v3.1.0

[3.1.0] - 2026-05-07

Minor Changes

• Draupnir can now create the management room in bot mode, and also the admin room for managing appservice deployments. This is achieved by configuring an initialManager when setting up the bot, who will be invited to a newly created management room. This work was contributed by @FSG-Cat as part of his work to further streamline deployment #1077.
• Add Avatar customisation command for Draupnir (!draupnir avatar) and the appservice admin bot, by @FSG-Cat.
• Add a command to set the display name of the appservice admin bot, by @FSG-Cat.

Patch Changes

• Cleanup Configuration file wording around protectAllJoinedRooms by @FSG-Cat.
• Fix Policy Notification Room invites only being issued to users with join membership, by @FSG-Cat.
• Fix an issue where sometimes Draupnir would log cryptic errors such as undefined: undefined by @Gnuxie. #759.
• Fix an issue where the appservice would not configure profile information for main bot and register it by @FSG-Cat.

v3.0.0

[v3.0.0] - 2026-04-02

Draupnir [v3.0.0] is focussed on changes to improve maintenance of the project, including incorporating all of the Draupnir stack into a monorepo to improve contribution workflow. There are a number of breaking changes to consider that are listed in the major changes below.

If for some reason you do encounter an issue with upgrading Draupnir, it is safe to downgrade back to v2.9.0 without changes, and receive support either in our our support room #draupnir:matrix.org or issue tracker.

Major Changes

• 🚨 All uncontainerised installations from source will need to change how they install, build, and start Draupnir. If you installed Draupnir by following our debian instructions, you will need to check that your systemd unit file ExecStart matches our documentation, and follow our upgrade steps. For custom source installations you can see the basics of the steps here, and note that the way Draupnir is started has changed. Any installation using images from docker do not need to change the way Draupnir is started.
• 🚨 The minimum supported node.js version has changed from 20 to 24. This is simply a result of node 20 approaching EOL and 24 being the active LTS.
• 🚨 Draupnir now must be started with the --draupnir-config option to provide a path to the config file. Depending on legacy config package behaviour was deprecated in https://github.com/the-draupnir-project/Draupnir/releases/tag/v2.0.0-beta.8. Most setups will have already made the change as this has been the documented way to provide a config file since the beginning of the project.
• For appservice deployments, self service provisioning (via invitations) has to be to be manually enabled in the appservice config file. Contributed by @FSG-Cat.

Minor Changes

• Draupnir will crash at startup if it does not have the ability to send state events to the mangement room. Most installs will already have this permission, but in any case the error logging for this is self explanatory. Reported by @nono-lqdn.
• 30611aa: Add appservice provision limits and add appservice force provision command. Contributed by @FSG-Cat.

Patch Changes

• 5870c02: Fixed a bug where User policies of any recommendation would result in the MemberBanSynchronisationProtection banning users. This is was a particularly important issue for compatibility with Meowlnir. Contributed by @nexy7574.
• 30611aa: Add version command to the appservice admin bot. Contributed by @FSG-Cat.
• b4d105f: Add branch information to status command output. Contributed by @FSG-Cat.

Special thanks

Special thanks to our wonderful support community in #draupnir:matrix.org.

v2.9.0

[v2.9.0] - 2025-12-18

Changed

• The ServerBanSynchronisationProtection capabilities now only render when
  server ACL fails to apply in order to reduce noise.

• The ServerBanSynchronisationProtection capability providers have been renamed
  so that they are specific to the protection.

v2.8.0

[v2.8.0] - 2025-11-23

Changed

• The watch command now includes a preview of the effects of policy room subscription. Without using the --no-confirm argument, you will be provided with a list of effects and prompted to confirm or cancel the command.

Fixed

• Protections now use a Lifetime abstraction for resource allocation and disposal. Which structurally eliminates issues such as use after free and memory leaks.

• When starting Draupnir spurious log lines would appear for each taken down room. Fixed by @esoteric_programmer in #995 and reported by @TommyTran732.

Special thanks

Special thanks to @FSG-Cat for continuing to review changes to documentation.

v2.7.1

[v2.7.1] - 2025-10-13

Fixed

• V12 policy rooms will not appear in the prompt for the ban command again.
  Reported by @ll-SKY-ll.

• Re-added the missing alias add command. Reported by @piegamesde.

• Added some logging to support
  #976. Reported by
  @TheArcaneBrony.

v2.7.0

[v2.7.0] - 2025-10-10

Project update

The Draupnir project is in the process of introducing formal governance for the
project in order to sustain development and build momentum.

Progress can be tracked
here, and the
documentation on our model can be found on our documentation website:
https://the-draupnir-project.github.io/draupnir-documentation/category/governance.

Added

• A new DraupnirNews protection has been added that will notify the management
  room of any news about the project. We intend to use this to onboard users
  into
  Draupnir's longhouse
  so that our users can vote on proposals
  https://the-draupnir-project.github.io/draupnir-documentation/governance/longhouse-presentation.

• The RoomsSetBehaviour protection has a new feature to send a prompt to the
  management room when a watched policy room is replaced by its curators. This
  is a small step in our
  project hydra mitigation route,
  and we expect to provide more full support for policy room upgrades at a later
  date. DO NOT upgrade policy rooms at this time.

Changed

• Draupnir is easier on the homeserver when redacting messages in rooms.
  Previously Draupnir could overload the homeserver in some circimstances. There
  should be a big improvement to redaction during spam waves.

Special Thanks to all our contributors and supporters

@FSG-Cat @nexy7574 @ll-SKY-ll @tulir @palchrb @bluesomewhere @jimmackenzie

v2.6.1

Fixed

• Policy room creation is now possible on servers where room version 12 is the
  default. Thanks to @Woefdram for reporting.

• Calculation of protection permissions has been fixed in V12 rooms.

v2.6.0

Advice on the hydra disclosure

do not upgrade rooms until the following conditions have been met:

1. You are using Draupnir v2.5.1 or above.
2. You have considered that not every user in your room will be able to follow
   the tombstone, because their own server has not upgraded yet. This could lead
   to them NEVER following the tombstone when the room becomes dead/lost to
   history
3. You are confident that you know what you are doing. The upgrade UX on Matrix
   is poor and you are likely to dos your own community in a worse way than an
   exploiter of any supposed vulnerability.

See https://matrix.org/docs/communities/administration/#room-upgrades for
current advice on upgrading rooms. We are adding features to Draupnir to make
room upgrades easier for users. See
the-draupnir-project/planning#44.

Added

• Replacement rooms will automatically be protected when protected rooms are
  upgraded.

Fixed

• V12 room identifiers can now be used in commands. Thanks to @cremesk for
  reporting.

Changed

• Room discovery has been made a synchronous part of the takedown command. This
  would happen in background before which could cause confusion if it failed.

v2.5.1

This is a small release that makes Draupnir compatible with V12 rooms. Please
update your Draupnir now. We do not recommend anyone upgrade their rooms to V12
unless they have to. See
https://marewolf.me/posts/draupnir/25/do-not-upgrade-to-v12.html . We are
working on features that will make room upgrades very easy for Draupnir users.
See the-draupnir-project/planning#44.

Fixed

• Draupnir can now join and interact with V12 rooms.

• If you are a Draupnir for all / appservice administrator and your homesever
  sets the default room version to 12, new Draupnir will be able to be
  provisioned.

• The error logging when the config for acceptInvitesFromSpace is incorrect
  has been improved.

v2.5.0

Added

• There is a new protection enabled by default called the
  InvalidEventProtection. This protection redacts events that contain
  malformed
  mixins
  that are likely to trip up other Matrix clients, or potentially represent an
  attempt to bypass Draupnir protections. For Matrix developers, what qualifies
  as a malformed mixin is very conservative, and we only focus on the core
  properties of a given mixin.

• The WordListProtection, and MentionLimitProtection are updated to use a
  new method of parsing Matrix events by extracting
  mixins
  that is provided by the matrix-protection-suite. This will allow these
  protections to continue to function should extensible events ever make it into
  a release of the Matrix specification. And generally this is a more robust way
  of parsing Matrix events.

Fixed

• Draupnir deployed in appservice mode were not being disposed of correctly when
  being placed into or restarting from safe mode. This could be a root cause a
  variety of issues.

Changed

• The JSON reviver used by Draupnir for handling http requests and responses has
  been modified to cover more property names found on the Object.prototype, in
  addition to the existing restrictions preventing prototype pollution. This
  adds redundancy to code handling objects parsed from untrusted sources.