
Update social-auth-core requirement from >=3.3.0 to >=5.0.2 #153

Open: dependabot[bot] wants to merge 1 commit into master from dependabot/pip/social-auth-core-gte-5.0.2


Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 29, 2026

Updates the requirements on social-auth-core to permit the latest version.

Release notes

Sourced from social-auth-core's releases.

5.0.2

Security

  • LINE backend now validates callback state before exchanging authorization codes, preventing login CSRF.
  • Shopify backend now sends and validates OAuth state, preventing login CSRF.

Changed

  • Updated development dependencies and CI actions.

Fixed

  • Updated the Google OAuth documentation link.

Changelog

Sourced from social-auth-core's changelog.

5.0.2 - 2026-06-26

Security

  • LINE backend now validates callback state before exchanging authorization codes, preventing login CSRF.
  • Shopify backend now sends and validates OAuth state, preventing login CSRF.

Changed

  • Updated development dependencies and CI actions.

Fixed

  • Updated the Google OAuth documentation link.

5.0.1 - 2026-06-24

Security

  • Externally resumable partial request links now require confirmation even in the browser session that created the partial, preventing validation links from being consumed by a plain GET.

5.0.0 - 2026-06-23

Security

  • LoginRadius backend now validates callback state to prevent login CSRF.
  • Odnoklassniki app backend now ignores untrusted callback API hosts and validates returned user details.
  • Partial pipeline resume now requires session ownership or explicit external resume confirmation to prevent login CSRF.
  • SAML responses are now validated against the original AuthnRequest when possible.
  • Twilio backend now preserves HTTPS callback URLs and validates callback state to prevent login CSRF.

Fixed

  • Auth0 OpenID Connect configuration now uses the correct base URLs.
  • Authentication now handles invalid email addresses without crashing.
  • Vend OAuth user IDs are now scoped by shop.
  • VK app authentication now requires an auth key.

Removed

  • Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef, Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users (gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist.

... (truncated)

Commits
  • 4101a75 chore: release 5.0.2
  • a848692 fix(shopify): validate oauth state
  • 0db0e72 fix: update Google documentation link
  • 5b3b90d fix(line): validate oauth state on callback
  • 841e936 fix(deps): update dependency ty to v0.0.54 (#1828)
  • 7a9a8d0 chore(deps): update pre-commit hook astral-sh/ruff-pre-commit to v0.15.20 (#1...
  • cb2cdb5 fix(deps): update dependency pyright to v1.1.411 (#1826)
  • e92d66c fix(deps): update dependency ty to v0.0.53 (#1825)
  • c1bc9df chore(deps): update actions/setup-python action to v6.3.0 (#1824)
  • 8c3cd96 chore(deps): update pre-commit hook astral-sh/ruff-pre-commit to v0.15.19 (#1...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [social-auth-core](https://github.com/python-social-auth/social-core) to permit the latest version.
- [Release notes](https://github.com/python-social-auth/social-core/releases)
- [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md)
- [Commits](python-social-auth/social-core@3.3.0...5.0.2)

---
updated-dependencies:
- dependency-name: social-auth-core
  dependency-version: 5.0.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "python" (Pull requests that update python code) on Jun 29, 2026.