Skip to content

fix(deps): update dependency social-auth-app-django to v5.6.0 [security] #3005

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency social-auth-app-django to v5.6.0 [security] #3005

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 9, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
social-auth-app-django (changelog) 5.4.3 -> 5.6.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-61783

Impact

Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.

Patches

Workarounds

Review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Release Notes

python-social-auth/social-app-django (social-auth-app-django)

v5.6.0

Compare Source

Changed
  • Fixed possibly unsafe account association (CVE-2025-61783)
  • Storage now filters for active users, you might need to customize SOCIAL_AUTH_ACTIVE_USERS_FILTER if your custom model does not have the is_active field
Added
  • Django 6.0 and Python 3.14 compatibility
  • Type annotations
  • LoginRequiredMiddleware compatibility
  • RAISE_EXCEPTIONS and LOGIN_ERROR_URL can be configured per backend

v5.5.1

Compare Source

Changed
  • Fixed authentication with OpenID based services

v5.5.0

Compare Source

Changed
  • Dropped support for older Django versions.
  • Added non-empty constraind on uid.
  • Added support for session restore with stricter SameSite cookie policy.

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch 12 times, most recently from affbd0d to 0fb21b3 Compare October 16, 2025 20:45
@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch 16 times, most recently from 7b033d4 to 3c21b16 Compare October 23, 2025 18:53
@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch 15 times, most recently from efdfaa8 to f69d991 Compare November 23, 2025 22:17
@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch 9 times, most recently from 49393fd to a2c3da1 Compare December 1, 2025 16:16
@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch 4 times, most recently from 04698f6 to f0f89a6 Compare December 2, 2025 16:55
@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch from f0f89a6 to 5b8f42a Compare December 2, 2025 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant