
Update social-auth-core requirement from >=3.3.0 to >=5.0.1 #151

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/pip/social-auth-core-gte-5.0.1

Conversation

@dependabot dependabot[bot] (Contributor) commented on behalf of github, Jun 25, 2026

Updates the requirements on social-auth-core to permit the latest version.

Release notes

Sourced from social-auth-core's releases.

5.0.1

Security

  • Externally resumable partial request links now require confirmation even in the browser session that created the partial, preventing validation links from being consumed by a plain GET.

Changelog

Sourced from social-auth-core's changelog.

5.0.1 - 2026-06-24

Security

  • Externally resumable partial request links now require confirmation even in the browser session that created the partial, preventing validation links from being consumed by a plain GET.

5.0.0 - 2026-06-23

Security

  • LoginRadius backend now validates callback state to prevent login CSRF.
  • Odnoklassniki app backend now ignores untrusted callback API hosts and validates returned user details.
  • Partial pipeline resume now requires session ownership or explicit external resume confirmation to prevent login CSRF.
  • SAML responses are now validated against the original AuthnRequest when possible.
  • Twilio backend now preserves HTTPS callback URLs and validates callback state to prevent login CSRF.

Fixed

  • Auth0 OpenID Connect configuration now uses the correct base URLs.
  • Authentication now handles invalid email addresses without crashing.
  • Vend OAuth user IDs are now scoped by shop.
  • VK app authentication now requires an auth key.

Removed

  • Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef, Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users (gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist.
  • Discontinued Google+ Sign-In backend (google-plus / GooglePlusAuth).

4.9.1 - 2026-04-30

Changed

  • GitHub backend now handles scoped email fetching deterministically.

Fixed

  • OpenID Connect missing token handling.
  • Microsoft refresh token and expiry handling.
  • Partial pipeline handling for Django QueryDict values.

4.9.0 - 2026-04-29

... (truncated)

Commits
  • da9ad0d fix: confirm same-session external partial resumes
  • e05a572 chore(deps): update dependency astral-sh/uv to v0.11.24 (#1822)
  • cd518b5 chore(deps): update actions/cache action to v6 (#1821)
  • 7e85dea chore: improve docstrings
  • 29dffe6 chore: release 5.0.0
  • 2fdbca2 fix(twilio): validate connect callback state
  • 0418782 fix!: bind partial pipeline resumes to sessions
  • 6fcde2c chore: remove discontinued Google+ Sign-In backend
  • f318835 fix(deps): update dependency ty to v0.0.52 (#1814)
  • 1bb49c6 fix(deps): update dependency coverage to v7.14.3 (#1813)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [social-auth-core](https://github.com/python-social-auth/social-core) to permit the latest version.
- [Release notes](https://github.com/python-social-auth/social-core/releases)
- [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md)
- [Commits](python-social-auth/social-core@3.3.0...5.0.1)

---
updated-dependencies:
- dependency-name: social-auth-core
  dependency-version: 5.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) on Jun 25, 2026
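The 5.0.x security entries quoted above (callback state validation for the LoginRadius and Twilio backends, SAML responses checked against the original AuthnRequest, and partial-pipeline resumes that need session ownership or an explicit confirmation, tightened in 5.0.1 so that a validation link is never consumed by a plain GET) all defend against the same class of bug, login CSRF: an unauthenticated browser being walked through the tail of someone else's login flow. The model below is an added example written for this page; it is not social-auth-core's code and does not mirror its API. Every class and function name in it is hypothetical, and the split between "link-style" partials (always confirm, even for the owning session) and ordinary in-session partials (owner may resume silently) is my reading of the two changelog lines, not a statement of how the library implements them.

```python
"""Added illustration of two login-CSRF defences: (1) a callback-binding
nonce (OAuth `state`, or the ID a SAML AuthnRequest expects back in
InResponseTo) stored per session and checked single-use; (2) partial
resume tokens that remember their owning session, where a link-style
partial is never consumed by a GET and needs an explicit POST confirmation.
All names are hypothetical; not social-auth-core's API."""
import hmac
import secrets
from typing import Dict, List, Optional


class Session:
    """Stand-in for a cookie-backed server-side session."""
    def __init__(self) -> None:
        self.sid = secrets.token_hex(16)
        self.data: Dict[str, str] = {}


class LoginCsrfError(Exception):
    """The request could have been planted by a third party; refuse it."""


class ConfirmationRequired(Exception):
    """Do not consume the partial; render a confirmation form instead."""


def begin_external_flow(session: Session) -> str:
    """Mint an unguessable nonce, remember it in the session, return it for
    the redirect (OAuth `state` / SAML AuthnRequest ID)."""
    nonce = secrets.token_urlsafe(32)
    session.data["pending_nonce"] = nonce
    return nonce


def verify_callback(session: Session, returned: Optional[str]) -> bool:
    """Accept the callback only if the echoed value matches THIS session's
    pending nonce. Otherwise an attacker can make the victim's browser load
    a callback URL carrying the attacker's code/assertion and log the victim
    into the attacker's account. pop() makes the nonce single-use."""
    expected = session.data.pop("pending_nonce", None)
    if not expected or not returned or not hmac.compare_digest(expected, returned):
        raise LoginCsrfError("callback nonce missing or mismatched")
    return True


class PartialStore:
    """In-memory store of interrupted pipelines keyed by an unguessable token."""
    def __init__(self) -> None:
        self._partials: Dict[str, dict] = {}

    def create(self, session: Session, backend: str, via_link: bool) -> str:
        token = secrets.token_urlsafe(32)
        self._partials[token] = {"backend": backend, "owner_sid": session.sid,
                                 "via_link": via_link}
        return token

    def resume(self, session: Session, token: str, method: str,
               confirmed: bool = False) -> dict:
        partial = self._partials.get(token)
        if partial is None:
            raise LoginCsrfError("unknown or already-used partial token")
        is_owner = session.sid == partial["owner_sid"]
        # Link-style partials always need confirmation, even from the owner
        # (a mail prefetcher or link scanner must not finish the login);
        # a foreign session is an external resume and needs it too.
        if partial["via_link"] or not is_owner:
            if method != "POST" or not confirmed:
                raise ConfirmationRequired("confirm via POST; GET must not consume")
        del self._partials[token]  # single use
        return {"backend": partial["backend"], "external": not is_owner}


def demo() -> List[str]:
    """Run the constructed scenarios and return labelled outcomes."""
    out: List[str] = []
    victim = Session()
    out.append("callback-ok" if verify_callback(victim, begin_external_flow(victim)) else "?")
    idle = Session()  # never started a flow; attacker plants a callback URL
    try:
        verify_callback(idle, "attacker-chosen-state")
        out.append("forged-accepted")
    except LoginCsrfError:
        out.append("forged-rejected")
    store, owner, stranger = PartialStore(), Session(), Session()
    tok = store.create(owner, "email-validation", via_link=True)
    for who, label in ((owner, "get"), (stranger, "stranger-get")):
        try:
            store.resume(who, tok, "GET")
            out.append(label + "-consumed")
        except ConfirmationRequired:
            out.append(label + "-needs-confirm")
    r = store.resume(owner, tok, "POST", confirmed=True)
    out.append("confirmed-external" if r["external"] else "confirmed-same-session")
    try:
        store.resume(owner, tok, "POST", confirmed=True)
        out.append("replayed")
    except LoginCsrfError:
        out.append("replay-rejected")
    step = store.create(owner, "user-details-form", via_link=False)
    out.append("owner-silent" if not store.resume(owner, step, "GET")["external"] else "?")
    return out


if __name__ == "__main__":
    print(demo())
```

The shape to carry over when reviewing an upgrade like this one: the nonce and the partial token are only useful if they are compared against state held server-side for the requesting session, the comparison is constant-time and single-use, and a GET is treated as something any crawler, mail client or attacker-controlled page can issue, so it may render a confirmation form but must never change authentication state.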