fix: hugo v0.161 insufficient tailwind security perms

Author: gcushen

.devcontainer/base.Dockerfile

@@ -5,7 +5,7 @@ FROM mcr.microsoft.com/devcontainers/go:1.22-bookworm
 
 ARG NODE_VERSION=22
 ARG PNPM_VERSION=10.14.0
-ARG HUGO_VERSION=0.161.0
+ARG HUGO_VERSION=0.161.1
 
 ENV DEBIAN_FRONTEND=noninteractive
 ENV PNPM_HOME=/home/vscode/.local/share/pnpm

.github/workflows/devcontainer-image.yml

@@ -14,8 +14,10 @@ on:
 
 env:
   IMAGE_NAME: ghcr.io/hugoblox/hugo-blox-dev
-  # Hugo >= 0.161.0 requires Node >= 22 for css.TailwindCSS Node permissions.
-  DEFAULT_HUGO_VERSION: 0.161.0
+  # Hugo >= 0.161.1 required: 0.161.0 introduced the Node permission
+  # sandbox without an allowChildProcess field, blocking spawns under
+  # tailwindcss (e.g. @parcel/watcher → detect-libc → getconf on Linux).
+  DEFAULT_HUGO_VERSION: 0.161.1
   NODE_VERSION: 22
   PNPM_VERSION: 10.14.0
 

modules/blox/hugo.yaml

@@ -72,15 +72,13 @@ security:
       - ^HUGO_
       # Allow continuous integration vars
       - ^CI$
-  node:
-    permissions:
-      # Hugo's default allowChildProcess regex permits tailwindcss/npx but not
-      # `getconf`. @tailwindcss/cli pulls in @parcel/watcher, whose bundled
-      # detect-libc@1 synchronously spawns `getconf GNU_LIBC_VERSION` at
-      # require time on Linux to pick glibc vs musl prebuilds. Without this
-      # entry, Ubuntu CI fails with ERR_ACCESS_DENIED while macOS works
-      # (detect-libc short-circuits on Darwin).
-      allowChildProcess: ^(tailwindcss|npx|getconf)$
+  # Note: security.node.permissions is intentionally NOT set here. Hugo
+  # >= 0.161.1's built-in defaults permit `tailwindcss` for allowAddons,
+  # allowChildProcess, and allowWorker — sufficient for @tailwindcss/cli's
+  # transitive spawns (e.g. @parcel/watcher → detect-libc → getconf on
+  # Linux). The hugoVersion.min below pins to 0.161.1 because 0.161.0
+  # introduced the Node permission sandbox without an allowChildProcess
+  # field, so all spawns under tailwindcss were blocked on Linux.
 outputFormats:
   backlinks:
     mediaType: application/json
@@ -115,7 +113,11 @@ module:
     # 0.161.0 introduced css.TailwindCSS Node.js permission sandbox
     # (Node >= 22 required) and dropped support for the standalone
     # tailwindcss binary. The npm @tailwindcss/cli package is required.
-    min: "0.161.0"
+    # 0.161.1 added security.node.permissions.allowChildProcess (default
+    # ['tailwindcss']); 0.161.0 has no way to permit any child process,
+    # so spawns under tailwindcss (e.g. @parcel/watcher's detect-libc →
+    # getconf on Linux) are blocked with ERR_ACCESS_DENIED.
+    min: "0.161.1"
     extended: true
   imports:
     - path: github.com/HugoBlox/kit/modules/analytics

templates/academic-cv/.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         VERSION=$(yq '.build.hugo_version // ""' hugoblox.yaml 2>/dev/null | grep -v '^null$' || true)
         
         # Fallback to a known stable version if not specified
-        DEFAULT_VERSION="0.161.0"
+        DEFAULT_VERSION="0.161.1"
         VERSION=${VERSION:-$DEFAULT_VERSION}
         
         # Validate version format (basic check)

templates/data-science-blog/.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         VERSION=$(yq '.build.hugo_version // ""' hugoblox.yaml 2>/dev/null | grep -v '^null$' || true)
         
         # Fallback to a known stable version if not specified
-        DEFAULT_VERSION="0.161.0"
+        DEFAULT_VERSION="0.161.1"
         VERSION=${VERSION:-$DEFAULT_VERSION}
         
         # Validate version format (basic check)

templates/dev-portfolio/.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         VERSION=$(yq '.build.hugo_version // ""' hugoblox.yaml 2>/dev/null | grep -v '^null$' || true)
         
         # Fallback to a known stable version if not specified
-        DEFAULT_VERSION="0.161.0"
+        DEFAULT_VERSION="0.161.1"
         VERSION=${VERSION:-$DEFAULT_VERSION}
         
         # Validate version format (basic check)

templates/documentation/.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         VERSION=$(yq '.build.hugo_version // ""' hugoblox.yaml 2>/dev/null | grep -v '^null$' || true)
         
         # Fallback to a known stable version if not specified
-        DEFAULT_VERSION="0.161.0"
+        DEFAULT_VERSION="0.161.1"
         VERSION=${VERSION:-$DEFAULT_VERSION}
         
         # Validate version format (basic check)

templates/link-in-bio/.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         VERSION=$(yq '.build.hugo_version // ""' hugoblox.yaml 2>/dev/null | grep -v '^null$' || true)
         
         # Fallback to a known stable version if not specified
-        DEFAULT_VERSION="0.161.0"
+        DEFAULT_VERSION="0.161.1"
         VERSION=${VERSION:-$DEFAULT_VERSION}
         
         # Validate version format (basic check)

templates/markdown-slides/.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         VERSION=$(yq '.build.hugo_version // ""' hugoblox.yaml 2>/dev/null | grep -v '^null$' || true)
         
         # Fallback to a known stable version if not specified
-        DEFAULT_VERSION="0.161.0"
+        DEFAULT_VERSION="0.161.1"
         VERSION=${VERSION:-$DEFAULT_VERSION}
         
         # Validate version format (basic check)

templates/resume/.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         VERSION=$(yq '.build.hugo_version // ""' hugoblox.yaml 2>/dev/null | grep -v '^null$' || true)
         
         # Fallback to a known stable version if not specified
-        DEFAULT_VERSION="0.161.0"
+        DEFAULT_VERSION="0.161.1"
         VERSION=${VERSION:-$DEFAULT_VERSION}
         
         # Validate version format (basic check)