Skip to content

Releases: wireapp/wire-server

2026-07-07 (Chart Release 5.34.0) 2026-07-07 (Chart Release 5.34.0)

Choose a tag to compare

@blackheaven blackheaven released this 07 Jul 06:33
e433acb

Release notes

  • Breaking change: the meetings team feature flag is now disabled and locked by default. (#5292)

API changes

  • cellsInternal in API version v17 now exposes storage quotas as totalLimitBytes and perUserQuotaBytes. totalLimitBytes is optional for backward compatibility with existing records, any negative value for either field is accepted as unlimited, and unlimited values are returned as -1. (#5271)

    • In API version v17 POST /register may now return a new 403 managed-by-scim error when a SCIM-managed pending user changes the display name during registration
    • The GET /teams/invitations/info?code=... response may now include the optional managed_by field (#5268)
  • In API version v17, preventAdminlessGroups feature config updates should use
    duration string fields deletionTimeoutDuration and reminderTimeoutDurations.
    Feature config responses include both the new duration fields and the legacy
    day-based deletionTimeout and reminderTimeouts fields for backwards
    compatibility. API versions before v17 continue to accept the legacy
    day-based fields. (#5308)

  • Added PUT /meetings/:domain/:id/invitations to replace the full list of invited emails of a meeting. (#5285)

  • Added MeetingConversation as a new GroupConvType. Conversations can now be
    created with group_conv_type: "meeting". (#5296)

  • Previously, POST /sso/get-by-email and GET /sso/initiate-login endpoints
    treated an IdP as globally configured for all domains when there was only one
    for a team. This led to information leakage and confusion. Now, these endpoints
    always treat IdPs as bound to a domain when multi-ingress is configured. I.e.
    IdP domain and request domain must match, otherwise an error is returned.

    To align with the others, this check is also added to the HEAD /sso/initiate-login
    pre-check endpoint. (#5291)

Features

  • Prevent adminless groups (#5254, #5256, #5260)

  • Changed the backgroundEffects team feature flag to be disabled by default (still unlocked). (#5269)

  • Add idpCertFingerprintAllowlist configuration to restrict IdP certificates by
    fingerprint. This setting only changes the behaviour of wire-server if
    configured. So, no e.g. migration or action is required as long as this feature
    is not intended to be used. (#5272)

Bug fixes and other updates

  • Do not allow changing the profile name during registration for SCIM users (#5268)

  • Fix recurring meetings disappearing from GET /meetings/list (and
    GET/PUT/DELETE /meetings/{id}, the invitation endpoints, and the background
    cleanup worker) once the original time slot passed. Expiry and cleanup now
    account for recurrence.until; open-ended recurring meetings (no until) never
    auto-expire. (#5309)

  • Bugfix: backgroundEffects feature flag was not configurable at the helm chart level. Now it is. (#5300)

  • Fix MLS participant adds on meeting conversations by granting InviteAccess
    alongside PrivateAccess when creating the underlying conversation. Without
    InviteAccess, Galley rejects member joins after MLS commits with 403
    access-denied. (#5305)

  • Fix CSP headers for SAML endpoints. These were falsely emitted for versioned SAML endpoints. (#5288)

Internal changes

  • Fixed flaky cross-domain integration tests by pre-warming the static federation path (domain1 <-> domain2) once in test setup (#5312)

  • Added logging on stale MLS commits in subconversations (#5251)

  • Extend the conversation Code store to support meeting access codes in addition to conversation codes. Adds a backwards-compatible target column to the conversation_codes Postgres table (defaults to 'conv'); the Cassandra store continues to serve conversation codes only. Foundational work for meeting access codes. (#5281)

  • Background worker now builds conversation subsystem config from the loaded Galley config and no longer fetches it over internal Galley RPC. (#5313)

2026-06-12 (Chart Release 5.33.0)

Choose a tag to compare

@blackheaven blackheaven released this 12 Jun 12:57
276b8e2

Release notes

  • The background-worker migration timeout configuration was renamed from migrateConversationsOptions to migrationOptions. The old key is no longer read, so update any custom Helm overrides to the new name to avoid unexpected defaults. (#5244)

  • Add public /meetings endpoints to galley nginz routing. (#5258)

  • Support for the kyber based hybrid post quantum ciphersuite was removed, because it is not supported by wire branch of openmls. (#5224)

API changes

  • In API version V16 DELETE /conversations/:domain/:cid/members/:domain/:uid may return a new error 403 adminless-conversation (#5254)

  • Remove redundant "get-app" end-point (use POST /list-users instead).

  • Finalize API version v16 and create new dev version v17. (#5257)

Features

  • Enforced history client invariants for conversation history sharing: enabled requires exactly one history client, disabled requires none. (#5217)

  • Prevent adminless groups (#5254, #5256)

  • Added a team feature to configure adminless group prevention. (#5233)

  • Added a team feature flag for background effects. (#5246)

  • nginx-ingress-services: allow a federator-only cert-manager issuer (e.g. AWS Private CA via AWSPCAClusterIssuer) by setting federator.tls.issuer.{name,kind,group} without having to enable the global tls.useCertManager flag. The wildcard-backed federator-certificate-secret is suppressed in that case so cert-manager can own the secret. (#5249)

  • Allow storing user data in PostgreSQL.

    This is currently not the default and is experimental. The migration path from Cassandra is yet to be implemented.

    However, new installations can use this by configuring the wire-server Helm chart like this:

    galley:
      config:
        postgresqlMigration:
          user: postgresql

    (#4951)

Bug fixes and other updates

  • Reset the MLS group info on conversation reset (#5229)

  • Refresh ES index after app update, emit event. (#5231)

  • Allow team members with role Member to browse collaborators.

  • Make migration locks release safely on failure (#5238)

  • Reduce connection usage and number of SQL queries for checking for pending PostgreSQL migration cleanup. (#5234)

  • Reconnect and retry queries when the PostgreSQL server restarts (#5216)

Internal changes

  • Add meeting cleaner job in background-worker. (#5207)

  • Integration test comparing different team-search end-points. (#5230)

  • Add timeout and duration metrics to Cassandra-to-PostgreSQL migration options (#5244)

  • Internal /i/domain-registration API made available for testing (#5245)

  • Bump wire-server-enterprise submodule (introduces gitignoreSource Nix fix) (#5253)

  • Fix SBOM generation scripts: stop merging stderr into stdout, which polluted the devShell and image name lists with nix warnings (#5264)

  • wire-ingress chart: Add a ALPN ClienTrafficPolicy (#5228)

2026-05-12 (Chart Release 5.32.0)

Choose a tag to compare

@fisx fisx released this 13 May 08:11
520b73d

This release should be deployed straight after 5.30. Please also consult the release notes for 5.31 for more changes.

Release notes

    • postgresMigration now has a single source of truth in the Galley chart values. Galley, Brig, and background-worker all read their PostgreSQL migration settings from there.
    • To migrate domain registration data to PostgreSQL, set postgresMigration.domainRegistration to migration-to-postgresql, run the background-worker migration with migrateDomainRegistration: true, and switch the setting to postgresql after completion.
    • The domain registration migration covers these Cassandra tables:
      domain_registration, domain_registration_by_team, and domain_registration_challenge. (#5195)

API changes

  • Discontinue redundant end-point for fetching user clients. (#5222)

Documentation

  • Improve swagger API docs. (#5220)

Internal changes

  • New wire-ingress Helm chart โ€” Gateway API / Envoy Gateway replacement for nginx-ingress-services. Not yet production-ready. (#5150)

2026-05-08 (Chart Release 5.31.0)

Choose a tag to compare

@fisx fisx released this 12 May 06:53
1d92347

This release is untested, upgrade from 5.30 straight to 5.32!

API changes

  • GET /teams/:tid/size response body lists teamSizeRegulars, teamSizeApps. (#5213)

Features

  • DELETE /meetings/:domain/:meetingId for deleting meetings. (#5066)

Bug fixes and other updates

  • Fix: Inconsistent removal messages across local and federated conversation members (#5210)

  • Do not count apps as paying users. (#5213)

  • brig-index: Continue indexing even when an invalid user is found in the DB (#4839)

  • Postgres: Index the parent_conv column in the conversation table (#5205, #5209, #5205)

Internal changes

  • Consolidate brig/galley api access effects from spar into wire-subsystems.

