Skip to content

chore(deps): update dependency social-auth-app-django to v5.6.0 [security] #3728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency social-auth-app-django to v5.6.0 [security] #3728

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 17, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
social-auth-app-django (changelog) 5.4.35.6.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-61783

Impact

Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.

Patches

Workarounds

Review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Release Notes

python-social-auth/social-app-django (social-auth-app-django)

v5.6.0

Compare Source

Changed
  • Fixed possibly unsafe account association (CVE-2025-61783)
  • Storage now filters for active users, you might need to customize SOCIAL_AUTH_ACTIVE_USERS_FILTER if your custom model does not have the is_active field
Added
  • Django 6.0 and Python 3.14 compatibility
  • Type annotations
  • LoginRequiredMiddleware compatibility
  • RAISE_EXCEPTIONS and LOGIN_ERROR_URL can be configured per backend

v5.5.1

Compare Source

Changed
  • Fixed authentication with OpenID based services

v5.5.0

Compare Source

Changed
  • Dropped support for older Django versions.
  • Added non-empty constraind on uid.
  • Added support for session restore with stricter SameSite cookie policy.

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch from 6190bb4 to 9859031 Compare December 18, 2025 00:51
@renovate renovate bot force-pushed the renovate/pypi-social-auth-app-django-vulnerability branch from 9859031 to b48d71f Compare December 18, 2025 14:57
@asajjad2 asajjad2 self-assigned this Dec 23, 2025
@pdpinch
Copy link
Member

pdpinch commented Dec 26, 2025

Will this PR require a migration?

@asajjad2
Copy link
Contributor

asajjad2 commented Jan 14, 2026

@pdpinch yes, there are a few django migrations that are added in this change http://github.com/python-social-auth/social-app-django/compare/5.4.3...5.7.0. Should I proceed with this?

@pdpinch
Copy link
Member

pdpinch commented Jan 15, 2026

How many rows do you think this will affect in RC and in production? How long do you think it might take to run? Can the migration be reverted if we need to?

After some recent changes we made, I don't expect the migration to be blocking while it's running. What do you think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@asajjad2 asajjad2

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pdpinch @asajjad2