chore(deps): update dependency aqua:gohugoio/hugo to v0.161.1

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
aqua:gohugoio/hugo	minor	0.159.1 → 0.161.1	0.162.0

---

Release Notes

gohugoio/hugo (aqua:gohugoio/hugo)

v0.161.1

Compare Source

What's Changed

• resources: Honor Retry-After header in resources.GetRemote retries c4eba92 @​bep #​14828
• warpc: Move to parson.c in https://github.com/kgabis/parson 8b40a96 @​bep #​14823
• config/security: Add AllowChildProcess to security.node.permissions d65af84 @​bep #​14824
• config/security: Restrict default http.urls "@​" deny to userinfo 454450a @​bep #​14825

v0.161.0

Compare Source

This release contains two security hardening fixes:

• We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
• We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "#​000000"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "#​000000"

And in the stylesheet:

@​import "hugo:vars";
@​import "hugo:vars/dark" (prefers-color-scheme: dark);

:root {
  color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

A more flexible scheme for identifiers in filenames

What we had before was e.g. content/mypost.en.md which told Hugo that the content files was in English. With the new setup you could also name the file content/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:

Prefix	Description	Relevant for
language_	Language	Content and layout files.
role_	Role	Content and layout files.
version_	Version	Content and layout files.
outputformat_	Output format	Layout files.
mediatype_	Media type	Layout files.
kind_	Page kind	Layout files.
layout_	Layout	Layout files.

All Changes

• langs/i18n: Fix translation lookup when using language variants 72b85d5 @​jmooring #​7982
• create: Fix non-deterministic conflict detection in hugo new content 6436deb @​jmooring #​12602 #​12786 #​14112 #​14769
• commands: Fix environment isolation for configuration settings 1eea9fb @​jmooring #​14763
• Fix filename dimension identifiers (role_X, version_X) to replace mount config 8d6145f @​bep #​14756
• Fix it so we never auto-fallback to page resources in other roles/versions 9747724 @​bep #​14749 #​14752
• css: Support nested hugo:vars/ imports 7622dd8 @​bep #​14705
• github: Update GitHub actions versions 0814059 @​bep #​14810
• hugolib: Do not render aliases if the page is not rendered 8920d56 @​jmooring #​14807
• langs/i18n: Improve default content language fallback 633cc77 @​jmooring #​14243
• helpers: Remove unused code 4c40c6d @​bep
• common/constants: Remove unused consts d2594db @​bep
• common/paths: Remove unused code ab2de51 @​bep
• tests: Update Ruby setup action to v1.305.0 75f6183 @​jmooring
• langs: Use Language.Locale as primary localization key 1b7495b @​jmooring #​9109
• config/security: Add "! " negation to Whitelist, harden default http.urls 79f030b @​bep #​14792
• Harden Node tool execution with --permission flag a54c398 @​bep #​7287
• tpl/collections: Honor the Eqer interface in where comparisons f5fce93 @​bep #​14777
• modules: Ignore non-require blocks in go.mod rewrite 4169c1f @​bep #​14783
• Replace the concurrent map with an identical upstream version 7574e35 @​bep
• Add slice-based permalinks config with PageMatcher target 017a7cd @​bep #​14744
• commands: Add missing import e3413d9 @​bep
• Revert "common/hugo: Deprecate extended and extended_withdeploy editions" b01cc14 @​bep #​14771
• Adjust the SECURITY.md slightly 8ee19ff @​bep
• resources/page: Add passing test for Issue #​14325 0d58e42 @​jmooring
• Add a more flexible filename identifier scheme that also allows setting roles and versions (#​14754) ce2a156 @​bep #​14750
• common/hugo: Deprecate extended and extended_withdeploy editions a17bdbc @​jmooring #​14696
• parser/pageparser: Add a parser fuzz test 8f94d65 @​bep
• Replace deprecated .Site.Sites/.Page.Sites with hugo.Sites intests 90d8bf3 @​bep
• agents: Add a note about having the issue ID in test names bbb42b5 @​bep
• build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 d4ae662 @​dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22 9ede5fb @​dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13 833a878 @​dependabot[bot]
• build(deps): bump github.com/magefile/mage from 1.17.1 to 1.17.2 4c03129 @​dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.1 => v0.17.2 080970b @​bep
• build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudfront (#​14789) 896bc89 @​dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#​14788) 100dde5 @​dependabot[bot]
• build(deps): bump github.com/bep/mclib (#​14787) bdebb79 @​dependabot[bot]
• build(deps): bump google.golang.org/api from 0.267.0 to 0.276.0 52123ae @​dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.5 to 1.41.6 38b8afd @​dependabot[bot]
• build(deps): bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 (#​14781) 9276660 @​dependabot[bot]
• build(deps): bump github.com/bep/goportabletext from 0.1.0 to 0.2.0 (#​14779) 790f408 @​dependabot[bot]
• build(deps): bump golang.org/x/image from 0.38.0 to 0.39.0 (#​14780) de6955b @​dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.0 => v0.17.1 (#​14775) a77bd52 @​bep #​14758
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 547ab29 @​dependabot[bot]
• build(deps): bump github.com/evanw/esbuild from 0.27.4 to 0.28.0 9a5c7e0 @​dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.1 to 1.41.5 6613b08 @​dependabot[bot]
• build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 582c26e @​dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.11 to 2.24.12 a4f2a8a @​dependabot[bot]

v0.160.1

Compare Source

What's Changed

• Fix panic when passthrough elements are used in headings 8b00030 @​bep #​14677
• Fix panic on edit of legacy mapped template names that's also a valid path in the new setup c485516 @​bep #​14740
• Fix RenderShortcodes leaking context markers when indented 161d0d4 @​bep #​12457
• Strip nested page context markers from standalone RenderShortcodes 45e4596 @​bep #​14732
• Rename deprecated cascade._target to cascade.target in tests 58927aa @​bep
• Fix auto-creation of root sections in multilingual sites ce009e3 @​bep #​14681
• readme: Fix links 0755872 @​chicks-net

v0.160.0

Compare Source

Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.

