
Update social-auth-core requirement from >=3.3.0 to >=5.0.0#150

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/social-auth-core-gte-5.0.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 24, 2026

Updates the requirements on social-auth-core to permit the latest version.

Release notes

Sourced from social-auth-core's releases.

5.0.0

Security

  • LoginRadius backend now validates callback state to prevent login CSRF.
  • Odnoklassniki app backend now ignores untrusted callback API hosts and validates returned user details.
  • Partial pipeline resume now requires session ownership or explicit external resume confirmation to prevent login CSRF.
  • SAML responses are now validated against the original AuthnRequest when possible.
  • Twilio backend now preserves HTTPS callback URLs and validates callback state to prevent login CSRF.

Fixed

  • Auth0 OpenID Connect configuration now uses the correct base URLs.
  • Authentication now handles invalid email addresses without crashing.
  • Vend OAuth user IDs are now scoped by shop.
  • VK app authentication now requires an auth key.

Removed

  • Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef, Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users (gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist.
  • Discontinued Google+ Sign-In backend (google-plus / GooglePlusAuth).

Changelog

Sourced from social-auth-core's changelog.

5.0.0 - 2026-06-23

Security

  • LoginRadius backend now validates callback state to prevent login CSRF.
  • Odnoklassniki app backend now ignores untrusted callback API hosts and validates returned user details.
  • Partial pipeline resume now requires session ownership or explicit external resume confirmation to prevent login CSRF.
  • SAML responses are now validated against the original AuthnRequest when possible.
  • Twilio backend now preserves HTTPS callback URLs and validates callback state to prevent login CSRF.

Fixed

  • Auth0 OpenID Connect configuration now uses the correct base URLs.
  • Authentication now handles invalid email addresses without crashing.
  • Vend OAuth user IDs are now scoped by shop.
  • VK app authentication now requires an auth key.

Removed

  • Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef, Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users (gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist.
  • Discontinued Google+ Sign-In backend (google-plus / GooglePlusAuth).

4.9.1 - 2026-04-30

Changed

  • GitHub backend now handles scoped email fetching deterministically.

Fixed

  • OpenID Connect missing token handling.
  • Microsoft refresh token and expiry handling.
  • Partial pipeline handling for Django QueryDict values.

4.9.0 - 2026-04-29

This release might contain breaking changes. Review the removed backends and stricter OAuth, OpenID Connect, and Azure AD validation before upgrading.

Added

  • OpenID Connect claim names for email, first name, last name, and full name can now be configured.
  • GitHub backend now stores fetched emails in pipeline data.

... (truncated)

Commits
  • 29dffe6 chore: release 5.0.0
  • 2fdbca2 fix(twilio): validate connect callback state
  • 0418782 fix!: bind partial pipeline resumes to sessions
  • 6fcde2c chore: remove discontinued Google+ Sign-In backend
  • f318835 fix(deps): update dependency ty to v0.0.52 (#1814)
  • 1bb49c6 fix(deps): update dependency coverage to v7.14.3 (#1813)
  • d81bf03 chore(tests): clarify test annotations and expectations (#1812)
  • 52471d3 chore(tests): clarify type annotations (#1810)
  • 4d33282 fix(backends): LoginRadius backend now validates callback state
  • 1bfacdd fix(backends): VKAppOAuth2 now requires auth_key
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [social-auth-core](https://github.com/python-social-auth/social-core) to permit the latest version.
- [Release notes](https://github.com/python-social-auth/social-core/releases)
- [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md)
- [Commits](python-social-auth/social-core@3.3.0...5.0.0)

---
updated-dependencies:
- dependency-name: social-auth-core
  dependency-version: 5.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "python" (Pull requests that update python code), Jun 24, 2026

dependabot[bot] (Contributor, Author) commented on behalf of github, Jun 25, 2026

Superseded by #151.

dependabot[bot] closed this Jun 25, 2026

dependabot[bot] deleted the dependabot/pip/social-auth-core-gte-5.0.0 branch June 25, 2026 03:02