Skip to content

Update dependency gohugoio/hugo to v0.163.3#277

Merged
jupblb merged 1 commit into
mainfrom
renovate/gohugoio-hugo-0.x
Jul 2, 2026
Merged

Update dependency gohugoio/hugo to v0.163.3#277
jupblb merged 1 commit into
mainfrom
renovate/gohugoio-hugo-0.x

Conversation

@renovate

@renovate renovate Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
gohugoio/hugo minor v0.143.1v0.163.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

gohugoio/hugo (gohugoio/hugo)

v0.163.3

Compare Source

What's Changed

v0.163.2

Compare Source

What's Changed

v0.163.1

Compare Source

The majority of the fixes in this release are security related (including the upstream fix in 93c8c7d (golang.org/x/image)). Thanks to @​vnth4nhnt for finding the issues fixed in a00b5c7 and cf9c8f9 (I will do the CVE work on this later). There has been a uptick in security reports lately, which doesn't mean that Hugo has gotten less secure, this is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.

What's Changed

v0.163.0

Compare Source

The main topic in this release is improvements to the AVIF image handling that we introduced in v0.162.0. See the docs for details, but:

  • We have turned down the default quality for AVIF to 60. Turns out, JPEG/WebP with quality 75 is comparable to AVIF with quality 60. You can now also set quality per image format in your project config (and also per image processed if needed).
  • We have added a hint to the AVIF with the same values as for WEBP. For lossy compression, the photo/picture hints (and the default) encodes with YUV420 chroma subsampling instead of YUV444, keeping 444 for text/icon/drawing. This greatly reduces the memory needed to encode these images.

Improvements

Dependency Updates

v0.162.1

Compare Source

What's Changed

v0.162.0

Compare Source

The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).

Security fixes

There are some notable security fixes in this release.

Security fixes in Go

This release upgrades from Go 1.26.1 to 126.3, which brings a set of security fixes. Some relevant for Hugo are:

  • XSS in html/template (CVE-2026-39826 & CVE-2026-39823): Two separate vulnerabilities where escaper bypasses in html/template could lead to Cross-Site Scripting (XSS).
  • html/template: Fixes an issue where JS template literal contexts were incorrectly tracked across template branches, which could lead to improper content escaping.
Security fixes and hardening in Hugo

The following changes either fix a concrete issue or reduce the default attack surface of hugo builds.

  • Disallow text/html content files by default (e41a064). A new security.allowContent policy gates which content media types may be used for pages under /content. text/html is denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in with security.allowContent = ['.*'].
  • Re-check security.http.urls on every redirect hop in resources.GetRemote (86fbb0f).
  • Reject symlinked entries in resources.Get (f8b5fa0).

We will update this section later with links to CVEs where applicable.

All changes

v0.161.1

Compare Source

What's Changed

v0.161.0

Compare Source

This release contains two security hardening fixes:

  • We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
  • We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "#​000000"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "#​000000"

And in the stylesheet:

@​import "hugo:vars";
@​import "hugo:vars/dark" (prefers-color-scheme: dark);

:root {
  color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

A more flexible scheme for identifiers in filenames

What we had before was e.g. content/mypost.en.md which told Hugo that the content files was in English. With the new setup you could also name the file content/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:

Prefix Description Relevant for
language_ Language Content and layout files.
role_ Role Content and layout files.
version_ Version Content and layout files.
outputformat_ Output format Layout files.
mediatype_ Media type Layout files.
kind_ Page kind Layout files.
layout_ Layout Layout files.

All Changes

v0.160.1

Compare Source

What's Changed

v0.160.0

Compare Source

Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.

Bug fixes

Improvements

Dependency Updates

Documentation

v0.159.2

Compare Source

Note that the security fix below is not a potential threat if you either:

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

v0.159.1

Compare Source

The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

 [minify.tdewolff.svg]
      keepNamespaces = ['', 'x-bind']

What's Changed

v0.159.0

Compare Source

This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.

Note

  • Replace deprecated site.Data with hugo.Data in tests a8fca59 @​bep
  • Replace deprecated excludeFiles and includeFiles with files in tests 182b104 @​bep
  • Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d @​bep

Bug fixes

Improvements

Dependency Updates

Documentation

v0.158.0

Compare Source

This release adds css.Build, native and very fast bundling/transformation/minifying of CSS resources. Also see the new strings.ReplacePairs, a very fast option if you need to do many string replacements.

Notes

Deprecations

The methods and config options are deprecated and will be removed in a future Hugo release.

Also see this article

Language configuration
  • languageCode → Use locale instead.
  • languages.<lang>.languageCode → Use languages.<lang>.locale instead.
  • languages.<lang>.languageName → Use languages.<lang>.label instead.
  • languages.<lang>.languageDirection → Use languages.<lang>.direction instead.
Language methods
  • .Site.LanguageCode → Use .Site.Language.Locale instead.
  • .Language.LanguageCode → Use .Language.Locale instead.
  • .Language.LanguageName → Use .Language.Label instead.
  • .Language.LanguageDirection → Use .Language.Direction instead.

Bug fixes

Improvements

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • On day 1 of the month, every 3 months (* * 1 */3 *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@jupblb jupblb merged commit 04b04ff into main Jul 2, 2026
14 checks passed
@jupblb jupblb deleted the renovate/gohugoio-hugo-0.x branch July 2, 2026 08:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant