chore(deps): update dependency aqua:gohugoio/hugo to v0.161.1 by renovate[bot] · Pull Request #68 · koki-develop/techclip

renovate · 2026-04-21T08:56:35Z

This PR contains the following updates:

Package	Update	Change	Pending
aqua:gohugoio/hugo	minor	`0.159.1` → `0.161.1`	`0.162.1` (+1)

Release Notes

gohugoio/hugo (aqua:gohugoio/hugo)

`v0.161.1`

Compare Source

What's Changed

resources: Honor Retry-After header in resources.GetRemote retries c4eba92 @bep #14828
warpc: Move to parson.c in https://github.com/kgabis/parson 8b40a96 @bep #14823
config/security: Add AllowChildProcess to security.node.permissions d65af84 @bep #14824
config/security: Restrict default http.urls "@" deny to userinfo 454450a @bep #14825

`v0.161.0`

Compare Source

This release contains two security hardening fixes:

We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "#&#8203;000000"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "#&#8203;000000"

And in the stylesheet:

@&#8203;import "hugo:vars";
@&#8203;import "hugo:vars/dark" (prefers-color-scheme: dark);

:root {
  color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

A more flexible scheme for identifiers in filenames

What we had before was e.g. content/mypost.en.md which told Hugo that the content files was in English. With the new setup you could also name the file content/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:

Prefix	Description	Relevant for
language_	Language	Content and layout files.
role_	Role	Content and layout files.
version_	Version	Content and layout files.
outputformat_	Output format	Layout files.
mediatype_	Media type	Layout files.
kind_	Page kind	Layout files.
layout_	Layout	Layout files.

All Changes

langs/i18n: Fix translation lookup when using language variants 72b85d5 @jmooring #7982
create: Fix non-deterministic conflict detection in hugo new content 6436deb @jmooring #12602 #12786 #14112 #14769
commands: Fix environment isolation for configuration settings 1eea9fb @jmooring #14763
Fix filename dimension identifiers (role_X, version_X) to replace mount config 8d6145f @bep #14756
Fix it so we never auto-fallback to page resources in other roles/versions 9747724 @bep #14749 #14752
css: Support nested hugo:vars/ imports 7622dd8 @bep #14705
github: Update GitHub actions versions 0814059 @bep #14810
hugolib: Do not render aliases if the page is not rendered 8920d56 @jmooring #14807
langs/i18n: Improve default content language fallback 633cc77 @jmooring #14243
helpers: Remove unused code 4c40c6d @bep
common/constants: Remove unused consts d2594db @bep
common/paths: Remove unused code ab2de51 @bep
tests: Update Ruby setup action to v1.305.0 75f6183 @jmooring
langs: Use Language.Locale as primary localization key 1b7495b @jmooring #9109
config/security: Add "! " negation to Whitelist, harden default http.urls 79f030b @bep #14792
Harden Node tool execution with --permission flag a54c398 @bep #7287
tpl/collections: Honor the Eqer interface in where comparisons f5fce93 @bep #14777
modules: Ignore non-require blocks in go.mod rewrite 4169c1f @bep #14783
Replace the concurrent map with an identical upstream version 7574e35 @bep
Add slice-based permalinks config with PageMatcher target 017a7cd @bep #14744
commands: Add missing import e3413d9 @bep
Revert "common/hugo: Deprecate extended and extended_withdeploy editions" b01cc14 @bep #14771
Adjust the SECURITY.md slightly 8ee19ff @bep
resources/page: Add passing test for Issue #14325 0d58e42 @jmooring
Add a more flexible filename identifier scheme that also allows setting roles and versions (#14754) ce2a156 @bep #14750
common/hugo: Deprecate extended and extended_withdeploy editions a17bdbc @jmooring #14696
parser/pageparser: Add a parser fuzz test 8f94d65 @bep
Replace deprecated .Site.Sites/.Page.Sites with hugo.Sites intests 90d8bf3 @bep
agents: Add a note about having the issue ID in test names bbb42b5 @bep
build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 d4ae662 @dependabot[bot]
build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22 9ede5fb @dependabot[bot]
build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13 833a878 @dependabot[bot]
build(deps): bump github.com/magefile/mage from 1.17.1 to 1.17.2 4c03129 @dependabot[bot]
deps: Upgrade github.com/bep/imagemeta v0.17.1 => v0.17.2 080970b @bep
build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudfront (#14789) 896bc89 @dependabot[bot]
build(deps): bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#14788) 100dde5 @dependabot[bot]
build(deps): bump github.com/bep/mclib (#14787) bdebb79 @dependabot[bot]
build(deps): bump google.golang.org/api from 0.267.0 to 0.276.0 52123ae @dependabot[bot]
build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.5 to 1.41.6 38b8afd @dependabot[bot]
build(deps): bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 (#14781) 9276660 @dependabot[bot]
build(deps): bump github.com/bep/goportabletext from 0.1.0 to 0.2.0 (#14779) 790f408 @dependabot[bot]
build(deps): bump golang.org/x/image from 0.38.0 to 0.39.0 (#14780) de6955b @dependabot[bot]
deps: Upgrade github.com/bep/imagemeta v0.17.0 => v0.17.1 (#14775) a77bd52 @bep #14758
build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 547ab29 @dependabot[bot]
build(deps): bump github.com/evanw/esbuild from 0.27.4 to 0.28.0 9a5c7e0 @dependabot[bot]
build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.1 to 1.41.5 6613b08 @dependabot[bot]
build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 582c26e @dependabot[bot]
build(deps): bump github.com/tdewolff/minify/v2 from 2.24.11 to 2.24.12 a4f2a8a @dependabot[bot]

