chore: bump github.com/gohugoio/hugo from 0.147.0 to 0.161.1 by dependabot[bot] · Pull Request #720 · officialmofabs/codeserver

dependabot · 2026-05-04T13:35:25Z

Bumps github.com/gohugoio/hugo from 0.147.0 to 0.161.1.

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.161.1

What's Changed

resources: Honor Retry-After header in resources.GetRemote retries c4eba928 @bep #14828

warpc: Move to parson.c in https://github.com/kgabis/parson 8b40a96 @bep #14823

config/security: Add AllowChildProcess to security.node.permissions d65af84d @bep #14824

config/security: Restrict default http.urls "@" deny to userinfo 454450a6 @bep #14825

v0.161.0

This release contains two security hardening fixes:

We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported

We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:
[params.style]
    primary    = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"
And in the stylesheet:
@import "hugo:vars";
@import "hugo:vars/dark" (prefers-color-scheme: dark);
:root {
color-scheme: light dark;
}
Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:
permalinks:
  - target:
      kind: page
      path: "/books/**"
</tr></table> 

... (truncated)

Commits

ea8f66a releaser: Bump versions for release of 0.161.1
c4eba92 resources: Honor Retry-After header in resources.GetRemote retries
8b40a96 warpc: Move to parson.c in https://github.com/kgabis/parson
d65af84 config/security: Add AllowChildProcess to security.node.permissions
454450a config/security: Restrict default http.urls "@" deny to userinfo
2bfcc6b releaser: Prepare repository for 0.162.0-DEV
98d396c releaser: Bump versions for release of 0.161.0
d4ae662 build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0
9ede5fb build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22
833a878 build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from 0.147.0 to 0.161.1. - [Release notes](https://github.com/gohugoio/hugo/releases) - [Commits](gohugoio/hugo@v0.147.0...v0.161.1) --- updated-dependencies: - dependency-name: github.com/gohugoio/hugo dependency-version: 0.161.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

cloudflare-workers-and-pages · 2026-05-04T13:35:44Z

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	codeserver	`060fe77`	May 04 2026, 01:36 PM

socket-security · 2026-05-04T13:36:04Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability
golang/golang.org/x/oauth2@v0.29.0 ⏵ v0.36.0	⁺¹
golang/github.com/aws/aws-sdk-go-v2@v1.36.3 ⏵ v1.41.6	⁺¹
golang/github.com/aws/smithy-go@v1.22.3 ⏵ v1.25.0	⁺¹
golang/golang.org/x/crypto@v0.39.0 ⏵ v0.50.0	⁺¹	⁺³
golang/golang.org/x/net@v0.41.0 ⏵ v0.53.0	⁺¹	⁺²
golang/github.com/gohugoio/hugo@v0.147.0 ⏵ v0.161.1	⁺¹	⁺²
golang/golang.org/x/tools@v0.33.0 ⏵ v0.44.0
golang/google.golang.org/grpc@v1.73.0 ⏵ v1.80.0	⁺¹	⁺⁷⁵
golang/google.golang.org/protobuf@v1.36.6 ⏵ v1.36.11	⁺¹
golang/go.opentelemetry.io/otel@v1.37.0 ⏵ v1.43.0	⁺¹	⁺¹⁶
golang/golang.org/x/text@v0.26.0 ⏵ v0.36.0
golang/google.golang.org/api@v0.231.0 ⏵ v0.276.0	⁺¹
golang/github.com/prometheus/client_model@v0.6.1 ⏵ v0.6.2
golang/golang.org/x/sys@v0.33.0 ⏵ v0.43.0
golang/github.com/aws/aws-sdk-go-v2/config@v1.29.14 ⏵ v1.32.2
golang/github.com/stretchr/testify@v1.10.0 ⏵ v1.11.1	⁺¹
golang/golang.org/x/mod@v0.25.0 ⏵ v0.35.0
golang/github.com/spf13/pflag@v1.0.6 ⏵ v1.0.10
golang/github.com/go-jose/go-jose/v4@v4.1.0 ⏵ v4.1.4		⁺¹⁶
golang/cloud.google.com/go/compute/metadata@v0.7.0 ⏵ v0.9.0	⁺¹
golang/go.opentelemetry.io/otel/sdk@v1.37.0 ⏵ v1.43.0	⁺¹	⁺²²
golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.35.0 ⏵ v1.38.0	⁺¹
golang/golang.org/x/sync@v0.15.0 ⏵ v0.20.0
golang/go.opentelemetry.io/otel/trace@v1.37.0 ⏵ v1.43.0	⁺¹
golang/golang.org/x/term@v0.32.0 ⏵ v0.42.0	⁺¹
golang/github.com/aws/aws-sdk-go-v2/feature/rds/auth@v1.5.1 ⏵ v1.6.14
golang/github.com/mattn/go-isatty@v0.0.20 ⏵ v0.0.22
golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.35.0 ⏵ v1.38.0

View full report

dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 4, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: bump github.com/gohugoio/hugo from 0.147.0 to 0.161.1#720

chore: bump github.com/gohugoio/hugo from 0.147.0 to 0.161.1#720
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/github.com/gohugoio/hugo-0.161.1

dependabot Bot commented on behalf of github May 4, 2026

Uh oh!

cloudflare-workers-and-pages Bot commented May 4, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented May 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 4, 2026

v0.161.1

What's Changed

v0.161.0

Nested vars support in css.Build and css.Sass

Slice-based permalinks config

Uh oh!

cloudflare-workers-and-pages Bot commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Deploying with Cloudflare Workers

Uh oh!

socket-security Bot commented May 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

cloudflare-workers-and-pages Bot commented May 4, 2026 •

edited

Loading