from a bad merge. ([\#19013](https://github.com/element-hq/synapse/issues/19013))
+- Split homeserver creation (`create_homeserver`) and setup (`setup`). ([\#19015](https://github.com/element-hq/synapse/issues/19015))
+- Swap near-end-of-life `macos-13` GitHub Actions runner for the `macos-15-intel` variant. ([\#19025](https://github.com/element-hq/synapse/issues/19025))
+- Introduce `RootConfig.validate_config()` which can be subclassed in `HomeServerConfig` to do cross-config class validation. ([\#19027](https://github.com/element-hq/synapse/issues/19027))
+- Allow any command of the `release.py` script to accept a `--gh-token` argument. ([\#19035](https://github.com/element-hq/synapse/issues/19035))
+
+
+
+### Updates to locked dependencies
+
+* Bump Swatinem/rust-cache from 2.8.0 to 2.8.1. ([\#18949](https://github.com/element-hq/synapse/issues/18949))
+* Bump actions/cache from 4.2.4 to 4.3.0. ([\#18983](https://github.com/element-hq/synapse/issues/18983))
+* Bump anyhow from 1.0.99 to 1.0.100. ([\#18950](https://github.com/element-hq/synapse/issues/18950))
+* Bump authlib from 1.6.3 to 1.6.4. ([\#18957](https://github.com/element-hq/synapse/issues/18957))
+* Bump authlib from 1.6.4 to 1.6.5. ([\#19019](https://github.com/element-hq/synapse/issues/19019))
+* Bump bcrypt from 4.3.0 to 5.0.0. ([\#18984](https://github.com/element-hq/synapse/issues/18984))
+* Bump docker/login-action from 3.5.0 to 3.6.0. ([\#18978](https://github.com/element-hq/synapse/issues/18978))
+* Bump lxml from 6.0.0 to 6.0.2. ([\#18979](https://github.com/element-hq/synapse/issues/18979))
+* Bump phonenumbers from 9.0.13 to 9.0.14. ([\#18954](https://github.com/element-hq/synapse/issues/18954))
+* Bump phonenumbers from 9.0.14 to 9.0.15. ([\#18991](https://github.com/element-hq/synapse/issues/18991))
+* Bump prometheus-client from 0.22.1 to 0.23.1. ([\#19016](https://github.com/element-hq/synapse/issues/19016))
+* Bump pydantic from 2.11.9 to 2.11.10. ([\#19017](https://github.com/element-hq/synapse/issues/19017))
+* Bump pygithub from 2.7.0 to 2.8.1. ([\#18952](https://github.com/element-hq/synapse/issues/18952))
+* Bump regex from 1.11.2 to 1.11.3. ([\#18981](https://github.com/element-hq/synapse/issues/18981))
+* Bump serde from 1.0.224 to 1.0.226. ([\#18953](https://github.com/element-hq/synapse/issues/18953))
+* Bump serde from 1.0.226 to 1.0.228. ([\#18982](https://github.com/element-hq/synapse/issues/18982))
+* Bump setuptools-rust from 1.11.1 to 1.12.0. ([\#18980](https://github.com/element-hq/synapse/issues/18980))
+* Bump twine from 6.1.0 to 6.2.0. ([\#18985](https://github.com/element-hq/synapse/issues/18985))
+* Bump types-pyyaml from 6.0.12.20250809 to 6.0.12.20250915. ([\#19018](https://github.com/element-hq/synapse/issues/19018))
+* Bump types-requests from 2.32.4.20250809 to 2.32.4.20250913. ([\#18951](https://github.com/element-hq/synapse/issues/18951))
+* Bump typing-extensions from 4.14.1 to 4.15.0. ([\#18956](https://github.com/element-hq/synapse/issues/18956))
+
 # Synapse 1.139.2 (2025-10-07)

 ## Bugfixes
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2,21 +2,6 @@
 # It is not intended for manual editing.
 version = 3

-[[package]]
-name = "addr2line"
-version = "0.24.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
-dependencies = [
- "gimli",
-]
-
-[[package]]
-name = "adler2"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
-
 [[package]]
 name = "aho-corasick"
 version = "1.1.3"
@@ -50,21 +35,6 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

-[[package]]
-name = "backtrace"
-version = "0.3.75"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002"
-dependencies = [
- "addr2line",
- "cfg-if",
- "libc",
- "miniz_oxide",
- "object",
- "rustc-demangle",
- "windows-targets",
-]
-
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -103,9 +73,9 @@ checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43"

 [[package]]
 name = "bytes"
-version = "1.10.1"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
+checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"

 [[package]]
 name = "cc"
@@ -341,12 +311,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "gimli"
-version = "0.31.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
-
 [[package]]
 name = "h2"
 version = "0.4.11"
@@ -625,9 +589,9 @@ dependencies = [

 [[package]]
 name = "icu_segmenter"
-version = "2.0.0"
+version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e185fc13b6401c138cf40db12b863b35f5edf31b88192a545857b41aeaf7d3d3"
+checksum = "38e30e593cf9c3ca2f51aa312eb347cd1ba95715e91a842ec3fc9058eab2af4b"
 dependencies = [
 "core_maths",
 "displaydoc",
@@ -684,17 +648,6 @@ version = "2.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f4c7245a08504955605670dbf141fceab975f15ca21570696aebe9d2e71576bd"

-[[package]]
-name = "io-uring"
-version = "0.7.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
-dependencies = [
- "bitflags",
- "cfg-if",
- "libc",
-]
-
 [[package]]
 name = "ipnet"
 version = "2.11.0"
@@ -784,15 +737,6 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"

-[[package]]
-name = "miniz_oxide"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
-dependencies = [
- "adler2",
-]
-
 [[package]]
 name = "mio"
 version = "1.0.4"
@@ -804,15 +748,6 @@ dependencies = [
 "windows-sys 0.59.0",
 ]

-[[package]]
-name = "object"
-version = "0.36.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
-dependencies = [
- "memchr",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -879,9 +814,9 @@ dependencies = [

 [[package]]
 name = "pyo3"
-version = "0.25.1"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8970a78afe0628a3e3430376fc5fd76b6b45c4d43360ffd6cdd40bdde72b682a"
+checksum = "7ba0117f4212101ee6544044dae45abe1083d30ce7b29c4b5cbdfa2354e07383"
 dependencies = [
 "anyhow",
 "indoc",
@@ -897,19 +832,18 @@ dependencies = [

 [[package]]
 name = "pyo3-build-config"
-version = "0.25.1"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "458eb0c55e7ece017adeba38f2248ff3ac615e53660d7c71a238d7d2a01c7598"
+checksum = "4fc6ddaf24947d12a9aa31ac65431fb1b851b8f4365426e182901eabfb87df5f"
 dependencies = [
- "once_cell",
 "target-lexicon",
 ]

 [[package]]
 name = "pyo3-ffi"
-version = "0.25.1"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7114fe5457c61b276ab77c5055f206295b812608083644a5c5b2640c3102565c"
+checksum = "025474d3928738efb38ac36d4744a74a400c901c7596199e20e45d98eb194105"
 dependencies = [
 "libc",
 "pyo3-build-config",
@@ -917,9 +851,9 @@ dependencies = [

 [[package]]
 name = "pyo3-log"
-version = "0.12.4"
+version = "0.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45192e5e4a4d2505587e27806c7b710c231c40c56f3bfc19535d0bb25df52264"
+checksum = "2f8bae9ad5ba08b0b0ed2bb9c2bdbaeccc69cafca96d78cf0fbcea0d45d122bb"
 dependencies = [
 "arc-swap",
 "log",
@@ -928,9 +862,9 @@ dependencies = [

 [[package]]
 name = "pyo3-macros"
-version = "0.25.1"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8725c0a622b374d6cb051d11a0983786448f7785336139c3c94f5aa6bef7e50"
+checksum = "2e64eb489f22fe1c95911b77c44cc41e7c19f3082fc81cce90f657cdc42ffded"
 dependencies = [
 "proc-macro2",
 "pyo3-macros-backend",
@@ -940,9 +874,9 @@ dependencies = [

 [[package]]
 name = "pyo3-macros-backend"
-version = "0.25.1"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4109984c22491085343c05b0dbc54ddc405c3cf7b4374fc533f5c3313a572ccc"
+checksum = "100246c0ecf400b475341b8455a9213344569af29a3c841d29270e53102e0fcf"
 dependencies = [
 "heck",
 "proc-macro2",
@@ -953,9 +887,9 @@ dependencies = [

 [[package]]
 name = "pythonize"
-version = "0.25.0"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "597907139a488b22573158793aa7539df36ae863eba300c75f3a0d65fc475e27"
+checksum = "11e06e4cff9be2bbf2bddf28a486ae619172ea57e79787f856572878c62dcfe2"
 dependencies = [
 "pyo3",
 "serde",
@@ -1062,9 +996,9 @@ dependencies = [

 [[package]]
 name = "regex"
-version = "1.11.3"
+version = "1.12.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b5288124840bee7b386bc413c487869b360b2b4ec421ea56425128692f2a82c"
+checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -1074,9 +1008,9 @@ dependencies = [

 [[package]]
 name = "regex-automata"
-version = "0.4.11"
+version = "0.4.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "833eb9ce86d40ef33cb1306d8accf7bc8ec2bfea4355cbdebb3df68b40925cad"
+checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -1091,9 +1025,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"

 [[package]]
 name = "reqwest"
-version = "0.12.23"
+version = "0.12.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d429f34c8092b2d42c7c93cec323bb4adeb7c67698f70839adec842ec10c7ceb"
+checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f"
 dependencies = [
 "base64",
 "bytes",
@@ -1145,12 +1079,6 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

-[[package]]
-name = "rustc-demangle"
-version = "0.1.26"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace"
-
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -1489,19 +1417,16 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.47.1"
+version = "1.48.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89e49afdadebb872d3145a5638b59eb0691ea23e46ca484037cfab3b76b95038"
+checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408"
 dependencies = [
- "backtrace",
 "bytes",
- "io-uring",
 "libc",
 "mio",
 "pin-project-lite",
- "slab",
 "socket2 0.6.0",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -1782,6 +1707,12 @@ dependencies = [
 "wasm-bindgen",
 ]

+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
@@ -1800,6 +1731,15 @@ dependencies = [
 "windows-targets",
 ]

+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
--- a/build_rust.py
+++ b/build_rust.py
@@ -2,13 +2,13 @@

 import itertools
 import os
-from typing import Any, Dict
+from typing import Any

 from packaging.specifiers import SpecifierSet
 from setuptools_rust import Binding, RustExtension


-def build(setup_kwargs: Dict[str, Any]) -> None:
+def build(setup_kwargs: dict[str, Any]) -> None:
    original_project_dir = os.path.dirname(os.path.realpath(__file__))
    cargo_toml_path = os.path.join(original_project_dir, "rust", "Cargo.toml")

@@ -27,12 +27,12 @@ def build(setup_kwargs: Dict[str, Any]) -> None:
    setup_kwargs["zip_safe"] = False

    # We look up the minimum supported Python version with
-    # `python_requires` (e.g. ">=3.9.0,<4.0.0") and finding the first Python
+    # `python_requires` (e.g. ">=3.10.0,<4.0.0") and finding the first Python
    # version that matches. We then convert that into the `py_limited_api` form,
-    # e.g. cp39 for Python 3.9.
+    # e.g. cp310 for Python 3.10.
    py_limited_api: str
    python_bounds = SpecifierSet(setup_kwargs["python_requires"])
-    for minor_version in itertools.count(start=8):
+    for minor_version in itertools.count(start=10):
        if f"3.{minor_version}.0" in python_bounds:
            py_limited_api = f"cp3{minor_version}"
            break
--- a/changelog.d/17097.misc
+++ b/changelog.d/17097.misc
@@ -1 +0,0 @@
-Extend validation of uploaded device keys.
--- a/changelog.d/18721.bugfix
+++ b/changelog.d/18721.bugfix
@@ -1 +0,0 @@
-Fix room upgrade `room_config` argument and documentation for `user_may_create_room` spam-checker callback.
--- a/changelog.d/18767.misc
+++ b/changelog.d/18767.misc
@@ -1 +0,0 @@
-Update OEmbed providers to use 'X' instead of 'Twitter' in URL previews, following a rebrand. Contributed by @HammyHavoc.
--- a/changelog.d/18828.feature
+++ b/changelog.d/18828.feature
@@ -1 +0,0 @@
-Cleanly shutdown `SynapseHomeServer` object.
--- a/changelog.d/18868.misc
+++ b/changelog.d/18868.misc
@@ -1 +0,0 @@
-Fix `server_name` in logging context for multiple Synapse instances in one process.
--- a/changelog.d/18903.misc
+++ b/changelog.d/18903.misc
@@ -1 +0,0 @@
-Wrap the Rust HTTP client with `make_deferred_yieldable` so it follows Synapse logcontext rules.
--- a/changelog.d/18911.feature
+++ b/changelog.d/18911.feature
@@ -1,2 +0,0 @@
-Add an Admin API that allows server admins to to query and investigate the metadata of local or cached remote media via
-the `origin/media_id` identifier found in a [Matrix Content URI](https://spec.matrix.org/v1.14/client-server-api/#matrix-content-mxc-uris).
--- a/changelog.d/18913.misc
+++ b/changelog.d/18913.misc
@@ -1 +0,0 @@
-Fix the GitHub Actions workflow that moves issues labeled "X-Needs-Info" to the "Needs info" column on the team's internal triage board.
--- a/changelog.d/18914.doc
+++ b/changelog.d/18914.doc
@@ -1 +0,0 @@
-Explain how Deferred callbacks interact with logcontexts.
--- a/changelog.d/18932.misc
+++ b/changelog.d/18932.misc
@@ -1 +0,0 @@
-Disconnect background process work from request trace.
--- a/changelog.d/18934.feature
+++ b/changelog.d/18934.feature
@@ -1 +0,0 @@
-Update [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support signatures when available.
--- a/changelog.d/18939.misc
+++ b/changelog.d/18939.misc
@@ -1 +0,0 @@
-Reduce overall number of calls to `_get_e2e_cross_signing_signatures_for_devices` by increasing the batch size of devices the query is called with, reducing DB load.
--- a/changelog.d/18947.misc
+++ b/changelog.d/18947.misc
@@ -1 +0,0 @@
-Update error code used when an appservice tries to masquerade as an unknown device using [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326). Contributed by @tulir @ Beeper.
--- a/changelog.d/18948.bugfix
+++ b/changelog.d/18948.bugfix
@@ -1 +0,0 @@
-Compute a user's last seen timestamp from their devices' last seen timestamps instead of IPs, because the latter are automatically cleared according to `user_ips_max_age`.
--- a/changelog.d/18959.misc
+++ b/changelog.d/18959.misc
@@ -1 +0,0 @@
-Fix `no active span when trying to log` tracing error on startup (when OpenTracing is enabled).
--- a/changelog.d/18963.feature
+++ b/changelog.d/18963.feature
@@ -1 +0,0 @@
-Add an Admin API to fetch an event by ID.
--- a/changelog.d/18964.misc
+++ b/changelog.d/18964.misc
@@ -1 +0,0 @@
-Fix `run_coroutine_in_background(...)` incorrectly handling logcontext.
--- a/changelog.d/18966.misc
+++ b/changelog.d/18966.misc
@@ -1 +0,0 @@
-Add debug logs wherever we change current logcontext.
--- a/changelog.d/18967.feature
+++ b/changelog.d/18967.feature
@@ -1 +0,0 @@
-Add experimental implementation for the latest draft of [MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143).
--- a/changelog.d/18971.misc
+++ b/changelog.d/18971.misc
@@ -1 +0,0 @@
-Update dockerfile metadata to fix broken link; point to documentation website.
--- a/changelog.d/18973.misc
+++ b/changelog.d/18973.misc
@@ -1 +0,0 @@
-Note that the code is additionally licensed under the [Element Commercial license](https://github.com/element-hq/synapse/blob/develop/LICENSE-COMMERCIAL) in SPDX expression field configs.
--- a/changelog.d/18974.misc
+++ b/changelog.d/18974.misc
@@ -1 +0,0 @@
-Fix logcontext handling in `timeout_deferred` tests.
--- a/changelog.d/18988.misc
+++ b/changelog.d/18988.misc
@@ -1 +0,0 @@
-Remove internal `ReplicationUploadKeysForUserRestServlet` as a follow-up to the work in https://github.com/element-hq/synapse/pull/18581 that moved device changes off the main process.
--- a/changelog.d/18989.removal
+++ b/changelog.d/18989.removal
@@ -1 +0,0 @@
-Remove deprecated `LoggingContext.set_current_context`/`LoggingContext.current_context` methods which already have equivalent bare methods in `synapse.logging.context`.
--- a/changelog.d/18990.misc
+++ b/changelog.d/18990.misc
@@ -1 +0,0 @@
-Switch task scheduler from raw logcontext manipulation to using the dedicated logcontext utils.
--- a/changelog.d/18992.misc
+++ b/changelog.d/18992.misc
@@ -1 +0,0 @@
-Remove `MockClock()` in tests.
--- a/changelog.d/18996.removal
+++ b/changelog.d/18996.removal
@@ -1 +0,0 @@
-Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal.
--- a/changelog.d/18998.doc
+++ b/changelog.d/18998.doc
@@ -1 +0,0 @@
-Fix documentation for `rc_room_creation` and `rc_reports` to clarify that a `per_user` rate limit is not supported.
--- a/changelog.d/19002.bugfix
+++ b/changelog.d/19002.bugfix
@@ -1 +0,0 @@
-Fix bug where ephemeral events were not filtered by room ID. Contributed by @frastefanini.
--- a/changelog.d/19007.misc
+++ b/changelog.d/19007.misc
@@ -1 +0,0 @@
-Switch back to our own custom `LogContextScopeManager` instead of OpenTracing's `ContextVarsScopeManager` which was causing problems when using the experimental `SYNAPSE_ASYNC_IO_REACTOR` option with tracing enabled.
--- a/changelog.d/19011.bugfix
+++ b/changelog.d/19011.bugfix
@@ -1 +0,0 @@
-Update Synapse main process version string to include git info.
--- a/changelog.d/19012.misc
+++ b/changelog.d/19012.misc
@@ -1 +0,0 @@
-Remove `version_string` argument from `HomeServer` since it's always the same.
--- a/changelog.d/19013.misc
+++ b/changelog.d/19013.misc
@@ -1 +0,0 @@
-Remove duplicate call to `hs.start_background_tasks()` introduced from a bad merge.
--- a/changelog.d/19015.misc
+++ b/changelog.d/19015.misc
@@ -1 +0,0 @@
-Split homeserver creation (`create_homeserver`) and setup (`setup`).
--- a/changelog.d/19023.bugfix
+++ b/changelog.d/19023.bugfix
@@ -1 +0,0 @@
-Fix a bug introduced in 1.139.1 where a client could receive an Internal Server Error if they set `device_keys: null` in the request to [`POST /_matrix/client/v3/keys/upload`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3keysupload).
--- a/changelog.d/19025.misc
+++ b/changelog.d/19025.misc
@@ -1 +0,0 @@
-Swap near-end-of-life `macos-13` GitHub Actions runner for the `macos-15-intel` variant.
--- a/changelog.d/19027.misc
+++ b/changelog.d/19027.misc
@@ -1 +0,0 @@
-Introduce `RootConfig.validate_config()` which can be subclassed in `HomeServerConfig` to do cross-config class validation.
--- a/changelog.d/19032.feature
+++ b/changelog.d/19032.feature
@@ -1 +0,0 @@
-Expose a `defer_to_threadpool` function in the Synapse Module API that allows modules to run a function on a separate thread in a custom threadpool.
--- a/changelog.d/19035.misc
+++ b/changelog.d/19035.misc
@@ -1 +0,0 @@
-Allow any command of the `release.py` to accept a `--gh-token` argument.
--- a/changelog.d/19208.misc
+++ b/changelog.d/19208.misc
@@ -0,0 +1 @@
+Export `SYNAPSE_SUPPORTED_COMPLEMENT_TEST_PACKAGES` environment variable from `scripts-dev/complement.sh`.
--- a/changelog.d/19209.misc
+++ b/changelog.d/19209.misc
@@ -0,0 +1 @@
+Refactor `scripts-dev/complement.sh` logic to avoid `exit` to facilitate being able to source it from other scripts (composable).
--- a/changelog.d/19211.misc
+++ b/changelog.d/19211.misc
@@ -0,0 +1 @@
+Expire sliding sync connections that are too old or have too much pending data.
--- a/changelog.d/19221.misc
+++ b/changelog.d/19221.misc
@@ -0,0 +1 @@
+Auto-fix trailing spaces in multi-line strings and comments when running the lint script.
--- a/changelog.d/19224.misc
+++ b/changelog.d/19224.misc
@@ -0,0 +1 @@
+Improve robustness of the SQL schema linting in CI.
--- a/contrib/cmdclient/console.py
+++ b/contrib/cmdclient/console.py
@@ -33,7 +33,6 @@ import sys
 import time
 import urllib
 from http import TwistedHttpClient
-from typing import Optional

 import urlparse
 from signedjson.key import NACL_ED25519, decode_verify_key_bytes
@@ -726,7 +725,7 @@ class SynapseCmd(cmd.Cmd):
        method,
        path,
        data=None,
-        query_params: Optional[dict] = None,
+        query_params: dict | None = None,
        alt_text=None,
    ):
        """Runs an HTTP request and pretty prints the output.
--- a/contrib/cmdclient/http.py
+++ b/contrib/cmdclient/http.py
@@ -22,7 +22,6 @@
 import json
 import urllib
 from pprint import pformat
-from typing import Optional

 from twisted.internet import defer, reactor
 from twisted.web.client import Agent, readBody
@@ -90,7 +89,7 @@ class TwistedHttpClient(HttpClient):
        body = yield readBody(response)
        return json.loads(body)

-    def _create_put_request(self, url, json_data, headers_dict: Optional[dict] = None):
+    def _create_put_request(self, url, json_data, headers_dict: dict | None = None):
        """Wrapper of _create_request to issue a PUT request"""
        headers_dict = headers_dict or {}

@@ -101,7 +100,7 @@ class TwistedHttpClient(HttpClient):
            "PUT", url, producer=_JsonProducer(json_data), headers_dict=headers_dict
        )

-    def _create_get_request(self, url, headers_dict: Optional[dict] = None):
+    def _create_get_request(self, url, headers_dict: dict | None = None):
        """Wrapper of _create_request to issue a GET request"""
        return self._create_request("GET", url, headers_dict=headers_dict or {})

@@ -113,7 +112,7 @@ class TwistedHttpClient(HttpClient):
        data=None,
        qparams=None,
        jsonreq=True,
-        headers: Optional[dict] = None,
+        headers: dict | None = None,
    ):
        headers = headers or {}

@@ -138,7 +137,7 @@ class TwistedHttpClient(HttpClient):

    @defer.inlineCallbacks
    def _create_request(
-        self, method, url, producer=None, headers_dict: Optional[dict] = None
+        self, method, url, producer=None, headers_dict: dict | None = None
    ):
        """Creates and sends a request to the given url"""
        headers_dict = headers_dict or {}
--- a/contrib/grafana/synapse.json
+++ b/contrib/grafana/synapse.json
@@ -2166,10 +2166,10 @@
              "datasource": {
                "uid": "${DS_PROMETHEUS}"
              },
-              "expr": "rate(synapse_storage_events_persisted_by_source_type{instance=\"$instance\",job=~\"$job\",index=~\"$index\"}[$bucket_size])",
+              "expr": "rate(synapse_storage_events_persisted_events_sep_total{instance=\"$instance\",job=~\"$job\",index=~\"$index\"}[$bucket_size])",
              "format": "time_series",
              "intervalFactor": 2,
-              "legendFormat": "{{type}}",
+              "legendFormat": "{{origin_type}}",
              "refId": "D"
            }
          ],
@@ -2254,7 +2254,7 @@
              "datasource": {
                "uid": "${DS_PROMETHEUS}"
              },
-              "expr": "rate(synapse_storage_events_persisted_by_event_type{job=~\"$job\",index=~\"$index\",instance=\"$instance\"}[$bucket_size])",
+              "expr": "sum by(type) (rate(synapse_storage_events_persisted_events_sep_total{job=~\"$job\",index=~\"$index\",instance=\"$instance\"}[$bucket_size]))",
              "format": "time_series",
              "instant": false,
              "intervalFactor": 2,
@@ -2294,99 +2294,6 @@
            "align": false
          }
        },
-        {
-          "aliasColors": {
-            "irc-freenode (local)": "#EAB839"
-          },
-          "bars": false,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": {
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "decimals": 1,
-          "fill": 1,
-          "fillGradient": 0,
-          "gridPos": {
-            "h": 7,
-            "w": 12,
-            "x": 0,
-            "y": 44
-          },
-          "hiddenSeries": false,
-          "id": 44,
-          "legend": {
-            "alignAsTable": true,
-            "avg": false,
-            "current": false,
-            "hideEmpty": true,
-            "hideZero": true,
-            "max": false,
-            "min": false,
-            "show": true,
-            "total": false,
-            "values": false
-          },
-          "lines": true,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "options": {
-            "alertThreshold": true
-          },
-          "percentage": false,
-          "pluginVersion": "9.2.2",
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "datasource": {
-                "uid": "${DS_PROMETHEUS}"
-              },
-              "expr": "rate(synapse_storage_events_persisted_by_origin{job=~\"$job\",index=~\"$index\",instance=\"$instance\"}[$bucket_size])",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{origin_entity}} ({{origin_type}})",
-              "refId": "A",
-              "step": 20
-            }
-          ],
-          "thresholds": [],
-          "timeRegions": [],
-          "title": "Events/s by Origin",
-          "tooltip": {
-            "shared": false,
-            "sort": 2,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "mode": "time",
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "hertz",
-              "logBase": 1,
-              "min": "0",
-              "show": true
-            },
-            {
-              "format": "short",
-              "logBase": 1,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false
-          }
-        },
        {
          "aliasColors": {},
          "bars": false,
--- a/contrib/graph/graph.py
+++ b/contrib/graph/graph.py
@@ -24,7 +24,6 @@ import datetime
 import html
 import json
 import urllib.request
-from typing import List

 import pydot

@@ -33,7 +32,7 @@ def make_name(pdu_id: str, origin: str) -> str:
    return f"{pdu_id}@{origin}"


-def make_graph(pdus: List[dict], filename_prefix: str) -> None:
+def make_graph(pdus: list[dict], filename_prefix: str) -> None:
    """
    Generate a dot and SVG file for a graph of events in the room based on the
    topological ordering by querying a homeserver.
@@ -127,7 +126,7 @@ def make_graph(pdus: List[dict], filename_prefix: str) -> None:
    graph.write_svg("%s.svg" % filename_prefix, prog="dot")


-def get_pdus(host: str, room: str) -> List[dict]:
+def get_pdus(host: str, room: str) -> list[dict]:
    transaction = json.loads(
        urllib.request.urlopen(
            f"http://{host}/_matrix/federation/v1/context/{room}/"
--- a/contrib/prometheus/synapse-v2.rules
+++ b/contrib/prometheus/synapse-v2.rules
@@ -44,31 +44,3 @@ groups:
  ###
  ### End of 'Prometheus Console Only' rules block
  ###
-
-
-  ###
-  ### Grafana Only
-  ### The following rules are only needed if you use the Grafana dashboard
-  ### in contrib/grafana/synapse.json
-  ###
-  - record: synapse_storage_events_persisted_by_source_type
-    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_type="remote"})
-    labels:
-      type: remote
-  - record: synapse_storage_events_persisted_by_source_type
-    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity="*client*",origin_type="local"})
-    labels:
-      type: local
-  - record: synapse_storage_events_persisted_by_source_type
-    expr: sum without(type, origin_type, origin_entity) (synapse_storage_events_persisted_events_sep_total{origin_entity!="*client*",origin_type="local"})
-    labels:
-      type: bridges
-
-  - record: synapse_storage_events_persisted_by_event_type
-    expr: sum without(origin_entity, origin_type) (synapse_storage_events_persisted_events_sep_total)
-
-  - record: synapse_storage_events_persisted_by_origin
-    expr: sum without(type) (synapse_storage_events_persisted_events_sep_total)
-  ###
-  ### End of 'Grafana Only' rules block
-  ###
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,81 @@
+matrix-synapse-py3 (1.143.0~rc2) stable; urgency=medium
+
+  * New Synapse release 1.143.0rc2.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Nov 2025 17:36:08 -0700
+
+matrix-synapse-py3 (1.143.0~rc1) stable; urgency=medium
+
+  * New Synapse release 1.143.0rc1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Nov 2025 13:08:39 -0700
+
+matrix-synapse-py3 (1.142.1) stable; urgency=medium
+
+  * New Synapse release 1.142.1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 18 Nov 2025 12:25:23 -0700
+
+matrix-synapse-py3 (1.142.0) stable; urgency=medium
+
+  * New Synapse release 1.142.0.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 11 Nov 2025 09:45:51 +0000
+
+matrix-synapse-py3 (1.142.0~rc4) stable; urgency=medium
+
+  * New Synapse release 1.142.0rc4.
+
+ -- Synapse Packaging team <packages@matrix.org>  Fri, 07 Nov 2025 10:54:42 +0000
+
+matrix-synapse-py3 (1.142.0~rc3) stable; urgency=medium
+
+  * New Synapse release 1.142.0rc3.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 04 Nov 2025 17:39:11 +0000
+
+matrix-synapse-py3 (1.142.0~rc2) stable; urgency=medium
+
+  * New Synapse release 1.142.0rc2.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 04 Nov 2025 16:21:30 +0000
+
+matrix-synapse-py3 (1.142.0~rc1) stable; urgency=medium
+
+  * New Synapse release 1.142.0rc1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 04 Nov 2025 13:20:15 +0000
+
+matrix-synapse-py3 (1.141.0) stable; urgency=medium
+
+  * New Synapse release 1.141.0.
+
+ -- Synapse Packaging team <packages@matrix.org>  Wed, 29 Oct 2025 11:01:43 +0000
+
+matrix-synapse-py3 (1.141.0~rc2) stable; urgency=medium
+
+  * New Synapse release 1.141.0rc2.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 28 Oct 2025 10:20:26 +0000
+
+matrix-synapse-py3 (1.141.0~rc1) stable; urgency=medium
+
+  * New Synapse release 1.141.0rc1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 21 Oct 2025 11:01:44 +0100
+
+matrix-synapse-py3 (1.140.0) stable; urgency=medium
+
+  * New Synapse release 1.140.0.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 14 Oct 2025 15:22:36 +0100
+
+matrix-synapse-py3 (1.140.0~rc1) stable; urgency=medium
+
+  * New Synapse release 1.140.0rc1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Fri, 10 Oct 2025 10:56:51 +0100
+
 matrix-synapse-py3 (1.139.2) stable; urgency=medium

  * New Synapse release 1.139.2.
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -20,8 +20,8 @@
 # `poetry export | pip install -r /dev/stdin`, but beware: we have experienced bugs in
 # in `poetry export` in the past.

-ARG DEBIAN_VERSION=bookworm
-ARG PYTHON_VERSION=3.12
+ARG DEBIAN_VERSION=trixie
+ARG PYTHON_VERSION=3.13
 ARG POETRY_VERSION=2.1.1

 ###
@@ -142,10 +142,10 @@ RUN \
      libwebp7 \
      xmlsec1 \
      libjemalloc2 \
-      libicu \
    | grep '^\w' > /tmp/pkg-list && \
  for arch in arm64 amd64; do \
    mkdir -p /tmp/debs-${arch} && \
+    chown _apt:root /tmp/debs-${arch} && \
    cd /tmp/debs-${arch} && \
    apt-get -o APT::Architecture="${arch}" download $(cat /tmp/pkg-list); \
  done
@@ -176,15 +176,15 @@ LABEL org.opencontainers.image.documentation='https://element-hq.github.io/synap
 LABEL org.opencontainers.image.source='https://github.com/element-hq/synapse.git'
 LABEL org.opencontainers.image.licenses='AGPL-3.0-or-later OR LicenseRef-Element-Commercial'

-# On the runtime image, /lib is a symlink to /usr/lib, so we need to copy the
-# libraries to the right place, else the `COPY` won't work.
-# On amd64, we'll also have a /lib64 folder with ld-linux-x86-64.so.2, which is
-# already present in the runtime image.
-COPY --from=runtime-deps /install-${TARGETARCH}/lib /usr/lib
 COPY --from=runtime-deps /install-${TARGETARCH}/etc /etc
 COPY --from=runtime-deps /install-${TARGETARCH}/usr /usr
 COPY --from=runtime-deps /install-${TARGETARCH}/var /var
-COPY --from=builder /install /usr/local
+
+# Copy the installed python packages from the builder stage.
+#
+# uv will generate a `.lock` file when installing packages, which we don't want
+# to copy to the final image.
+COPY --from=builder  --exclude=.lock /install /usr/local
 COPY ./docker/start.py /start.py
 COPY ./docker/conf /conf

--- a/docker/Dockerfile-workers
+++ b/docker/Dockerfile-workers
@@ -1,9 +1,10 @@
-# syntax=docker/dockerfile:1
+# syntax=docker/dockerfile:1-labs

 ARG SYNAPSE_VERSION=latest
 ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION
-ARG DEBIAN_VERSION=bookworm
-ARG PYTHON_VERSION=3.12
+ARG DEBIAN_VERSION=trixie
+ARG PYTHON_VERSION=3.13
+ARG REDIS_VERSION=7.2

 # first of all, we create a base image with dependencies which we can copy into the
 # target image. For repeated rebuilds, this is much faster than apt installing
@@ -11,15 +12,27 @@ ARG PYTHON_VERSION=3.12

 FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base

+    ARG DEBIAN_VERSION
+    ARG REDIS_VERSION
+
    # Tell apt to keep downloaded package files, as we're using cache mounts.
    RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache

+    # The upstream redis-server deb has fewer dynamic libraries than Debian's package which makes it easier to copy later on
+    RUN \
+      curl -fsSL https://packages.redis.io/gpg | gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg && \
+      chmod 644 /usr/share/keyrings/redis-archive-keyring.gpg && \
+      echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb ${DEBIAN_VERSION} main" | tee /etc/apt/sources.list.d/redis.list
+
    RUN \
       --mount=type=cache,target=/var/cache/apt,sharing=locked \
       --mount=type=cache,target=/var/lib/apt,sharing=locked \
      apt-get update -qq && \
      DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \
-          nginx-light
+          nginx-light \
+          redis-server="6:${REDIS_VERSION}.*" redis-tools="6:${REDIS_VERSION}.*" \
+          # libicu is required by postgres, see `docker/complement/Dockerfile`
+          libicu76

    RUN \
    # remove default page
@@ -35,19 +48,12 @@ FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base

    RUN mkdir -p /uv/etc/supervisor/conf.d

-# Similarly, a base to copy the redis server from.
-#
-# The redis docker image has fewer dynamic libraries than the debian package,
-# which makes it much easier to copy (but we need to make sure we use an image
-# based on the same debian version as the synapse image, to make sure we get
-# the expected version of libc.
-FROM docker.io/library/redis:7-${DEBIAN_VERSION} AS redis_base
-
 # now build the final image, based on the the regular Synapse docker image
 FROM $FROM

    # Copy over dependencies
-    COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin
+    COPY --from=deps_base --parents /usr/lib/*-linux-gnu/libicu* /
+    COPY --from=deps_base /usr/bin/redis-server /usr/local/bin
    COPY --from=deps_base /uv /
    COPY --from=deps_base /usr/sbin/nginx /usr/sbin
    COPY --from=deps_base /usr/share/nginx /usr/share/nginx
--- a/docker/complement/Dockerfile
+++ b/docker/complement/Dockerfile
@@ -9,24 +9,24 @@
 ARG SYNAPSE_VERSION=latest
 # This is an intermediate image, to be built locally (not pulled from a registry).
 ARG FROM=matrixdotorg/synapse-workers:$SYNAPSE_VERSION
-ARG DEBIAN_VERSION=bookworm
+ARG DEBIAN_VERSION=trixie

-FROM docker.io/library/postgres:13-${DEBIAN_VERSION} AS postgres_base
+FROM docker.io/library/postgres:14-${DEBIAN_VERSION} AS postgres_base

 FROM $FROM
 # First of all, we copy postgres server from the official postgres image,
 # since for repeated rebuilds, this is much faster than apt installing
 # postgres each time.

-# This trick only works because (a) the Synapse image happens to have all the
-# shared libraries that postgres wants, (b) we use a postgres image based on
-# the same debian version as Synapse's docker image (so the versions of the
-# shared libraries match).
+# This trick only works because we use a postgres image based on the same
+# debian version as Synapse's docker image (so the versions of the shared
+# libraries match). Any missing libraries need to be added to either the
+# Synapse image or docker/Dockerfile-workers.
 RUN adduser --system --uid 999 postgres --home /var/lib/postgresql
 COPY --from=postgres_base /usr/lib/postgresql /usr/lib/postgresql
 COPY --from=postgres_base /usr/share/postgresql /usr/share/postgresql
 COPY --from=postgres_base --chown=postgres /var/run/postgresql /var/run/postgresql
-ENV PATH="${PATH}:/usr/lib/postgresql/13/bin"
+ENV PATH="${PATH}:/usr/lib/postgresql/14/bin"
 ENV PGDATA=/var/lib/postgresql/data

 # We also initialize the database at build time, rather than runtime, so that it's faster to spin up the image.
--- a/docker/configure_workers_and_start.py
+++ b/docker/configure_workers_and_start.py
@@ -65,13 +65,9 @@ from itertools import chain
 from pathlib import Path
 from typing import (
    Any,
-    Dict,
-    List,
    Mapping,
    MutableMapping,
    NoReturn,
-    Optional,
-    Set,
    SupportsIndex,
 )

@@ -96,7 +92,7 @@ WORKER_PLACEHOLDER_NAME = "placeholder_name"
 # Watching /_matrix/media and related needs a "media" listener
 # Stream Writers require "client" and "replication" listeners because they
 #   have to attach by instance_map to the master process and have client endpoints.
-WORKERS_CONFIG: Dict[str, Dict[str, Any]] = {
+WORKERS_CONFIG: dict[str, dict[str, Any]] = {
    "pusher": {
        "app": "synapse.app.generic_worker",
        "listener_resources": [],
@@ -408,7 +404,7 @@ def convert(src: str, dst: str, **template_vars: object) -> None:

 def add_worker_roles_to_shared_config(
    shared_config: dict,
-    worker_types_set: Set[str],
+    worker_types_set: set[str],
    worker_name: str,
    worker_port: int,
 ) -> None:
@@ -471,9 +467,9 @@ def add_worker_roles_to_shared_config(


 def merge_worker_template_configs(
-    existing_dict: Optional[Dict[str, Any]],
-    to_be_merged_dict: Dict[str, Any],
-) -> Dict[str, Any]:
+    existing_dict: dict[str, Any] | None,
+    to_be_merged_dict: dict[str, Any],
+) -> dict[str, Any]:
    """When given an existing dict of worker template configuration consisting with both
        dicts and lists, merge new template data from WORKERS_CONFIG(or create) and
        return new dict.
@@ -484,7 +480,7 @@ def merge_worker_template_configs(
            existing_dict.
    Returns: The newly merged together dict values.
    """
-    new_dict: Dict[str, Any] = {}
+    new_dict: dict[str, Any] = {}
    if not existing_dict:
        # It doesn't exist yet, just use the new dict(but take a copy not a reference)
        new_dict = to_be_merged_dict.copy()
@@ -509,8 +505,8 @@ def merge_worker_template_configs(


 def insert_worker_name_for_worker_config(
-    existing_dict: Dict[str, Any], worker_name: str
-) -> Dict[str, Any]:
+    existing_dict: dict[str, Any], worker_name: str
+) -> dict[str, Any]:
    """Insert a given worker name into the worker's configuration dict.

    Args:
@@ -526,7 +522,7 @@ def insert_worker_name_for_worker_config(
    return dict_to_edit


-def apply_requested_multiplier_for_worker(worker_types: List[str]) -> List[str]:
+def apply_requested_multiplier_for_worker(worker_types: list[str]) -> list[str]:
    """
    Apply multiplier(if found) by returning a new expanded list with some basic error
    checking.
@@ -587,7 +583,7 @@ def is_sharding_allowed_for_worker_type(worker_type: str) -> bool:

 def split_and_strip_string(
    given_string: str, split_char: str, max_split: SupportsIndex = -1
-) -> List[str]:
+) -> list[str]:
    """
    Helper to split a string on split_char and strip whitespace from each end of each
        element.
@@ -616,8 +612,8 @@ def generate_base_homeserver_config() -> None:


 def parse_worker_types(
-    requested_worker_types: List[str],
-) -> Dict[str, Set[str]]:
+    requested_worker_types: list[str],
+) -> dict[str, set[str]]:
    """Read the desired list of requested workers and prepare the data for use in
        generating worker config files while also checking for potential gotchas.

@@ -633,14 +629,14 @@ def parse_worker_types(
    # A counter of worker_base_name -> int. Used for determining the name for a given
    # worker when generating its config file, as each worker's name is just
    # worker_base_name followed by instance number
-    worker_base_name_counter: Dict[str, int] = defaultdict(int)
+    worker_base_name_counter: dict[str, int] = defaultdict(int)

    # Similar to above, but more finely grained. This is used to determine we don't have
    # more than a single worker for cases where multiples would be bad(e.g. presence).
-    worker_type_shard_counter: Dict[str, int] = defaultdict(int)
+    worker_type_shard_counter: dict[str, int] = defaultdict(int)

    # The final result of all this processing
-    dict_to_return: Dict[str, Set[str]] = {}
+    dict_to_return: dict[str, set[str]] = {}

    # Handle any multipliers requested for given workers.
    multiple_processed_worker_types = apply_requested_multiplier_for_worker(
@@ -684,7 +680,7 @@ def parse_worker_types(

        # Split the worker_type_string on "+", remove whitespace from ends then make
        # the list a set so it's deduplicated.
-        worker_types_set: Set[str] = set(
+        worker_types_set: set[str] = set(
            split_and_strip_string(worker_type_string, "+")
        )

@@ -743,7 +739,7 @@ def generate_worker_files(
    environ: Mapping[str, str],
    config_path: str,
    data_dir: str,
-    requested_worker_types: Dict[str, Set[str]],
+    requested_worker_types: dict[str, set[str]],
 ) -> None:
    """Read the desired workers(if any) that is passed in and generate shared
        homeserver, nginx and supervisord configs.
@@ -764,7 +760,7 @@ def generate_worker_files(
    # First read the original config file and extract the listeners block. Then we'll
    # add another listener for replication. Later we'll write out the result to the
    # shared config file.
-    listeners: List[Any]
+    listeners: list[Any]
    if using_unix_sockets:
        listeners = [
            {
@@ -792,12 +788,12 @@ def generate_worker_files(
    # base shared worker jinja2 template. This config file will be passed to all
    # workers, included Synapse's main process. It is intended mainly for disabling
    # functionality when certain workers are spun up, and adding a replication listener.
-    shared_config: Dict[str, Any] = {"listeners": listeners}
+    shared_config: dict[str, Any] = {"listeners": listeners}

    # List of dicts that describe workers.
    # We pass this to the Supervisor template later to generate the appropriate
    # program blocks.
-    worker_descriptors: List[Dict[str, Any]] = []
+    worker_descriptors: list[dict[str, Any]] = []

    # Upstreams for load-balancing purposes. This dict takes the form of the worker
    # type to the ports of each worker. For example:
@@ -805,14 +801,14 @@ def generate_worker_files(
    #   worker_type: {1234, 1235, ...}}
    # }
    # and will be used to construct 'upstream' nginx directives.
-    nginx_upstreams: Dict[str, Set[int]] = {}
+    nginx_upstreams: dict[str, set[int]] = {}

    # A map of: {"endpoint": "upstream"}, where "upstream" is a str representing what
    # will be placed after the proxy_pass directive. The main benefit to representing
    # this data as a dict over a str is that we can easily deduplicate endpoints
    # across multiple instances of the same worker. The final rendering will be combined
    # with nginx_upstreams and placed in /etc/nginx/conf.d.
-    nginx_locations: Dict[str, str] = {}
+    nginx_locations: dict[str, str] = {}

    # Create the worker configuration directory if it doesn't already exist
    os.makedirs("/conf/workers", exist_ok=True)
@@ -846,7 +842,7 @@ def generate_worker_files(
    # yaml config file
    for worker_name, worker_types_set in requested_worker_types.items():
        # The collected and processed data will live here.
-        worker_config: Dict[str, Any] = {}
+        worker_config: dict[str, Any] = {}

        # Merge all worker config templates for this worker into a single config
        for worker_type in worker_types_set:
@@ -1029,7 +1025,7 @@ def generate_worker_log_config(
    Returns: the path to the generated file
    """
    # Check whether we should write worker logs to disk, in addition to the console
-    extra_log_template_args: Dict[str, Optional[str]] = {}
+    extra_log_template_args: dict[str, str | None] = {}
    if environ.get("SYNAPSE_WORKERS_WRITE_LOGS_TO_DISK"):
        extra_log_template_args["LOG_FILE_PATH"] = f"{data_dir}/logs/{worker_name}.log"

@@ -1053,7 +1049,7 @@ def generate_worker_log_config(
    return log_config_filepath


-def main(args: List[str], environ: MutableMapping[str, str]) -> None:
+def main(args: list[str], environ: MutableMapping[str, str]) -> None:
    parser = ArgumentParser()
    parser.add_argument(
        "--generate-only",
@@ -1087,7 +1083,7 @@ def main(args: List[str], environ: MutableMapping[str, str]) -> None:
        if not worker_types_env:
            # No workers, just the main process
            worker_types = []
-            requested_worker_types: Dict[str, Any] = {}
+            requested_worker_types: dict[str, Any] = {}
        else:
            # Split type names by comma, ignoring whitespace.
            worker_types = split_and_strip_string(worker_types_env, ",")
--- a/docker/editable.Dockerfile
+++ b/docker/editable.Dockerfile
@@ -3,14 +3,14 @@
 #
 # Used by `complement.sh`. Not suitable for production use.

-ARG PYTHON_VERSION=3.9
+ARG PYTHON_VERSION=3.10

 ###
 ### Stage 0: generate requirements.txt
 ###
-# We hardcode the use of Debian bookworm here because this could change upstream
-# and other Dockerfiles used for testing are expecting bookworm.
-FROM docker.io/library/python:${PYTHON_VERSION}-slim-bookworm
+# We hardcode the use of Debian trixie here because this could change upstream
+# and other Dockerfiles used for testing are expecting trixie.
+FROM docker.io/library/python:${PYTHON_VERSION}-slim-trixie

 # Install Rust and other dependencies (stolen from normal Dockerfile)
 # install the OS build deps
--- a/docker/start.py
+++ b/docker/start.py
@@ -6,7 +6,7 @@ import os
 import platform
 import subprocess
 import sys
-from typing import Any, Dict, List, Mapping, MutableMapping, NoReturn, Optional
+from typing import Any, Mapping, MutableMapping, NoReturn

 import jinja2

@@ -50,7 +50,7 @@ def generate_config_from_template(
    config_dir: str,
    config_path: str,
    os_environ: Mapping[str, str],
-    ownership: Optional[str],
+    ownership: str | None,
 ) -> None:
    """Generate a homeserver.yaml from environment variables

@@ -69,7 +69,7 @@ def generate_config_from_template(
            )

    # populate some params from data files (if they exist, else create new ones)
-    environ: Dict[str, Any] = dict(os_environ)
+    environ: dict[str, Any] = dict(os_environ)
    secrets = {
        "registration": "SYNAPSE_REGISTRATION_SHARED_SECRET",
        "macaroon": "SYNAPSE_MACAROON_SECRET_KEY",
@@ -147,7 +147,7 @@ def generate_config_from_template(
    subprocess.run(args, check=True)


-def run_generate_config(environ: Mapping[str, str], ownership: Optional[str]) -> None:
+def run_generate_config(environ: Mapping[str, str], ownership: str | None) -> None:
    """Run synapse with a --generate-config param to generate a template config file

    Args:
@@ -200,7 +200,7 @@ def run_generate_config(environ: Mapping[str, str], ownership: Optional[str]) ->
    subprocess.run(args, check=True)


-def main(args: List[str], environ: MutableMapping[str, str]) -> None:
+def main(args: list[str], environ: MutableMapping[str, str]) -> None:
    mode = args[1] if len(args) > 1 else "run"

    # if we were given an explicit user to switch to, do so
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -116,6 +116,8 @@
      - [The Auth Chain Difference Algorithm](auth_chain_difference_algorithm.md)
    - [Media Repository](media_repository.md)
    - [Room and User Statistics](room_and_user_statistics.md)
+    - [Releasing]()
+      - [Release Notes Review Checklist](development/internal_documentation/release_notes_review_checklist.md)
  - [Scripts]()

 # Other
--- a/docs/admin_api/rooms.md
+++ b/docs/admin_api/rooms.md
@@ -1115,3 +1115,76 @@ Example response:
  ]
 }
 ```
+
+# Admin Space Hierarchy Endpoint
+
+This API allows an admin to fetch the space/room hierarchy for a given space, 
+returning details about that room and any children the room may have, paginating
+over the space tree in a depth-first manner to locate child rooms. This is
+functionally similar to the [CS Hierarchy](https://spec.matrix.org/v1.16/client-server-api/#get_matrixclientv1roomsroomidhierarchy) endpoint but does not check for
+room membership when returning room summaries.
+
+The endpoint does not query other servers over federation about remote rooms
+that the server has not joined. This is a deliberate trade-off: while this
+means it will leave some holes in the hierarchy that we could otherwise
+sometimes fill in, it significantly improves the endpoint's response time and
+the admin endpoint is designed for managing rooms local to the homeserver
+anyway.
+
+**Parameters**
+
+The following query parameters are available:
+
+* `from` - An optional pagination token, provided when there are more rooms to 
+    return than the limit. 
+* `limit` - Maximum amount of rooms to return. Must be a non-negative integer,
+   defaults to `50`.
+* `max_depth` - The maximum depth in the tree to explore, must be a non-negative
+   integer. 0 would correspond to just the root room, 1 would include just the
+   root room's children, etc.  If not provided will recurse into the space tree without limit.
+
+Request:
+
+```http
+GET /_synapse/admin/v1/rooms/<room_id>/hierarchy
+```
+
+Response:
+
+```json
+{
+  "rooms":
+      [
+        { "children_state": [
+            {
+              "content": {
+                "via": ["local_test_server"]
+              },
+              "origin_server_ts": 1500,
+              "sender": "@user:test",
+              "state_key": "!QrMkkqBSwYRIFNFCso:test",
+              "type": "m.space.child"
+            }
+        ],
+        "name": "space room",
+        "guest_can_join": false,
+        "join_rule": "public",
+        "num_joined_members": 1,
+        "room_id": "!sPOpNyMHbZAoAOsOFL:test",
+        "room_type": "m.space",
+        "world_readable": false
+      },
+
+      {
+        "children_state": [],
+        "guest_can_join": true,
+        "join_rule": "invite",
+        "name": "nefarious",
+        "num_joined_members": 1,
+        "room_id": "!QrMkkqBSwYRIFNFCso:test",
+        "topic": "being bad",
+        "world_readable": false}
+    ],
+  "next_batch": "KUYmRbeSpAoaAIgOKGgyaCEn"
+}
+```
--- a/docs/deprecation_policy.md
+++ b/docs/deprecation_policy.md
@@ -21,7 +21,7 @@ people building from source should ensure they can fetch recent versions of Rust
 (e.g. by using [rustup](https://rustup.rs/)).

 The oldest supported version of SQLite is the version
-[provided](https://packages.debian.org/bullseye/libsqlite3-0) by
+[provided](https://packages.debian.org/oldstable/libsqlite3-0) by
 [Debian oldstable](https://wiki.debian.org/DebianOldStable).


--- a/docs/development/contributing_guide.md
+++ b/docs/development/contributing_guide.md
@@ -320,7 +320,7 @@ The following command will let you run the integration test with the most common
 configuration:

 ```sh
-$ docker run --rm -it -v /path/where/you/have/cloned/the/repository\:/src:ro -v /path/to/where/you/want/logs\:/logs matrixdotorg/sytest-synapse:bullseye
+$ docker run --rm -it -v /path/where/you/have/cloned/the/repository\:/src:ro -v /path/to/where/you/want/logs\:/logs matrixdotorg/sytest-synapse:bookworm
 ```
 (Note that the paths must be full paths! You could also write `$(realpath relative/path)` if needed.)

--- a/docs/development/dependencies.md
+++ b/docs/development/dependencies.md
@@ -79,17 +79,17 @@ phonenumbers = [
 We can see this pinned version inside the docker image for that release:

 ```
-$ docker pull vectorim/synapse:v1.97.0
+$ docker pull matrixdotorg/synapse:latest
 ...
-$ docker run --entrypoint pip vectorim/synapse:v1.97.0 show phonenumbers
+$ docker run --entrypoint pip matrixdotorg/synapse:latest show phonenumbers
 Name: phonenumbers
-Version: 8.12.44
+Version: 9.0.15
 Summary: Python version of Google's common library for parsing, formatting, storing and validating international phone numbers.
 Home-page: https://github.com/daviddrysdale/python-phonenumbers
 Author: David Drysdale
 Author-email: dmd@lurklurk.org
 License: Apache License 2.0
-Location: /usr/local/lib/python3.9/site-packages
+Location: /usr/local/lib/python3.12/site-packages
 Requires:
 Required-by: matrix-synapse
 ```
--- a/docs/development/internal_documentation/release_notes_review_checklist.md
+++ b/docs/development/internal_documentation/release_notes_review_checklist.md
@@ -0,0 +1,12 @@
+# Release notes review checklist
+
+The Synapse release process includes a step to review the changelog before
+publishing it. The following is a list of common points to check for:
+
+1. Check whether any similar entries that can be merged together (make sure to include all mentioned PRs at the end of the line, i.e. (#1234, #1235, ...)).
+2. Link any MSCXXXX lines to the Matrix Spec Change itself: <https://github.com/matrix-org/matrix-spec-proposals/pull/xxxx>.
+3. Wrap any class names, variable names, etc. in back-ticks, if needed.
+4. Hoist any relevant security, deprecation, etc. announcements to the top of this version's changelog for visibility. This includes any announcements in RCs for this release.
+5. Check the upgrade notes for any important announcements, and link to them from the changelog if warranted.
+6. Quickly skim and check that each entry is in the appropriate section.
+7. Entries under the Bugfixes section should ideally state what Synapse version the bug was introduced in. For example: "Fixed a bug introduced in v1.x.y" or if no version can be identified, "Fixed a long-standing bug ...".
--- a/docs/development/synapse_architecture/cancellation.md
+++ b/docs/development/synapse_architecture/cancellation.md
@@ -299,7 +299,7 @@ logcontext is not finished before the `async` processing completes.

 **Bad**:
 ```python
-cache: Optional[ObservableDeferred[None]] = None
+cache: ObservableDeferred[None] | None = None

 async def do_something_else(
    to_resolve: Deferred[None]
@@ -326,7 +326,7 @@ with LoggingContext("request-1"):

 **Good**:
 ```python
-cache: Optional[ObservableDeferred[None]] = None
+cache: ObservableDeferred[None] | None = None

 async def do_something_else(
    to_resolve: Deferred[None]
@@ -358,7 +358,7 @@ with LoggingContext("request-1"):

 **OK**:
 ```python
-cache: Optional[ObservableDeferred[None]] = None
+cache: ObservableDeferred[None] | None = None

 async def do_something_else(
    to_resolve: Deferred[None]
--- a/docs/development/synapse_architecture/streams.md
+++ b/docs/development/synapse_architecture/streams.md
@@ -1,4 +1,4 @@
-## Streams
+# Streams

 Synapse has a concept of "streams", which are roughly described in [`id_generators.py`](
    https://github.com/element-hq/synapse/blob/develop/synapse/storage/util/id_generators.py
@@ -19,7 +19,7 @@ To that end, let's describe streams formally, paraphrasing from the docstring of
    https://github.com/element-hq/synapse/blob/a719b703d9bd0dade2565ddcad0e2f3a7a9d4c37/synapse/storage/util/id_generators.py#L96
 ).

-### Definition
+## Definition

 A stream is an append-only log `T1, T2, ..., Tn, ...` of facts[^1] which grows over time.
 Only "writers" can add facts to a stream, and there may be multiple writers.
@@ -47,7 +47,7 @@ But unhappy cases (e.g. transaction rollback due to an error) also count as comp
 Once completed, the rows written with that stream ID are fixed, and no new rows
 will be inserted with that ID.

-### Current stream ID
+## Current stream ID

 For any given stream reader (including writers themselves), we may define a per-writer current stream ID:

@@ -93,7 +93,7 @@ Consider a single-writer stream which is initially at ID 1.
 | Complete 6 | 6                 |                                                 |


-### Multi-writer streams
+## Multi-writer streams

 There are two ways to view a multi-writer stream.

@@ -115,7 +115,7 @@ The facts this stream holds are instructions to "you should now invalidate these
 We only ever treat this as a multiple single-writer streams as there is no important ordering between cache invalidations.
 (Invalidations are self-contained facts; and the invalidations commute/are idempotent).

-### Writing to streams
+## Writing to streams

 Writers need to track:
 - track their current position (i.e. its own per-writer stream ID).
@@ -133,7 +133,7 @@ To complete a fact, first remove it from your map of facts currently awaiting co
 Then, if no earlier fact is awaiting completion, the writer can advance its current position in that stream.
 Upon doing so it should emit an `RDATA` message[^3], once for every fact between the old and the new stream ID.

-### Subscribing to streams
+## Subscribing to streams

 Readers need to track the current position of every writer.

@@ -146,10 +146,44 @@ The `RDATA` itself is not a self-contained representation of the fact;
 readers will have to query the stream tables for the full details.
 Readers must also advance their record of the writer's current position for that stream.

-# Summary
+## Summary

 In a nutshell: we have an append-only log with a "buffer/scratchpad" at the end where we have to wait for the sequence to be linear and contiguous.

+---
+
+## Cheatsheet for creating a new stream
+
+These rough notes and links may help you to create a new stream and add all the
+necessary registration and event handling.
+
+**Create your stream:**
+- [create a stream class and stream row class](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/replication/tcp/streams/_base.py#L728)
+  - will need an [ID generator](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/storage/databases/main/thread_subscriptions.py#L75)
+    - may need [writer configuration](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/config/workers.py#L177), if there isn't already an obvious source of configuration for which workers should be designated as writers to your new stream.
+      - if adding new writer configuration, add Docker-worker configuration, which lets us configure the writer worker in Complement tests: [[1]](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/docker/configure_workers_and_start.py#L331), [[2]](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/docker/configure_workers_and_start.py#L440)
+- most of the time, you will likely introduce a new datastore class for the concept represented by the new stream, unless there is already an obvious datastore that covers it.
+- consider whether it may make sense to introduce a handler
+
+**Register your stream in:**
+- [`STREAMS_MAP`](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/replication/tcp/streams/__init__.py#L71)
+
+**Advance your stream in:**
+- [`process_replication_position` of your appropriate datastore](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/storage/databases/main/thread_subscriptions.py#L111)
+  - don't forget the super call
+
+**If you're going to do any caching that needs invalidation from new rows:**
+- add invalidations to [`process_replication_rows` of your appropriate datastore](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/storage/databases/main/thread_subscriptions.py#L91)
+  - don't forget the super call
+- add local-only [invalidations to your writer transactions](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/storage/databases/main/thread_subscriptions.py#L201)
+
+**For streams to be used in sync:**
+- add a new field to [`StreamToken`](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/types/__init__.py#L1003)
+  - add a new [`StreamKeyType`](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/types/__init__.py#L999)
+- add appropriate wake-up rules
+  - in [`on_rdata`](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/replication/tcp/client.py#L260)
+  - locally on the same worker when completing a write, [e.g. in your handler](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/handlers/thread_subscriptions.py#L139)
+- add the stream in [`bound_future_token`](https://github.com/element-hq/synapse/blob/4367fb2d078c52959aeca0fe6874539c53e8360d/synapse/streams/events.py#L127)

 ---

--- a/docs/modules/account_data_callbacks.md
+++ b/docs/modules/account_data_callbacks.md
@@ -15,7 +15,7 @@ _First introduced in Synapse v1.57.0_
 ```python
 async def on_account_data_updated(
    user_id: str,
-    room_id: Optional[str],
+    room_id: str | None,
    account_data_type: str,
    content: "synapse.module_api.JsonDict",
 ) -> None:
@@ -82,7 +82,7 @@ class CustomAccountDataModule:
    async def log_new_account_data(
        self,
        user_id: str,
-        room_id: Optional[str],
+        room_id: str | None,
        account_data_type: str,
        content: JsonDict,
    ) -> None:
--- a/docs/modules/account_validity_callbacks.md
+++ b/docs/modules/account_validity_callbacks.md
@@ -12,7 +12,7 @@ The available account validity callbacks are:
 _First introduced in Synapse v1.39.0_

 ```python
-async def is_user_expired(user: str) -> Optional[bool]
+async def is_user_expired(user: str) -> bool | None
 ```

 Called when processing any authenticated request (except for logout requests). The module
--- a/docs/modules/media_repository_callbacks.md
+++ b/docs/modules/media_repository_callbacks.md
@@ -11,7 +11,7 @@ The available media repository callbacks are:
 _First introduced in Synapse v1.132.0_

 ```python
-async def get_media_config_for_user(user_id: str) -> Optional[JsonDict]
+async def get_media_config_for_user(user_id: str) -> JsonDict | None
 ```

 **<span style="color:red">
@@ -70,7 +70,7 @@ implementations of this callback.
 _First introduced in Synapse v1.139.0_

 ```python
-async def get_media_upload_limits_for_user(user_id: str, size: int) -> Optional[List[synapse.module_api.MediaUploadLimit]]
+async def get_media_upload_limits_for_user(user_id: str, size: int) -> list[synapse.module_api.MediaUploadLimit] | None
 ```

 **<span style="color:red">
--- a/docs/modules/password_auth_provider_callbacks.md
+++ b/docs/modules/password_auth_provider_callbacks.md
@@ -23,12 +23,7 @@ async def check_auth(
    user: str,
    login_type: str,
    login_dict: "synapse.module_api.JsonDict",
-) -> Optional[
-    Tuple[
-        str, 
-        Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]]
-    ]
-]
+) -> tuple[str, Callable[["synapse.module_api.LoginResponse"], Awaitable[None]] | None] | None
 ```

 The login type and field names should be provided by the user in the
@@ -67,12 +62,7 @@ async def check_3pid_auth(
    medium: str, 
    address: str,
    password: str,
-) -> Optional[
-    Tuple[
-        str, 
-        Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]]
-    ]
-]
+) -> tuple[str, Callable[["synapse.module_api.LoginResponse"], Awaitable[None]] | None]
 ```

 Called when a user attempts to register or log in with a third party identifier,
@@ -98,7 +88,7 @@ _First introduced in Synapse v1.46.0_
 ```python
 async def on_logged_out(
    user_id: str,
-    device_id: Optional[str],
+    device_id: str | None,
    access_token: str
 ) -> None
 ``` 
@@ -119,7 +109,7 @@ _First introduced in Synapse v1.52.0_
 async def get_username_for_registration(
    uia_results: Dict[str, Any],
    params: Dict[str, Any],
-) -> Optional[str]
+) -> str | None
 ```

 Called when registering a new user. The module can return a username to set for the user
@@ -180,7 +170,7 @@ _First introduced in Synapse v1.54.0_
 async def get_displayname_for_registration(
    uia_results: Dict[str, Any],
    params: Dict[str, Any],
-) -> Optional[str]
+) -> str | None
 ```

 Called when registering a new user. The module can return a display name to set for the
@@ -259,12 +249,7 @@ class MyAuthProvider:
        username: str,
        login_type: str,
        login_dict: "synapse.module_api.JsonDict",
-    ) -> Optional[
-        Tuple[
-            str,
-            Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
-        ]
-    ]:
+    ) -> tuple[str, Callable[["synapse.module_api.LoginResponse"], Awaitable[None]] | None] | None:
        if login_type != "my.login_type":
            return None

@@ -276,12 +261,7 @@ class MyAuthProvider:
        username: str,
        login_type: str,
        login_dict: "synapse.module_api.JsonDict",
-    ) -> Optional[
-        Tuple[
-            str,
-            Optional[Callable[["synapse.module_api.LoginResponse"], Awaitable[None]]],
-        ]
-    ]:
+    ) -> tuple[str, Callable[["synapse.module_api.LoginResponse"], Awaitable[None]] | None] | None:
        if login_type != "m.login.password":
            return None

--- a/docs/modules/presence_router_callbacks.md
+++ b/docs/modules/presence_router_callbacks.md
@@ -23,7 +23,7 @@ _First introduced in Synapse v1.42.0_
 ```python 
 async def get_users_for_states(
    state_updates: Iterable["synapse.api.UserPresenceState"],
-) -> Dict[str, Set["synapse.api.UserPresenceState"]]
+) -> dict[str, set["synapse.api.UserPresenceState"]]
 ```
 **Requires** `get_interested_users` to also be registered

@@ -45,7 +45,7 @@ _First introduced in Synapse v1.42.0_
 ```python
 async def get_interested_users(
    user_id: str
-) -> Union[Set[str], "synapse.module_api.PRESENCE_ALL_USERS"]
+) -> set[str] | "synapse.module_api.PRESENCE_ALL_USERS"
 ```
 **Requires** `get_users_for_states` to also be registered

@@ -73,7 +73,7 @@ that `@alice:example.org` receives all presence updates from `@bob:example.com`
 `@charlie:somewhere.org`, regardless of whether Alice shares a room with any of them.

 ```python
-from typing import Dict, Iterable, Set, Union
+from typing import Iterable

 from synapse.module_api import ModuleApi

@@ -90,7 +90,7 @@ class CustomPresenceRouter:
    async def get_users_for_states(
        self,
        state_updates: Iterable["synapse.api.UserPresenceState"],
-    ) -> Dict[str, Set["synapse.api.UserPresenceState"]]:
+    ) -> dict[str, set["synapse.api.UserPresenceState"]]:
        res = {}
        for update in state_updates:
            if (
@@ -104,7 +104,7 @@ class CustomPresenceRouter:
    async def get_interested_users(
        self,
        user_id: str,
-    ) -> Union[Set[str], "synapse.module_api.PRESENCE_ALL_USERS"]:
+    ) -> set[str] | "synapse.module_api.PRESENCE_ALL_USERS":
        if user_id == "@alice:example.com":
            return {"@bob:example.com", "@charlie:somewhere.org"}

--- a/docs/modules/ratelimit_callbacks.md
+++ b/docs/modules/ratelimit_callbacks.md
@@ -11,7 +11,7 @@ The available ratelimit callbacks are:
 _First introduced in Synapse v1.132.0_

 ```python
-async def get_ratelimit_override_for_user(user: str, limiter_name: str) -> Optional[synapse.module_api.RatelimitOverride]
+async def get_ratelimit_override_for_user(user: str, limiter_name: str) -> synapse.module_api.RatelimitOverride | None
 ```

 **<span style="color:red">
--- a/docs/modules/spam_checker_callbacks.md
+++ b/docs/modules/spam_checker_callbacks.md
@@ -331,9 +331,9 @@ search results; otherwise return `False`.
 The profile is represented as a dictionary with the following keys:

 * `user_id: str`. The Matrix ID for this user.
-* `display_name: Optional[str]`. The user's display name, or `None` if this user
+* `display_name: str | None`. The user's display name, or `None` if this user
  has not set a display name.
-* `avatar_url: Optional[str]`. The `mxc://` URL to the user's avatar, or `None`
+* `avatar_url: str | None`. The `mxc://` URL to the user's avatar, or `None`
  if this user has not set an avatar.

 The module is given a copy of the original dictionary, so modifying it from within the
@@ -352,10 +352,10 @@ _First introduced in Synapse v1.37.0_

 ```python
 async def check_registration_for_spam(
-    email_threepid: Optional[dict],
-    username: Optional[str],
+    email_threepid: dict | None,
+    username: str | None,
    request_info: Collection[Tuple[str, str]],
-    auth_provider_id: Optional[str] = None,
+    auth_provider_id: str | None = None,
 ) -> "synapse.spam_checker_api.RegistrationBehaviour"
 ```

@@ -438,10 +438,10 @@ _First introduced in Synapse v1.87.0_
 ```python
 async def check_login_for_spam(
    user_id: str,
-    device_id: Optional[str],
-    initial_display_name: Optional[str],
-    request_info: Collection[Tuple[Optional[str], str]],
-    auth_provider_id: Optional[str] = None,
+    device_id: str | None,
+    initial_display_name: str | None,
+    request_info: Collection[tuple[str | None, str]],
+    auth_provider_id: str | None = None,
 ) -> Union["synapse.module_api.NOT_SPAM", "synapse.module_api.errors.Codes"]
 ```

@@ -509,7 +509,7 @@ class ListSpamChecker:
            resource=IsUserEvilResource(config),
        )

-    async def check_event_for_spam(self, event: "synapse.events.EventBase") -> Union[Literal["NOT_SPAM"], Codes]:
+    async def check_event_for_spam(self, event: "synapse.events.EventBase") -> Literal["NOT_SPAM"] | Codes:
        if event.sender in self.evil_users:
          return Codes.FORBIDDEN
        else:
--- a/docs/modules/third_party_rules_callbacks.md
+++ b/docs/modules/third_party_rules_callbacks.md
@@ -16,7 +16,7 @@ _First introduced in Synapse v1.39.0_
 async def check_event_allowed(
    event: "synapse.events.EventBase",
    state_events: "synapse.types.StateMap",
-) -> Tuple[bool, Optional[dict]]
+) -> tuple[bool, dict | None]
 ```

 **<span style="color:red">
@@ -340,7 +340,7 @@ class EventCensorer:
        self,
        event: "synapse.events.EventBase",
        state_events: "synapse.types.StateMap",
-    ) -> Tuple[bool, Optional[dict]]:
+    ) -> Tuple[bool, dict | None]:
        event_dict = event.get_dict()
        new_event_content = await self.api.http_client.post_json_get_json(
            uri=self._endpoint, post_json=event_dict,
--- a/docs/presence_router_module.md
+++ b/docs/presence_router_module.md
@@ -76,7 +76,7 @@ possible.
 #### `get_interested_users`

 ```python
-async def get_interested_users(self, user_id: str) -> Union[Set[str], str]
+async def get_interested_users(self, user_id: str) -> set[str] | str
 ```

 **Required.** An asynchronous method that is passed a single Matrix User ID. This
@@ -182,7 +182,7 @@ class ExamplePresenceRouter:
    async def get_interested_users(
        self,
        user_id: str,
-    ) -> Union[Set[str], PresenceRouter.ALL_USERS]:
+    ) -> set[str] | PresenceRouter.ALL_USERS:
        """
        Retrieve a list of users that `user_id` is interested in receiving the
        presence of. This will be in addition to those they share a room with.
--- a/docs/reverse_proxy.md
+++ b/docs/reverse_proxy.md
@@ -86,6 +86,45 @@ server {
 }
 ```

+### Nginx Proxy Manager or NPMPlus
+
+```nginx
+Add New Proxy-Host
+	- Tab Details
+		- Domain Names: matrix.example.com
+		- Scheme: http
+		- Forward Hostname / IP: localhost # IP address or hostname where Synapse is hosted. Bare-metal or Container.
+		- Forward Port: 8008
+
+	- Tab Custom locations
+		- Add Location
+		- Define Location: /_matrix
+		- Scheme: http
+		- Forward Hostname / IP: localhost # IP address or hostname where Synapse is hosted. Bare-metal or Container.
+		- Forward Port: 8008
+		- Click on the gear icon to display a custom configuration field. Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+			- Enter this in the Custom Field: client_max_body_size 50M;
+
+	- Tab SSL/TLS
+		- Choose your SSL/TLS certificate and preferred settings.
+
+	- Tab Advanced
+		- Enter this in the Custom Field. This means that port 8448 no longer needs to be opened in your Firewall.
+		  The Federation communication use now Port 443.
+
+			location /.well-known/matrix/server {
+			  return 200 '{"m.server": "matrix.example.com:443"}';
+      		  add_header Content-Type application/json;
+			}
+
+ 			location /.well-known/matrix/client {
+      		  return 200 '{"m.homeserver": {"base_url": "https://matrix.example.com"}}';
+      		  add_header Content-Type application/json;
+      		  add_header "Access-Control-Allow-Origin" *;
+			}
+
+```
+
 ### Caddy v2

 ```
--- a/docs/setup/installation.md
+++ b/docs/setup/installation.md
@@ -87,17 +87,13 @@ file when you upgrade the Debian package to a later version.
 Andrej Shadura maintains a
 [`matrix-synapse`](https://packages.debian.org/sid/matrix-synapse) package in
 the Debian repositories.
-For `bookworm` and `sid`, it can be installed simply with:
+For `forky` (14) and `sid` (rolling release), it can be installed simply with:

 ```sh
 sudo apt install matrix-synapse
 ```

-Synapse is also available in `bullseye-backports`.  Please
-see the [Debian documentation](https://backports.debian.org/Instructions/)
-for information on how to use backports.
-
-`matrix-synapse` is no longer maintained for `buster` and older.
+The downstream Debian `matrix-synapse` package is not available for `trixie` (13) and older. Consider using the Matrix.org packages (above).

 ##### Downstream Ubuntu packages

@@ -208,7 +204,7 @@ When following this route please make sure that the [Platform-specific prerequis
 System requirements:

 - POSIX-compliant system (tested on Linux & OS X)
- Python 3.9 or later, up to Python 3.13.
+- Python 3.10 or later, up to Python 3.13.
 - At least 1GB of free RAM if you want to join large public rooms like #matrix:matrix.org

 If building on an uncommon architecture for which pre-built wheels are
@@ -311,11 +307,16 @@ sudo dnf group install "Development Tools"

 ##### Red Hat Enterprise Linux / Rocky Linux / Oracle Linux

-*Note: The term "RHEL" below refers to Red Hat Enterprise Linux, Oracle Linux and Rocky Linux. The distributions are 1:1 binary compatible.*
+*Note: The term "RHEL" below refers to Red Hat Enterprise Linux, Oracle Linux and Rocky Linux.
+The distributions are 1:1 binary compatible.*

 It's recommended to use the latest Python versions.

-RHEL 8 in particular ships with Python 3.6 by default which is EOL and therefore no longer supported by Synapse. RHEL 9 ships with Python 3.9 which is still supported by the Python core team as of this writing. However, newer Python versions provide significant performance improvements and they're available in official distributions' repositories. Therefore it's recommended to use them.
+RHEL 8 & 9 in particular ship with Python 3.6 & 3.9 respectively by default
+which are EOL and therefore no longer supported by Synapse.
+However, newer Python versions provide significant performance improvements
+and they're available in official distributions' repositories.
+Therefore it's recommended to use them.

 Python 3.11 and 3.12 are available for both RHEL 8 and 9.

--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -117,6 +117,52 @@ each upgrade are complete before moving on to the next upgrade, to avoid
 stacking them up. You can monitor the currently running background updates with
 [the Admin API](usage/administration/admin_api/background_updates.html#status).

+# Upgrading to v1.143.0
+
+## Dropping support for PostgreSQL 13
+
+In line with our [deprecation policy](deprecation_policy.md), we've dropped
+support for PostgreSQL 13, as it is no longer supported upstream.
+This release of Synapse requires PostgreSQL 14+.
+
+# Upgrading to v1.142.0
+
+## Python 3.10+ is now required
+
+The minimum supported Python version has been increased from v3.9 to v3.10.
+You will need Python 3.10+ to run Synapse v1.142.0.
+
+If you use current versions of the
+[matrixorg/synapse](setup/installation.html#docker-images-and-ansible-playbooks)
+Docker images, no action is required.
+
+## SQLite 3.40.0+ is now required
+
+The minimum supported SQLite version has been increased from 3.27.0 to 3.40.0.
+
+If you use current versions of the
+[matrixorg/synapse](setup/installation.html#docker-images-and-ansible-playbooks)
+Docker images, no action is required.
+
+
+# Upgrading to v1.141.0
+
+## Docker images now based on Debian `trixie` with Python 3.13
+
+The Docker images are now based on Debian `trixie` and use Python 3.13. If you
+are using the Docker images as a base image you may need to e.g. adjust the
+paths you mount any additional Python packages at.
+
+# Upgrading to v1.140.0
+
+## Users of `synapse-s3-storage-provider` must update the module to `v1.6.0`
+
+Deployments that make use of the
+[synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider/)
+module must update it to
+[v1.6.0](https://github.com/matrix-org/synapse-s3-storage-provider/releases/tag/v1.6.0),
+otherwise users will be unable to upload or download media.
+
 # Upgrading to v1.139.0

 ## `/register` requests from old application service implementations may break when using MAS
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -3815,7 +3815,7 @@ This setting has the following sub-options:

 * `localdb_enabled` (boolean): Set to false to disable authentication against the local password database. This is ignored if `enabled` is false, and is only useful if you have other `password_providers`. Defaults to `true`.

-* `pepper` (string|null): Set the value here to a secret random string for extra security. DO NOT CHANGE THIS AFTER INITIAL SETUP! Defaults to `null`.
+* `pepper` (string|null): A secret random string that will be appended to user's passwords before they are hashed. This improves the security of short passwords. DO NOT CHANGE THIS AFTER INITIAL SETUP! Defaults to `null`.

 * `policy` (object): Define and enforce a password policy, such as minimum lengths for passwords, etc. This is an implementation of MSC2000.

--- a/docs/workers.md
+++ b/docs/workers.md
@@ -120,6 +120,9 @@ worker_replication_secret: ""

 redis:
    enabled: true
+    # For additional Redis configuration options (TLS, authentication, etc.), 
+    # see the Synapse configuration documentation:
+    # https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#redis

 instance_map:
    main:
--- a/mypy.ini
+++ b/mypy.ini
@@ -37,7 +37,7 @@ strict_equality = True

 # Run mypy type checking with the minimum supported Python version to catch new usage
 # that isn't backwards-compatible (types, overloads, etc).
-python_version = 3.9
+python_version = 3.10

 files =
  docker/,
@@ -69,7 +69,7 @@ warn_unused_ignores = False
 ;;     https://github.com/python/typeshed/tree/master/stubs
 ;; and for each package `foo` there's a corresponding `types-foo` package on PyPI,
 ;; which we can pull in as a dev dependency by adding to `pyproject.toml`'s
-;; `[tool.poetry.dev-dependencies]` list.
+;; `[tool.poetry.group.dev.dependencies]` list.

 # https://github.com/lepture/authlib/issues/460
 [mypy-authlib.*]
--- a/poetry.lock
+++ b/poetry.lock
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,3 +1,183 @@
+[project]
+name = "matrix-synapse"
+version = "1.143.0rc2"
+description = "Homeserver for the Matrix decentralised comms protocol"
+readme = "README.rst"
+authors = [
+    { name = "Matrix.org Team and Contributors", email = "packages@matrix.org" }
+]
+requires-python = ">=3.10.0,<4.0.0"
+license = "AGPL-3.0-or-later OR LicenseRef-Element-Commercial"
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Topic :: Communications :: Chat",
+]
+
+# Mandatory Dependencies
+dependencies = [
+    # we use the TYPE_CHECKER.redefine method added in jsonschema 3.0.0
+    "jsonschema>=3.0.0",
+    # 0.25.0 is the first version to support Python 3.14.
+    # We can remove this once https://github.com/python-jsonschema/jsonschema/issues/1426 is fixed
+    # and included in a release.
+    "rpds-py>=0.25.0",
+    # We choose 2.0 as a lower bound: the most recent backwards incompatible release.
+    # It seems generally available, judging by https://pkgs.org/search/?q=immutabledict
+    "immutabledict>=2.0",
+    # We require 2.1.0 or higher for type hints. Previous guard was >= 1.1.0
+    "unpaddedbase64>=2.1.0",
+    # We require 2.0.0 for immutabledict support.
+    "canonicaljson>=2.0.0,<3.0.0",
+    # we use the type definitions added in signedjson 1.1.
+    "signedjson>=1.1.0,<2.0.0",
+    # validating SSL certs for IP addresses requires service_identity 18.1.
+    "service-identity>=18.1.0",
+    # Twisted 18.9 introduces some logger improvements that the structured
+    # logger utilises
+    # Twisted 19.7.0 moves test helpers to a new module and deprecates the old location.
+    # Twisted 21.2.0 introduces contextvar support.
+    # We could likely bump this to 22.1 without making distro packagers'
+    # lives hard (as of 2025-07, distro support is Ubuntu LTS: 22.1, Debian stable: 22.4,
+    # RHEL 9: 22.10)
+    "Twisted[tls]>=21.2.0",
+    "treq>=21.5.0",
+    # Twisted has required pyopenssl 16.0 since about Twisted 16.6.
+    "pyOpenSSL>=16.0.0",
+    "PyYAML>=5.3",
+    "pyasn1>=0.1.9",
+    "pyasn1-modules>=0.0.7",
+    "bcrypt>=3.1.7",
+    # 10.0.1 minimum is mandatory here because of libwebp CVE-2023-4863.
+    # Packagers that already took care of libwebp can lower that down to 5.4.0.
+    "Pillow>=10.0.1",
+    # We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2.
+    # 2.0.5 updates collections.abc imports to avoid Python 3.10 incompatibility.
+    "sortedcontainers>=2.0.5",
+    "pymacaroons>=0.13.0",
+    "msgpack>=0.5.2",
+    "phonenumbers>=8.2.0",
+    # we use GaugeHistogramMetric, which was added in prom-client 0.4.0.
+    # `prometheus_client.metrics` was added in 0.5.0, so we require that too.
+    # We chose 0.6.0 as that is the current version in Debian Buster (oldstable).
+    "prometheus-client>=0.6.0",
+    # we use `order`, which arrived in attrs 19.2.0.
+    # Note: 21.1.0 broke `/sync`, see https://github.com/matrix-org/synapse/issues/9936
+    "attrs>=19.2.0,!=21.1.0",
+    "netaddr>=0.7.18",
+    # Jinja 2.x is incompatible with MarkupSafe>=2.1. To ensure that admins do not
+    # end up with a broken installation, with recent MarkupSafe but old Jinja, we
+    # add a lower bound to the Jinja2 dependency.
+    "Jinja2>=3.0",
+    # 3.2.0 updates collections.abc imports to avoid Python 3.10 incompatibility.
+    "bleach>=3.2.0",
+    # pydantic 2.12 depends on typing-extensions>=4.14.1
+    "typing-extensions>=4.14.1",
+    # We enforce that we have a `cryptography` version that bundles an `openssl`
+    # with the latest security patches.
+    "cryptography>=3.4.7",
+    # ijson 3.1.4 fixes a bug with "." in property names
+    "ijson>=3.1.4",
+    "matrix-common>=1.3.0,<2.0.0",
+    # We need packaging.verison.Version(...).major added in 20.0.
+    "packaging>=20.0",
+    "pydantic>=2.8;python_version < '3.14'",
+    "pydantic>=2.12;python_version >= '3.14'",
+
+    # This is for building the rust components during "poetry install", which
+    # currently ignores the `build-system.requires` directive (c.f.
+    # https://github.com/python-poetry/poetry/issues/6154). Both `pip install` and
+    # `poetry build` do the right thing without this explicit dependency.
+    #
+    # This isn't really a dev-dependency, as `poetry install --without dev` will fail,
+    # but the alternative is to add it to the main list of deps where it isn't
+    # needed.
+    "setuptools_rust>=1.3",
+
+    # This is used for parsing multipart responses
+    "python-multipart>=0.0.9",
+]
+
+[project.optional-dependencies]
+matrix-synapse-ldap3 = ["matrix-synapse-ldap3>=0.1"]
+postgres = [
+    "psycopg2>=2.8;platform_python_implementation != 'PyPy'",
+    "psycopg2cffi>=2.8;platform_python_implementation == 'PyPy'",
+    "psycopg2cffi-compat==1.1;platform_python_implementation == 'PyPy'",
+]
+saml2 = ["pysaml2>=4.5.0"]
+oidc = ["authlib>=0.15.1"]
+# systemd-python is necessary for logging to the systemd journal via
+# `systemd.journal.JournalHandler`, as is documented in
+# `contrib/systemd/log_config.yaml`.
+systemd = ["systemd-python>=231"]
+url-preview = ["lxml>=4.6.3"]
+sentry = ["sentry-sdk>=0.7.2"]
+opentracing = ["jaeger-client>=4.2.0", "opentracing>=2.2.0"]
+jwt = ["authlib"]
+# hiredis is not a *strict* dependency, but it makes things much faster.
+# (if it is not installed, we fall back to slow code.)
+redis = ["txredisapi>=1.4.7", "hiredis"]
+# Required to use experimental `caches.track_memory_usage` config option.
+cache-memory = ["pympler"]
+# If this is updated, don't forget to update the equivalent lines in
+# tool.poetry.group.dev.dependencies.
+test = ["parameterized>=0.9.0", "idna>=3.3"]
+
+# The duplication here is awful.
+#
+# TODO: This can be resolved via PEP 735 dependency groups, which poetry supports
+# since 2.2.0. However, switching to that would require updating the command
+# developers use to install the `all` group. This would require some coordination.
+#
+# NB: the strings in this list must be *package* names, not extra names.
+# Some of our extra names _are_ package names, which can lead to great confusion.
+all = [
+    # matrix-synapse-ldap3
+    "matrix-synapse-ldap3>=0.1",
+    # postgres
+    "psycopg2>=2.8;platform_python_implementation != 'PyPy'",
+    "psycopg2cffi>=2.8;platform_python_implementation == 'PyPy'",
+    "psycopg2cffi-compat==1.1;platform_python_implementation == 'PyPy'",
+    # saml2
+    "pysaml2>=4.5.0",
+    # oidc and jwt
+    "authlib>=0.15.1",
+    # url-preview
+    "lxml>=4.6.3",
+    # sentry
+    "sentry-sdk>=0.7.2",
+    # opentracing
+    "jaeger-client>=4.2.0", "opentracing>=2.2.0",
+    # redis
+    "txredisapi>=1.4.7", "hiredis",
+    # cache-memory
+    "pympler",
+    # omitted:
+    #   - test: it's useful to have this separate from dev deps in the olddeps job
+    #   - systemd: this is a system-based requirement
+]
+
+[project.urls]
+repository = "https://github.com/element-hq/synapse"
+documentation = "https://element-hq.github.io/synapse/latest"
+"Issue Tracker" = "https://github.com/element-hq/synapse/issues"
+
+[project.scripts]
+synapse_homeserver = "synapse.app.homeserver:main"
+synapse_worker = "synapse.app.generic_worker:main"
+synctl = "synapse._scripts.synctl:main"
+
+export_signing_key = "synapse._scripts.export_signing_key:main"
+generate_config = "synapse._scripts.generate_config:main"
+generate_log_config = "synapse._scripts.generate_log_config:main"
+generate_signing_key = "synapse._scripts.generate_signing_key:main"
+hash_password = "synapse._scripts.hash_password:main"
+register_new_matrix_user = "synapse._scripts.register_new_matrix_user:main"
+synapse_port_db = "synapse._scripts.synapse_port_db:main"
+synapse_review_recent_signups = "synapse._scripts.review_recent_signups:main"
+update_synapse_database = "synapse._scripts.update_synapse_database:main"
+
+
 [tool.towncrier]
    package = "synapse"
    filename = "CHANGES.md"
@@ -36,7 +216,7 @@

 [tool.ruff]
 line-length = 88
-target-version = "py39"
+target-version = "py310"

 [tool.ruff.lint]
 # See https://beta.ruff.rs/docs/rules/#error-e
@@ -78,6 +258,19 @@ select = [
    "LOG",
    # flake8-logging-format
    "G",
+    # pyupgrade
+    "UP006",
+    "UP007",
+    "UP045",
+]
+extend-safe-fixes = [
+    # pyupgrade rules compatible with Python >= 3.9
+    "UP006",
+    "UP007",
+    # pyupgrade rules compatible with Python >= 3.10
+    "UP045",
+    # Allow ruff to automatically fix trailing spaces within a multi-line string/comment.
+    "W293"
 ]

 [tool.ruff.lint.isort]
@@ -100,20 +293,9 @@ manifest-path = "rust/Cargo.toml"
 module-name = "synapse.synapse_rust"

 [tool.poetry]
-name = "matrix-synapse"
-version = "1.139.2"
-description = "Homeserver for the Matrix decentralised comms protocol"
-authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
-license = "AGPL-3.0-or-later OR LicenseRef-Element-Commercial"
-readme = "README.rst"
-repository = "https://github.com/element-hq/synapse"
 packages = [
    { include = "synapse" },
 ]
-classifiers = [
-    "Development Status :: 5 - Production/Stable",
-    "Topic :: Communications :: Chat",
-]
 include = [
    { path = "AUTHORS.rst", format = "sdist" },
    { path = "book.toml", format = "sdist" },
@@ -143,190 +325,12 @@ exclude = [
 script = "build_rust.py"
 generate-setup-file = true

-[tool.poetry.scripts]
-synapse_homeserver = "synapse.app.homeserver:main"
-synapse_worker = "synapse.app.generic_worker:main"
-synctl = "synapse._scripts.synctl:main"
-
-export_signing_key = "synapse._scripts.export_signing_key:main"
-generate_config = "synapse._scripts.generate_config:main"
-generate_log_config = "synapse._scripts.generate_log_config:main"
-generate_signing_key = "synapse._scripts.generate_signing_key:main"
-hash_password = "synapse._scripts.hash_password:main"
-register_new_matrix_user = "synapse._scripts.register_new_matrix_user:main"
-synapse_port_db = "synapse._scripts.synapse_port_db:main"
-synapse_review_recent_signups = "synapse._scripts.review_recent_signups:main"
-update_synapse_database = "synapse._scripts.update_synapse_database:main"
-
-[tool.poetry.dependencies]
-python = "^3.9.0"
-
-# Mandatory Dependencies
-# ----------------------
-# we use the TYPE_CHECKER.redefine method added in jsonschema 3.0.0
-jsonschema = ">=3.0.0"
-# We choose 2.0 as a lower bound: the most recent backwards incompatible release.
-# It seems generally available, judging by https://pkgs.org/search/?q=immutabledict
-immutabledict = ">=2.0"
-# We require 2.1.0 or higher for type hints. Previous guard was >= 1.1.0
-unpaddedbase64 = ">=2.1.0"
-# We require 2.0.0 for immutabledict support.
-canonicaljson = "^2.0.0"
-# we use the type definitions added in signedjson 1.1.
-signedjson = "^1.1.0"
-# validating SSL certs for IP addresses requires service_identity 18.1.
-service-identity = ">=18.1.0"
-# Twisted 18.9 introduces some logger improvements that the structured
-# logger utilises
-# Twisted 19.7.0 moves test helpers to a new module and deprecates the old location.
-# Twisted 21.2.0 introduces contextvar support.
-# We could likely bump this to 22.1 without making distro packagers'
-# lives hard (as of 2025-07, distro support is Ubuntu LTS: 22.1, Debian stable: 22.4,
-# RHEL 9: 22.10)
-Twisted = {extras = ["tls"], version = ">=21.2.0"}
-treq = ">=21.5.0"
-# Twisted has required pyopenssl 16.0 since about Twisted 16.6.
-pyOpenSSL = ">=16.0.0"
-PyYAML = ">=5.3"
-pyasn1 = ">=0.1.9"
-pyasn1-modules = ">=0.0.7"
-bcrypt = ">=3.1.7"
-# 10.0.1 minimum is mandatory here because of libwebp CVE-2023-4863.
-# Packagers that already took care of libwebp can lower that down to 5.4.0.
-Pillow = ">=10.0.1"
-# We use SortedDict.peekitem(), which was added in sortedcontainers 1.5.2.
-sortedcontainers = ">=1.5.2"
-pymacaroons = ">=0.13.0"
-msgpack = ">=0.5.2"
-phonenumbers = ">=8.2.0"
-# we use GaugeHistogramMetric, which was added in prom-client 0.4.0.
-# `prometheus_client.metrics` was added in 0.5.0, so we require that too.
-# We chose 0.6.0 as that is the current version in Debian Buster (oldstable).
-prometheus-client = ">=0.6.0"
-# we use `order`, which arrived in attrs 19.2.0.
-# Note: 21.1.0 broke `/sync`, see https://github.com/matrix-org/synapse/issues/9936
-attrs = ">=19.2.0,!=21.1.0"
-netaddr = ">=0.7.18"
-# Jinja 2.x is incompatible with MarkupSafe>=2.1. To ensure that admins do not
-# end up with a broken installation, with recent MarkupSafe but old Jinja, we
-# add a lower bound to the Jinja2 dependency.
-Jinja2 = ">=3.0"
-bleach = ">=1.4.3"
-# We use `assert_never`, which were added in `typing-extensions` 4.1.
-typing-extensions = ">=4.1"
-# We enforce that we have a `cryptography` version that bundles an `openssl`
-# with the latest security patches.
-cryptography = ">=3.4.7"
-# ijson 3.1.4 fixes a bug with "." in property names
-ijson = ">=3.1.4"
-matrix-common = "^1.3.0"
-# We need packaging.verison.Version(...).major added in 20.0.
-packaging = ">=20.0"
-# We support pydantic v1 and pydantic v2 via the pydantic.v1 compat module.
-# See https://github.com/matrix-org/synapse/issues/15858
-pydantic = ">=1.7.4, <3"
-
-# This is for building the rust components during "poetry install", which
-# currently ignores the `build-system.requires` directive (c.f.
-# https://github.com/python-poetry/poetry/issues/6154). Both `pip install` and
-# `poetry build` do the right thing without this explicit dependency.
-#
-# This isn't really a dev-dependency, as `poetry install --without dev` will fail,
-# but the alternative is to add it to the main list of deps where it isn't
-# needed.
-setuptools_rust = ">=1.3"
-
-# This is used for parsing multipart responses
-python-multipart = ">=0.0.9"
-
-# Optional Dependencies
-# ---------------------
-matrix-synapse-ldap3 = { version = ">=0.1", optional = true }
-psycopg2 = { version = ">=2.8", markers = "platform_python_implementation != 'PyPy'", optional = true }
-psycopg2cffi = { version = ">=2.8", markers = "platform_python_implementation == 'PyPy'", optional = true }
-psycopg2cffi-compat = { version = "==1.1", markers = "platform_python_implementation == 'PyPy'", optional = true }
-pysaml2 = { version = ">=4.5.0", optional = true }
-authlib = { version = ">=0.15.1", optional = true }
-# systemd-python is necessary for logging to the systemd journal via
-# `systemd.journal.JournalHandler`, as is documented in
-# `contrib/systemd/log_config.yaml`.
-# Note: systemd-python 231 appears to have been yanked from pypi
-systemd-python = { version = ">=231", optional = true }
-lxml = { version = ">=4.5.2", optional = true }
-sentry-sdk = { version = ">=0.7.2", optional = true }
-opentracing = { version = ">=2.2.0", optional = true }
-jaeger-client = { version = ">=4.0.0", optional = true }
-txredisapi = { version = ">=1.4.7", optional = true }
-hiredis = { version = "*", optional = true }
-Pympler = { version = "*", optional = true }
-parameterized = { version = ">=0.7.4", optional = true }
-idna = { version = ">=2.5", optional = true }
-
-[tool.poetry.extras]
-# NB: Packages that should be part of `pip install matrix-synapse[all]` need to be specified
-# twice: once here, and once in the `all` extra.
-matrix-synapse-ldap3 = ["matrix-synapse-ldap3"]
-postgres = ["psycopg2", "psycopg2cffi", "psycopg2cffi-compat"]
-saml2 = ["pysaml2"]
-oidc = ["authlib"]
-# systemd-python is necessary for logging to the systemd journal via
-# `systemd.journal.JournalHandler`, as is documented in
-# `contrib/systemd/log_config.yaml`.
-systemd = ["systemd-python"]
-url-preview = ["lxml"]
-sentry = ["sentry-sdk"]
-opentracing = ["jaeger-client", "opentracing"]
-jwt = ["authlib"]
-# hiredis is not a *strict* dependency, but it makes things much faster.
-# (if it is not installed, we fall back to slow code.)
-redis = ["txredisapi", "hiredis"]
-# Required to use experimental `caches.track_memory_usage` config option.
-cache-memory = ["pympler"]
-test = ["parameterized", "idna"]
-
-# The duplication here is awful. I hate hate hate hate hate it. However, for now I want
-# to ensure you can still `pip install matrix-synapse[all]` like today. Two motivations:
-# 1) for new installations, I want instructions in existing documentation and tutorials
-#    out there to still work.
-# 2) I don't want to hard-code a list of extras into CI if I can help it. The ideal
-#    solution here would be something like https://github.com/python-poetry/poetry/issues/3413
-# Poetry 1.2's dependency groups might make this easier. But I'm not trying that out
-# until there's a stable release of 1.2.
-#
-# NB: the strings in this list must be *package* names, not extra names.
-# Some of our extra names _are_ package names, which can lead to great confusion.
-all = [
-    # matrix-synapse-ldap3
-    "matrix-synapse-ldap3",
-    # postgres
-    "psycopg2", "psycopg2cffi", "psycopg2cffi-compat",
-    # saml2
-    "pysaml2",
-    # oidc and jwt
-    "authlib",
-    # url-preview
-    "lxml",
-    # sentry
-    "sentry-sdk",
-    # opentracing
-    "jaeger-client", "opentracing",
-    # redis
-    "txredisapi", "hiredis",
-    # cache-memory
-    "pympler",
-    # omitted:
-    #   - test: it's useful to have this separate from dev deps in the olddeps job
-    #   - systemd: this is a system-based requirement
-]
-
-[tool.poetry.dev-dependencies]
+[tool.poetry.group.dev.dependencies]
 # We pin development dependencies in poetry.lock so that our tests don't start
 # failing on new releases. Keeping lower bounds loose here means that dependabot
 # can bump versions without having to update the content-hash in the lockfile.
 # This helps prevents merge conflicts when running a batch of dependabot updates.
-ruff = "0.12.10"
-# Type checking only works with the pydantic.v1 compat module from pydantic v2
-pydantic = "^2"
+ruff = "0.14.5"

 # Typechecking
 lxml-stubs = ">=0.4.0"
@@ -346,17 +350,18 @@ types-setuptools = ">=57.4.0"
 # Dependencies which are exclusively required by unit test code. This is
 # NOT a list of all modules that are necessary to run the unit tests.
 # Tests assume that all optional dependencies are installed.
-# parameterized<0.7.4 can create classes with names that would normally be invalid
-# identifiers. trial really does not like this when running with multiple workers.
-parameterized = ">=0.7.4"
-idna = ">=2.5"
+#
+# If this is updated, don't forget to update the equivalent lines in
+# project.optional-dependencies.test.
+parameterized = ">=0.9.0"
+idna = ">=3.3"

 # The following are used by the release script
 click = ">=8.1.3"
 # GitPython was == 3.1.14; bumped to 3.1.20, the first release with type hints.
 GitPython = ">=3.1.20"
 markdown-it-py = ">=3.0.0"
-pygithub = ">=1.55"
+pygithub = ">=1.59"
 # The following are executed as commands by the release script.
 twine = "*"
 # Towncrier min version comes from https://github.com/matrix-org/synapse/pull/3425. Rationale unclear.
@@ -365,6 +370,9 @@ towncrier = ">=18.6.0rc1"
 # Used for checking the Poetry lockfile
 tomli = ">=1.2.3"

+# Used for checking the schema delta files
+sqlglot = ">=28.0.0"
+

 [build-system]
 # The upper bounds here are defensive, intended to prevent situations like
@@ -373,19 +381,27 @@ tomli = ">=1.2.3"
 # runtime errors caused by build system changes.
 # We are happy to raise these upper bounds upon request,
 # provided we check that it's safe to do so (i.e. that CI passes).
-requires = ["poetry-core>=1.1.0,<=2.1.3", "setuptools_rust>=1.3,<=1.11.1"]
+requires = ["poetry-core>=2.0.0,<=2.1.3", "setuptools_rust>=1.3,<=1.11.1"]
 build-backend = "poetry.core.masonry.api"


 [tool.cibuildwheel]
 # Skip unsupported platforms (by us or by Rust).
-# See https://cibuildwheel.readthedocs.io/en/stable/options/#build-skip for the list of build targets.
+#
+# See https://cibuildwheel.readthedocs.io/en/stable/options/#build-skip for the
+# list of supported build targets.
+#
+# Also see `.github/workflows/release-artifacts.yml` for the list of
+# architectures we build for (based on the runner OS types we use), as well as
+# the platforms we exclude from testing in CI.
+#
 # We skip:
-#  - CPython and PyPy 3.8: EOLed
-#  - musllinux i686: excluded to reduce number of wheels we build.
-#    c.f. https://github.com/matrix-org/synapse/pull/12595#discussion_r963107677
-skip = "cp38* pp38* *-musllinux_i686"
-# Enable non-default builds.
+#  - free-threaded cpython builds: these are not currently supported.
+#  - i686: We don't support 32-bit platforms.
+skip = "cp3??t-* *i686*"
+# Enable non-default builds. See the list of available options:
+# https://cibuildwheel.pypa.io/en/stable/options#enable
+#
 # "pypy" used to be included by default up until cibuildwheel 3.
 enable = "pypy"

--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				Fix room upgrade `room_config` argument and documentation for `user_may_create_room` spam-checker callback.
				`@@ -1 +0,0 @@`
				`Update OEmbed providers to use 'X' instead of 'Twitter' in URL previews, following a rebrand. Contributed by @HammyHavoc.`
				`@@ -1 +0,0 @@`
				Fix `server_name` in logging context for multiple Synapse instances in one process.
				`@@ -1 +0,0 @@`
				Wrap the Rust HTTP client with `make_deferred_yieldable` so it follows Synapse logcontext rules.
				`@@ -1 +0,0 @@`
				`Fix the GitHub Actions workflow that moves issues labeled "X-Needs-Info" to the "Needs info" column on the team's internal triage board.`
				`@@ -1 +0,0 @@`
				`Explain how Deferred callbacks interact with logcontexts.`
				`@@ -1 +0,0 @@`
				`Disconnect background process work from request trace.`
				`@@ -1 +0,0 @@`
				`Update [MSC4284: Policy Servers](https://github.com/matrix-org/matrix-spec-proposals/pull/4284) implementation to support signatures when available.`
				`@@ -1 +0,0 @@`
				Reduce overall number of calls to `_get_e2e_cross_signing_signatures_for_devices` by increasing the batch size of devices the query is called with, reducing DB load.
				`@@ -1 +0,0 @@`
				`Update error code used when an appservice tries to masquerade as an unknown device using [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326). Contributed by @tulir @ Beeper.`