`v0.160.1`

Compare Source

What's Changed

Fix panic when passthrough elements are used in headings 8b00030 @bep #14677
Fix panic on edit of legacy mapped template names that's also a valid path in the new setup c485516 @bep #14740
Fix RenderShortcodes leaking context markers when indented 161d0d4 @bep #12457
Strip nested page context markers from standalone RenderShortcodes 45e4596 @bep #14732
Rename deprecated cascade._target to cascade.target in tests 58927aa @bep
Fix auto-creation of root sections in multilingual sites ce009e3 @bep #14681
readme: Fix links 0755872 @chicks-net

`v0.160.0`

Compare Source

Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.

Bug fixes

Fix some recently introduced Position issues 4e91e14 @bep #14710
markup/goldmark: Fix double-escaping of ampersands in link URLs dc9b51d @bep #14715
tpl: Fix stray quotes from partial decorator in script context 43aad71 @bep #14711

Improvements

all: Replace NewIntegrationTestBuilder with Test/TestE/TestRunning 481baa0 @bep
tpl/css: Support @import "hugo:vars" for CSS custom properties in css.Build 5d09b5e @bep #14699
Improve and extend .Position handling in Goldmark render hooks 303e443 @bep #14663
markup/goldmark: Clean up test 638262c @bep

Dependency Updates

build(deps): bump github.com/magefile/mage from 1.16.1 to 1.17.1 bf6e35a @dependabot[bot]
build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 0eda24e @dependabot[bot]
build(deps): bump golang.org/x/image from 0.37.0 to 0.38.0 beb57a6 @dependabot[bot]

Documentation

readme: Revise edition descriptions and installation instructions 9f1f1be @jmooring

`v0.159.2`

Compare Source

Note that the security fix below is not a potential threat if you either:

Trust your Markdown content files.
Have custom render hook template for links and images.

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c @bep
resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e3 @jmooring #14684

Configuration

📅 Schedule: (UTC)

Branch creation
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
- Only on Sunday and Saturday (* * * * 0,6)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-04-21T08:59:25Z

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Jump: v0.159.1 → v0.161.1 (includes v0.160.0, v0.160.1, v0.161.0, v0.161.1)

Security-Related Changes

v0.161.0 - Security Hardening:

Node.js Permissions System: Hugo now runs Node tools (PostCSS, Babel, TailwindCSS) with the --permission flag by default, requiring Node.js >= 22. The Tailwind CSS standalone executable is no longer supported - only the npm package version works.
HTTP URL Security: More restrictive defaults in security.http.urls. Now denies URLs with userinfo (credentials in URLs like http://user:pass@example.com) by default, while still allowing OAuth token formats.
CVE-2026-27820 Protection: Added URL escaping for dangerous content in Markdown links and images to prevent XSS attacks.

v0.159.2 - XSS Fix:

Escapes dangerous URLs in Markdown links and images to prevent potential XSS exploits (only a threat if content files are untrusted).

v0.161.1 - Minor Improvements:

Honors Retry-After header in resources.GetRemote retries
Moved to a newer parser library (parson.c)
Added AllowChildProcess to security.node.permissions
Restricted default http.urls "@" deny to userinfo only

New Features

v0.161.0:

Nested CSS vars support: css.Build and css.Sass now support nested Hugo variables (e.g., @import "hugo:vars/dark" for dark mode variables)
Slice-based permalinks config: New flexible permalinks configuration using target matchers (similar to cascade config)
Flexible filename identifiers: New prefix system for filenames (language_en_, role_X_, version_X_, outputformat_, mediatype_, kind_, layout_) replacing the old .en.md format

v0.160.0:

CSS vars injection support via css.Build's vars parameter

Bug Fixes

v0.161.0:

Fixed translation lookup for language variants (hugo:7982)
Fixed non-deterministic conflict detection in hugo new content (hugo:14769)
Fixed environment isolation for configuration settings (hugo:14763)
Fixed filename dimension identifiers to replace mount config (hugo:14756)
Do not render aliases if the page is not rendered (hugo:14807)

v0.160.1:

Fixed panic when passthrough elements are used in headings (hugo:14677)
Fixed panic on edit of legacy mapped template names (hugo:14740)
Fixed RenderShortcodes leaking context markers when indented (hugo:12457)
Fixed auto-creation of root sections in multilingual sites (hugo:14681)

v0.160.0:

Fixed double-escaping of ampersands in link URLs (hugo:14715)
Fixed stray quotes from partial decorator in script context (hugo:14711)

🎯 Impact Scope Investigation

Usage Location Analysis

No impact areas identified:

✅ No Node.js tooling: Codebase doesn't use TailwindCSS, PostCSS, or Babel. Only plain CSS files in assets/css/extended/.
✅ No resources.GetRemote: No remote resource fetching in templates.
✅ No custom render hooks: No link/image render hooks that would override default XSS protection.
✅ No permalinks customization: Default permalink structure used (hugo.yaml has no permalink configuration).
✅ No security config override: No custom security settings in hugo.yaml.
✅ Simple Hugo configuration: Uses only basic Hugo features (baseURL, locale, menu, params, theme).

Codebase Characteristics

Content files: All content is in Markdown format with standard frontmatter (date, title, description, tags, references)
Theme: Uses PaperMod theme (git submodule) with minimal custom overrides (2 layout files: single.html, list.html)
CSS: Only plain CSS files, no preprocessors
Templates: Uses Hugo's template functions like urls.Parse, .GetTerms, standard partials
Hugo features used: Basic features (content management, taxonomies, custom layouts, simple CSS)

Dependency Analysis

Hugo: Managed via aqua (mise.toml)
Build process: Uses hugo build --gc --minify in GitHub Actions
No Node.js dependencies: No package.json, no npm scripts
Theme dependency: PaperMod (external, pinned via git submodule)

💡 Recommended Actions

This upgrade is safe to merge immediately. No manual intervention required.

Why It's Safe

Security improvements are non-breaking: The XSS fix and HTTP URL hardening only affect edge cases not present in this codebase.
Node.js security changes don't apply: The project doesn't use any Node.js-based CSS processors, so the permission system changes are irrelevant.
New features are opt-in: All new features (nested CSS vars, slice-based permalinks, filename identifiers) are optional enhancements that don't affect existing functionality.
Bug fixes improve stability: All bug fixes address edge cases and improve reliability without changing core behavior.
Backward compatibility maintained: Hugo maintains excellent backward compatibility - this is a minor version bump with no breaking changes for typical use cases.

Post-Merge Verification

After merging, verify the deployment succeeds by checking:

GitHub Actions build workflow completes successfully
Site deploys to GitHub Pages without errors
Content renders correctly on the live site

No code changes or configuration updates are required for this upgrade.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review

renovate Bot force-pushed the renovate/aqua-gohugoio-hugo-0.x branch 2 times, most recently from 9290f24 to 5530fc6 Compare April 24, 2026 01:29

renovate Bot force-pushed the renovate/aqua-gohugoio-hugo-0.x branch 2 times, most recently from dfa819a to 72cfd14 Compare May 5, 2026 13:57

renovate Bot changed the title ~~chore(deps): update dependency aqua:gohugoio/hugo to v0.160.1~~ chore(deps): update dependency aqua:gohugoio/hugo to v0.161.0 May 5, 2026

renovate Bot force-pushed the renovate/aqua-gohugoio-hugo-0.x branch from 72cfd14 to 9bb93fc Compare May 6, 2026 17:56

renovate Bot changed the title ~~chore(deps): update dependency aqua:gohugoio/hugo to v0.161.0~~ chore(deps): update dependency aqua:gohugoio/hugo to v0.161.1 May 6, 2026

renovate Bot force-pushed the renovate/aqua-gohugoio-hugo-0.x branch from 9bb93fc to 6fc7ba5 Compare May 14, 2026 16:54

renovate Bot force-pushed the renovate/aqua-gohugoio-hugo-0.x branch 2 times, most recently from 9fed292 to cb97d7b Compare May 28, 2026 18:21

chore(deps): update dependency aqua:gohugoio/hugo to v0.161.1

b4f0784

renovate Bot force-pushed the renovate/aqua-gohugoio-hugo-0.x branch from cb97d7b to b4f0784 Compare May 29, 2026 11:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency aqua:gohugoio/hugo to v0.161.1#68

chore(deps): update dependency aqua:gohugoio/hugo to v0.161.1#68
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/aqua-gohugoio-hugo-0.x

renovate Bot commented Apr 21, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 21, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Apr 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v0.161.1

What's Changed

v0.161.0

Nested vars support in css.Build and css.Sass

Slice-based permalinks config

A more flexible scheme for identifiers in filenames

All Changes

v0.160.1

What's Changed

v0.160.0

Bug fixes

Improvements

Dependency Updates

Documentation

v0.159.2

What's Changed

Configuration

Uh oh!

github-actions Bot commented Apr 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Security-Related Changes

New Features

Bug Fixes

🎯 Impact Scope Investigation

Usage Location Analysis

Codebase Characteristics

Dependency Analysis

💡 Recommended Actions

Why It's Safe

Post-Merge Verification

🔗 Reference Links

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Apr 21, 2026 •

edited

Loading

`v0.161.1`

`v0.161.0`

`v0.160.1`

`v0.160.0`

`v0.159.2`

github-actions Bot commented Apr 21, 2026 •

edited

Loading