📦 release: v3.8.0

Samk13 · web-flow · commit b6880a03d68b · 2025-10-17T11:59:05.000+02:00
* feat: add pluggable password validation
* i18n: pulled translations
* fix: pin bcrypt for failing tests
diff --git a/CHANGES b/CHANGES
@@ -4,6 +4,17 @@ Flask-Security-Invenio Changelog
 Here you can see the full list of changes between each Flask-Security-Invenio
 release.
 
+Version 3.8.0
+-------------
+
+Released October 17th 2025
+
+- feat: add pluggable password validation
+- i18n: pulled translations
+- fix: pin bcrypt<5.0.0 due to incompatibility with passlib. bcrypt 5.0.0+
+  enforces 72-byte password limit before hashing, breaking passlib's bcrypt
+  backend initialization which tests with 255-byte passwords.
+
 Version 3.7.0
 -------------
 
diff --git a/flask_security/__init__.py b/flask_security/__init__.py
@@ -58,7 +58,7 @@
     url_for_security,
 )
 
-__version__ = "3.7.0"
+__version__ = "3.8.0"
 __all__ = (
     "AnonymousUser",
     "auth_required",
diff --git a/setup.cfg b/setup.cfg
@@ -33,6 +33,12 @@ install_requires =
 
 [options.extras_require]
 tests =
+    # bcrypt 5.0.0+ introduced stricter validation that requires passwords to be
+    # <= 72 bytes before hashing. This breaks passlib's bcrypt backend initialization
+    # which tests compatibility by attempting to verify a 255-byte password.
+    # Error: "ValueError: password cannot be longer than 72 bytes, truncate manually"
+    # See: https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst (5.0.0 release notes)
+    # Passlib needs to be updated to handle this, or we need to migrate away from passlib.
     bcrypt>=3.1.0,<5.0.0
     check-manifest>=0.42
     coverage>=5.3,<6
