Update all dependencies

[missingcharacter]

This PR contains the following updates:

Package	Update	Change
docker.io/caddy	minor	2.10.2-alpine → 2.11.2-alpine
docker.io/postgres	minor	18.2-alpine3.23 → 18.3-alpine3.23
ghcr.io/element-hq/synapse	minor	v1.147.1 → v1.149.1
postgres	minor	18.2-alpine3.23 → 18.3-alpine3.23
traefik	patch	v3.6.8 → v3.6.11
vaultwarden/server	patch	1.35.3-alpine → 1.35.4-alpine

---

Release Notes

element-hq/synapse (ghcr.io/element-hq/synapse)

v1.149.1

Compare Source

Synapse 1.149.1 (2026-03-11)

Internal Changes

• Bump matrix-synapse-ldap3 to 0.4.0 to support setuptools>=82.0.0. Fixes #​19541. (#​19543)

v1.149.0

Compare Source

Synapse 1.149.0 (2026-03-10)

No significant changes since 1.149.0rc1.

Synapse 1.149.0rc1 (2026-03-03)

Features

• Add experimental support for MSC4388: Secure out-of-band channel for sign in with QR. (#​19127)
• Add stable support for MSC4380 invite blocking. (#​19431)

Bugfixes

• Fix the 'Login as a user' Admin API not checking if the user exists before issuing an access token. (#​18518)
• Fix /sync missing membership event in state_after (experimental MSC4222 implementation) in some scenarios. (#​19460)

Internal Changes

• Add log to explain when and why we freeze objects in the garbage collector. (#​19440)
• Better instrument JoinRoomAliasServlet with tracing. (#​19461)
• Fix Complement CI not running against the code from our PRs. (#​19475)
• Log docker system info in CI so we have a plain record of how GitHub runners evolve over time. (#​19480)
• Rename the test_disconnect test helper so that pytest doesn't see it as a test. (#​19486)
• Add a log line when we delete devices. Contributed by @​bradtgmurray @​ Beeper. (#​19496)
• Pre-allocate the buffer based on the expected Content-Length with the Rust HTTP client. (#​19498)
• Cancel long-running sync requests if the client has gone away. (#​19499)
• Try and reduce reactor tick times when under heavy load. (#​19507)
• Simplify Rust HTTP client response streaming and limiting. (#​19510)
• Replace deprecated collection import locations with current locations. (#​19515)
• Bump most locked Python dependencies to their latest versions. (#​19519)

v1.148.0

Compare Source

Synapse 1.148.0 (2026-02-24)

No significant changes since 1.148.0rc1.

Synapse 1.148.0rc1 (2026-02-17)

Features

• Support sending and receiving MSC4354 Sticky Event metadata. (#​19365)

Improved Documentation

• Fix reference to the experimental_features section of the configuration manual documentation. (#​19435)

Deprecations and Removals

• Remove support for MSC3244: Room version capabilities as the MSC was rejected. (#​19429)

Internal Changes

• Add in-repo Complement tests so we can test Synapse specific behavior at an end-to-end level. (#​19406)
• Push Synapse docker images to Element OCI Registry. (#​19420)
• Allow configuring the Rust HTTP client to use HTTP/2 only. (#​19457)
• Correctly refuse to start if the Rust workspace config has changed and the Rust library has not been rebuilt. (#​19470)

containous/traefik (traefik)

v3.6.11

Compare Source

CVE fixed:

• CVE-2026-32595 (Advisory GHSA-g3hg-j4jv-cwfr)
• CVE-2026-32305 (Advisory GHSA-wvvq-wgcr-9q48)
• CVE-2026-32695 (Advisory GHSA-67jx-r9pv-98rj)

Bug fixes:

• [logs, otel] Add OTel-conformant trace context attributes to access logs (#​12801 @​mmatur)
• [k8s/gatewayapi] Fix incorrect hostname matching between listener and route (#​12599 @​TheColorman)
• [k8s/ingress] Fix ingress router's rule (#​12808 @​gndz07)
• [webui] Remove AGPL license in code (#​12799 @​Desel72)
• [k8s/ingress-nginx] Fix proxy-ssl-verify annotation (#​12825 @​LBF38)
• [http] Add maxResponseBodySize configuration on HTTP provider (#​12788 @​gndz07)
• [tls] Support fragmented TLS client hello (#​12787 @​rtribotte)
• [middleware, authentication] Make basic auth check timing constant (#​12803 @​rtribotte)

