Update ghcr.io/gohugoio/hugo Docker tag to v0.163.2

renovatebotrequested to merge
renovate/ghcr.io-gohugoio-hugo-0.x into main

This MR contains the following updates:

Package Type Update Change
ghcr.io/gohugoio/hugo image-name minor v0.147.9v0.163.2

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

gohugoio/hugo (ghcr.io/gohugoio/hugo)

v0.163.2

Compare Source

What's Changed

v0.163.1

Compare Source

The majority of the fixes in this release are security related (including the upstream fix in 93c8c7d (golang.org/x/image)). Thanks to @​vnth4nhnt for finding the issues fixed in a00b5c7 and cf9c8f9 (I will do the CVE work on this later). There has been a uptick in security reports lately, which doesn't mean that Hugo has gotten less secure, this is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.

What's Changed

v0.163.0

Compare Source

The main topic in this release is improvements to the AVIF image handling that we introduced in v0.162.0. See the docs for details, but:

  • We have turned down the default quality for AVIF to 60. Turns out, JPEG/WebP with quality 75 is comparable to AVIF with quality 60. You can now also set quality per image format in your project config (and also per image processed if needed).
  • We have added a hint to the AVIF with the same values as for WEBP. For lossy compression, the photo/picture hints (and the default) encodes with YUV420 chroma subsampling instead of YUV444, keeping 444 for text/icon/drawing. This greatly reduces the memory needed to encode these images.
Improvements
Dependency Updates

v0.162.1

Compare Source

What's Changed

v0.162.0

Compare Source

The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).

Security fixes

There are some notable security fixes in this release.

Security fixes in Go

This release upgrades from Go 1.26.1 to 126.3, which brings a set of security fixes. Some relevant for Hugo are:

  • XSS in html/template (CVE-2026-39826 & CVE-2026-39823): Two separate vulnerabilities where escaper bypasses in html/template could lead to Cross-Site Scripting (XSS).
  • html/template: Fixes an issue where JS template literal contexts were incorrectly tracked across template branches, which could lead to improper content escaping.
Security fixes and hardening in Hugo

The following changes either fix a concrete issue or reduce the default attack surface of hugo builds.

  • Disallow text/html content files by default (e41a064). A new security.allowContent policy gates which content media types may be used for pages under /content. text/html is denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in with security.allowContent = ['.*'].
  • Re-check security.http.urls on every redirect hop in resources.GetRemote (86fbb0f).
  • Reject symlinked entries in resources.Get (f8b5fa0).

We will update this section later with links to CVEs where applicable.

All changes

v0.161.1

Compare Source

What's Changed

v0.161.0

Compare Source

This release contains two security hardening fixes:

  • We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
  • We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "#​000000"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "#​000000"

And in the stylesheet:

@​import "hugo:vars";
@​import "hugo:vars/dark" (prefers-color-scheme: dark);

:root {
  color-scheme: light dark;
}
Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

A more flexible scheme for identifiers in filenames

What we had before was e.g. content/mypost.en.md which told Hugo that the content files was in English. With the new setup you could also name the file content/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:

Prefix Description Relevant for
language_ Language Content and layout files.
role_ Role Content and layout files.
version_ Version Content and layout files.
outputformat_ Output format Layout files.
mediatype_ Media type Layout files.
kind_ Page kind Layout files.
layout_ Layout Layout files.
All Changes

v0.160.1

Compare Source

What's Changed

v0.160.0

Compare Source

Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.

Bug fixes
Improvements
Dependency Updates
Documentation

v0.159.2

Compare Source

Note that the security fix below is not a potential threat if you either:

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

v0.159.1

Compare Source

The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

 [minify.tdewolff.svg]
      keepNamespaces = ['', 'x-bind']
What's Changed

v0.159.0

Compare Source

This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.

Note
  • Replace deprecated site.Data with hugo.Data in tests a8fca59 @​bep
  • Replace deprecated excludeFiles and includeFiles with files in tests 182b104 @​bep
  • Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d @​bep
Bug fixes
Improvements
Dependency Updates
Documentation

v0.158.0

Compare Source

This release adds css.Build, native and very fast bundling/transformation/minifying of CSS resources. Also see the new strings.ReplacePairs, a very fast option if you need to do many string replacements.

Notes
Deprecations

The methods and config options are deprecated and will be removed in a future Hugo release.

Also see this article

Language configuration
  • languageCode → Use locale instead.
  • languages.<lang>.languageCode → Use languages.<lang>.locale instead.
  • languages.<lang>.languageName → Use languages.<lang>.label instead.
  • languages.<lang>.languageDirection → Use languages.<lang>.direction instead.
Language methods
  • .Site.LanguageCode → Use .Site.Language.Locale instead.
  • .Language.LanguageCode → Use .Language.Locale instead.
  • .Language.LanguageName → Use .Language.Label instead.
  • .Language.LanguageDirection → Use .Language.Direction instead.
Bug fixes
Improvements
Dependency Updates

v0.157.0

Compare Source

The notable new feature is GitInfo support for Hugo Modules. See this repo for a runnable demo where multiple versions of the same content is mounted into different versions.

