deps: Update dependency matrix-js-sdk to v34 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
matrix-js-sdk	^19.5.0 -> ^34.0.0

GitHub Vulnerability Alerts

CVE-2022-39236

Impact

Improperly formed beacon events (from MSC3488) can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.

Patches

This is patched in matrix-js-sdk v19.7.0

Workarounds

Redacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues.

Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

References

N/A - This was a logic error in the SDK.

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

CVE-2022-39249

Impact

An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others.

This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end.

Key forwarding is a mechanism allowing clients to recover from “unable to decrypt” messages when they missed the initial key distribution, at the time the message was originally sent. Examples include accessing message history before they joined the room but also when some network/federation errors have occurred.

Patches

The default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices.

A unique exception to this rule is with the experimental MSC3061, that is forwarding room keys for past messages when invited in a room configured with the proper history visibility setting. Such key forwards are parked upon receipt and are only accepted if the SDK receives an invitation for that room from the inviter in a limited time window.

The SDK now sets a trusted flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with trusted = false are decorated appropriately (for example, by showing a warning for such messages).

Workarounds

As this attack requires coordination between a malicious homeserver and an attacker, if you trust your homeserver, no particular workaround is needed.

References

Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

CVE-2022-39251

Impact

An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield.

Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver.

These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm.

Patches

matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages.

Out of caution, several other checks have been audited or added:

• Cleartext m.room_key, m.forwarded_room_key and m.secret.send to_device messages are discarded.
• Secrets received from untrusted devices are discarded.
• Key backups are only usable if they have a valid signature from a trusted device (no more local trust, or trust-on-decrypt).
• The origin of a to-device message should only be determined by observing the Olm session which managed to decrypt the message, and not by using claimed sender_key, user_id, or any other fields controllable by the homeserver.

Workarounds

As this attack requires coordination between a malicious home server and an attacker, if you trust your home server no particular workaround is needed. Notice that the backup spoofing attack is a particularly sophisticated targeted attack.

We are not aware of this attack being used in the wild, though specifying a false positive-free way of noticing malicious key backups key is challenging.

As an abundance of caution, to avoid malicious backup attacks, you should not verify your new logins using emoji/QR verifications methods until patched. Prefer verifying with your security passphrase instead.

References

Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

CVE-2022-39250

Impact

An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one.

The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps.

Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable.

Patches

The matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key.

Workarounds

As this attack requires coordination between a malicious homeserver and an attacker -- if you trust your homeserver no particular workaround is needed.

As a potential way of detecting compromise, it’s possible to review your device list or the device list of other users for devices with IDs in the form of a base64 cross-signing key (5XaczGNlfz0bl8R1IX5qn+tBoue2tWJqLMh+SDUuvCk) instead of classical device ID (SEHACYDHMG).

References

Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org

CVE-2023-28427

Impact

In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.

(This is part 2, where CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)

Patches

The issue has been patched in matrix-js-sdk 24.0.0.

Workarounds

None.

References

• Release blog post
• The advisory GHSA-rfv9-x7hh-xc32 (CVE-2022-36059) refers to an initial set of vulnerable locations discovered and patched in matrix-js-sdk 19.4.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

CVE-2023-29529

Impact

An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call.

This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case.

Legacy 1:1 calls are unaffected.

Workarounds

Users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.

CVE-2024-42369

Impact

A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug.

Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L) we classify this as High severity issue.

Patches

This was patched in matrix-js-sdk 34.3.1.

Workarounds

Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either getRoomUpgradeHistory or leaveRoomChain.

References

N/A.

---

Release Notes

matrix-org/matrix-js-sdk (matrix-js-sdk)

v34.3.1

Compare Source

==================================================================================================

v34.3.0

Compare Source

==================================================================================================

✨ Features

• Bump matrix-widget-api (#​4336). Contributed by @​AndrewFerr.
• Also check for MSC3757 for session state keys (#​4334). Contributed by @​AndrewFerr.
• Support Futures via widgets (#​4311). Contributed by @​AndrewFerr.
• Support MSC4140: Delayed events (Futures) (#​4294). Contributed by @​AndrewFerr.
• Handle late-arriving m.room_key.withheld messages (#​4310). Contributed by @​richvdh.
• Be specific about what is considered a MSC4143 call member event. (#​4328). Contributed by @​toger5.
• Add index.ts for matrixrtc module (#​4314). Contributed by @​toger5.

🐛 Bug Fixes

• Fix hashed ID server lookups with no Olm (#​4333). Contributed by @​dbkr.

v34.2.0

Compare Source

==================================================================================================

🐛 Bug Fixes

• Element-R: detect "withheld key" UTD errors, and mark them as such (#​4302). Contributed by @​richvdh.

v34.1.0

Compare Source

==================================================================================================

✨ Features

• Add ability to choose how many timeline events to sync when peeking (#​4300). Contributed by @​jgarplind.
• Remove redundant hack for using the old pickle key in rust crypto (#​4282). Contributed by @​richvdh.
• Add fetching the well known in embedded mode. (#​4259). Contributed by @​toger5.

🐛 Bug Fixes

• Fix room state being updated with old (now overwritten) state and emitting for those updates. (#​4242). Contributed by @​toger5.
• Fix incorrect "Olm is not available" errors (#​4301). Contributed by @​richvdh.
• Fix build for example script (#​4286). Contributed by @​richvdh.
• Declare matrix-js-sdk as an ES module (#​4285). Contributed by @​richvdh.

v34.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

• Fetch capabilities in the background (#​4246). Contributed by @​dbkr.

✨ Features

• Prefix the user+device state key if needed (#​4262). Contributed by @​AndrewFerr.
• Use legacy call membership if anyone else is (#​4260). Contributed by @​AndrewFerr.
• Fetch capabilities in the background (#​4246). Contributed by @​dbkr.
• Use server name instead of homeserver url to allow well-known lookups during QR OIDC reciprocation (#​4233). Contributed by @​t3chguy.
• Add via parameter for MSC4156 (#​4247). Contributed by @​Johennes.
• Make the js-sdk compatible with MSC preferred foci and active focus. (#​4195). Contributed by @​toger5.
• Replace usages of setImmediate with setTimeout for wider compatibility (#​4240). Contributed by @​t3chguy.

🐛 Bug Fixes

• [Backport staging] Fix "Unable to restore session" error (#​4299). Contributed by @​RiotRobot.
• [Backport staging] Fix error when sending encrypted messages in large rooms (#​4297). Contributed by @​RiotRobot.
• Element-R: Fix resource leaks in verification logic (#​4263). Contributed by @​richvdh.
• Upgrade Rust Crypto SDK to 6.1.0 (#​4261). Contributed by @​richvdh.
• Correctly transform base64 with multiple instances of + or / (#​4252). Contributed by @​robintown.
• Work around spec bug for m.room.avatar state event content type (#​4245). Contributed by @​t3chguy.

v33.1.0

Compare Source

==================================================================================================

✨ Features

• MSC4108 support OIDC QR code login (#​4134). Contributed by @​t3chguy.
• Add crypto methods for export and import of secrets bundle (#​4227). Contributed by @​t3chguy.

🐛 Bug Fixes

• Fix screen sharing in recent Chrome (#​4243). Contributed by @​RiotRobot.
• Fix incorrect assumptions about required fields in /search response (#​4228). Contributed by @​t3chguy.
• Fix the queueToDevice tests for the new fakeindexeddb (#​4225). Contributed by @​dbkr.

v33.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

• Remove more deprecated methods, fields, and exports (#​4217). Contributed by @​t3chguy.
• Remove deprecated methods and fields (#​4201). Contributed by @​t3chguy.

🦖 Deprecations

• Remove more deprecated methods, fields, and exports (#​4217). Contributed by @​t3chguy.
• Remove deprecated methods and fields (#​4201). Contributed by @​t3chguy.

✨ Features

• initRustCrypto: allow app to pass in the store key directly (#​4210). Contributed by @​richvdh.
• Preserve ESM for async imports to work correctly (#​4187). Contributed by @​ms-dosx86.

🐛 Bug Fixes

• Don't run migration for Rust crypto if the legacy store is empty (#​4218). Contributed by @​andybalaam.
• Bump matrix-sdk-crypto-wasm to 5.0.0 (#​4216). Contributed by @​richvdh.
• Wire up verification cancel & mismatch for rust crypto (#​4202). Contributed by @​t3chguy.
• Only pass id_server if we had one to begin with (#​4200). Contributed by @​t3chguy.

v32.4.0

Compare Source

==================================================================================================

• No changes

v32.3.0

Compare Source

==================================================================================================

✨ Features

• Simplify OIDC types & export decodeIdToken (#​4193). Contributed by @​t3chguy.
• Add helpers for authenticated media, and associated documentation (#​4185). Contributed by @​turt2live.

🐛 Bug Fixes

• Fix state_events.ts types (#​4196). Contributed by @​t3chguy.
• Fix sendEventHttpRequest for m.room.redaction events without redacts (#​4192). Contributed by @​t3chguy.

v32.2.0

Compare Source

==================================================================================================

✨ Features

• Use a different error code for UTDs when user was not in the room (#​4172). Contributed by @​uhoreg.
• Modernize window.crypto access constants (#​4169). Contributed by @​turt2live.
• Improve compliance with MSC3266 (#​4155). Contributed by @​AndrewFerr.
• Add comment to make clear that RoomStateEvent.Events does not update related objects in the js-sdk (#​4152). Contributed by @​toger5.
• Crypto: use a new error code for UTDs from device-relative historical events (#​4139). Contributed by @​richvdh.

🐛 Bug Fixes

• Element-R: Fix rust migration when ssss secret are stored not encryted in cache (old legacy behavior) (#​4168). Contributed by @​BillCarsonFr.

v32.1.0

Compare Source

==================================================================================================

✨ Features

• Add support for device dehydration v2 (Element R) (#​4062). Contributed by @​uhoreg.
• OIDC improvements in prep of OIDC-QR reciprocation (#​4149). Contributed by @​t3chguy.

🐛 Bug Fixes

• Validate backup private key before migrating it (#​4114). Contributed by @​BillCarsonFr.
• ElementR| Retry query backup until it works during migration to avoid spurious correption error popup (#​4113). Contributed by @​BillCarsonFr.

v32.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

• Remove various deprecated methods & re-exports (#​4125). Contributed by @​t3chguy.
• Remove the logic that throws when the lazy loading options has changed. (#​4124). Contributed by @​langleyd.
• Fix highlights from threads disappearing on new messages (#​4106). Contributed by @​dbkr.

✨ Features

• Add new decryptExistingEvent test helper (#​4133). Contributed by @​richvdh.
• Improve types for sendEvent (#​4108). Contributed by @​t3chguy.
• Remove various deprecated methods & re-exports (#​4125). Contributed by @​t3chguy.
• Add new enum for verification methods. (#​4129). Contributed by @​richvdh.
• Add some test utils in a new entrypoint (#​4127). Contributed by @​richvdh.
• Improve types for sendStateEvent (#​4105). Contributed by @​t3chguy.

🐛 Bug Fixes

• Improve types for IPowerLevelsContent and hasSufficientPowerLevelFor (#​4128). Contributed by @​galash13.
• Remove the logic that throws when the lazy loading options has changed. (#​4124). Contributed by @​langleyd.
• Fix highlights from threads disappearing on new messages (#​4106). Contributed by @​dbkr.
• Extend logic for local notification processing to threads (#​4111). Contributed by @​dbkr.
• Fix public rooms post request search params and body (#​4110). Contributed by @​ajbura.
• Fix bugs with the first reply to a thread (#​4104). Contributed by @​dbkr.

v31.6.1

Compare Source

==================================================================================================

🐛 Bug Fixes

• Fix merging of default push rules (#​4136).

v31.6.0

Compare Source

==================================================================================================

✨ Features

• Introduce Membership TS type (take 2) (#​4107). Contributed by @​andybalaam.
• fix automatic DM avatar with functional members (#​4017). Contributed by @​HarHarLinks.
• Export types describing all specced media event formats (#​4092). Contributed by @​t3chguy.
• Add .m.rule.is_room_mention push rule to DEFAULT_OVERRIDE_RULES (#​4100). Contributed by @​t3chguy.
• Make sending ContentLoaded optional for a widgetClient (#​4086). Contributed by @​toger5.

🐛 Bug Fixes

• Migrate own identity local trust to rust crypto (#​4090). Contributed by @​BillCarsonFr.
• Fix race condition with sliding sync extensions (#​4089). Contributed by @​zzorba.

v31.5.0

Compare Source

==================================================================================================

✨ Features

• Update MSC2965 OIDC Discovery implementation (#​4064). Contributed by @​t3chguy.

🐛 Bug Fixes

• Add basic retry for rust crypto outgoing requests (#​4061). Contributed by @​BillCarsonFr.

v31.4.0

Compare Source

==================================================================================================

✨ Features

• Validate account_management_uri and account_management_actions_supported from OIDC Issuer well-known (#​4074). Contributed by @​t3chguy.
• Allow specifying OIDC url state parameter for passing data to callback (#​4068). Contributed by @​t3chguy.
• Add getAuthIssuer method for MSC2965 (#​4071). Contributed by @​t3chguy.
• Allow specifying more OIDC client metadata for dynamic registration (#​4070). Contributed by @​t3chguy.
• Add unread marker event type (#​4069). Contributed by @​dbkr.
• Add "AsJson" forms of the key import/export methods (#​4057). Contributed by @​andybalaam.

