Skip to content

chore(deps): update dependency social-auth-app-django to v5.6.0 [security] #5580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

chore(deps): update dependency social-auth-app-django to v5.6.0 [security] #5580

wants to merge 1 commit into from

Conversation

renovate-sh-app[bot]
Copy link

This PR contains the following updates:

Package Change Age Confidence
social-auth-app-django (changelog) ==5.4.1 -> ==5.6.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-61783

Impact

Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.

Patches

Workarounds

Review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Python Social Auth - Django has unsafe account association

CVE-2025-61783 / GHSA-wv4w-6qv2-qqfg

More information

Details

Impact

Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses.

Patches
Workarounds

Review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

python-social-auth/social-app-django (social-auth-app-django)

v5.6.0

Compare Source

Changed
  • Fixed possibly unsafe account association (CVE-2025-61783)
  • Storage now filters for active users
Added
  • Django 6.0 and Python 3.14 compatibility
  • Type annotations
  • LoginRequiredMiddleware compatibility
  • RAISE_EXCEPTIONS and LOGIN_ERROR_URL can be configured per backend

v5.5.1

Compare Source

Changed
  • Fixed authentication with OpenID based services

v5.5.0

Compare Source

Changed
  • Dropped support for older Django versions.
  • Added non-empty constraind on uid.
  • Added support for session restore with stricter SameSite cookie policy.

v5.4.3

Compare Source

Changed
  • Tested with recent Django and Python
  • Modernized build system
  • Fixed rollback of migrations

v5.4.2

Compare Source

Changed
  • Fixed UserSocialAuth creation by allowing JSONField to be blank
  • Fixed the assumption that UID can only be an integer (#​571)
  • Fixed revert of migration 0013_migrate_extra_data.py

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@renovate-sh-app
chore(deps): update dependency social-auth-app-django to v5.6.0 [secu…
7656dbb 
…rity]

| datasource | package                | from  | to    |
| ---------- | ---------------------- | ----- | ----- |
| pypi       | social-auth-app-django | 5.4.1 | 5.6.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot requested a review from a team as a code owner October 17, 2025 09:15
@renovate-sh-app renovate-sh-app bot enabled auto-merge October 17, 2025 09:15
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matiasb matiasb Awaiting requested review from matiasb matiasb is a code owner automatically assigned from grafana/grafana-irm-backend

@willgallego-grafana willgallego-grafana Awaiting requested review from willgallego-grafana willgallego-grafana is a code owner automatically assigned from grafana/grafana-irm-backend

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automerge-security-update severity:MEDIUM

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CLAassistant