t2bot/matrix-media-repo v1.3.0

on GitHub

Mandatory Configuration Change

Please see docs.t2bot.io for details.

Security Fixes

• Fix improper usage of Content-Disposition: inline and related Content-Type safety (CVE-2023-41318, GHSA-5crw-6j7v-xc72).

Deprecations

• The GET /_matrix/media/unstable/local_copy/:server/:mediaId (and unstable/io.t2bot.media variant) endpoint is deprecated and scheduled for removal. If you are using this endpoint, please comment on this issue to explain your use case.

Added

• Added a federation.ignoredHosts config option to block media from individual homeservers.
• Support for MSC2246 (async uploads) is added, with per-user quota limiting options.
• Support for MSC4034 (self-serve usage information) is added, alongside a new "maximum file count" quota limit.
• The GET /_synapse/admin/v1/statistics/users/media endpoint from Synapse is now supported at the same path for local server admins.
• Thumbnailing support for:
  • BMP images.
  • TIFF images.
  • HEIC images.
• New metrics:
  • HTTP response times.
  • Age of downloaded/accessed media.
• Support for PGO builds has been enabled via pgo-fleet.

Removed

• IPFS support has been removed due to maintenance burden.
• Exports initiated through the admin API no longer support ?include_data=false. Exports will always contain data.
• Server-side blurhash calculation has been removed. Clients and bridges already calculate blurhashes locally where applicable.

Changed

• Mandatory configuration change: You must add datastore IDs to your datastore configuration, as matrix-media-repo will no longer manage datastores for you.
• If compiling matrix-media-repo, note that new external dependencies are required. See the docs.
  • Docker images already contain these dependencies.
• Datastores no longer use the enabled flag set on them. Use forKinds: [] instead to disable a datastore's usage.
• Per-user upload quotas now do not allow users to exceed the maximum values, even by 1 byte. Previously, users could exceed the limits by a little bit.
• Updated to Go 1.19, then Go 1.20 in the same release cycle.
• New CGO dependencies are required. See docs.t2bot.io for details.
• Logs are now less noisy by default.
• Connected homeservers must support at least Matrix 1.1 on the Client-Server API. Servers over federation are not affected.
• The example Grafana dashboard has been updated.

Fixed

• URL previews now follow redirects properly.
• Overall memory usage is improved, particularly during media uploads and API-initiated imports.
  • Note: If you use plugins then memory usage will still be somewhat high due to temporary caching of uploads.
  • Note: This affects RSS primarily. VSZ and other memory metrics may be higher than expected due to how Go releases memory to the OS. This is fixed when there's memory pressure.
• Fixed shutdown stall if the config was reloaded more than once while running.