🐛 Bug Fixes

• Ignore memberships of users that are not in the call (#​4065). Contributed by @​toger5.
• Await encrypted messages (#​4063). Contributed by @​toger5.
• ElementR | Ensure own user and device trust are updated after migration before giving back control to the app. (#​4059). Contributed by @​BillCarsonFr.
• Bump matrix-sdk-crypto-wasm to 4.5.0 (#​4060). Contributed by @​andybalaam.

v31.3.0

Compare Source

==================================================================================================

✨ Features

• Add expire_ts compatibility to matrixRTC (#​4032). Contributed by @​toger5.
• Element-R: support for migration of the room list from legacy crypto (#​4036). Contributed by @​richvdh.
• Element-R: check persistent room list for encryption config (#​4035). Contributed by @​richvdh.
• Support optional MSC3860 redirects (#​4007). Contributed by @​turt2live.

🐛 Bug Fixes

• WebR: migrate the megolm session imported flag (#​4037). Contributed by @​BillCarsonFr.
• ElementR: fix emoji verification stalling when both ends hit start at the same time (#​4004). Contributed by @​uhoreg.
• Dependencies: Bump wasm bindings version to 4.3.0 (#​4042). Contributed by @​BillCarsonFr.
• Element R: emit events when devices have changed (#​4019). Contributed by @​uhoreg.
• ElementR: report invalid keys rather than failing to restore from backup (#​4006). Contributed by @​uhoreg.
• Make timeline a getter (#​4022). Contributed by @​florianduros.
• Implement getting verification cancellation info in Rust crypto (#​3947). Contributed by @​uhoreg.
• Fix crypto migration for megolm sessions with no sender key (#​4024). Contributed by @​richvdh.

v31.2.0

Compare Source

==================================================================================================

✨ Features

• Emit events during migration from libolm (#​3982). Contributed by @​richvdh.
• Support for migration from from libolm (#​3978). Contributed by @​richvdh.

🐛 Bug Fixes

• ElementR | backup: call expensive roomKeyCounts less often (#​4015). Contributed by @​BillCarsonFr.
• Decrypt and Import full backups in chunk with progress (#​4005). Contributed by @​BillCarsonFr.
• Fix new threads not appearing. (#​4009). Contributed by @​dbkr.

v31.1.0

Compare Source

==================================================================================================

✨ Features

• Broaden spec version support (#​4016). Contributed by @​RiotRobot.

v31.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

• Bump minimum spec version to v1.5 (#​3970). Contributed by @​richvdh.

✨ Features

• Bump minimum spec version to v1.5 (#​3970). Contributed by @​richvdh.
• Send authenticated /versions request (#​3968). Contributed by @​dbkr.

🐛 Bug Fixes

• Revert "Bump matrix-sdk-crypto-wasm to 3.6.0" (#​3991). Contributed by @​andybalaam.
• #​22606 Fix "Remove" button to users without "m.room.redaction" (#​3981). Contributed by @​rashmitpankhania.
• ElementR: Ensure Encryption order per room (#​3973). Contributed by @​BillCarsonFr.
• Element-R: fix bootstrapSecretStorage not resetting key backup when requested (#​3976). Contributed by @​uhoreg.

v30.3.0

Compare Source

==================================================================================================

✨ Features

• Element-R: disable sending room key requests (#​3939). Contributed by @​richvdh.

🐛 Bug Fixes

• Fix notifications appearing for old events (#​3946). Contributed by @​dbkr.
• Don't back up keys that we got from backup (#​3934). Contributed by @​uhoreg.
• Fix upload with empty Content-Type (#​3918). Contributed by @​JakubOnderka.
• Prevent phantom notifications from events not in a room's timeline (#​3942). Contributed by @​dbkr.

v30.2.0

Compare Source

==================================================================================================

✨ Features

• Only await key query after lazy members resolved (#​3902). Contributed by @​BillCarsonFr.

🐛 Bug Fixes

• Rewrite receipt-handling code (#​3901). Contributed by @​andybalaam.
• Explicitly free some Rust-side objects (#​3911). Contributed by @​richvdh.
• Fix type for TimestampToEventResponse.origin_server_ts (#​3906). Contributed by @​Half-Shot.

v30.1.0

Compare Source

==================================================================================================

✨ Features

• Rotate per-participant keys when a member leaves (#​3833). Contributed by @​dbkr.
• Add E2EE for embedded mode of Element Call (#​3667). Contributed by @​SimonBrandner.

🐛 Bug Fixes

• Shorten TimelineWindow when an event is removed (#​3862). Contributed by @​andybalaam.
• Ignore receipts pointing at missing or invalid events (#​3817). Contributed by @​andybalaam.
• Fix members being loaded from server on initial sync (defeating lazy loading) (#​3830). Contributed by @​BillCarsonFr.

v30.0.1

Compare Source

==================================================================================================

🐛 Bug Fixes

• Ensure setUserCreator is called when a store is assigned (#​3867). Fixes vector-im/element-web#26520. Contributed by @​MidhunSureshR.

v30.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

• Refactor & make base64 functions browser-safe (#​3818).
• IndexedDBStore.startup() must be called after using it on sdk.createClient now.

🦖 Deprecations

• Deprecate MatrixEvent.toJSON (#​3801).

✨ Features

• Element-R: Add the git sha of the binding crate to CryptoApi#getVersion (#​3838). Contributed by @​florianduros.
• Element-R: Wire up globalBlacklistUnverifiedDevices field to rust crypto encryption settings (#​3790). Fixes vector-im/element-web#26315. Contributed by @​florianduros.
• Element-R: Wire up room rotation (#​3807). Fixes vector-im/element-web#26318. Contributed by @​florianduros.
• Element-R: Add current version of the rust-sdk and vodozemac (#​3825). Contributed by @​florianduros.
• Element-R: Wire up room history visibility (#​3805). Fixes vector-im/element-web#26319. Contributed by @​florianduros.
• Element-R: log when we send to-device messages (#​3810).

🐛 Bug Fixes

• Fix reemitter not being correctly wired on user objects created in storage classes (#​3796). Contributed by @​MidhunSureshR.
• Element-R: silence log errors when viewing a pending event (#​3824).
• Don't emit a closed event if the indexeddb is closed by Element (#​3832). Fixes vector-im/element-web#25941. Contributed by @​dhenneke.
• Element-R: silence log errors when viewing a decryption failure (#​3821).

v29.1.0

Compare Source

==================================================================================================

✨ Features

• OIDC: refresh tokens (#​3764). Contributed by @​kerryarchibald.
• OIDC: add prompt param to auth url creation (#​3794). Contributed by @​kerryarchibald.
• Allow applications to specify their own logger instance (#​3792). Fixes #​1899.
• Export AutoDiscoveryError and fix type of ALL_ERRORS (#​3768).

🐛 Bug Fixes

• Fix sending call member events on leave (#​3799). Fixes vector-im/element-call#1763.
• Don't use event.sender in CallMembership (#​3793).
• Element-R: Don't mark QR code verification as done until it's done (#​3791). Fixes vector-im/element-web#26293.
• Element-R: Connect device to key backup when crypto is created (#​3784). Fixes vector-im/element-web#26316. Contributed by @​florianduros.
• Element-R: Avoid errors in VerificationRequest.generateQRCode when QR code is unavailable (#​3779). Fixes vector-im/element-web#26300. Contributed by @​florianduros.
• ElementR: Check key backup when user identity changes (#​3760). Fixes vector-im/element-web#26244. Contributed by @​florianduros.
• Element-R: emit VerificationRequestReceived on incoming request (#​3762). Fixes vector-im/element-web#26245.

v29.0.0

Compare Source

==================================================================================================

🚨 BREAKING CHANGES

• Remove browserify builds (#​3759).

✨ Features

• Export AutoDiscoveryError and fix type of ALL_ERRORS (#​3768).
• Support for stable MSC3882 get_login_token (#​3416). Contributed by @​hughns.
• Remove IsUserMention and IsRoomMention from DEFAULT_OVERRIDE_RULES (#​3752). Contributed by @​kerryarchibald.

🐛 Bug Fixes

• Fix a case where joinRoom creates a duplicate Room object (#​3747).
• Add membershipID to call memberships (#​3745).
• Fix the warning for messages from unsigned devices (#​3743).
• Stop keep alive, when sync was stoped (#​3720). Contributed by @​finsterwalder.

v28.2.0

Compare Source

==================================================================================================

🦖 Deprecations

• Implement getEncryptionInfoForEvent and deprecate getEventEncryptionInfo (#​3693).
• The Browserify artifact is being deprecated, scheduled for removal in the October 10th release cycle. (#​3189)

✨ Features

• Delete knocked room when knock membership changes (#​3729). Contributed by @​maheichyk.
• Introduce MatrixRTCSession lower level group call primitive (#​3663).
• Sync knock rooms (#​3703). Contributed by @​maheichyk.

🐛 Bug Fixes

• Dont access indexed db when undefined (#​3707). Contributed by @​finsterwalder.
• Don't reset unread count when adding a synthetic receipt (#​3706). Fixes #​3684. Contributed by @​andybalaam.

v28.1.0

Compare Source

==========================================================================================================

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.