Update dependency social-auth-app-django to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
social-auth-app-django	^4.0.0 -> ^5.0.0

GitHub Vulnerability Alerts

CVE-2024-32879

Impact

Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.

Patches

This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and fix released in 5.4.1.

Workarounds

An immediate workaround would be to change collation of the affected field:

ALTER TABLE `social_auth_usersocialauth` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;

References

This issue was discovered by folks at https://opencraft.com/.

---

Release Notes

python-social-auth/social-app-django (social-auth-app-django)

v5.4.1

Compare Source

Changed

• Added reverse migration for JSON field
• Fixed improper handling of case sensitivity with MySQL/MariaDB (CVE-2024-32879)

v5.4.0

Compare Source

Changed

• Improved JSON field migration performance
• Introduce configuration to request POST only requests for social authentication
• Updated list of supported Django and Python versions

v5.3.0

Compare Source

Changed

• Uses Django native JSON field

v5.2.0

Compare Source

Changed

• Removed support for Django<3.2
• Fixed missing migration issue

v5.1.0

Compare Source

Changed

• Compatibility with recent Django and Python versions
• Coding style improvements
• Improved error handling in SocialAuthExceptionMiddleware

v5.0.0

Compare Source

Changed

• Removed compat shims for obsolete Django versions
• Switch from deprecated django.conf.urls.url to django.urls.path
• Use query .exists() instead of .count() > 0
• Added testing for Django 3.0
• Drop support for Python 2
• Django generic JSONField support, details documented here
• Django 3.2+ compatibility
• Use _default_manager instead of objects

---

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Updating dependencies
Resolving dependencies...


Because mitol-django-authentication (1.6.0) depends on djoser (2.1.0)
 and djoser (2.1.0) depends on social-auth-app-django (>=4.0.0,<5.0.0), mitol-django-authentication (1.6.0) requires social-auth-app-django (>=4.0.0,<5.0.0).
So, because mitx online depends on both mitol-django-authentication (1.6.0) and social-auth-app-django (^5.0.0), version solving failed.