Conversation

@dependabot dependabot bot commented on behalf of github Nov 14, 2025

Bumps flask-security-too from 5.6.2 to 5.7.0.

Changelog

Sourced from flask-security-too's changelog.

Version 5.7.0

Released November 14, 2025

This release contains a set of small backward incompatible changes. Please read these notes carefully.

Features & Improvements

  • (PR #1132) Add Arabic translations (samialfattani)
  • (issue #1123) Enable forgot-password workflow for authenticated users.

Fixes

  • (PR #1115) Fix broken link in docs and improve docstrings/typing for util classes.
  • (issue #1127) Add nonce to script tags if configured to support nonce-based Content-Security-Policy (ahanak).
  • (issue #1133) Remove unnecessary (optional) dependency on sqlalchemy_utils.
  • (PR #1140) Fix localization of tf_select choices.
  • (PR #1143) Support bcrypt 5.0 - See below for important compatibility concerns. This also replaces passlib with libpass for all versions.

Docs and Chores

  • (PR #1144) Update ES and IT translations (gissimo)
  • (PR #1106) Drop support for Python 3.9. This removes the dependency on importlib_resources, updates pypy to 3.10, and uses 3.12 as base python for tests/tox.
  • (PR #1112) Flip SECURITY_USE_REGISTER_V2 default to True.
  • (PR #1117) Flip default mail package back to Flask-Mail (from Flask-Mailman).
  • (issue #1139) Change external facing terminology from 'WebAuthn Credential' to 'passkey'.
  • (PR #1142) Setting of xx_util_cls from kwargs which was deprecated in 5.6.1 has been removed. The BACKWARDS_COMPAT_UNAUTHN option (code) which has been deprecated since 5.4 has been removed.

Backwards Compatibility Concerns

  • Flask-Security now depends on libpass (https://pypi.org/project/libpass/) for all versions. Be sure to UNINSTALL passlib, ensure the passlib directory is empty and then install libpass - we have seen reports when both are installed - it doesn't work!

    In bcrypt 5.0 they started throwing a ValueError for passwords/secrets longer than 72 bytes. It is important to know that by default Flask-Security performs a double hash - taking the secret, using HMAC(SHA512) then b64encoding the result. This means that ANY password will be longer than 72 bytes (86 to be exact). In the past bcrypt would silently truncate the input - now we have to do that explicitly. OWASP says truncation concerns are negligible: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#input-limits-of-bcrypt

  • The default RegisterForm is now the new RegisterFormV2 - Please read the register_form_migration section of the docs. Flask-Security will emit a DeprecationWarning if SECURITY_USE_REGISTER_V2 is set to False.

  • In 5.0 we changed the default mailer package to Flask-Mailman since Flask-Mail was no longer supported. Flask-Mail is again supported and is part of Pallets-Eco. Both packages are still supported based on which one an application initializes. The only backwards compatibility concern is that if you use the setup extras 'common', it will install Flask-Mail rather than Flask-Mailman.

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
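Added example (editor's illustration of the bcrypt 5.0 compatibility note quoted above; it is not code from the Dependabot PR or from Flask-Security itself): it reproduces the double-hash step the changelog describes (HMAC-SHA512 of the password, base64-encoded), shows that the result is longer than 72 bytes for every password, mimics the length check that bcrypt 5.0 enforces, and applies the explicit 72-byte truncation that older bcrypt versions performed silently. The HMAC key, the sample passwords and the stripping of base64 '=' padding (which yields the 86-character length the changelog quotes) are assumptions made for the example, not details taken from Flask-Security's source.

```python
import base64
import hashlib
import hmac

# bcrypt 5.0 raises ValueError for inputs longer than this instead of truncating.
BCRYPT_MAX_BYTES = 72


def double_hash(password: str, hmac_key: bytes) -> bytes:
    """Pre-hash in the style the changelog describes: HMAC-SHA512 of the
    password under a server-side key, then base64.

    Assumption (not verified against Flask-Security's source): the two '='
    padding characters are stripped. A 64-byte SHA-512 digest base64-encodes
    to 88 characters with padding, 86 without, matching the changelog.
    """
    digest = hmac.new(hmac_key, password.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(digest).rstrip(b"=")


def rejected_by_bcrypt5(secret: bytes) -> bool:
    """Mimic the length check bcrypt 5.0 performs: True if bcrypt would raise."""
    return len(secret) > BCRYPT_MAX_BYTES


def bcrypt_input(pre_hashed: bytes, truncate: bool) -> bytes:
    """Return the bytes that would be handed to bcrypt.

    truncate=False reproduces the failure mode: every double-hashed password
    is 86 bytes, so a bcrypt-5.0-style check raises. truncate=True cuts the
    input to 72 bytes explicitly, which bcrypt < 5.0 used to do silently.
    """
    if truncate:
        pre_hashed = pre_hashed[:BCRYPT_MAX_BYTES]
    if rejected_by_bcrypt5(pre_hashed):
        raise ValueError(
            f"{len(pre_hashed)}-byte secret exceeds bcrypt's {BCRYPT_MAX_BYTES}-byte limit"
        )
    return pre_hashed


def retained_bits(truncated: bytes) -> int:
    """Bits of HMAC output that survive truncation: each base64 char carries 6."""
    return len(truncated) * 6


if __name__ == "__main__":
    # Constructed sample key and passwords for the demo; not real credentials.
    key = b"constructed-demo-hmac-key"
    for pw in ("hunter2", "x" * 500):
        pre = double_hash(pw, key)
        print(f"{pw[:12]!r:16} pre-hash length={len(pre)} bcrypt5 rejects={rejected_by_bcrypt5(pre)}")
        try:
            bcrypt_input(pre, truncate=False)
        except ValueError as exc:
            print("  without explicit truncation:", exc)
        trunc = bcrypt_input(pre, truncate=True)
        print(f"  with explicit truncation: {len(trunc)} bytes, "
              f"{retained_bits(trunc)} bits of HMAC output retained")
```

Two practical points follow from running it. First, because bcrypt before 5.0 used only the first 72 bytes anyway, truncating explicitly to the same 72 bytes feeds bcrypt the same input as before, so hashes stored under the old library still verify after the upgrade. Second, the 72 retained base64 characters still carry 432 bits of the 512-bit HMAC output, which is why the truncation is a negligible concern here, in line with the OWASP note the changelog links.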

Bumps [flask-security-too](https://github.com/pallets-eco/flask-security) from 5.6.2 to 5.7.0.
- [Release notes](https://github.com/pallets-eco/flask-security/releases)
- [Changelog](https://github.com/pallets-eco/flask-security/blob/main/CHANGES.rst)
- [Commits](pallets-eco/flask-security@5.6.2...5.7.0)

---
updated-dependencies:
- dependency-name: flask-security-too
  dependency-version: 5.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 14, 2025
@donbarbos donbarbos merged commit bc2f510 into main Nov 14, 2025
8 of 9 checks passed
@donbarbos donbarbos deleted the dependabot/uv/flask-security-too-5.7.0 branch November 14, 2025 02:20