gohugoio/hugo v0.161.0

on GitHub

This release contains two security hardening fixes:

• We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
• We have made the defaults in security.http.urls more restrictive.

Bug fixes

• langs/i18n: Fix translation lookup when using language variants 72b85d5 @jmooring #7982
• create: Fix non-deterministic conflict detection in hugo new content 6436deb @jmooring #12602 #12786 #14112 #14769
• commands: Fix environment isolation for configuration settings 1eea9fb @jmooring #14763
• Fix filename dimension identifiers (role_X, version_X) to replace mount config 8d6145f @bep #14756
• Fix it so we never auto-fallback to page resources in other roles/versions 9747724 @bep #14749 #14752

Improvements

• css: Support nested hugo:vars/ imports 7622dd8 @bep #14705
• github: Update GitHub actions versions 0814059 @bep #14810
• hugolib: Do not render aliases if the page is not rendered 8920d56 @jmooring #14807
• langs/i18n: Improve default content language fallback 633cc77 @jmooring #14243
• helpers: Remove unused code 4c40c6d @bep
• common/constants: Remove unused consts d2594db @bep
• common/paths: Remove unused code ab2de51 @bep
• tests: Update Ruby setup action to v1.305.0 75f6183 @jmooring
• langs: Use Language.Locale as primary localization key 1b7495b @jmooring #9109
• config/security: Add "! " negation to Whitelist, harden default http.urls 79f030b @bep #14792
• Harden Node tool execution with --permission flag a54c398 @bep #7287
• tpl/collections: Honor the Eqer interface in where comparisons f5fce93 @bep #14777
• modules: Ignore non-require blocks in go.mod rewrite 4169c1f @bep #14783
• Replace the concurrent map with an identical upstream version 7574e35 @bep
• Add slice-based permalinks config with PageMatcher target 017a7cd @bep #14744
• commands: Add missing import e3413d9 @bep
• Revert "common/hugo: Deprecate extended and extended_withdeploy editions" b01cc14 @bep #14771
• Adjust the SECURITY.md slightly 8ee19ff @bep
• resources/page: Add passing test for Issue #14325 0d58e42 @jmooring
• Add a more flexible filename identifier scheme that also allows setting roles and versions (#14754) ce2a156 @bep #14750
• common/hugo: Deprecate extended and extended_withdeploy editions a17bdbc @jmooring #14696
• parser/pageparser: Add a parser fuzz test 8f94d65 @bep
• Replace deprecated .Site.Sites/.Page.Sites with hugo.Sites intests 90d8bf3 @bep
• agents: Add a note about having the issue ID in test names bbb42b5 @bep

Dependency Updates

• build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 d4ae662 @dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22 9ede5fb @dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13 833a878 @dependabot[bot]
• build(deps): bump github.com/magefile/mage from 1.17.1 to 1.17.2 4c03129 @dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.1 => v0.17.2 080970b @bep
• build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudfront (#14789) 896bc89 @dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#14788) 100dde5 @dependabot[bot]
• build(deps): bump github.com/bep/mclib (#14787) bdebb79 @dependabot[bot]
• build(deps): bump google.golang.org/api from 0.267.0 to 0.276.0 52123ae @dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.5 to 1.41.6 38b8afd @dependabot[bot]
• build(deps): bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 (#14781) 9276660 @dependabot[bot]
• build(deps): bump github.com/bep/goportabletext from 0.1.0 to 0.2.0 (#14779) 790f408 @dependabot[bot]
• build(deps): bump golang.org/x/image from 0.38.0 to 0.39.0 (#14780) de6955b @dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.0 => v0.17.1 (#14775) a77bd52 @bep #14758
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 547ab29 @dependabot[bot]
• build(deps): bump github.com/evanw/esbuild from 0.27.4 to 0.28.0 9a5c7e0 @dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.1 to 1.41.5 6613b08 @dependabot[bot]
• build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 582c26e @dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.11 to 2.24.12 a4f2a8a @dependabot[bot]