This release is mostly motivated by some upstream security fixes:
- Upgrade from Go 1.25.1 to Go 1.25.3 which comes with 10 security fixes.
- Go's
net/htmlpackage also has one security patch
I, @bep, have inspected the above issues, and none of them seem to be relevant for Hugo, but we understand that many want to have a clean security report.
Bug fixes
- tpl: Fix strings/truncate CJK handling 88aea56 @oishikazuo #14039
- parser/pagerparser: Fix closing shortcode error handling when repeated a133393 @bep
Improvements
- Upgrade Go to 1.25.3 e2fb0b0 @bep
- create/skeletons: Wrap section and home lists with section tags 29cf874 @imomaliev
- markup/goldmark: Align blockquote default output with Goldmark 1b4dd43 @jmooring #14046
- parser/pageparser: Store shortcode names as unique.Handle[string] to save memory allocations 4414ef7 @bep
- testscripts: Make test assertion less specific 9197deb @bep
Dependency Updates
- build(deps): bump github.com/gohugoio/hashstructure from 0.5.0 to 0.6.0 f4c1157 @dependabot[bot]
- build(deps): bump golang.org/x/image from 0.30.0 to 0.32.0 54075ac @dependabot[bot]
- build(deps): bump github.com/evanw/esbuild from 0.25.10 to 0.25.11 8b52303 @dependabot[bot]
- build(deps): bump golang.org/x/tools from 0.37.0 to 0.38.0 3d45d30 @dependabot[bot]
- build(deps): bump golang.org/x/mod from 0.28.0 to 0.29.0 095157c @dependabot[bot]