chore(deps): update dependency aqua:gohugoio/hugo to v0.161.1

[renovate]

This PR contains the following updates:

Package	Update	Change
aqua:gohugoio/hugo	minor	0.159.1 → 0.161.1

---

Release Notes

gohugoio/hugo (aqua:gohugoio/hugo)

v0.161.1

Compare Source

What's Changed

• resources: Honor Retry-After header in resources.GetRemote retries c4eba92 @​bep #​14828
• warpc: Move to parson.c in https://github.com/kgabis/parson 8b40a96 @​bep #​14823
• config/security: Add AllowChildProcess to security.node.permissions d65af84 @​bep #​14824
• config/security: Restrict default http.urls "@​" deny to userinfo 454450a @​bep #​14825

v0.161.0

Compare Source

This release contains two security hardening fixes:

• We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
• We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "#​000000"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "#​000000"

And in the stylesheet:

@​import "hugo:vars";
@​import "hugo:vars/dark" (prefers-color-scheme: dark);

:root {
  color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

A more flexible scheme for identifiers in filenames

What we had before was e.g. content/mypost.en.md which told Hugo that the content files was in English. With the new setup you could also name the file content/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:

Prefix	Description	Relevant for
language_	Language	Content and layout files.
role_	Role	Content and layout files.
version_	Version	Content and layout files.
outputformat_	Output format	Layout files.
mediatype_	Media type	Layout files.
kind_	Page kind	Layout files.
layout_	Layout	Layout files.

All Changes

• langs/i18n: Fix translation lookup when using language variants 72b85d5 @​jmooring #​7982
• create: Fix non-deterministic conflict detection in hugo new content 6436deb @​jmooring #​12602 #​12786 #​14112 #​14769
• commands: Fix environment isolation for configuration settings 1eea9fb @​jmooring #​14763
• Fix filename dimension identifiers (role_X, version_X) to replace mount config 8d6145f @​bep #​14756
• Fix it so we never auto-fallback to page resources in other roles/versions 9747724 @​bep #​14749 #​14752
• css: Support nested hugo:vars/ imports 7622dd8 @​bep #​14705
• github: Update GitHub actions versions 0814059 @​bep #​14810
• hugolib: Do not render aliases if the page is not rendered 8920d56 @​jmooring #​14807
• langs/i18n: Improve default content language fallback 633cc77 @​jmooring #​14243
• helpers: Remove unused code 4c40c6d @​bep
• common/constants: Remove unused consts d2594db @​bep
• common/paths: Remove unused code ab2de51 @​bep
• tests: Update Ruby setup action to v1.305.0 75f6183 @​jmooring
• langs: Use Language.Locale as primary localization key 1b7495b @​jmooring #​9109
• config/security: Add "! " negation to Whitelist, harden default http.urls 79f030b @​bep #​14792
• Harden Node tool execution with --permission flag a54c398 @​bep #​7287
• tpl/collections: Honor the Eqer interface in where comparisons f5fce93 @​bep #​14777
• modules: Ignore non-require blocks in go.mod rewrite 4169c1f @​bep #​14783
• Replace the concurrent map with an identical upstream version 7574e35 @​bep
• Add slice-based permalinks config with PageMatcher target 017a7cd @​bep #​14744
• commands: Add missing import e3413d9 @​bep
• Revert "common/hugo: Deprecate extended and extended_withdeploy editions" b01cc14 @​bep #​14771
• Adjust the SECURITY.md slightly 8ee19ff @​bep
• resources/page: Add passing test for Issue #​14325 0d58e42 @​jmooring
• Add a more flexible filename identifier scheme that also allows setting roles and versions (#​14754) ce2a156 @​bep #​14750
• common/hugo: Deprecate extended and extended_withdeploy editions a17bdbc @​jmooring #​14696
• parser/pageparser: Add a parser fuzz test 8f94d65 @​bep
• Replace deprecated .Site.Sites/.Page.Sites with hugo.Sites intests 90d8bf3 @​bep
• agents: Add a note about having the issue ID in test names bbb42b5 @​bep
• build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 d4ae662 @​dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22 9ede5fb @​dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13 833a878 @​dependabot[bot]
• build(deps): bump github.com/magefile/mage from 1.17.1 to 1.17.2 4c03129 @​dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.1 => v0.17.2 080970b @​bep
• build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudfront (#​14789) 896bc89 @​dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#​14788) 100dde5 @​dependabot[bot]
• build(deps): bump github.com/bep/mclib (#​14787) bdebb79 @​dependabot[bot]
• build(deps): bump google.golang.org/api from 0.267.0 to 0.276.0 52123ae @​dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.5 to 1.41.6 38b8afd @​dependabot[bot]
• build(deps): bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 (#​14781) 9276660 @​dependabot[bot]
• build(deps): bump github.com/bep/goportabletext from 0.1.0 to 0.2.0 (#​14779) 790f408 @​dependabot[bot]
• build(deps): bump golang.org/x/image from 0.38.0 to 0.39.0 (#​14780) de6955b @​dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.0 => v0.17.1 (#​14775) a77bd52 @​bep #​14758
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 547ab29 @​dependabot[bot]
• build(deps): bump github.com/evanw/esbuild from 0.27.4 to 0.28.0 9a5c7e0 @​dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.1 to 1.41.5 6613b08 @​dependabot[bot]
• build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 582c26e @​dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.11 to 2.24.12 a4f2a8a @​dependabot[bot]

v0.160.1

Compare Source

What's Changed

• Fix panic when passthrough elements are used in headings 8b00030 @​bep #​14677
• Fix panic on edit of legacy mapped template names that's also a valid path in the new setup c485516 @​bep #​14740
• Fix RenderShortcodes leaking context markers when indented 161d0d4 @​bep #​12457
• Strip nested page context markers from standalone RenderShortcodes 45e4596 @​bep #​14732
• Rename deprecated cascade._target to cascade.target in tests 58927aa @​bep
• Fix auto-creation of root sections in multilingual sites ce009e3 @​bep #​14681
• readme: Fix links 0755872 @​chicks-net

v0.160.0

Compare Source

Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.

Bug fixes

• Fix some recently introduced Position issues 4e91e14 @​bep #​14710
• markup/goldmark: Fix double-escaping of ampersands in link URLs dc9b51d @​bep #​14715
• tpl: Fix stray quotes from partial decorator in script context 43aad71 @​bep #​14711

Improvements

• all: Replace NewIntegrationTestBuilder with Test/TestE/TestRunning 481baa0 @​bep
• tpl/css: Support @​import "hugo:vars" for CSS custom properties in css.Build 5d09b5e @​bep #​14699
• Improve and extend .Position handling in Goldmark render hooks 303e443 @​bep #​14663
• markup/goldmark: Clean up test 638262c @​bep

Dependency Updates

• build(deps): bump github.com/magefile/mage from 1.16.1 to 1.17.1 bf6e35a @​dependabot[bot]
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 0eda24e @​dependabot[bot]
• build(deps): bump golang.org/x/image from 0.37.0 to 0.38.0 beb57a6 @​dependabot[bot]

Documentation

• readme: Revise edition descriptions and installation instructions 9f1f1be @​jmooring

v0.159.2

Compare Source

Note that the security fix below is not a potential threat if you either:

• Trust your Markdown content files.
• Have custom render hook template for links and images.

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

• Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c @​bep
• resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e3 @​jmooring #​14684

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Jump Overview: 0.159.1 → 0.161.1 (3 minor versions, spanning v0.159.2, v0.160.0, v0.160.1, v0.161.0, v0.161.1)

Security Fixes

• v0.159.2: Fixed XSS vulnerability (CVE-2026-35166) in Markdown link/image rendering by escaping dangerous URLs. Not applicable to this codebase as it doesn't use custom render hooks for links/images
• v0.161.0: Hardened Node.js tool execution with --permission flag for PostCSS/Babel/TailwindCSS (requires Node ≥ 22). Not applicable - this codebase doesn't use these tools
• v0.161.0: Restricted security.http.urls defaults (credentials in URLs blocked by default)
• v0.161.1: Added AllowChildProcess to security.node.permissions
• v0.161.1: Further restricted HTTP URLs with userinfo (credentials) by default

Breaking Changes

• v0.161.0: TailwindCSS standalone executable no longer supported; must use Node.js package. Not applicable - this codebase doesn't use TailwindCSS
• v0.161.0: Node.js ≥ 22 required for CSS tools. Not applicable - no CSS tools in use

New Features

• v0.160.0: CSS variable injection via @import "hugo:vars" in css.Build - allows passing configuration values to stylesheets
• v0.160.0: Nested CSS vars support with @import "hugo:vars/dark" syntax
• v0.160.0: Enhanced .Position method in all render hooks (more accurate location tracking)
• v0.161.0: Flexible filename identifiers (_language_, _role_, _version_, _outputformat_, _mediatype_, _kind_, _layout_ prefixes)
• v0.161.0: Slice-based permalinks configuration with PageMatcher targets
• v0.161.1: Honor Retry-After header in resources.GetRemote retries

Bug Fixes

• v0.159.2: Fixed shared reader bug in Source.ValueAsOpenReadSeekCloser
• v0.160.0: Fixed double-escaping of ampersands in link URLs
• v0.160.0: Fixed stray quotes from partial decorators in script context
• v0.160.1: Fixed panic with passthrough elements in headings
• v0.160.1: Fixed panic on legacy mapped template names edit
• v0.160.1: Fixed RenderShortcodes leaking context markers when indented
• v0.160.1: Fixed auto-creation of root sections in multilingual sites

🎯 Impact Scope Investigation

Codebase Analysis

✅ No Breaking Changes Impact

1. Node.js Tools: Not used

   • No TailwindCSS, PostCSS, or Babel configuration found
   • No package.json, tailwind.config.*, postcss.config.*, or .babelrc files
   • The security hardening requiring Node ≥ 22 does not affect this project

2. Template Functions: Compatible

   • Uses urls.Parse in layouts/_default/single.html:61 for parsing reference URLs - no breaking changes to this function
   • No usage of deprecated functions detected

3. Configuration: Simple and compatible

   • Uses basic Hugo config in hugo.yaml with PaperMod theme
   • No permalinks configuration (slice-based config is optional enhancement)
   • No security.* configuration (defaults are acceptable)

4. Content Structure: Standard format

   • All content uses standard content/posts/<yyyy>/<mm>/<dd>/<slug>.md format
   • No files using new filename identifier formats (_language_, _role_, etc.)
   • Content contains only Japanese posts with frontmatter (date, title, description, tags, references)

5. Custom Templates: Minimal and compatible

   • Only two custom layout files: layouts/_default/single.html and layouts/_default/list.html
   • Both use standard Hugo functions with no deprecated syntax
   • No custom render hooks (uses Hugo defaults, so XSS fix applies automatically)

6. Theme: Git submodule

   • Uses PaperMod theme as git submodule at commit 10d3dcc
   • No direct modifications that would conflict with Hugo updates

7. Resource Fetching: No remote resources

   • No usage of resources.GetRemote (Retry-After improvement not applicable)

Dependencies Impact

• Hugo version managed by mise (aqua provider) - straightforward version bump
• No other Hugo-related dependencies affected

💡 Recommended Actions

Immediate Actions

1. Merge this PR - The update is safe and backward compatible for this codebase
2. No code changes required - All existing templates and content work as-is

Optional Enhancements (Future Consideration)

1. CSS Variable Injection - Could leverage new @import "hugo:vars" feature if dynamic theming is desired
2. Filename Identifiers - New _language_, _role_, _version_ prefixes available if multi-version content needed
3. Permalinks Configuration - Slice-based config with PageMatcher offers more flexibility if URL structure changes needed

Benefits of Updating

• Security: XSS vulnerability (CVE-2026-35166) patched automatically
• Stability: Multiple bug fixes for edge cases
• Performance: Improved resource fetching with Retry-After header support
• Future-proofing: Access to new features when needed

🔗 Reference Links

Release Notes:

• Hugo v0.161.1 Release
• Hugo v0.161.0 Release
• Hugo v0.160.1 Release
• Hugo v0.160.0 Release
• Hugo v0.159.2 Release

Security Information:

• CVE-2026-35166 Advisory
• Hugo v0.159.2 Security Discussion

Feature Documentation:

• Hugo css.Build Documentation
• Hugo urls.Parse Documentation
• Hugo v0.161.0 Announcement

Technical Analysis:

• Hugo's New CSS Powers Analysis

Generated by koki-develop/claude-renovate-review