Skip to content

chore: bump github.com/gohugoio/hugo from 0.147.0 to 0.163.3#790

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/gohugoio/hugo-0.163.3
Open

chore: bump github.com/gohugoio/hugo from 0.147.0 to 0.163.3#790
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/github.com/gohugoio/hugo-0.163.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown

Bumps github.com/gohugoio/hugo from 0.147.0 to 0.163.3.

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.163.3

What's Changed

  • markup/highlight: Escape lang in default code block rendering ce1a7e0b @​bep thanks to @​k0ngj1 for reporting this issue.
  • parser/pageparser: Preserve non-ASCII whitespace after e.g. summary divider 70a9068a @​bep
  • resources: Support babel/postcss config variants 9d66d513 @​jmooring #15039 #15040 #15043
  • hugolib: Fix page/section name collision regression f0133466 @​jmooring #15046

v0.163.2

What's Changed

  • Continue resolving on ERR_ACCESS_DENIED in Node's resolver 134674f0 @​bep #15041
  • markup: Standardize behavior when external converters are missing 147f605f @​jmooring #14222

v0.163.1

The majority of the fixes in this release are security related (including the upstream fix in 93c8c7d3 (golang.org/x/image)). Thanks to @​vnth4nhnt for finding the issues fixed in a00b5c72 and cf9c8f93 (I will do the CVE work on this later). There has been a uptick in security reports lately, which doesn't mean that Hugo has gotten less secure, this is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.

What's Changed

  • build(deps): bump golang.org/x/image from 0.41.0 to 0.42.0 93c8c7d3 @​dependabot[bot]
  • Fix multi --renderSegments merge behavior 95e5e9f4 @​bep #15024
  • security: Normalize integer IPv4 host encodings in http.urls check a00b5c72 @​bep
  • Drop symlinks in os.ReadDir, os.ReadFile, os.Stat and os.FileExists cf9c8f93 @​bep #15019
  • commands: Fix convert command 2602796c @​jmooring #15012

v0.163.0

The main topic in this release is improvements to the AVIF image handling that we introduced in v0.162.0. See the docs for details, but:

  • We have turned down the default quality for AVIF to 60. Turns out, JPEG/WebP with quality 75 is comparable to AVIF with quality 60. You can now also set quality per image format in your project config (and also per image processed if needed).
  • We have added a hint to the AVIF with the same values as for WEBP. For lossy compression, the photo/picture hints (and the default) encodes with YUV420 chroma subsampling instead of YUV444, keeping 444 for text/icon/drawing. This greatly reduces the memory needed to encode these images.

Improvements

  • resources/jsconfig: Remove deprecated baseUrl setting ff2903a9 @​bep #14991 #14996
  • all: Adjust tests for deprecated link and image render hook settings ca68936d @​jmooring
  • all: Run go fix ./... 781fabf4 @​bep
  • pagesfromdata: Use relative path for content adapter template metrics 1d018ef8 @​anupamojha-eng #14999
  • ci: Re-add macos-latest to the test matrix 121bc6ce @​bep
  • images: Deprecate Imaging.Compression and move it down to webp and avif configs cf18b827 @​bep #14998
  • Only support the latest Go version 98ad9b3c @​bep #14997
  • page: Add IsBranch and deprecate IsNode b89e7fe6 @​bep #11574
  • images: Force cache invalidation for AVIF target e8fefc83 @​bep #14990
  • images: Add a per-format AVIF hint setting a043d3ec @​bep #14992
  • images: Make AVIF chroma subsampling content-aware via the hint 341f575d @​bep #14987

... (truncated)

Commits
  • 4d22555 releaser: Bump versions for release of 0.163.3
  • ce1a7e0 markup/highlight: Escape lang in default code block rendering
  • e8988c3 Merge commit 'c86d9f4aa8a58931f52df6516f10b67c807505fb'
  • c86d9f4 Squashed 'docs/' changes from 1f8ddb8a52..e17426e2b6
  • 70a9068 parser/pageparser: Preserve non-ASCII whitespace after e.g. summary divider
  • 9d66d51 resources: Support babel/postcss config variants
  • f013346 hugolib: Fix page/section name collision regression
  • 96e06e1 releaser: Prepare repository for 0.164.0-DEV
  • 19a5cec releaser: Bump versions for release of 0.163.2
  • 134674f Continue resolving on ERR_ACCESS_DENIED in Node's resolver
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from 0.147.0 to 0.163.3.
- [Release notes](https://github.com/gohugoio/hugo/releases)
- [Commits](gohugoio/hugo@v0.147.0...v0.163.3)

---
updated-dependencies:
- dependency-name: github.com/gohugoio/hugo
  dependency-version: 0.163.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 22, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 22, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs
codeserver e94ea8e Jun 22 2026, 11:07 AM

