The majority of the fixes in this release are security related (including the upstream fix in 93c8c7d (golang.org/x/image)). Thanks to @vnth4nhnt for finding the issues fixed in a00b5c7 and cf9c8f9 (I will do the CVE work on this later). There has been an uptick in security reports lately. This doesn't mean that Hugo has gotten less secure; it is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.
What's Changed
- build(deps): bump golang.org/x/image from 0.41.0 to 0.42.0 93c8c7d @dependabot[bot]
- Fix multi --renderSegments merge behavior 95e5e9f @bep #15024
- security: Normalize integer IPv4 host encodings in http.urls check a00b5c7 @bep
- Drop symlinks in os.ReadDir, os.ReadFile, os.Stat and os.FileExists cf9c8f9 @bep #15019
- commands: Fix convert command 2602796 @jmooring #15012
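
Why integer IPv4 host encodings need normalizing before a URL check such as http.urls is applied, shown as an added example. This is not Hugo's code: the names canonicalIPv4 and urlDenied, the deny rule for internal addresses and the sample URLs are assumptions made for illustration, and IPv6 hosts are out of scope.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strconv"
	"strings"
)

// canonicalIPv4 decodes inet_aton-style hosts: 1-4 dot-separated parts, each
// decimal, octal (leading 0) or hex (0x); the last part fills the remaining bytes.
func canonicalIPv4(host string) (netip.Addr, bool) {
	parts := strings.Split(strings.ToLower(host), ".")
	var ip uint64
	for i, p := range parts {
		base := 10
		if strings.HasPrefix(p, "0x") {
			base, p = 16, p[2:]
		} else if len(p) > 1 && p[0] == '0' {
			base, p = 8, p[1:]
		}
		limit, shift := uint64(0xff), uint(8*(3-i))
		if i == len(parts)-1 { // last part may span several bytes
			limit, shift = uint64(1)<<uint(8*(4-i))-1, 0
		}
		n, err := strconv.ParseUint(p, base, 32)
		if err != nil || n > limit || len(parts) > 4 {
			return netip.Addr{}, false // not a numeric IPv4 form: treat as a name
		}
		ip |= n << shift
	}
	return netip.AddrFrom4([4]byte{byte(ip >> 24), byte(ip >> 16), byte(ip >> 8), byte(ip)}), true
}

// urlDenied is a hypothetical deny rule (an assumption of this example): reject
// URLs whose normalized host is loopback, private, link-local or unspecified.
func urlDenied(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true // fail closed on unparsable input
	}
	a, ok := canonicalIPv4(u.Hostname())
	return ok && (a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified())
}

func main() {
	fmt.Println(urlDenied("http://2130706433/"), urlDenied("https://example.org/")) // constructed samples
}
```

A rule that matches only the dotted form `127.0.0.1` as text would not match `2130706433` or `0x7f.1`, although resolvers that accept these encodings treat them as the same address, so the host is decoded first and the rule is applied to the decoded address.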