element-hq · devonh · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025
@@ -452,14 +452,12 @@ jobs:
           python-version: '3.10'
 
       - name: Prepare old deps
-        if: steps.cache-poetry-old-deps.outputs.cache-hit != 'true'
-        run: .ci/scripts/prepare_old_deps.sh
-
-      # Note: we install using `pip` here, not poetry. `poetry install` ignores the
-      # build-system section (https://github.com/python-poetry/poetry/issues/6154), but
-      # we explicitly want to test that you can `pip install` using the oldest version
-      # of poetry-core and setuptools-rust.
-      - run: pip install .[all,test]
+        # Note: we install using `uv` here, not poetry or pip to allow us to test with the
+        # minimum version of all dependencies, both those explicitly specified and those
+        # implicitly brought in by the explicit dependencies. 
+        run: |
+          pip install uv
+          uv pip install --system --resolution=lowest .[all,test]
 
       # We nuke the local copy, as we've installed synapse into the virtualenv
       # (rather than use an editable install, which we no longer support). If we

@@ -0,0 +1 @@
+Use `uv` to test olddeps to ensure all transitive dependencies use minimum versions.
@@ -42,7 +42,8 @@ dependencies = [
     "Twisted[tls]>=21.2.0",
     "treq>=21.5.0",
     # Twisted has required pyopenssl 16.0 since about Twisted 16.6.
-    "pyOpenSSL>=16.0.0",
+    # pyOpenSSL 16.2.0 fixes compatibility with OpenSSL 1.1.0. 
+    "pyOpenSSL>=16.2.0",
     "PyYAML>=5.3",
     "pyasn1>=0.1.9",
     "pyasn1-modules>=0.0.7",
@@ -151,7 +152,8 @@ all = [
     # redis
     "txredisapi>=1.4.7", "hiredis",
     # cache-memory
-    "pympler",
+    # 1.0 added support for python 3.10, our current minimum supported python version
+    "pympler>=1.0",
     # omitted:
     #   - test: it's useful to have this separate from dev deps in the olddeps job
     #   - systemd: this is a system-based requirement
@@ -177,6 +179,29 @@ synapse_port_db = "synapse._scripts.synapse_port_db:main"
 synapse_review_recent_signups = "synapse._scripts.review_recent_signups:main"
 update_synapse_database = "synapse._scripts.update_synapse_database:main"
 
+[tool.uv]
+# From the uv docs (https://docs.astral.sh/uv/concepts/resolution/#dependency-overrides):
+#   As with constraints, overrides do not add a dependency on the package and only take
+#   effect if the package is requested in a direct or transitive dependency.
+override-dependencies = [
+    # Transitive dependency constraints
+    # These dependencies aren't directly required by Synapse.
+    # However, in order for Synapse to build, Synapse requires a higher minimum version
+    # for these dependencies than the minimum specified by the direct dependency.
+    "cffi>=1.15", # via cryptography
+    "defusedxml>=0.7.1", # via PIL
+    "hiredis>=0.3", # via hiredis
+    "pynacl>=1.3", # via signedjson
+    "pyparsing>=2.4",  # via packaging
+    "pyrsistent>=0.18.0",  # via jsonschema
+    "pytz>=2018.3",  # via pysaml2
+    "requests>=2.16.0", # 2.16.0+ no longer vendors urllib3, avoiding Python 3.10+ incompatibility
+    "thrift>=0.10",  # via jaeger-client
+    "tornado>=6.0",  # via jaeger-client
+    "urllib3>=1.26.5", # via treq; 1.26.5 fixes Python 3.10+ collections.abc compatibility
+    "zope-interface>=6.2", # via twisted
+]
+
 
 [tool.towncrier]
     package = "synapse"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Use `uv` to test olddeps to ensure all transitive dependencies use minimum versions.