Bug fixes

• Fix some recently introduced Position issues 4e91e14 @​bep #​14710
• markup/goldmark: Fix double-escaping of ampersands in link URLs dc9b51d @​bep #​14715
• tpl: Fix stray quotes from partial decorator in script context 43aad71 @​bep #​14711

Improvements

• all: Replace NewIntegrationTestBuilder with Test/TestE/TestRunning 481baa0 @​bep
• tpl/css: Support @​import "hugo:vars" for CSS custom properties in css.Build 5d09b5e @​bep #​14699
• Improve and extend .Position handling in Goldmark render hooks 303e443 @​bep #​14663
• markup/goldmark: Clean up test 638262c @​bep

Dependency Updates

• build(deps): bump github.com/magefile/mage from 1.16.1 to 1.17.1 bf6e35a @​dependabot[bot]
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 0eda24e @​dependabot[bot]
• build(deps): bump golang.org/x/image from 0.37.0 to 0.38.0 beb57a6 @​dependabot[bot]

Documentation

• readme: Revise edition descriptions and installation instructions 9f1f1be @​jmooring

v0.159.2

Compare Source

Note that the security fix below is not a potential threat if you either:

• Trust your Markdown content files.
• Have custom render hook template for links and images.

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

• Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c @​bep
• resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e3 @​jmooring #​14684

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Hugo 0.161.0 Security Hardening (Major Changes)

• Node.js Permission Model: PostCSS, Babel, and TailwindCSS now run with --permission flag by default, enforcing strict filesystem access controls through security.node.permissions configuration
• Node.js Version Requirement: Requires Node.js >= 22 for Node-based asset pipelines
• TailwindCSS Breaking Change: Standalone executable no longer supported; must install TailwindCSS CLI as Node.js package
• HTTP Security Restrictions: More restrictive defaults in security.http.urls (denies IP-based URLs, localhost, and URLs with authentication credentials)
• Security Vulnerability Fix (CVE-2026-44301): Addressed path traversal vulnerability in versions ≥0.43.0 and <0.161.0 where Node-based asset pipelines could read/write arbitrary files outside project directory

New Features (0.161.0)

• Nested vars support in css.Build and css.Sass (inject CSS vars from configuration via @import "hugo:vars")
• Slice-based permalinks configuration with target matchers
• Flexible filename identifier scheme supporting language_, role_, version_, outputformat_, mediatype_, kind_, and layout_ prefixes

Bug Fixes Across 0.160.x - 0.161.1

• Fixed translation lookup when using language variants (#7982)
• Fixed non-deterministic conflict detection in hugo new content (#12602)
• Fixed panic when passthrough elements used in headings (#14677)
• Fixed double-escaping of ampersands in link URLs (#14715)
• Fixed RenderShortcodes leaking context markers when indented (#12457)
• Fixed auto-creation of root sections in multilingual sites (#14681)
• Resources now honor Retry-After header in resources.GetRemote retries (#14828)

🎯 Impact Scope Investigation

✅ No Impact on This Project

1. No Node.js Asset Pipeline Usage

   • PaperMod theme uses vanilla CSS with zero Node.js build dependencies
   • No package.json, postcss.config.js, or tailwind.config.js found in project
   • Project uses Hugo's built-in asset bundling for CSS (assets/css/extended/references.css)
   • No usage of css.Build, css.Sass, css.PostCSS, PostCSS, Babel, or TailwindCSS detected

2. No Remote Resource Fetching

   • No resources.GetRemote calls found in layouts or content
   • HTTP security restrictions won't affect this project

3. Simple Configuration

   • Using basic Hugo configuration (hugo.yaml) with no permalinks, cascade, or advanced features
   • No deprecated .Site.Sites or .Page.Sites usage found
   • Custom layouts only override single.html and list.html for references section rendering

4. CI Environment Compatibility

   • GitHub Actions workflow uses mise to manage Hugo version (automatically updates from mise.toml)
   • Current Node.js v18 in CI environment is below the Node >= 22 requirement, but this doesn't matter since the project doesn't use Node-based asset pipelines

Benefits for This Project

• Security improvements are transparent (no action required)
• Bug fixes improve reliability for multilingual support and content creation
• New features available if needed in the future (nested CSS vars, flexible permalinks)

💡 Recommended Actions

✅ Safe to Merge Immediately

No migration steps required. The update from 0.159.1 to 0.161.1 is completely backward compatible for this project's use case.

Optional Future Considerations

• If you plan to add PostCSS/TailwindCSS in the future, ensure Node.js >= 22 is installed in CI environment
• If you need to use resources.GetRemote, be aware of the stricter HTTP URL restrictions (denies IP addresses, localhost, and URLs with credentials by default)
• Consider leveraging the new nested hugo:vars feature if you want to inject theme variables from hugo.yaml into CSS

🔗 Reference Links

Official Release Notes

• Hugo v0.161.1 Release
• Hugo v0.161.0 Release
• Hugo v0.160.0 Release
• Hugo Security Configuration Documentation

Security Information

• Hugo v0.161.0 Security Announcement
• CVE-2026-44301 (Path Traversal Vulnerability)

Theme Reference

• Hugo PaperMod Theme
• PaperMod Custom CSS Guide

Generated by koki-develop/claude-renovate-review