Documentation:

• [k8s] Improve the multi tenant security note (#​12822 @​nmengin)
• Fix unnecessary escaping of pipe in regexp examples (#​12784 @​diegmonti)
• Add vulnerability submission quality guidelines (#​12807 @​emilevauge)
• Fix start up message format (#​12806 @​mloiseleur)
• Remove unsupported servers[n].address from TCP label examples (#​12817 @​sheddy-traefik)
• Bump mkdocs-traefiklabs to use consent mode (#​12804 @​darkweaver87)

v3.6.11

Compare Source

CVE fixed:

• CVE-2026-32595 (Advisory GHSA-g3hg-j4jv-cwfr)
• CVE-2026-32305 (Advisory GHSA-wvvq-wgcr-9q48)
• CVE-2026-32695 (Advisory GHSA-67jx-r9pv-98rj)

Bug fixes:

• [logs, otel] Add OTel-conformant trace context attributes to access logs (#​12801 @​mmatur)
• [k8s/gatewayapi] Fix incorrect hostname matching between listener and route (#​12599 @​TheColorman)
• [k8s/ingress] Fix ingress router's rule (#​12808 @​gndz07)
• [webui] Remove AGPL license in code (#​12799 @​Desel72)
• [k8s/ingress-nginx] Fix proxy-ssl-verify annotation (#​12825 @​LBF38)
• [http] Add maxResponseBodySize configuration on HTTP provider (#​12788 @​gndz07)
• [tls] Support fragmented TLS client hello (#​12787 @​rtribotte)
• [middleware, authentication] Make basic auth check timing constant (#​12803 @​rtribotte)

Documentation:

• [k8s] Improve the multi tenant security note (#​12822 @​nmengin)
• Fix unnecessary escaping of pipe in regexp examples (#​12784 @​diegmonti)
• Add vulnerability submission quality guidelines (#​12807 @​emilevauge)
• Fix start up message format (#​12806 @​mloiseleur)
• Remove unsupported servers[n].address from TCP label examples (#​12817 @​sheddy-traefik)
• Bump mkdocs-traefiklabs to use consent mode (#​12804 @​darkweaver87)

v3.6.10

Compare Source

All Commits

Bug fixes:

• [docker] Bump Docker and OpenTelemetry dependencies (#​12761 by mmatur)
• [fastproxy] Bump github.com/valyala/fasthttp to v1.69.0 (#​12763 by kevinpollet)
• [healthcheck, grpc] Remove path parsing with grpc healthcheck (#​12760 by rtribotte)
• [k8s/gatewayapi] Fix Gateway API router's rules (#​12753 by rtribotte)
• [middleware] Fix HasSecureHeadersDefined returning false when stsSeconds is 0 (#​12684 by veeceey)
• [otel] Bump go.opentelemetry.io/otel dependencies (#​12754 by rtribotte)
• [server] Bump golang.org/x/net to v0.51.0 (#​12756 by kevinpollet)
• [webui] Fix priority display in dashboard and ACME bypass redirect (#​12740 by mmatur)
• [webui] Fix basePath validation for dashboard template (#​12729 by gndz07)

Documentation:

• [middleware] Correct documentation for Digest auth (#​12651 by Zash)
• Add missing .http to TOML table names (#​12713 by Darsstar)
• Fix incorrect TOML example in entrypoints docs (#​12711 by mfmfuyu)
• Fix API basepath option documentation (#​12744 by nmengin)

v3.6.10

Compare Source

All Commits

Bug fixes:

• [docker] Bump Docker and OpenTelemetry dependencies (#​12761 by mmatur)
• [fastproxy] Bump github.com/valyala/fasthttp to v1.69.0 (#​12763 by kevinpollet)
• [healthcheck, grpc] Remove path parsing with grpc healthcheck (#​12760 by rtribotte)
• [k8s/gatewayapi] Fix Gateway API router's rules (#​12753 by rtribotte)
• [middleware] Fix HasSecureHeadersDefined returning false when stsSeconds is 0 (#​12684 by veeceey)
• [otel] Bump go.opentelemetry.io/otel dependencies (#​12754 by rtribotte)
• [server] Bump golang.org/x/net to v0.51.0 (#​12756 by kevinpollet)
• [webui] Fix priority display in dashboard and ACME bypass redirect (#​12740 by mmatur)
• [webui] Fix basePath validation for dashboard template (#​12729 by gndz07)

Documentation:

• [middleware] Correct documentation for Digest auth (#​12651 by Zash)
• Add missing .http to TOML table names (#​12713 by Darsstar)
• Fix incorrect TOML example in entrypoints docs (#​12711 by mfmfuyu)
• Fix API basepath option documentation (#​12744 by nmengin)

v3.6.9

Compare Source

All Commits

Bug fixes:

• [docker] Bump Docker and OpenTelemetry dependencies (#​12761 by mmatur)
• [fastproxy] Bump github.com/valyala/fasthttp to v1.69.0 (#​12763 by kevinpollet)
• [healthcheck, grpc] Remove path parsing with grpc healthcheck (#​12760 by rtribotte)
• [k8s/gatewayapi] Fix Gateway API router's rules (#​12753 by rtribotte)
• [middleware] Fix HasSecureHeadersDefined returning false when stsSeconds is 0 (#​12684 by veeceey)
• [otel] Bump go.opentelemetry.io/otel dependencies (#​12754 by rtribotte)
• [server] Bump golang.org/x/net to v0.51.0 (#​12756 by kevinpollet)
• [webui] Fix priority display in dashboard and ACME bypass redirect (#​12740 by mmatur)
• [webui] Fix basePath validation for dashboard template (#​12729 by gndz07)

Documentation:

• [middleware] Correct documentation for Digest auth (#​12651 by Zash)
• Add missing .http to TOML table names (#​12713 by Darsstar)
• Fix incorrect TOML example in entrypoints docs (#​12711 by mfmfuyu)
• Fix API basepath option documentation (#​12744 by nmengin)

v3.6.9

Compare Source

All Commits

Bug fixes:

• [docker] Bump Docker and OpenTelemetry dependencies (#​12761 by mmatur)
• [fastproxy] Bump github.com/valyala/fasthttp to v1.69.0 (#​12763 by kevinpollet)
• [healthcheck, grpc] Remove path parsing with grpc healthcheck (#​12760 by rtribotte)
• [k8s/gatewayapi] Fix Gateway API router's rules (#​12753 by rtribotte)
• [middleware] Fix HasSecureHeadersDefined returning false when stsSeconds is 0 (#​12684 by veeceey)
• [otel] Bump go.opentelemetry.io/otel dependencies (#​12754 by rtribotte)
• [server] Bump golang.org/x/net to v0.51.0 (#​12756 by kevinpollet)
• [webui] Fix priority display in dashboard and ACME bypass redirect (#​12740 by mmatur)
• [webui] Fix basePath validation for dashboard template (#​12729 by gndz07)

Documentation:

• [middleware] Correct documentation for Digest auth (#​12651 by Zash)
• Add missing .http to TOML table names (#​12713 by Darsstar)
• Fix incorrect TOML example in entrypoints docs (#​12711 by mfmfuyu)
• Fix API basepath option documentation (#​12744 by nmengin)

dani-garcia/vaultwarden (vaultwarden/server)

v1.35.4

Compare Source

Security Fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

• GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.
• GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.
• GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.

These are private for now, pending CVE assignment.

What's Changed

• Update Rust and Crates and GHA by @​BlackDex in #​6843
• hide remember 2fa token by @​stefan0xC in #​6852
• fix(send_invite): invite links by @​proofofcopilot in #​6824
• Misc organization fixes by @​BlackDex in #​6867

New Contributors

• @​proofofcopilot made their first contribution in #​6824

Full Changelog: dani-garcia/vaultwarden@1.35.3...1.35.4

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.