Consequent upon this django-allauth issue and the previous issue with psycopg2, how likely is it that new MM3 installations will suffer the effects? I am asking because I am doing my tests on a relatively vanilla system and just following the official documentation without any deviations.
The allauth issue will happen until the allauth package is patched. Mark's patch was merged yesterday, so I suspect a new release will be imminent.
I've noticed the django-allauth ecosystem seems to be somewhat prone to breaking changes. I'm sure this discussion has happened before, but it may be worth pinning "known good" dependency versions for django-mailman -- either in the project, or in your documentation. It's definitely a headache for me since I rebuild my mailman container roughly weekly, and always need to allow time for functional testing or rollback to my last image.
There's not really a right answer here; either dependency versions are left open and the end user gets security updates for dependencies on their own schedule, or the Mailman maintainers have to monitor for security updates in the dependency tree and push a new mailman release. (This can also help ameliorate supply-chain attacks where an unverified update ends up in PyPI, but I'm not sure that's a realistic threat model for us.) I'm sure this is something the maintainers have considered in the past.
--Jered
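The trade-off Jered describes (open versions vs. a maintained "known good" lock) can be enforced mechanically in a container build. The following is an added example, not code from the Mailman project or from anyone in this thread: it parses a pip requirements file in hash-checking format, rejects anything that is not pinned with `==` and a `--hash` (the format `pip install --require-hashes` demands), and reports drift between the pinned versions and what is installed. The package names come from the thread; the versions and hashes are constructed placeholders, and the `installed` mapping is an assumption injected for testing rather than read from a real environment.

```python
"""Gate a pip requirements/constraints file on strict pinning.

Added example, not Mailman project code. Every dependency must be pinned
with '==' and carry at least one --hash so that
`pip install --require-hashes -r requirements.txt` refuses anything that
differs from the audited build, including an unexpected upload to PyPI.
"""
import re
from importlib import metadata

# Constructed sample of a "known good" lock. Project names are taken from the
# thread; the versions and sha256 digests are placeholders, not real releases.
PINNED_REQUIREMENTS = """\
django-allauth==0.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
psycopg2==0.0.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000003
"""

# Constructed sample of the "open" style that takes whatever PyPI has today.
OPEN_REQUIREMENTS = """\
# comment line
django-allauth>=0.50
psycopg2
"""

# name, optionally followed by a version specifier such as ==1.2 or >=0.50
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>(==|>=|<=|~=|!=|<|>)[^\s;]+)?"
)


def _normalize(name):
    """PyPI treats names case-insensitively and '_' like '-'."""
    return name.lower().replace("_", "-")


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text):
    """Return one dict per requirement: name, version (None unless '=='), hashes."""
    reqs = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # -r/-c/--index-url style options: not a package
            continue
        head, *opts = line.split()
        m = REQ_RE.match(head)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        spec = m.group("spec") or ""
        version = spec[2:] if spec.startswith("==") else None
        hashes = [o[len("--hash="):] for o in opts if o.startswith("--hash=")]
        reqs.append({"name": _normalize(m.group("name")),
                     "version": version, "hashes": hashes})
    return reqs


def check_pins(text):
    """Return human-readable violations; an empty list means the file is a strict lock."""
    problems = []
    for r in parse_requirements(text):
        if r["version"] is None:
            problems.append(f"{r['name']}: not pinned with '=='")
        if not r["hashes"]:
            problems.append(f"{r['name']}: no --hash, so --require-hashes would reject it")
    return problems


def version_drift(text, installed=None):
    """Map each pinned name whose installed version differs to (pinned, installed).

    `installed` maps normalized name -> version. By default it is read from
    importlib.metadata, i.e. the live environment the check runs in; a
    mapping can be passed instead (used by the test below).
    """
    if installed is None:
        installed = {}
        for dist in metadata.distributions():
            name = dist.metadata["Name"]
            if name:
                installed[_normalize(name)] = dist.version
    drift = {}
    for r in parse_requirements(text):
        if r["version"] is None:
            continue
        have = installed.get(r["name"])
        if have != r["version"]:
            drift[r["name"]] = (r["version"], have)
    return drift


if __name__ == "__main__":
    for label, text in (("pinned", PINNED_REQUIREMENTS), ("open", OPEN_REQUIREMENTS)):
        probs = check_pins(text)
        print(f"{label}: {'OK' if not probs else 'REJECT'}")
        for p in probs:
            print("  -", p)
```

Run as a step before `pip install` in the container build: a non-empty result from `check_pins` fails the build, and `version_drift` run after installation (with the default live lookup) confirms the image actually contains the audited versions before it is tagged.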