    NB: calls to internal galley end-points were sometimes propagating unexpected errors (eg. 400) to the client, sometimes they were turned into a fixed 5xx error. we now consistently do the latter, which is more accurate (we don't want this to ever happen). (#5189)

  • Using a random-generated index name to stabilize testSearchNoExtraResults (brig-integration). (#5198)

  • Move conversation-related operations into a unified Polysemy ConversationSubsystem effect across the wire-server codebase. (#5126)

  • Move meetings feature check from galley service layer into the MeetingsSubsystem interpreter, ensuring the check is enforced consistently within the subsystem. (#5214)

  • Add tools/mlsstats to the Docker images to be built in CI runs.
    mlsstats Helm chart now supports pod identity: ServiceAccount with configurable annotations is created and referenced by the CronJob pod, enabling OIDC-based AWS credential injection instead of static keys. AWS_EC2_METADATA_DISABLED is set so the AWS SDK uses web identity tokens on non-EC2 nodes. Secret creation is skipped when no static credentials are provided. (#5200)

  • Add zone-level topologySpreadConstraints to nginz deployment so pods are spread evenly across availability zones, ensuring traffic reaches all AZs when zone-aware routing is in use.
    topologySpreadConstraints are now configurable via values.yaml (defaulting to zone + hostname spreading), allowing chart users to customise pod scheduling without patching the chart. (#5208)

2026-04-20 (Chart release 5.30.0)

Choose a tag to compare

@fisx fisx released this 21 Apr 13:18
1fa1212

Release notes

  • Since 5.29 was broken and you should have skipped it, you are about to upgrade from 5.28 to 5.30 in one step. This has been tested and should work. Please consult the release notes from both 5.29 and 5.30 for changes w.r.t. 5.28.

  • background-worker now reuses galley's configmap and secrets for cassandra, postgres and federation domain settings. This removes redundant settings and keeps the two services aligned. No operator action is strictly required; however, we advise removing the background-worker value overrides for galley's cassandra, postgres, and federation domain settings, as they are duplicated and no longer needed:

    • background-worker.config.cassandraGalley
    • background-worker.config.postgresql
    • background-worker.secrets.pgPassword
    • background-worker.config.federationDomain (#5180)
  • Operators upgrading from the previous wire-server chart release, where the service charts were consolidated into the umbrella chart, must now set tags.proxy explicitly again.

    If your currently installed values no longer contain a proxy tag because of that consolidation, add one before upgrading to this release and set it to the intended state:

    • tags.proxy: true to deploy the proxy chart
    • tags.proxy: false to keep the proxy chart disabled (#5161)
  • The Restund helm chart and code stops being supported and shipped. If you have not already, please migrate to coturn which continues to be supported. (#5162)

Features

  • Send team.member-join to all apps in team. (#5187)

Bug fixes and other updates

  • Remove the Server response header value for entire API. (#5179)

  • Integration tests for user events when user type is app. Replace redundant app-created event with team.member-join. (#5139)

  • (Un-)suspend apps if en-/disabled in the team. (#5177)

  • Apps from outside own team do not appear in contact search. (#5173)

  • Fix: apps cannot form connections accross teams. Integration test for cross-team conversations working with apps as expected. (#5171)

  • Prevent password reset for SAML users (#5191)

  • Remove apps from conversations when apps are disabled in conversation. (#5176)

  • Fix: allow removal of bots from conversation after switching it to MLS. (#5186)

  • Hotfix: handle NULL in brig-cassandra:user.user_type. (#5193)

  • Fix bug where the mls-users tool would crash for users with null supported_protocols (#5190)

Documentation

  • Make schema-profunctor schema names derived and avoid name clashes between scopes. (#5151)

Internal changes

  • Propagate error from brig on stern API call GET i/domain-registration/:domain (#5179)

  • The status code for rate limit responses from nginz and cannon is now configurable and set to 420 per default (#5154)

  • Moved code from galley to ClientSubsystem (#5154, #5147, #5157, #5156, #5165, #5168)

  • The defaults in k8ssandra-test-cluster should now work for both a fresh cassandra 4.1 pod as well as an upgrade of an existing previous k8ssandra-test-cluster deployment. We assume k8ssandra-operator helm chart version 1.20.2. (#5091)

  • Use sbomnix to generate SBOMs for Nix-built Docker images and devShells. Adjust Helm chart values for inlined wire-server chart. (#5167)

  • Remove tom-bombadil SBOM creation targets from Makefile. There's a better approach to create SBOMs in place (in Makefile and CI). (#5181)

2026-03-24 - (Chart Release 5.29.0)

Choose a tag to compare

@stefanwire stefanwire released this 25 Mar 16:11
e3691a9

This release is broken. Please upgrade from 5.28 directly to 5.30!

Release notes

  • Helm chart refactoring: several core services were migrated from wire-server subcharts into the umbrella chart templates (charts/wire-server/templates).

    Moved as core services:

    • background-worker
    • brig
    • cannon
    • cargohold
    • galley
    • gundeck
    • proxy
    • spar

    As a result, dependency tags for moved services are obsolete for the current wire-server chart, because these services are no longer resolved through requirements.yaml dependencies. In particular, tags.brig, tags.galley, tags.cannon, tags.cargohold, tags.gundeck, tags.proxy, and tags.spar are no longer needed for wire-server deployments.

    Operator note: during upgrade, rendered manifests will show metadata/source changes (for example chart labels and template source paths). This is expected from the inlining refactor and may trigger a one-time rollout due to checksum annotation changes.

    Compatibility note: for standard wire-server deployments this is not expected to be breaking, because the moved core services were not toggled off via tags in default/in-repo environments. However, this is a breaking change for custom deployments that previously disabled any of these services via wire-server dependency tags (tags.<service>: false), because those tags are now obsolete after inlining. (#5085)

  • Rate-limit status codes in nginz and cannon's embedded nginz are now configurable via Helm values.

    Compatibility note: the default remains 420, so this does not change behavior for existing deployments and requires no direct operator action. (#5124)

  • Remove the old metallb wrapper chart. This hasn't been published or updated
    for quite some time. Even the Docker images weren't available anymore. (#5111)

API changes

  • Require admin password for refreshing app cookies (POST /teams/:tid/apps/:uid/cookies). (#5129)

  • Add "app" attribute to GET /list-users, GET /users/:dom/:uid; make GET /teams/:tid/apps, GET /teams/:tid/apps/:uid return same schema as GET /list-users. (#5070)

  • GET /teams/:tid/search response contains user types now (app or regular). (#5074)

    • remove pict attribute from GetApp
    • remove metadata attribute from GetApp
    • inline GetApp fields into NewApp
    • make CreatedApp.user contain UserProfile (which includes app info)
    • rename GetApp to AppInfo
    • remove AppInfo.{name,assets,accentId} (redundant user data) (#5115)
  • Create new API version V16 and finalize API version V15. (#5121)

Features

  • Add meetings listings endpoint /meetings/list. (#5109)

  • Add Wire Meetings add invitation endpoint POST /meetings/:domain/:id/invitations (#5132)

  • Add Wire Meetings delete invitation endpoint POST /meetings/:domain/:id/invitations/delete (#5136)

Bug fixes and other updates

  • Claiming key packages for a deleted user now returns a client error instead of a server error (#5113)

  • backoffice/stern: fix Swagger UI for comma-separated list query parameters (#5108)

  • Streamlined and fixed team feature config validateSAMLemails (#5114)

  • When the admin creates a new app cookie, all previous ones must be revoked. (#5149)

  • charts/elasticsearch-index: Allow configuring postgresql (#5092)

  • charts/wire-server: Fix nil pointer errors in merged subchart templates when optional values (brig.turn, rabbitmq TLS, cassandraBrig/cassandraGalley) are not provided (#5112)

  • Improve error message when failing to parse group ID (#5089)

Documentation

  • Updated docs for the team feature validateSAMLemails (#5118)

Internal changes

  • The status code for rate limit responses from nginz and cannon is now configurable and set to 420 per default (#5124)

  • Add curl to integration test failure reports. (#5048)

  • Add UserType fields in various data types. (#5074)

  • Progressively move away from singletons to type class to allow progressive migration to wire-subsystems of Galley's actions.
    Drop Galley.Intra.Util,Galley.Effects, Galley.API.MLS.Commit, and Galley.API.Push.
    Break dependencies to Opts/Env.
    Split ConversationSubsystem.Interpreter Galley.API.Federation (#5075, #5081, #5086, #5087, #5098, #5101, #5102, #5103, #5104, #5110, #5145, #5148)

  • Logging Wire-Client, Wire-Client-Version and Wire-Config-Hash headers in nginz (#5123)

  • Refactor scripts to alleviate SonarQube warnings (#5097)

  • Consumable notifications are now disabled (#5116)

  • The fields code, label, and message where added to the inconsistent group state error response of POST /mls/commit-bundels (#PR_NOT_FOUND)

  • Refactor Category: from ADT to Text. (#5120)

  • Moved TeamVisibilityStore operations into TeamStore (#5137)

  • Moved TeamNotificationStore to wire-subsystems (#5138)

  • Moved CustomBackendStore to wire-subsystems (#5135)

  • Moved TeamMemberStore, interpreter, and ListItems interpreters for Team to wire-subsystems (#5140)

  • sbomqs has been unused for years now. Thus, dropping it from our Nix env. (#5144)

  • Adjust the default Nix flake devShell such that nix develop is usable. (#5127)

  • Create and upload SBOMs for Helmfile, docker-compose and Helm charts. (#5122)

2026-03-03 - (Chart Release 5.28.0)

Choose a tag to compare

@stefanwire stefanwire released this 06 Mar 16:37
b13014d

Release notes

  • The following Helm charts changed in this branch:

    • charts/demo-smtp
    • charts/fake-aws-ses
    • charts/fake-aws-sns
    • charts/legalhold

    Image field overrides are supported via split values (repository + tag) in the changed charts.
    There are backward incompatibilities if old string-style image overrides are still used. (#5015)

  • Cassandra (brig.user) now keeps track of user types, only for newly created users. Read this paragraph if you have already created apps before their official support: For existing users and bots, the user type is inferred, but existing apps will show as regular users. Please remove those users from your team and create them again. (#5022)

  • Starting in this version, wire-server is tested against cassandra (4.1.x). The codebase is compatible with cassandra 3.11, 4.0, and 4.1. But going forward, only 4.1 or newer will get tested. We recommend you eventually upgrade cassandra to 4.1.x. (#5062)

API changes

  • PUT /teams/:tid/apps/:uid for app metadata update. (#5053)

  • GET /teams/:tid/apps now includes app ids in response. (#5057)

Features

  • Add Meetings API for creating and managing scheduled meetings.

    New endpoints:

    • POST /meetings - Create a meeting with title, start/end times, recurrence patterns (daily, weekly, etc.), and invited emails. Each meeting creates an associated MLS conversation.
    • GET /meetings/:domain/:meetingId - Retrieve a meeting by ID. Accessible to the meeting creator or any conversation member.

    Features:

    • Recurring meeting support with configurable patterns and end dates
    • Trial status: personal users receive trial meetings, paying team members receive non-trial meetings
    • Meeting expiration: old meetings are automatically filtered based on a configurable validity period (#4918)
  • PUT /meetings/:domain/:meetingId for updating meetings.

    Supported fields:

    • startTime, endTime - update meeting time (must be valid: start < end)
    • title - update meeting title
    • recurrence - update recurrence pattern

    Authorization: only the meeting creator can update the meeting. (#5065)

  • Ephemeral users are now allowed to upload and download files (#5016)

  • Pass optional cookie label on initiating the SSO login flow (#5049)

  • Revoke cookie with same label on login (#5055)

  • Emit new event user.session-refresh-suggested on cookie revocation (#5060)

  • New public system setting for nomad profiles support (#5077)

  • Print better error logs even when errors are overwritten to be hidden from the users (#5000)

  • Add history metadata support to channels. Channels now have a new field history which can be set on creation and updated by admins. (#4991)

  • Send an email to team admins and owners when an IdP is changed via API (create,
    update, delete). This behaviour is for now only enabled for multi-ingress
    setups. (#4987)

  • Add /sso/get-by-email endpoint to retrieve SSO codes by user email address.
    This will enable clients to fetch SSO codes and not have to ask the user for
    them.

    This feature is turned off by default and can be enabled in spar by setting
    the enableIdPByEmailDiscovery flag. Multi-ingress domains are taken into
    account to find the right SSO code to use. Users must have been created via
    SCIM; non-SCIM users are ignored. Please refer to the documentation for further
    information. (#5024)

Bug fixes and other updates

  • Delete app when removing a user from a team. (#5046)

  • Listing users never excludes apps on grounds of not having an identity. (#5029)

  • cannon: Do not report status code 500 when websocket is closed due to client
    errors (#5045)

  • Remove ModifyConversationHistory permission (#5027)

  • The backend is now able to accept commits in the presence of duplicated remove proposals (#4999)

  • Repair user key inconsistency when inviting user (#5031)

  • Repair user key inconsistency on registration
    (#5050)

Internal changes

  • Made hard coded images in helm charts configurable (#5015)

  • Fix: create team members for apps in galley, not just brig users. (#4970)

  • Change GET /i/users on brig to never return users with status Deleted.

    This shouldn't change backend behavior, except for avoiding some race
    conditions involving user deletion and fetching. (#5052)

  • Request-Id is now correctly propagated in cannon and cargohold (#5073)

  • Integration tests: test lib now supports shouldMatchShape for json schema assertions. (#5057)

  • Move conversation creation logic to wire-subsystems

    • Moved conversation creation logic from Galley.API.Create to Wire.ConversationSubsystem.Interpreter
    • Relocated utility modules:
      • Galley.API.Error โ†’ Galley.Types.Error
      • Galley.API.One2One โ†’ Wire.ConversationSubsystem.One2One
      • Galley.API.Util โ†’ Wire.ConversationSubsystem.Util
      • Galley.Effects.UserClientIndexStore โ†’ Wire.Effects.UserClientIndexStore
    • Removed Galley.Validation module (functionality moved to interpreter)
    • Updated background-worker configmap:
      • Added galley endpoint configuration to template
      • Added galleyEndpoint field to environment
      • Updated Registry to call getConfiguredFeatureFlags and provide flags via runInputSem
    • Added roundtrip and golden tests for:
      • ConversationSubsystemConfig
      • FeatureDefaults types: LegalholdConfig, SSOConfig, SearchVisibilityAvailableConfig
  • cannon chart: allow optional extra command line args to pass to the cannon process (#5023)

  • cannon chart: add scheduling options for node selector, affinity, and tolerations (#5020)

  • Updated email templates to v1.0.148 (#5003)

  • Federator helm chart: by default remove the CPU limit (and throttling). A limit can still be specified. (#5076)

  • Move IdPConfigStore to wire-subsystems. This will enable using it in other effects. (#5011)

  • Upgrade wire-server's Nix env. Switch to nixpkgs nixos-25.11 (the release branch). (#5032)

  • Update libzauth-c's dependencies. (#5039)

Federation changes

  • Support external cert-manager issuers (e.g. AWS PCA) for federation TLS by adding optional group field to federator.tls.issuer and making certificate duration/renewBefore configurable via federator.tls.duration and federator.tls.renewBefore in nginx-ingress-services chart. (#5025)

2026-02-04 (Chart Release 5.27.0)

Choose a tag to compare

@stefanwire stefanwire released this 17 Feb 14:08
d071f01

Release notes

  • Team features can now be migrated from Cassandra to Postgres. To migrate:
    • Set galley postgresMigration.teamFeatures to migration-to-postgresql.
    • Enable the background-worker flag migrateTeamFeatures=true to run the backfill.
    • Monitor the wire_team_features_migration_finished metric to confirm completion.
    • Switch postgresMigration.teamFeatures to postgresql and restart Galley and background-worker.
    • Once fully cut over, drop the Cassandra team_features_dyn table. (#4979)

API changes

  • Filter user search by type: GET /search/contacts?q=...&type=regular,app (#4986)

Bug fixes and other updates

  • Fix Brig's emails templates fetch script. (#4878)
  • Add mls-duplicate-public-key error to swagger (#4996)
  • Set idle timeout on HTTP connections to 30s. Set ping interval to 15s in cannon,
    missing two pings will cause the connection to close. This also removes ability
    for the client to control the ping interval. (#4992, #4992)

Internal changes

  • Migration from Cassandra to Postgres of Team Features (#4982, #4983, #4979)
  • Add an AGENTS.md file to provide basic information about the project to AI
    tools. (#4993)
  • Add net_connections condition to liveness probe of brig pod (#4990)
  • cannon: Add /websocket endpoint which is the same as /await (#5001)

2026-01-26 (Chart Release 5.26.0)

Choose a tag to compare

@fisx fisx released this 28 Jan 08:49
dd959eb

Release notes

  • User search provides information about user type (regular, app, legacy bot) now. Also, Elasticsearch re-indexing requires postgres access now. If you run brig-index directly anywhere, make sure to add the relevant settings. The Elasticsearch index must be refilled from Cassandra in order for the changes to the search results to take effect. See https://docs.wire.com/latest/developer/reference/elastic-search.html?h=index#refill-es-documents-from-cassandra (#4913, #4957)

  • Conversation codes can now be migrated to PostgreSQL. For existing installations:

    • Set postgresMigration.conversationCodes: migration-to-postgresql in both galley and background-worker.
    • Run the backfill with migrateConversationCodes: true.
    • Wait for wire_conv_codes_migration_finished to reach 1.0.
    • Switch to postgresMigration.conversationCodes: postgresql and disable migrateConversationCodes. (#4961)
  • The background-worker defaults for the postgres migration now match galley and point to cassandra (previously postgres). This currenlty only affects the background job, which is not expected to run before postgres is in use. However, if you relied on the defaults after migrating to postgres, please update your config to keep using postgres. (#4965)

  • Drop support for kubernetes versions below 1.27 (#4969)

API changes

  • New end-point GET /teams/:tid/apps listing all team apps. (#4960)

  • Add type field to search results received from GET /search/contacts (#4913)

Features

  • nginx-ingress-services: Add federator.tls.issuer option to use a separate ClusterIssuer for federation mTLS certificates. (#4964)

  • Log changes to IdP configurations made via the IdP REST API to syslog. (#4935)

  • Allow commit bundles to contain one application message. The message must be for the epoch after the commit, and it gets sent after the commit has been accepted. (#4929)

Bug fixes and other updates

  • background-worker's default settings for postgresMigration have been correctly set to cassandra. (#4965)

Internal changes

  • Circumvent potential performance issue with TVar (Map ...) (#4948)

  • Migration of conversation codes from cassandra to postgres (#4959, #4961)

    • Test for team and user email templates added
    • Refactoring to make email rendering testable
    • Removed SMS and call templates (#4699)
  • Drop cryptobox, handle prekey in pure Haskell. (#4719)

  • Move Feature Flags read to wire-subsystems. (#4918, #4974)

  • Federator: Replace Linux-only hinotify with cross-platform fsnotify library
    for certificate file monitoring. This enables native file system watching
    on both Linux and macOS, removing the need for platform-specific stubs. (#4955)

  • Simplify and modernize the Nix setup of rusty-jwt-tools. This includes
    updating to version 0.14.0. (#4952)

2026-01-13 (Chart Release 5.25.0)

Choose a tag to compare

@battermann battermann released this 14 Jan 09:40
8126b16

Release notes

  • Operators: if you override galley.settings.featureFlags.cells in your Helm values, update your override to include the newly required cells config fields (channels/groups/one2one/users/collabora/publicLinks/storage/metadata); if you use the chart defaults, no action is needed. (#4903)

API changes

  • Create new API version V15 and finalize API version V14 (#4942)

  • The PUT /teams/:tid/features/cells endpoint has changed in API version V14 and requires additional config values. (#4903)

  • Add new fields to apps: category, description, creator (#4879)

  • Add "get app" endpoint to Brig (GET /teams/:tid/apps/:id) (#4879)

  • Add pagination to SCIM groups in Spar /scim/v2/Groups

Features

  • Add meetingsPremium feature flag to distinguish premium teams from trial teams. Meetings created by premium team members are marked as non-trial. Public endpoints: GET/PUT /teams/:tid/features/meetingsPremium. Internal endpoints: GET/PUT/PATCH /i/teams/:tid/features/meetingsPremium and lock status management.

