Since there's also an official announcement, I guess it's OK to share the email here:

Hi,

I'm Denis, a security researcher at Element. I'm emailing you because I determined you are a package maintainer for either Element Web/Desktop or matrix-js-sdk based on information from repology.org.

I'm writing to inform you that there will be a coordinated security release for a critical flaw happening on Monday, Sep 13th for several Matrix clients/libraries, including Element Web/Desktop and matrix-js-sdk.
+See https://matrix.org/blog/2021/09/10/pre-disclosure-upcoming-critical-fix-for-several-popular-matrix-clients.

We apologize for the rather short notice -- various factors prevented us from reaching out earlier.

Kind regards,
Denis

if nheko uses the matrix-js-sdk, they may be affected as well from my understanding

In reply to @ma27:nicht-so.sexy
ah you were faster, just got an email from element for that :)

In reply to @andi:kack.it
Does synapse (and perhaps element?) report to matrix.org / new vector in terms of telemetry or such? Would be interesting to know if they have distribution/packaging statistics.

our packaged riot/element that we ship in nixpkgs have telemetry disabled by default (https://github.com/NixOS/nixpkgs/pull/80364).

For Synapse, I could not see any option regarding telemetry, so I don't think it's reporting anything itself.

They still monitor the version number of homeservers that are publicly reachable from the federation and are visible from matrix.org's perspective, and probably clients which directly connect to their homeserver. They also have some bots hopping from one public room to another to discover new rooms and servers

In reply to @jamie:memes.nz
i'm reverse engineering the patch

In reply to @florian:wolkenplanet.de
synapse has telemetry, usually called "phone home stats" in synapse which goes beyond just version number, afaik opt-in, the option is named "report_stats": "https://github.com/matrix-org/synapse/blob/master/docs/sample_config.yaml#L1372"