Skip to content

build(deps): bump github.com/gohugoio/hugo from 0.149.1 to 0.159.2#1535

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/gohugoio/hugo-0.159.2
Closed

build(deps): bump github.com/gohugoio/hugo from 0.149.1 to 0.159.2#1535
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/gohugoio/hugo-0.159.2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 3, 2026
edited
Loading

Bumps github.com/gohugoio/hugo from 0.149.1 to 0.159.2.

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.159.2

Note that the security fix below is not a potential threat if you either:

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

  • Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c6 @​bep
  • resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e31 @​jmooring #14684

v0.159.1

The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

 [minify.tdewolff.svg]
      keepNamespaces = ['', 'x-bind']

What's Changed

  • minifiers: Keep x-bind and blank namespace in SVG minification 42289d76 @​bep #14669

v0.159.0

This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.

Note

  • Replace deprecated site.Data with hugo.Data in tests a8fca598 @​bep
  • Replace deprecated excludeFiles and includeFiles with files in tests 182b1045 @​bep
  • Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d0 @​bep

Bug fixes

Improvements

  • create: Return error instead of panic when page not found 807cae1d @​mango766 #14112
  • commands: Preserve non-content files in convert output c4fb61d9 @​xndvaz #4621
  • npm: Use workspaces to simplify hugo mod npm pack d88a29e0 @​bep

... (truncated)

Commits
  • 5f4646a releaser: Bump versions for release of 0.159.2
  • 479fe6c Fix potential content XSS by escaping dangerous URLs in links and images
  • 81a5cdc releaser: Add standard withdeploy release assets
  • df520e3 resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser
  • b55d452 testing: Simplify line ending handling in tests
  • ea7eac6 readme: Update Go version to 1.25.0
  • 458ebdd releaser: Prepare repository for 0.160.0-DEV
  • 86c7d3a releaser: Bump versions for release of 0.159.1
  • 42289d7 minifiers: Keep x-bind and blank namespace in SVG minification
  • 0c013c2 Adjust depreceated syntax in tests
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 3, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 3, 2026 23:40
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/gohugoio/hugo-0.159.2 branch from afbcca5 to 43367bf Compare April 8, 2026 12:15
@dependabot
build(deps): bump github.com/gohugoio/hugo from 0.149.1 to 0.159.2
a1bf8d1 
Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from 0.149.1 to 0.159.2.
- [Release notes](https://github.com/gohugoio/hugo/releases)
- [Commits](gohugoio/hugo@v0.149.1...v0.159.2)

---
updated-dependencies:
- dependency-name: github.com/gohugoio/hugo
  dependency-version: 0.159.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/gohugoio/hugo-0.159.2 branch from 43367bf to a1bf8d1 Compare April 8, 2026 13:52
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 8, 2026

Superseded by #1581.

@dependabot dependabot Bot closed this May 8, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/gohugoio/hugo-0.159.2 branch May 8, 2026 05:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants