Update dependency matrix-js-sdk to v38 [SECURITY]#366

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-matrix-js-sdk-vulnerability

Conversation

@renovate renovate Bot commented Oct 15, 2024

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: matrix-js-sdk
Change: ^25.0.0 -> ^38.0.0
Age / Confidence: badges (not captured in text)

matrix-js-sdk will freeze when a user sets a room with itself as its predecessor

CVE-2024-42369 / GHSA-vhr5-g3pm-49fm

More information

Details

Impact

A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug.

Even though the CVSS score would be 4.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L), we classify this as a High severity issue.

Patches

This was patched in matrix-js-sdk 34.3.1.

Workarounds

Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either getRoomUpgradeHistory or leaveRoomChain.

References

N/A.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Matrix JavaScript SDK's key history sharing could share keys to malicious devices

CVE-2024-47080 / GHSA-4jf8-g8wp-cx7c

More information

Details

Impact

In matrix-js-sdk versions 9.11.0 through 34.7.0, the method MatrixClient.sendSharedHistoryKeys is vulnerable to interception by malicious homeservers. The method implements functionality proposed in MSC3061 and can be used by clients to share historical message keys with newly invited users, granting them access to past messages in the room.

However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks.

Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call MatrixClient.initRustCrypto() instead of MatrixClient.initCrypto()) are unaffected by this vulnerability, because MatrixClient.sendSharedHistoryKeys() raises an exception in such environments.

Patches

Fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality.

Workarounds

Remove use of affected functionality from clients.

For more information

If you have any questions or comments about this advisory, please email us at security at matrix.org.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X



matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal

CVE-2024-50336 / GHSA-xvg8-m4x3-w6xr

More information

Details

Summary

matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.

Details

The Matrix specification requires homeservers to validate the server-name and media-id components of MXC URIs with the intent of preventing path traversal. However, it does not mention that a similar check must also be performed on the client to prevent client-side path traversal. matrix-js-sdk fails to perform this validation.

Patches

Fixed in matrix-js-sdk 34.11.1.

Workarounds

None.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N



matrix-js-sdk has insufficient validation when considering a room to be upgraded by another

CVE-2025-59160 / GHSA-mp7c-m3rh-r56v

More information

Details

Impact

matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.

Patches

The issue has been patched and users should upgrade to 38.2.0.

Workarounds

Avoid using MatrixClient::getJoinedRooms in favour of getRooms() and filtering upgraded rooms separately.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N



Release Notes

matrix-org/matrix-js-sdk (matrix-js-sdk)

v38.2.0

Compare Source

==================================================================================================
Fix CVE-2025-59160 / GHSA-mp7c-m3rh-r56v

v38.1.0

Compare Source

==================================================================================================

✨ Features

  • Remove custom org.matrix.msc4075.rtc.notification.parent relation type (#​4979). Contributed by @​toger5.
  • MatrixRTC: Add RTC decline event (#​4978). Contributed by @​toger5.
  • Make a MatrixRTCSession emit once the RTCNotification is sent (#​4976). Contributed by @​toger5.
  • Use hydra semantics for unknown room versions (#​4957). Contributed by @​dbkr.
  • Expose the StatusChanged event through the RTCSession (#​4974). Contributed by @​toger5.
  • Add probablyLeft event to the MatrixRTCSession (#​4962). Contributed by @​toger5.

v38.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

  • Release tranche of breaking changes (#​4975).
  • Remove support for FetchHttpApi onlyData = false
  • Remove deprecated IJoinRoomOpts.syncRoom
  • Remove deprecated methods which are unsupported in rust crypto
  • Remove deprecated getAuthIssuer method
  • Remove deprecated beginKeyVerification method
  • Remove deprecated isEncryptedDisabledForUnverifiedDevices getter
  • Remove deprecated UndecryptableToDeviceEvent MatrixClient emit
  • Remove deprecated defer utility method
  • Remove deprecated UIAResponse dummy type
  • Remove deprecated MatrixRTCSession MembershipConfig fields
  • Remove deprecated findVerificationRequestDMInProgress and storeSessionBackupPrivateKey methods in favour of overloads

✨ Features

  • Allow multiple rtc sessions per room (with different sessionDescriptions) (#​4945). Contributed by @​toger5.
  • Add support for login_hint in authorization url generation (#​4943). Contributed by @​odelcroi.
  • Only process MatrixRTC sessions associated with calls for callMembershipsForRoom (#​4960). Contributed by @​fkwp.

v37.13.0

Compare Source

====================================================================================================
This release supports new v12 Matrix rooms and consequently has a breaking change, removing powerLevelNorm from the RoomMember object as this can't be supported with infinite power levels. Apps should use the non-normalised powerLevel instead.

✨ Features

  • [Backport staging] Support v12 rooms in maySendEvent (#​4956). Contributed by @​RiotRobot.
  • [Backport staging] Support for creator power level (#​4954). Contributed by @​RiotRobot.
  • Experimental support for sharing encrypted history on invite (#​4920). Contributed by @​richvdh.
  • Use the logger associated with MatrixClient in rust sdk (#​4918). Contributed by @​richvdh.
  • Update to matrix-sdk-crypto-wasm 15.1.0, and add new ShieldStateCode.MismatchedSender (#​4916). Contributed by @​richvdh.

🐛 Bug Fixes

  • Fix unknown/broken state in the RTC Membership Manager causing unnecessary error logging. (#​4944). Contributed by @​toger5.

v37.12.0

Compare Source

====================================================================================================

✨ Features

  • Custom abort timeout logic for restarting delayed events that is compatible with the widget api (#​4927). Contributed by @​toger5.
  • Allow sending notification events when starting a call (#​4826). Contributed by @​robintown.

v37.11.0

Compare Source

====================================================================================================

v37.10.0

Compare Source

====================================================================================================

v37.9.0

Compare Source

==================================================================================================

🐛 Bug Fixes

  • Ensure we send spec-compliant filter strings by stripping out null values (#​4865). Contributed by @​t3chguy.
  • Fix MatrixRTC membership manager failing to rejoin in a race condition (sync vs not found response) (#​4861). Contributed by @​toger5.
  • Include extraParams in all HTTP requests (#​4860). Contributed by @​rsb-tbg.

v37.8.0

Compare Source

==================================================================================================

v37.7.0

Compare Source

==================================================================================================

✨ Features

  • Allow the embedded client to work without update_state support (#​4849). Contributed by @​robintown.
  • Check for unknown variant on to-device sending and fall back to room event encryption. (#​4847). Contributed by @​toger5.
  • Reapply "Distinguish room state and timeline events in embedded clients" (#​4790). Contributed by @​robintown.

v37.6.0

Compare Source

==================================================================================================

🦖 Deprecations

  • Deprecate utils function defer in favour of Promise.withResolvers (#​4829). Contributed by @​t3chguy.

v37.5.0

Compare Source

==================================================================================================

🐛 Bug Fixes

  • [Backport staging] Fix token refresh behaviour for non-expired tokens (#​4827). Contributed by @​RiotRobot.
  • Refactor how token refreshing works to be more resilient (#​4819). Contributed by @​t3chguy.

v37.4.0

Compare Source

==================================================================================================

v37.3.0

Compare Source

==================================================================================================

✨ Features

  • MatrixRTC MembershipManager: remove redundant sendDelayedEventAction and expose status (#​4747). Contributed by @​toger5.
  • Abstract logout-causing error type from tokenRefreshFunction calls (#​4765). Contributed by @​t3chguy.
  • Improve PushProcessor::getPushRuleGlobRegex (#​4764). Contributed by @​t3chguy.
  • Export push processor & method for converting matrix glob to regexp (#​4763). Contributed by @​t3chguy.
  • Add authenticated media parameter to getMediaConfig (#​4762). Contributed by @​m004.
  • Rust crypto: set a timeout on outgoing HTTP requests (#​4761). Contributed by @​richvdh.
  • Switch sliding sync support to simplified sliding sync (#​4400). Contributed by @​dbkr.

v37.2.0

Compare Source

==================================================================================================

🐛 Bug Fixes

  • Allow port differing in OIDC dynamic registration URIs (#​4749). Contributed by @​t3chguy.
  • OIDC: only pass logo_uri, policy_uri, tos_uri if they conform to "common base" (#​4748). Contributed by @​t3chguy.

v37.1.0

Compare Source

==================================================================================================

🦖 Deprecations

  • MatrixRTC: MembershipManager test cases and deprecation of MatrixRTCSession.room (#​4713). Contributed by @​toger5.

v37.0.0

Compare Source

==================================================================================================

v36.2.0

Compare Source

==================================================================================================

🦖 Deprecations

  • [Backport staging] Deprecate parameter and functions using legacy crypto in models/event.ts (#​4700). Contributed by @​RiotRobot.

v36.1.0

Compare Source

==================================================================================================

✨ Features

  • Deprecate MatrixClient.login and replace with loginRequest (#​4632). Contributed by @​richvdh.
  • Use SyncCryptoCallback api instead of legacy crypto in sliding sync (#​4624). Contributed by @​florianduros.
  • Distinguish room state and timeline events in embedded clients (#​4574). Contributed by @​robintown.
  • Allow setting default secret storage key id to null (#​4615). Contributed by @​florianduros.
  • Add authenticated media to getAvatarUrl in room and room-member models (#​4616). Contributed by @​m004.
  • Send MSC3981 'recurse' param on /relations endpoint on Matrix 1.10 servers (#​4023). Contributed by @​dbkr.

🐛 Bug Fixes

  • [Backport staging] Revert "Distinguish room state and timeline events in embedded clients (#​4574)" (#​4657). Contributed by @​RiotRobot.
  • Change randomString et al to be secure (#​4621). Contributed by @​dbkr.
  • Fix issue with sentinels being incorrect on m.room.member events (#​4609). Contributed by @​t3chguy.

v36.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

  • Remove support for "legacy" MSC3898 group calling in MatrixRTCSession and CallMembership (#​4583). Contributed by @​toger5.

✨ Features

  • MatrixRTC: Implement expiry logic for CallMembership and additional test coverage (#​4587). Contributed by @​toger5.

v35.1.0

Compare Source

==================================================================================================
This release updates matrix-sdk-crypto-wasm to fix a bug which could prevent loading stored crypto state from storage.

🐛 Bug Fixes

  • Upgrade matrix-sdk-crypto-wasm to 1.11.0 (#​4593).

v35.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

This release contains several breaking changes which will need code changes in your app. Most notably, initCrypto()
no longer exists and has been moved to initLegacyCrypto() in preparation for the eventual removal of Olm. You can
continue to use legacy Olm crypto for now by calling initLegacyCrypto() instead.

You may also need to make further changes if you use more advanced APIs. See the individual PRs (listed in order of size of change) for specific APIs changed and how to migrate.

🦖 Deprecations

  • Deprecate remaining legacy functions and move CryptoEvent.LegacyCryptoStoreMigrationProgress handler (#​4560). Contributed by @​florianduros.

✨ Features

  • Rename MatrixClient.initCrypto into MatrixClient.initLegacyCrypto (#​4567). Contributed by @​florianduros.
  • Avoid use of Buffer as it does not exist in the Web natively (#​4569). Contributed by @​t3chguy.
  • Re-send MatrixRTC media encryption keys for a new joiner even if a rotation is in progress (#​4561). Contributed by @​hughns.
  • Support MSC4222 state_after (#​4487). Contributed by @​dbkr.
  • Revert "Fix room state being updated with old (now overwritten) state and emitting for those updates. (#​4242)" (#​4532). Contributed by @​toger5.

v34.13.0

Compare Source

====================================================================================================

v34.12.0

Compare Source

====================================================================================================

v34.11.1

Compare Source

====================================================================================================

v34.10.0

Compare Source

====================================================================================================

🦖 Deprecations

  • Deprecate CreateSecretStorageOpts.keyBackupInfo used in CryptoApi.bootstrapSecretStorage. (#​4474). Contributed by @​florianduros.
  • Add CryptoApi.encryptToDeviceMessages() and deprecate Crypto.encryptAndSendToDevices() (#​4380). Contributed by @​hughns.
  • Remove abandoned MSC3886, MSC3903, MSC3906 experimental implementations (#​4469). Contributed by @​t3chguy.
  • Deprecate MatrixClient.getDehydratedDevice (#​4467). Contributed by @​florianduros.
  • Deprecate top level crypto events re-export (#​4444). Contributed by @​florianduros.

✨ Features

  • Add CryptoApi.encryptToDeviceMessages() and deprecate Crypto.encryptAndSendToDevices() (#​4380). Contributed by @​hughns.
  • Do not rotate MatrixRTC media encryption key when a new member joins a session (#​4472). Contributed by @​hughns.
  • Avoid <sender>|<session> notation in log messages (#​4473). Contributed by @​richvdh.
  • Refactor/simplify Promises in MatrixRTCSession (#​4466). Contributed by @​AndrewFerr.
  • Prepare delayed call leave events more reliably (#​4447). Contributed by @​AndrewFerr.

v34.9.0

Compare Source

==================================================================================================

v34.8.0

Compare Source

==================================================================================================
This release removes insecure functionality, resolving CVE-2024-47080 / GHSA-4jf8-g8wp-cx7c.

v34.7.0

Compare Source

==================================================================================================

🦖 Deprecations

  • RTCSession cleanup: deprecate getKeysForParticipant() and getEncryption(); add emitEncryptionKeys() (#​4427). Contributed by @​hughns.

✨ Features

  • Bump matrix-rust-sdk to 9.1.0 (#​4435). Contributed by @​richvdh.
  • Rotate Matrix RTC media encryption key when a new member joins a call for Post Compromise Security (#​4422). Contributed by @​hughns.
  • Update media event content types to include captions (#​4403). Contributed by @​tulir.
  • Update OIDC registration types to match latest MSC2966 state (#​4432). Contributed by @​t3chguy.
  • Add CryptoApi.pinCurrentUserIdentity and UserIdentity.needsUserApproval (#​4415). Contributed by @​richvdh.

v34.6.0

Compare Source

==================================================================================================

🦖 Deprecations

  • Element-R: Mark unsupported MatrixClient methods as deprecated (#​4389). Contributed by @​richvdh.

✨ Features

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
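As an added illustration of two of the advisories above, the "sanity check rooms before passing them to the matrix-js-sdk" workaround for CVE-2024-42369 and the client-side MXC URI validation missing before 34.11.1 (CVE-2024-50336), here is defender-side pre-validation code; it is example code written for this page, not matrix-js-sdk's own implementation. It assumes a constructed minimal room shape `{ roomId, predecessorRoomId }` held in a Map (the SDK's real Room objects differ), regular expressions that approximate the spec grammar for media IDs and server names, and the Matrix v1.11 authenticated media download path.

```javascript
// Added example, not matrix-js-sdk code. Rooms use a constructed minimal shape,
// Map<roomId, { roomId, predecessorRoomId }>, standing in for the SDK's Room
// objects and the predecessor.room_id field of their m.room.create content.

// Walk room -> predecessor -> ... with a visited set, so a room naming itself as
// predecessor, or a longer cycle, terminates instead of recursing forever.
function walkPredecessors(rooms, startRoomId, maxDepth = 64) {
  const chain = [];
  const seen = new Set();
  let current = startRoomId;
  while (current) {
    if (seen.has(current)) return { chain, status: "cycle", offending: current };
    if (chain.length >= maxDepth) return { chain, status: "too_deep", offending: current };
    seen.add(current);
    chain.push(current);
    const room = rooms.get(current);
    // Predecessor we never joined or saw: stop cleanly, its id stays as the last entry.
    if (!room) return { chain, status: "unknown_room", offending: current };
    current = room.predecessorRoomId;
  }
  return { chain, status: "ok", offending: null };
}

// Gate for chain-walking SDK calls such as getRoomUpgradeHistory / leaveRoomChain.
function isSafeToWalk(rooms, roomId) {
  return walkPredecessors(rooms, roomId).status !== "cycle";
}

// Constructed sample store: a normal three-room upgrade chain, a self-referencing
// room, a two-room cycle, and a room whose predecessor is unknown to this client.
function sampleRooms() {
  const mk = (roomId, predecessorRoomId) => [roomId, { roomId, predecessorRoomId }];
  return new Map([
    mk("!a:example.org", null),
    mk("!b:example.org", "!a:example.org"),
    mk("!c:example.org", "!b:example.org"),
    mk("!self:example.org", "!self:example.org"),
    mk("!x:example.org", "!y:example.org"),
    mk("!y:example.org", "!x:example.org"),
    mk("!o:example.org", "!gone:example.org"),
  ]);
}

// mxc://<server-name>/<media-id>. The spec limits media IDs to [A-Za-z0-9_-] and
// server names to a hostname or IPv4 literal, or a bracketed IPv6 literal, each
// with an optional :port. A second slash, '..', '?', '#' or percent-encoding is
// therefore rejected before either component can reach a request path.
const MEDIA_ID_RE = /^[A-Za-z0-9_-]+$/;
const HOST_RE = /^[A-Za-z0-9.-]{1,255}(:\d{1,5})?$/;
const IPV6_RE = /^\[[0-9A-Fa-f:.]{2,45}\](:\d{1,5})?$/;

function parseMxcUri(uri) {
  if (typeof uri !== "string" || !uri.startsWith("mxc://")) return null;
  const parts = uri.slice("mxc://".length).split("/");
  if (parts.length !== 2) return null;
  const [serverName, mediaId] = parts;
  if (!MEDIA_ID_RE.test(mediaId)) return null;
  if (!HOST_RE.test(serverName) && !IPV6_RE.test(serverName)) return null;
  if (serverName.includes("..")) return null; // dotted hostnames never contain '..'
  return { serverName, mediaId };
}

// Build the Matrix v1.11 authenticated media download path only from validated
// components; a rejected URI yields null rather than a request.
function mediaDownloadPath(uri) {
  const p = parseMxcUri(uri);
  return p ? `/_matrix/client/v1/media/download/${p.serverName}/${p.mediaId}` : null;
}
```

Real clients would run `isSafeToWalk` against the room store populated from sync before calling the SDK's chain-walking methods, and `mediaDownloadPath` (or an equivalent check) on every `mxc://` URI taken from room events.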

@github-actions (Contributor) commented:

APK Size: 2.1 MB

@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from 9605416 to 5feea99 Compare August 10, 2025 12:54
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from 5feea99 to 51f5ff9 Compare November 11, 2025 00:49
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from 51f5ff9 to 1aef396 Compare November 18, 2025 22:41
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from 1aef396 to 97cbf14 Compare January 19, 2026 18:35
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from 97cbf14 to f3f35f8 Compare February 2, 2026 20:27
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from f3f35f8 to 453add2 Compare March 13, 2026 13:38
@renovate renovate Bot changed the title Update dependency matrix-js-sdk to v34 [SECURITY] Update dependency matrix-js-sdk to v34 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-matrix-js-sdk-vulnerability branch March 27, 2026 01:23
@renovate renovate Bot changed the title Update dependency matrix-js-sdk to v34 [SECURITY] - autoclosed Update dependency matrix-js-sdk to v34 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch 2 times, most recently from 453add2 to a443b33 Compare March 30, 2026 21:31
@renovate renovate Bot changed the title Update dependency matrix-js-sdk to v34 [SECURITY] Update dependency matrix-js-sdk to v34 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency matrix-js-sdk to v34 [SECURITY] - autoclosed Update dependency matrix-js-sdk to v34 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch 2 times, most recently from a443b33 to 89f6322 Compare April 27, 2026 21:39
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from 89f6322 to f5b27dc Compare May 13, 2026 22:55
@renovate renovate Bot force-pushed the renovate/npm-matrix-js-sdk-vulnerability branch from f5b27dc to 5563c42 Compare May 25, 2026 18:30
@renovate renovate Bot changed the title Update dependency matrix-js-sdk to v34 [SECURITY] Update dependency matrix-js-sdk to v38 [SECURITY] May 25, 2026