
chore(deps): bump social-auth-core from 4.8.7 to 4.9.1#14824

Open
dependabot[bot] wants to merge 1 commit into dev from dependabot/pip/dev/social-auth-core-4.9.1

Conversation


dependabot[bot] commented on behalf of github May 6, 2026

Bumps social-auth-core from 4.8.7 to 4.9.1.

Release notes

Sourced from social-auth-core's releases.

4.9.1

Changed

  • GitHub backend now handles scoped email fetching deterministically.

Fixed

  • OpenID Connect missing token handling.
  • Microsoft refresh token and expiry handling.
  • Partial pipeline handling for Django QueryDict values.

4.9.0

This release might contain breaking changes. Review the removed backends and stricter OAuth, OpenID Connect, and Azure AD validation before upgrading.

Added

  • OpenID Connect claim names for email, first name, last name, and full name can now be configured.
  • GitHub backend now stores fetched emails in pipeline data.

Changed

  • Azure AD backends now use OpenID configuration and JWKS for token validation.
  • Built-in provider URLs now consistently use HTTPS.
  • AUTH_EXTRA_ARGUMENTS values are no longer overridden by request data unless the key is listed in AUTH_EXTRA_ARGUMENTS_OVERRIDE_ALLOWLIST.
  • Requests now fall back to a default timeout when no timeout is configured.
  • Improved the publishing workflow.

Removed

  • Removed obsolete Rdio, Shimmering, and ThisIsMyJam backends.
  • Removed legacy OAuth1 backends for Douban and Mendeley.

Security

  • Apple ID backend now validates the ID token issuer.
  • Azure AD backends now validate ID token signatures, issuer, audience, tenant, and policy claims. Tokens accepted by earlier versions might now be rejected.
  • OpenID Connect backends now reject UserInfo responses whose sub does not match the validated ID token subject.

Changelog

Sourced from social-auth-core's changelog.

4.9.1 - 2026-04-30

Changed

  • GitHub backend now handles scoped email fetching deterministically.

Fixed

  • OpenID Connect missing token handling.
  • Microsoft refresh token and expiry handling.
  • Partial pipeline handling for Django QueryDict values.

4.9.0 - 2026-04-29

This release might contain breaking changes. Review the removed backends and stricter OAuth, OpenID Connect, and Azure AD validation before upgrading.

Added

  • OpenID Connect claim names for email, first name, last name, and full name can now be configured.
  • GitHub backend now stores fetched emails in pipeline data.

Changed

  • Azure AD backends now use OpenID configuration and JWKS for token validation.
  • Built-in provider URLs now consistently use HTTPS.
  • AUTH_EXTRA_ARGUMENTS values are no longer overridden by request data unless the key is listed in AUTH_EXTRA_ARGUMENTS_OVERRIDE_ALLOWLIST.
  • Requests now fall back to a default timeout when no timeout is configured.
  • Improved the publishing workflow.

Removed

  • Removed obsolete Rdio, Shimmering, and ThisIsMyJam backends.
  • Removed legacy OAuth1 backends for Douban and Mendeley.

Security

  • Apple ID backend now validates the ID token issuer.
  • Azure AD backends now validate ID token signatures, issuer, audience, tenant, and policy claims. Tokens accepted by earlier versions might now be rejected.
  • OpenID Connect backends now reject UserInfo responses whose sub does not match the validated ID token subject.

Commits
  • 94457d9 chore: release 4.9.1
  • 134a325 fix(oidc): validate that tokens are present before using
  • 82ca62b fix(microsoft): properly use refresh tokens and expiry
  • 905e21f feat(github): improve GitHub mails handling (#1711)
  • a492858 fix(utils): better handle multi value dict
  • ec9da89 feat(github): fetch user emails always with email scope
  • a42a7a9 chore: release 4.9.0
  • 704c977 chore(deps): update actions/download-artifact action to v8 (#1708)
  • c0821c7 feat(ci): improve publishing workflow
  • 653fab9 chore: fix typo (#1706)
  • Additional commits viewable in compare view
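The 4.9.0 security notes quoted above describe two checks in words: rejecting a UserInfo response whose sub does not match the validated ID token subject, and letting request data override an AUTH_EXTRA_ARGUMENTS key only when that key is allowlisted. The block below is an added example, not social-auth-core's own code, showing the shape of both checks against constructed inputs; the function names, the exception type and the rule that request keys not present in the configured settings are ignored are assumptions for illustration.

```python
# Added example, not social-auth-core's own code: the two 4.9.0 checks
# described in the release notes, run against constructed inputs. Function
# names and the merge rule for keys that are not allowlisted are assumptions.

class SubjectMismatch(Exception):
    """Raised when UserInfo 'sub' does not match the validated ID token 'sub'."""


def check_userinfo_subject(id_token_claims: dict, userinfo: dict) -> dict:
    """Return `userinfo` only if its 'sub' equals the ID token's 'sub'.

    The ID token is the signed statement about who logged in; the UserInfo
    response is a separate HTTP body. Linking a UserInfo profile whose 'sub'
    differs from the ID token's would attach the wrong identity to the login.
    """
    id_sub = id_token_claims.get("sub")
    if not isinstance(id_sub, str) or not id_sub:
        raise SubjectMismatch("validated ID token carries no usable 'sub'")
    userinfo_sub = userinfo.get("sub")
    if userinfo_sub != id_sub:
        raise SubjectMismatch(
            f"UserInfo sub {userinfo_sub!r} != ID token sub {id_sub!r}"
        )
    return userinfo


def merge_extra_arguments(configured: dict, request_data: dict,
                          override_allowlist: frozenset) -> dict:
    """Build the extra query parameters sent to the provider.

    Configured values win by default. A value from the request (for example
    ?prompt=none&hd=attacker.example) replaces a configured one only when the
    key is in the override allowlist. Request keys that are not configured at
    all are ignored (assumption: only configured keys are ever considered).
    """
    merged = {}
    for key, default in configured.items():
        if key in override_allowlist and key in request_data:
            merged[key] = request_data[key]
        else:
            merged[key] = default
    return merged


def run_examples() -> dict:
    """Exercise both checks on constructed data and return the outcomes."""
    # Constructed sample: ID token subject plus a matching and a mismatching UserInfo.
    id_claims = {"iss": "https://issuer.example", "sub": "user-123", "aud": "client-1"}
    good_userinfo = {"sub": "user-123", "email": "alice@example.com"}
    bad_userinfo = {"sub": "user-999", "email": "mallory@example.com"}

    accepted = check_userinfo_subject(id_claims, good_userinfo)["email"]
    try:
        check_userinfo_subject(id_claims, bad_userinfo)
        rejected = False
    except SubjectMismatch:
        rejected = True

    # Constructed settings and request: only 'prompt' may be overridden by the request.
    configured = {"hd": "corp.example", "prompt": "select_account", "access_type": "offline"}
    request_data = {"hd": "attacker.example", "prompt": "none", "scope": "admin"}
    merged = merge_extra_arguments(configured, request_data, frozenset({"prompt"}))

    return {"accepted_email": accepted, "mismatch_rejected": rejected, "merged": merged}


if __name__ == "__main__":
    print(run_examples())
```

In the constructed run the attacker-supplied `hd` is dropped because it is not allowlisted, the unconfigured `scope` never reaches the provider, and only `prompt` is taken from the request; the mismatching UserInfo is rejected before any account linking happens.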

dependabot[bot] added the dependencies and python labels May 6, 2026
dependabot[bot] requested review from Maffooch and mtesauro as code owners May 6, 2026 08:03

mtesauro commented May 6, 2026

Looks like this won't be straightforward:

#11 17.42 INFO: pip is looking at multiple versions of social-auth-app-django to determine which version is compatible with other requirements. This could take a while.
#11 17.43 ERROR: Cannot install -r ./requirements.txt (line 44) and social-auth-core==4.9.1 because these package versions have conflicting dependencies.
#11 17.43 
#11 17.43 The conflict is caused by:
#11 17.43     The user requested social-auth-core==4.9.1
#11 17.43     social-auth-app-django 5.8.0 depends on social-auth-core~=4.8.3
#11 17.43 
#11 17.43 Additionally, some packages in these conflicts have no matching distributions available for your environment:
#11 17.43     social-auth-core
#11 17.43 
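The resolver error above comes down to one pin: social-auth-app-django 5.8.0 declares social-auth-core~=4.8.3, and a PEP 440 compatible-release specifier of that shape means ">=4.8.3, ==4.8.*", so no 4.9.x release can satisfy it. The block below is an added example, not pip's or social-core's code: a hand-rolled evaluator for "~=" pins on plain dotted versions (no pre-release, post-release or epoch handling; pip uses the packaging library for the real thing), with a constructed pin table modelled on the error.

```python
# Added example, not pip's or social-core's code: evaluate PEP 440 "~="
# (compatible release) pins on plain X.Y.Z versions to show why
# social-auth-core~=4.8.3 rejects 4.9.1. Pre-release, post-release and
# epoch syntax are deliberately not handled.

def _parts(version: str) -> list:
    """Split '4.8.3' into [4, 8, 3]; raises on non-numeric components."""
    return [int(p) for p in version.strip().split(".")]


def compatible_release_allows(spec: str, candidate: str) -> bool:
    """'~=X.Y.Z' means '>=X.Y.Z, ==X.Y.*': only the last given component may grow."""
    if not spec.startswith("~="):
        raise ValueError("only '~=' specifiers are handled here")
    base = _parts(spec[2:])
    if len(base) < 2:
        raise ValueError("'~=' needs at least two version components")
    cand = _parts(candidate)
    width = max(len(base), len(cand))
    base_padded = base + [0] * (width - len(base))
    cand_padded = cand + [0] * (width - len(cand))
    prefix = base[:-1]
    return cand_padded >= base_padded and cand_padded[: len(prefix)] == prefix


def conflicting_pins(candidate: str, pins: dict) -> dict:
    """Return {dependant: spec} for every pin in `pins` that rejects `candidate`."""
    return {who: spec for who, spec in pins.items()
            if not compatible_release_allows(spec, candidate)}


# Constructed pin table modelled on the pip error in the comment above.
PINS = {"social-auth-app-django 5.8.0": "~=4.8.3"}

if __name__ == "__main__":
    for version in ("4.8.7", "4.8.12", "4.9.1"):
        print(version, conflicting_pins(version, PINS) or "ok")
```

Running this before opening a bump PR for a library that another installed package pins with "~=" tells you whether the bump can resolve at all, or whether the dependant (here social-auth-app-django) has to move first.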


github-actions Bot commented May 7, 2026

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Bumps [social-auth-core](https://github.com/python-social-auth/social-core) from 4.8.7 to 4.9.1.
- [Release notes](https://github.com/python-social-auth/social-core/releases)
- [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md)
- [Commits](python-social-auth/social-core@4.8.7...4.9.1)

---
updated-dependencies:
- dependency-name: social-auth-core
  dependency-version: 4.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/pip/dev/social-auth-core-4.9.1 branch from cfdab28 to 064374a May 7, 2026 03:59

github-actions Bot commented May 7, 2026

Conflicts have been resolved. A maintainer will review the pull request shortly.


@mtesauro mtesauro left a comment

Approved
