chore(deps): update dependency gohugoio/hugo to v0.164.0#280
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency gohugoio/hugo to v0.164.0#280renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
February 25, 2026 20:01
b3d7df2 to
920fc5f
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
3 times, most recently
from
March 3, 2026 05:43
7ce3896 to
ccc589d
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
March 16, 2026 21:46
ccc589d to
49ccbee
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
March 23, 2026 20:54
49ccbee to
f10180e
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
2 times, most recently
from
March 26, 2026 13:19
b94c4b8 to
57efc61
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
April 1, 2026 21:05
57efc61 to
37b207f
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
April 4, 2026 16:29
37b207f to
936f73a
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
April 8, 2026 05:55
936f73a to
8b5419c
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
2 times, most recently
from
April 14, 2026 05:40
7c89607 to
77f35e8
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
April 16, 2026 15:59
77f35e8 to
8e9c4e1
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
2 times, most recently
from
April 28, 2026 19:28
7768257 to
6777003
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
April 29, 2026 17:58
6777003 to
38e9da4
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
2 times, most recently
from
May 4, 2026 20:33
f3592b8 to
566b15d
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
2 times, most recently
from
May 10, 2026 21:46
d383f24 to
06c8ef7
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
May 19, 2026 17:50
06c8ef7 to
95ebdb9
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
May 26, 2026 22:07
95ebdb9 to
0ae4e4d
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
May 28, 2026 18:32
0ae4e4d to
b717e42
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
June 8, 2026 18:14
b717e42 to
f1d485d
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
June 11, 2026 22:52
f1d485d to
6aa56f8
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
2 times, most recently
from
June 15, 2026 20:14
4aa7be3 to
71ebafe
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
June 21, 2026 04:01
71ebafe to
8ebb54d
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
4 times, most recently
from
June 30, 2026 06:56
3751e69 to
65b04e0
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
July 6, 2026 23:01
65b04e0 to
ecb6365
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
4 times, most recently
from
July 14, 2026 21:03
3b9baf9 to
e2c2d97
Compare
renovate
Bot
force-pushed
the
renovate/gohugoio-hugo-0.x
branch
from
July 17, 2026 09:26
e2c2d97 to
652ea4c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.155.3→0.164.0Release Notes
gohugoio/hugo (gohugoio/hugo)
v0.164.0Compare Source
Notable new features in this release are:
Notes
29ed932@bep #15086Changes
5a5f4a5@bepd83ce27@bep #15056c6acc24@bep #534929ed932@bep #15086671897a@bejaratommy #11794499794d@sjh9714 #1507865c8217@bepdfb35dc@bep #15072a5ec542@bep #15068 #15060e46d37a@jmooring #15057fe06735@jmooring #15052Dependency Updates
921db7b@dependabot[bot]786ce71@dependabot[bot]5ad2846@dependabot[bot]36ad9f5@dependabot[bot]7c0a0bc@dependabot[bot]a879ebf@dependabot[bot]332d5ec@dependabot[bot]212cc11@dependabot[bot]884439b@bep #15033790a8aa@bep #15017Documentation
128fb17@jmooring #15062v0.163.3Compare Source
What's Changed
ce1a7e0@bep thanks to @k0ngj1 for reporting this issue.70a9068@bep9d66d51@jmooring #15039 #15040 #15043f013346@jmooring #15046v0.163.2Compare Source
What's Changed
134674f@bep #15041147f605@jmooring #14222v0.163.1Compare Source
The majority of the fixes in this release are security related (including the upstream fix in
93c8c7d(golang.org/x/image)). Thanks to @vnth4nhnt for finding the issues fixed ina00b5c7andcf9c8f9(I will do the CVE work on this later). There has been a uptick in security reports lately, which doesn't mean that Hugo has gotten less secure, this is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.What's Changed
93c8c7d@dependabot[bot]95e5e9f@bep #15024a00b5c7@bepcf9c8f9@bep #150192602796@jmooring #15012v0.163.0Compare Source
The main topic in this release is improvements to the AVIF image handling that we introduced in
v0.162.0. See the docs for details, but:qualityfor AVIF to 60. Turns out, JPEG/WebP with quality 75 is comparable to AVIF with quality 60. You can now also set quality per image format in your project config (and also per image processed if needed).hintto the AVIF with the same values as forWEBP. Forlossycompression, the photo/picture hints (and the default) encodes with YUV420 chroma subsampling instead of YUV444, keeping 444 for text/icon/drawing. This greatly reduces the memory needed to encode these images.Improvements
ff2903a@bep #14991 #14996ca68936@jmooring781fabf@bep1d018ef@anupamojha-eng #14999121bc6c@bepcf18b82@bep #1499898ad9b3@bep #14997b89e7fe@bep #11574e8fefc8@bep #14990a043d3e@bep #14992341f575@bep #14987248241b@bep #149814e47d95@bep #1497903b4b54@bep #1497979be053@bep #149830f44046@bep #149774e17421@bep #14985b01ecd4@bep #1495745c00b7@jmooring #14936 #14950 #1496528d882a@bepDependency Updates
0d29fc8@dependabot[bot]bb57404@dependabot[bot]7d1b1fb@dependabot[bot]77a1147@dependabot[bot]v0.162.1Compare Source
What's Changed
59f35cd@jmooring #14959c270975@bep #14958ea8b48a@jmooring #14948v0.162.0Compare Source
The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).
Security fixes
There are some notable security fixes in this release.
Security fixes in Go
This release upgrades from Go 1.26.1 to 126.3, which brings a set of security fixes. Some relevant for Hugo are:
Security fixes and hardening in Hugo
The following changes either fix a concrete issue or reduce the default attack surface of
hugobuilds.text/htmlcontent files by default (e41a064). A newsecurity.allowContentpolicy gates which content media types may be used for pages under/content.text/htmlis denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in withsecurity.allowContent = ['.*'].security.http.urlson every redirect hop inresources.GetRemote(86fbb0f).resources.Get(f8b5fa0).We will update this section later with links to CVEs where applicable.
All changes
df54219@bep #149424bc7cae@bep5d51b82@jmooring #1492181d7762@jmooring #14795 #14906f8b5fa0@bep88d838a@xndvaz #14831e41a064@bep90d9f81@bep #783780e6084@jmooring #14944aeb9a5c@bep #14939c4bbc28@bepd8c7021@jmooring #14932ee4f1ac@bep #14855b613365@bep #11872d2c821b@bep4ed7600@bepcbe4339@bep #149126475d30@bep #14912 #1491767aede4@bep87f194b@bep #14897d81e3c2@bep #148977c65a4d@bepd31a927@bepc36608c@jmooring #149092f361a8@xndvaz #148865559263@jmooring #13869656fc04@bep #14062a20cb5b@bep #148984d775cb@bep #13492ae7bf74@bep #13987ba5d812@bep #12899 #14882be4a0df@bepe4cf565@bep9e64953@xndvaz #13737f0cfc28@xndvaz #1368816e854a@bep86fbb0f@bep #148717d4af7a@xndvaz #712828147cb@bep #14862e51e761@bep #148497011239@bep #14848694906f@cyphercodes #14820d27b9c0@ogulcanaydogan #1406262cef36@bep #14837ff22c62@jmooring #148174f444c8@dependabot[bot]fe6c726@dependabot[bot]6a2a038@dependabot[bot]cf1de59@dependabot[bot]97f990c@dependabot[bot]b99634e@dependabot[bot]fdd977e@dependabot[bot]123018d@dependabot[bot]b88fa8c@bep #14839v0.161.1Compare Source
What's Changed
c4eba92@bep #148288b40a96@bep #14823d65af84@bep #14824454450a@bep #14825v0.161.0Compare Source
This release contains two security hardening fixes:
--permissionflag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and thatcss.TailwindCSSnow requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supportedBut there are some notable new features, as well:
Nested vars support in css.Build and css.Sass
A practical example in
css.Buildwould be to have something like this inhugo.toml:And in the stylesheet:
Slice-based permalinks config
The
permalinksconfiguration is now much more flexible (the old setup still works). It uses the same target matchers as in thecascadeconfig, meaning you can now do:The above example isn't great, but it at least shows the gist of it.
A more flexible scheme for identifiers in filenames
What we had before was e.g.
content/mypost.en.mdwhich told Hugo that the content files was in English. With the new setup you could also name the filecontent/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:All Changes
72b85d5@jmooring #79826436deb@jmooring #12602 #12786 #14112 #147691eea9fb@jmooring #147638d6145f@bep #147569747724@bep #14749 #147527622dd8@bep #147050814059@bep #148108920d56@jmooring #14807633cc77@jmooring #142434c40c6d@bepd2594db@bepab2de51@bep75f6183@jmooring1b7495b@jmooring #910979f030b@bep #14792a54c398@bep #7287f5fce93@bep #147774169c1f@bep #147837574e35@bep017a7cd@bep #14744e3413d9@bepb01cc14@bep #147718ee19ff@bep0d58e42@jmooringce2a156@bep #14750a17bdbc@jmooring #146968f94d65@bep90d8bf3@bepbbb42b5@bepd4ae662@dependabot[bot]9ede5fb@dependabot[bot]833a878@dependabot[bot]4c03129@dependabot[bot]080970b@bep896bc89@dependabot[bot]100dde5@dependabot[bot]bdebb79@dependabot[bot]52123ae@dependabot[bot]38b8afd@dependabot[bot]9276660@dependabot[bot]790f408@dependabot[bot]de6955b@dependabot[bot]a77bd52@bep #14758547ab29@dependabot[bot]9a5c7e0@dependabot[bot]6613b08@dependabot[bot]582c26e@dependabot[bot]a4f2a8a@dependabot[bot]v0.160.1Compare Source
What's Changed
8b00030@bep #14677c485516@bep #14740161d0d4@bep #1245745e4596@bep #1473258927aa@bepce009e3@bep #146810755872@chicks-netv0.160.0Compare Source
Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.
Bug fixes
4e91e14@bep #14710dc9b51d@bep #1471543aad71@bep #14711Improvements
481baa0@bep5d09b5e@bep #14699303e443@bep #14663638262c@bepDependency Updates
bf6e35a@dependabot[bot]0eda24e@dependabot[bot]beb57a6@dependabot[bot]Documentation
9f1f1be@jmooringv0.159.2Compare Source
Note that the security fix below is not a potential threat if you either:
EDIT IN: This release also adds release archives for non-extended-withdeploy builds.
What's Changed
479fe6c@bepdf520e3@jmooring #14684v0.159.1Compare Source
The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).
To fix this, the upstream library has hadded a
keepNamespacesslice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:What's Changed
42289d7@bep #14669v0.159.0Compare Source
This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.
Note
a8fca59@bep182b104@bepeb11c3d@bepBug fixes
eaf4c75@jmooring #14649Improvements
807cae1@mango766 #14112c4fb61d@xndvaz #4621hugo mod npm packd88a29e@bep9dd9c76@buley3315a86](https://reConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.