Bug fixes
Improvements
Dependency Updates

v0.156.0

Compare Source

This release brings significant speedups of collections.Where and collections.Sort – but this is mostly a "spring cleaning" release, to make the API cleaner and simpler to understand/document.

Deprecated
  • Site.AllPages is Deprecated
  • Site.BuildDrafts is Deprecated
  • Site.Languages is Deprecated
  • Site.Data is deprecated, use hugo.Data
  • Page.Sites and Site.Sites is Deprecated, use hugo.Sites

See this topic for more info.

Removed

These have all been deprecated at least since v0.136.0 and any usage have been logged as an error for a long time:

Template functions

  • data.GetCSV / getCSV (use resources.GetRemote)
  • data.GetJSON / getJSON (use resources.GetRemote)
  • crypto.FNV32a (use hash.FNV32a)
  • resources.Babel (use js.Babel)
  • resources.PostCSS (use css.PostCSS)
  • resources.ToCSS (use css.Sass)

Page methods:

  • .Page.NextPage (use .Page.Next)
  • .Page.PrevPage (use .Page.Prev)

Paginator:

  • .Paginator.PageSize (use .Paginator.PagerSize)

Site methods:

  • .Site.LastChange (use .Site.Lastmod)
  • .Site.Author (use .Site.Params.Author)
  • .Site.Authors (use .Site.Params.Authors)
  • .Site.Social (use .Site.Params.Social)
  • .Site.IsMultiLingual (use hugo.IsMultilingual)
  • .Sites.First (use .Sites.Default)

Site config:

  • paginate (use pagination.pagerSize)
  • paginatePath (use pagination.path)

File caches:

  • getjson cache
  • getcsv cache
Notes
Bug fixes
Improvements
Dependency Updates
Build Setup
Documentation

v0.155.3

Compare Source

What's Changed

v0.155.2

Compare Source

Note that the bug fix below is for the two new dimensions introduced in v0.153.0 (version and role), multiple languages worked fine. Also, changes to the first version and role also worked, which had me head-scratching for a while. Oh, well, enjoy.

v0.155.1

Compare Source

What's Changed

v0.155.0

Compare Source

Some notable new things in this release are:

  • Improvements to how versions are handled: We now support version (and also for the other dimension) range queries (e.g. >= v1.0.0), and we now cache Go module version queries, which makes mounting multiple versions of the same GitHub repo with different version much more practical and enjoyable, se this site and config for an annotated example.
  • We finally have XMP and IPTC image metadata support, in addition to EXIF, see #​13146
  • Page aliases now works in multidimensional sites (e.g. multiple languages), and it is now much easier to create e.g. Netlify _redirects files that works in such setups.
  • There are several performance related WebP improvements in this release.
  • Also, image processing in general (e.g. resize operations) should be considerably more effective.
Breaking change

Prior to v0.155.0, alias paths beginning with a slash (/) were treated as server-relative. In v0.155.0 and later, they are now site-relative. This change only affects multilingual single-host projects that used alias paths beginning with a slash (/) to cross language boundaries. See details.

Note
Bug fixes
Improvements
Dependency Updates
Build Setup
Documentation

v0.154.5

Compare Source

What's Changed

v0.154.4

Compare Source

What's Changed

Also see the new Page.OutputFormats.Canonical method.

v0.154.3

Compare Source

What's Changed

v0.154.2

Compare Source

What's Changed
  • Fix alpha/fuzzy border issue with new webp decoder for images with with transparent background e9b9b36 @​bep #​14339

v0.154.1

Compare Source

What's Changed

v0.154.0

Compare Source

Hugo v0.154.0 is the 14th release this year (not counting patch releases) and introduces partial decorators, or “partials with a twist.” This is a very powerful construct that I, @​bep, have always wanted to have in Hugo, but I could never wrap my head around an implementation. Until now.

A small and not very useful example:

{{ with partial "b.html" "World" }}Hello {{ . }}{{ end }}
{{ define "_partials/b.html" }}<b>{{ inner . }}</b>{{ end }}

The above renders to:

<b>Hello World</b>
  • The new inner keyword can be used zero or more times in a partial template, typically with different data (e.g. pages in a range), and its presence signals a reversal of the execution -- the callee becomes the caller.
  • Decorators can be deeply nested, see this MR for an example.

This release also brings some new utility funcs in the reflect package to identify the core types in Hugo. For example, to identify an processable image hasn't been trivial, now it is:

{{ $obj := . }}
{{ if reflect.IsResource $obj }}
   {{ if reflect.IsImageResource $obj }}
        // It has width/height and we can process it.
   {{ else }}
       // Just link to it.
   {{ end }}
{{ end }}
Bug fixes
Improvements
Dependency Updates

v0.153.5

Compare Source

What's Changed

v0.153.4

Compare Source

What's Changed

v0.153.3

Compare Source

What's Changed

v0.153.2

Compare Source

What's Changed

v0.153.1

Compare Source

[!note] This is a bug fix release. See the main release for a list of new features.

v0.153.0

Compare Source

[!note] There is a newer bug fix release available here.

This is a good one! Hugo v0.153.0 comes with a powerful new multidimensional content model (languages, versions and roles) and completely overhauls WebP image support, and much more:

  • For the new multidimensional content model, start reading sites matrix and sites complements. The matrix is what gets written to disk, complements allows e.g. a site in Swedish to fill in missing gaps in the site in Norwegian's page and resource collections. Also see the new Rotate method, that allows you to rotate the content tree in a given dimension.
  • For WebP we now build a WASM version of libwebp (v1.6.0) and run it in the Wazero runtime. We use this for both encoding and decoding. This solves an old and annoying issue with Go's stdlib's decoder, with loss of contrast and muted colors in some photos, but it also means that you don't need the extended version of Hugo to handle WebP images. And, drum roll, we now also support animated WebP, including converting to and from animated GIFs.
  • For MacOS, we now build signed and notarised pkg installers.

Also:

Notes
  • tpl/css: Deprecate libsass in favor of dartsass (note) 9937a5d @​bep #​14261
  • Build Order: Hugo builds sites based on the sorted dimensions (see below). In earlier versions, we built the sites starting with the default content language. This change is also reflected in the sort order of .Site.Sites to make it consistent with .Site.Languages.
  • Sort Order: The dimensions are sorted as follows, which affects build order and complement selection:
    • languages: By weight, then by name.
    • versions: By weight, then by semantic versioning (descending).
    • roles: By weight, then by name.
  • Deprecations:
  • Logging: We no longer log warnings about potential duplicate content paths, as this becomes impractical to reason about with a complex sites matrix.
Bug fixes
Improvements
Dependency Updates
Build Setup
Documentation

v0.152.2

Compare Source

In v0.152.0 we tightened the source validation for file mounts. We always said that project mounts can mount with absolute file/directorynames, modules/themes are restricted to relative. In v0.152.0 we narrowed module/themes mounts to be local, which made the setup in the bug report listed below fail:

[[module.mounts]]
source = '../../node_modules/bootstrap'
target = 'assets/vendor/bootstrap'

One part of this is security. But the construct above is usually very odd (the project uses files in a theme/module, not the other way around) and not very portable. But the example above demonstrates a valid exception, that we now have added support for in a portable way. The above example now works as it did before v0.152.0, but going forward you can also write:

[[module.mounts]]
source = 'node_modules/bootstrap'
target = 'assets/vendor/bootstrap'

We now have the node_modules as a special case: For themes/modules we first check if the mounted source exists locally, if not we try relative to the project root.

What's Changed

v0.152.1

Compare Source

These fixes are are all related to the YAML library upgrade in v0.152.0.

v0.152.0

Compare Source

The big new thing and the motivation behind this release is the upgrade to a more modern YAML library in @​goccy 's github.com/goccy/go-yaml. It's been a surprisingly long and winding road to get here. Note that this upgrade comes with some minor breaking changes, most notably that the old YAML 1.1 spec listed a set of strings that, when unquoted, were treated as boolean true or false. So if you're using any of the values in the table below as booleans, you need to adjust your YAML, but I suspect that fixing this very surprising behavior will fix more issues than it introduces. A big new thing with this new YAML library is the support for YAML anchors and aliases which helps to reduce duplication in e.g. your configuration. There are some examples in Hugo's release build configuration and in the Hugo's CI release setup.

Values Old meaning New meaning
yes, Yes, YES, y, Y, on, On, ON true (bool) yes, Yes, YES, y, Y, on, On, ON (string)
no, No, NO, n, N, off, Off, OFF false (bool) no, No, NO, n, N, off, Off, OFF (string)
Note
Improvements
Dependency Updates
Build Setup

v0.151.2

Compare Source

What's Changed

v0.151.1

Compare Source

This release is mostly motivated by some upstream security fixes:

I, @​bep, have inspected the above issues, and none of them seem to be relevant for Hugo, but we understand that many want to have a clean security report.

Bug fixes
Improvements
Dependency Updates

v0.151.0

Compare Source

Some notable new features in Hugo v0.151.0 are:

Note
Improvements and bug fixes
Dependency Updates

v0.150.1

Compare Source

What's Changed

v0.150.0

Compare Source

The big new feature in this relase is the new version config option on Module imports, which allows you to set the requested module version query directly in your Hugo configuration (e.g. hugo.toml). This is a feature that have been requested by many, and I (@​bep) was reminded about it by this recent thread, which also outlines a common use case for this: Mounting multiple old versions/branches of API documentation into the project.

What's Changed

v0.149.1

Compare Source

The main motivation behind this release is the Go 1.25.1 upgrade, which comes with a security fix. Hugo does not use the feature in question, but we understand that many Hugo users like to have a clean security report.

Note

Note that CSS minification now targets CSS3, removing certain optimizations that were specific to CSS2.

What's Changed

v0.148.2

Compare Source

What's Changed

v0.148.1

Compare Source

What's Changed

v0.148.0

Compare Source

[!NOTE]
There's some minor breaking changes in this release. Please read this thread for more information.

Note
Bug fixes
Improvements
Dependency Updates

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Mend Renovate.

Edited by renovatebot

Merge request reports