    Add meetings feature flag to control access to the meetings API. When disabled, all meetings endpoints return 403 Forbidden. The feature is enabled and unlocked by default. Public endpoints: GET/PUT /teams/:tid/features/meetings. Internal endpoints: GET/PUT/PATCH /i/teams/:tid/features/meetings and lock status management. (#4915)

  • New team feature config cellsInternal (#4889, #4907, #4940)

  • The cells feature flag now contains a set of additional configuration values (#4903)

  • nginx-ingress-services chart: Add support for cert-manager Certificate
    privateKey rotation policy configuration. This allows preserving private
    keys across certificate renewals for client key pinning scenarios.

    Configuration options:

    • tls.privateKey.rotationPolicy - for ingress certificates
    • federator.tls.privateKey.rotationPolicy - for federator certificate

    Setting rotationPolicy to "Never" preserves the private key, enabling
    scenarios where clients pin the server's public key rather than the
    certificate itself. (#4945)

  • Allow configuring page size and parallelism for conversation migration to
    PostgreSQL. This can be configured like this:

    background-worker:
      config:
        migrateConversationsOptions:
          pageSize: 10000
          parallelism: 2

    (#4904)

  • Introduce new metrics for better tracking of conversation migration to postgresql:

    1. wire_local_convs_migration_failed
    2. wire_user_remote_convs_migration_failed

    If any of these become 1, it means the migration has failed. The logs would
    contain the error. In order to restart the migration, the background-worker must
    be restarted. (#4891)

  • Commits with a broken group info are now let through if the group was already broken (#4883)

  • When a SAML IdP is created on a multi-ingress domain (implying that
    multi-ingress domains are configured in Spar) the domain is added as domain
    field to that IdP's extraInfo (WireIdP type in Haskell.) To avoid confusion
    in later lookups, at most one IdP can be configured per multi-ingress domain.
    If multi-ingress is not configured or it's not configured for the specific
    domain, no domain field gets added to the IdP. This guards against creating
    multiple IdPs and then assigning them to multi-ingress domains. Thus, users who
    don't use multi-ingress don't observe any change. This feature only opens the
    door to later provide an IdP for a multi-ingress domain. (#4778)

Bug fixes and other updates

  • Fixed notification endpoint returning an empty page with hasMore=true (#4871)

  • Fix SCIM groups endpoint to only return SCIM-managed groups, not wire-managed groups (#4906)

  • Fixed: change user idp, external_id or emails via scim (scim user update / patch failed to update parts of ValidScimId). (#4887)

  • Add <?xml version="1.0" encoding="UTF-8"?> to SAML/XML output. (#4898)

  • Make Swagger schema instances for GET /search/results and GET /teams/{tid}/search distinct (#4921)

  • Fix swagger docs for GET and POST on /conversations/{cnv}/code to show
    that the response will always include the uri field. (#4911)

  • Reduce gc_grace_period for all conversation related tables to 1 day. This will
    help restart the postgresql migration after a day, if it fails mid way. Lowering
    it too much runs the risk of offline nodes resurrecting deleted data. (#4899)

  • Make underlying users for apps findable from GET /search/contacts (#4920)

  • Reject messages in MLS groups while in epoch 0. (#4811)

  • Optimize Postgresql queries for getting conversation members (#4896, #4896)

  • Since 5.23.23 (5866bab) RabbitMQ settings are
    mandatory for Brig in both, federated and non-federated setups. Unfortunately,
    this wasn't reflected in Brig's Helm chart. So, non-federated deployments were
    failing. (#4886)

Internal changes

  • Upgrade nixpkgs and dependencies (icluding GHC from 9.8 to 9.10) (#4909)

  • Upgrade ormolu to match GHC 9.10. (#4923)

  • Fix postgres migrations on CI test runs (#4931)

  • Add mls-users tool to list all active users that don't support MLS. (#4888)

  • Add a golden test for IdP (de-) serialization to ensure the format doesn't change due to future developments. (#4927)

  • Explain MultiIngressSSO test helper functions a bit better. (#4882)

  • Use nix flakes instead of niv and manually pinned git dependencies (#4933)