Subject: CVS commit: pkgsrc/www/py-django-allauth
From: Adam Ciarcinski
Date: 2025-02-04 11:18:11
Message id: 20250204101811.3F1C8FBE0@cvs.NetBSD.org
Log Message:
py-django-allauth: updated to 65.3.1
65.3.1 (2025-12-25)
*******************
Fixes
-----
- Headless: When using email verification by code, you could incorrectly
encounter a 409 when attempting to add a new email address while logged in.
- Headless: In contrast to the headed version, it was possible to remove the
last 3rd party account from a user that has no usable password. Fixed.
- Headless: The setting ``ACCOUNT_LOGIN_ON_EMAIL_CONFIRMATION`` was not respected,
and always assumed to be ``True``.
65.3.0 (2024-11-30)
*******************
Note worthy changes
-------------------
- Added support for TOTP code tolerance (see ``MFA_TOTP_TOLERANCE``).
Security notice
---------------
- Authentication by email/password was vulnerable to account enumeration by
means of a timing attack. Thanks to Julie Rymer for the report and the patch.
65.2.0 (2024-11-08)
*******************
Note worthy changes
-------------------
- OIDC: You can now configure whether or not PKCE is enabled per app by
including ``"oauth_pkce_enabled": True`` in the app settings.
- The OpenStreetMap provider is deprecated. You can set it up as an OpenID
Connect provider instead.
Fixes
-----
- A ``NoReverseMatch`` could occur when using ``ACCOUNT_LOGIN_BY_CODE_REQUIRED =
True`` while ``ACCOUNT_LOGIN_BY_CODE_ENABLED = False``, fixed.
- The ``PasswordResetDoneView`` did not behave correctly when using Django's
``LoginRequiredMiddleware``, as it was not properly marked as
``@login_not_required``.
- When verifying an email address by code, the success URL was hardcoded to the
email management view, instead of calling the
``get_email_verification_redirect_url()`` adapter method.
Security notice
---------------
- Headless: ``settings.ACCOUNT_EMAIL_VERIFICATION_BY_CODE_MAX_ATTEMPTS`` was not
enforced, fixed. Note that the related verification endpoint will return a
409 in case the maximum limit is exceeded, as at that point the pending email
verification stage is aborted.
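
The 65.3.0 security notice above concerns account enumeration through login timing. The following is an added example, not code from django-allauth or from the reported patch; it shows the general class of defect and one common mitigation (doing the same password-hashing work whether or not the account exists). The user store, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed cost for the sketch, not a recommendation
hash_calls = 0       # counts expensive KDF runs so the check needs no stopwatch

def kdf(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, kdf(password, salt)

# Constructed sample user store: email -> (salt, derived key)
USERS = {"alice@example.org": make_record("correct horse")}
# Throwaway record that unknown emails are hashed against
DUMMY = make_record(os.urandom(16).hex())

def login_leaky(email: str, password: str) -> bool:
    """'Before' shape: unknown emails return without running the KDF."""
    record = USERS.get(email)
    if record is None:
        return False  # fast path: response time reveals the account is absent
    salt, expected = record
    return hmac.compare_digest(kdf(password, salt), expected)

def login_equalized(email: str, password: str) -> bool:
    """Runs exactly one KDF and one constant-time compare on every path."""
    record = USERS.get(email)
    salt, expected = record if record is not None else DUMMY
    ok = hmac.compare_digest(kdf(password, salt), expected)
    return ok and record is not None

def kdf_runs(fn, email: str, password: str) -> tuple[bool, int]:
    """Return (login result, number of KDF runs the call performed)."""
    before = hash_calls
    result = fn(email, password)
    return result, hash_calls - before
```

Counting KDF runs stands in for wall-clock measurement: a path that skips the hash is the one that answers measurably faster.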
Files: