The timing of this release comes from the security fix in golang.org/x/net's html.Parse function. This is used in two places in Hugo:
- Extracting table of contents from Asciidoctor rendered output.
- Collecting HTML classes etc. when build stats is enabled
It's a little bit of a stretch to see how this could be exploited in Hugo, but we understand that many want a clean security report. See this issue for details.
What's Changed
- Print cli usage of
hugo gen chromastylesalongside css 83cec78 @diwasrimal - build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0 4e52be8 @dependabot[bot]
- config/allconfig: Fix slice of language configs 7888ac5 @jmooring #13201
- config/allconfig: Throw error when output format is not defined eb1dbe0 @jmooring #13199
- Fix same resource file published more than once 77824d7 @bep #13164
- markup/highlight: Add wrapperClass option ec0caae @bep
- Update README.md 845b888 @bep