This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Broad release touches Bugfixes, Internal Changes, Synapse 1.153.0rc1, and https://github.com/element-hq/synapse/issues/19714.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | Make ACLs apply to EDUs per MSC4163. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | Implement partial MSC4311: `m.room.create` required in stripped invite_state/knock_state. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | Have Simplified Sliding Sync return new response immediately on room subscription change. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | Expose tombstoned and replacement_room in admin API room details endpoint. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Dependency | Medium | Configure Dependabot to update Python dependencies only in lockfile unless widening upper bounds. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Performance | Medium | Add a Rust canonical JSON serializer. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Performance | Medium | Reduce WORKER_LOCK_MAX_RETRY_INTERVAL to 5 seconds to reduce idle time after lock release. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Deprecation | Medium | Remove experimental config flag msc3266_enabled, stabilizing Room summary API. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Allow self-requested user erasure upon account deactivation even if profile changes disabled. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Bugfix | Medium | Fix Fedora/EPEL packaging issue caused by unnecessary authlib version bump in pyproject.toml. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Bugfix | Medium | Fix Synapse not backfilling new history with pagination tokens near backward extremity. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Fix mutation of power level event when upgrading a room to version 12. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Revert Simplified Sliding Sync change due to performance problems. (Source: granite4.1:30b@2026-05-19-audit; confidence: low) | — |
| Refactor | Medium | Port Event.signatures field to Rust. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Refactor | Medium | Port Event.unsigned field to Rust. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Refactor | Medium | Force keyword-only arguments for Duration so time units must be specified. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Other | Medium | Add warning about known problems when configuring use_frozen_dicts. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
Full changelog
Synapse 1.153.0 (2026-05-19)
No significant changes since 1.153.0rc3.
Synapse 1.153.0rc3 (2026-05-15)
Bugfixes
- Revert 'Have MSC4186: Simplified Sliding Sync return a new response immediately if a room subscription has changed and produced a new response. (#19714)' (introduced in 1.153.0rc1) due to performance problems. (#19784)
Synapse 1.153.0rc2 (2026-05-13)
Bugfixes
- Correctly handle arbitrary precision integers in `unsigned` field of events. The bug was introduced in 1.153.0rc1. (#19769)
Synapse 1.153.0rc1 (2026-05-08)
Features
- Make ACLs apply to EDUs per MSC4163. (#18475)
- Stabilize MSC3266: Room summary API, removing the experimental config flag `msc3266_enabled`. Contributed by @dasha-uwu. (#19720)
- Partial MSC4311 implementation: `m.room.create` is now a required part of stripped `invite_state`/`knock_state`. Contributed by @FrenchGithubUser @Famedly. (#19722)
- Expose `tombstoned` and `replacement_room` in room details on admin API endpoint `GET /_synapse/admin/v1/rooms/<room_id>`. Contributed by Noah Markert. (#19737)
Bugfixes
- Allow self-requested user erasure (upon account deactivation) to succeed even if Synapse has disabled profile changes. Contributed by Famedly. (#19398)
- Fix Synapse not backfilling new history when attempting to use a pagination token near a backward extremity. (#19611)
- Have MSC4186: Simplified Sliding Sync return a new response immediately if a room subscription has changed and produced a new response. (#19714)
- Fix a bug where when upgrading a room to room version 12, the power level event in the old room got temporarily mutated to remove the user upgrading the room's power. (#19727)
- Fix packaging for Fedora and EPEL caused by unnecessary bumping `authlib` minimum version requirement in `pyproject.toml` file. Contributed by Oleg Girko. (#19742)
Improved Documentation
- Add warning about known problems when configuring `use_frozen_dicts`. (#19711)
Internal Changes
- Port `Event.signatures` field to Rust. (#19706)
- Port `Event.unsigned` field to Rust. (#19708)
- Add a Rust canonical JSON serializer. (#19739, #19763)
- Configure Dependabot to only update Python dependencies in the lockfile, unless widening upper bounds. (#19743)
- Reduce `WORKER_LOCK_MAX_RETRY_INTERVAL` to 5 seconds to reduce idle time after lock is released. (#19755)
- Force keyword-only arguments for `Duration` so time units have to be specified. (#19756)