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgolang/​github.com/​gohugoio/​hugo@​v0.147.0 ⏵ v0.163.375 +1100 +2110010070 -30
Updatedgolang/​golang.org/​x/​oauth2@​v0.29.0 ⏵ v0.36.071 +1100100100100
Updatedgolang/​github.com/​aws/​aws-sdk-go-v2@​v1.36.3 ⏵ v1.41.671 +1100100100100
Updatedgolang/​github.com/​aws/​smithy-go@​v1.22.3 ⏵ v1.25.072 +1100100100100
Updatedgolang/​golang.org/​x/​crypto@​v0.39.0 ⏵ v0.51.074 +1100 +19100100100
Updatedgolang/​golang.org/​x/​net@​v0.41.0 ⏵ v0.55.075100 +2100100100
Updatedgolang/​golang.org/​x/​tools@​v0.33.0 ⏵ v0.45.075100100100100
Updatedgolang/​google.golang.org/​grpc@​v1.73.0 ⏵ v1.80.075 +1100 +75100100100
Updatedgolang/​google.golang.org/​protobuf@​v1.36.6 ⏵ v1.36.1175 +1100100100100
Updatedgolang/​go.opentelemetry.io/​otel@​v1.37.0 ⏵ v1.43.076 +199 +15100100100
Updatedgolang/​golang.org/​x/​text@​v0.26.0 ⏵ v0.38.077100100100100
Updatedgolang/​google.golang.org/​api@​v0.231.0 ⏵ v0.276.079 +1100100100100
Updatedgolang/​github.com/​prometheus/​client_model@​v0.6.1 ⏵ v0.6.210010010010080
Updatedgolang/​golang.org/​x/​sys@​v0.33.0 ⏵ v0.45.084100100100100
Updatedgolang/​github.com/​aws/​aws-sdk-go-v2/​config@​v1.29.14 ⏵ v1.32.288100100100100
Updatedgolang/​github.com/​stretchr/​testify@​v1.10.0 ⏵ v1.11.196 +1100100100100
Updatedgolang/​golang.org/​x/​mod@​v0.25.0 ⏵ v0.36.096 +1100100100100
Updatedgolang/​github.com/​spf13/​pflag@​v1.0.6 ⏵ v1.0.1097100100100100
Updatedgolang/​github.com/​go-jose/​go-jose/​v4@​v4.1.0 ⏵ v4.1.498100 +16100100100
Updatedgolang/​cloud.google.com/​go/​compute/​metadata@​v0.7.0 ⏵ v0.9.098 +1100100100100
Updatedgolang/​go.opentelemetry.io/​otel/​sdk@​v1.37.0 ⏵ v1.43.098 +1100 +22100100100
Updatedgolang/​go.opentelemetry.io/​otel/​exporters/​otlp/​otlptrace/​otlptracegrpc@​v1.35.0 ⏵ v1.38.099 +1100100100100
Updatedgolang/​golang.org/​x/​sync@​v0.15.0 ⏵ v0.21.099100100100100
Updatedgolang/​go.opentelemetry.io/​otel/​trace@​v1.37.0 ⏵ v1.43.0100 +1100100100100
Updatedgolang/​golang.org/​x/​term@​v0.32.0 ⏵ v0.43.0100 +1100100100100
Updatedgolang/​github.com/​aws/​aws-sdk-go-v2/​feature/​rds/​auth@​v1.5.1 ⏵ v1.6.14100100100100100
Updatedgolang/​github.com/​mattn/​go-isatty@​v0.0.20 ⏵ v0.0.22100100100100100
Updatedgolang/​go.opentelemetry.io/​otel/​exporters/​otlp/​otlptrace@​v1.35.0 ⏵ v1.38.0100100100100100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang github.com/googleapis/enterprise-certificate-proxy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/google.golang.org/api@v0.276.0golang/github.com/golang-migrate/migrate/v4@v4.18.1golang/github.com/aquasecurity/trivy-iac@v0.8.0golang/cdr.dev/slog@v1.6.2-0.20250703074222-9df5e0a6c145golang/github.com/coder/aisdk-go@v0.0.9golang/github.com/googleapis/enterprise-certificate-proxy@v0.3.14

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/googleapis/enterprise-certificate-proxy@v0.3.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/pelletier/go-toml/v2 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/gohugoio/hugo@v0.163.3golang/github.com/pelletier/go-toml/v2@v2.3.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/pelletier/go-toml/v2@v2.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang golang.org/x/tools is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: go.modgolang/golang.org/x/tools@v0.45.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/golang.org/x/tools@v0.45.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions github-actions Bot added the stale label Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code stale

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants