All Versions
90
Latest Version
Avg Release Cycle
7 days
Latest Release
7 days ago

Changelog History
Page 1

  • v0.163.0 Changes

    June 08, 2026

    πŸš€ The main topic in this release is improvements to the AVIF image handling that we introduced in v0.162.0. See the docs for details, but:

    • 0️⃣ We have turned down the default quality for AVIF to 60. Turns out, JPEG/WebP with quality 75 is comparable to AVIF with quality 60. You can now also set quality per image format in your project config (and also per image processed if needed).
    • 0️⃣ We have added a hint to the AVIF with the same values as for WEBP. For lossy compression, the photo/picture hints (and the default) encodes with YUV420 chroma subsampling instead of YUV444, keeping 444 for text/icon/drawing. This greatly reduces the memory needed to encode these images.

    πŸ‘Œ Improvements

    ⚑️ Dependency Updates

    • πŸ— build(deps): bump github.com/bits-and-blooms/bitset 0d29fc8 @dependabot[bot]
    • πŸ— build(deps): bump github.com/tetratelabs/wazero bb57404 @dependabot[bot]
    • πŸ— build(deps): bump github.com/rogpeppe/go-internal from 1.14.1 to 1.15.0 7d1b1fb @dependabot[bot]
    • πŸ— build(deps): bump github.com/getkin/kin-openapi from 0.138.0 to 0.139.0 77a1147 @dependabot[bot]

  • v0.162.1 Changes

    May 28, 2026

    What's Changed

  • v0.162.0 Changes

    May 26, 2026

    πŸš€ The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).

    πŸ”’ Security fixes

    πŸš€ There are some notable security fixes in this release.

    πŸ”’ Security fixes in Go

    πŸš€ This release upgrades from Go 1.26.1 to 126.3, which brings a set of security fixes. Some relevant for Hugo are:

    • XSS in html/template (CVE-2026-39826 & CVE-2026-39823): Two separate vulnerabilities where escaper bypasses in html/template could lead to Cross-Site Scripting (XSS).
    • πŸ›  html/template: Fixes an issue where JS template literal contexts were incorrectly tracked across template branches, which could lead to improper content escaping.

    πŸ”’ Security fixes and hardening in Hugo

    πŸ— The following changes either fix a concrete issue or reduce the default attack surface of hugo builds.

    • 0️⃣ Disallow text/html content files by default (e41a064). A new security.allowContent policy gates which content media types may be used for pages under /content. text/html is denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in with security.allowContent = ['.*'].
    • πŸ”’ Re-check security.http.urls on every redirect hop in resources.GetRemote (86fbb0f).
    • Reject symlinked entries in resources.Get (f8b5fa0).

    ⚑️ We will update this section later with links to CVEs where applicable.

    All changes

  • v0.161.1 Changes

    April 29, 2026

    What's Changed

  • v0.161.0 Changes

    April 28, 2026

    πŸš€ This release contains two security hardening fixes:

    • πŸš€ We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
    • πŸ”’ We have made the defaults in security.http.urls more restrictive.

    But there are some notable new features, as well:

    πŸ— Nested vars support in css.Build and css.Sass

    πŸ— A practical example in css.Build would be to have something like this in hugo.toml:

    [params.style]primary="#000000"background="#ffffff"[params.style.dark]primary="#ffffff"background="#000000"

    πŸ’… And in the stylesheet:

    @import"hugo:vars";@import"hugo:vars/dark"(prefers-color-scheme:dark);:root{color-scheme:light dark;
}

    Slice-based permalinks config

    πŸ”§ The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

    permalinks:
  -target:kind:pagepath:"/books/\*\*"pattern:/books/:year/:slug/-target:kind:sectionpath:"/{books,books/\*\*}"pattern:/libros/:sections[1:]-target:kind:pagepattern:/other/:slug/

    The above example isn't great, but it at least shows the gist of it.

    A more flexible scheme for identifiers in filenames

    What we had before was e.g. content/mypost.en.md which told Hugo that the content files was in English. With the new setup you could also name the file content/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:

    Prefix Description Relevant for
    language_ Language Content and layout files.
    role_ Role Content and layout files.
    version_ Version Content and layout files.
    outputformat_ Output format Layout files.
    mediatype_ Media type Layout files.
    kind_ Page kind Layout files.
    layout_ Layout Layout files.

    All Changes

  • v0.160.1 Changes

    April 08, 2026

    What's Changed

    • πŸ›  Fix panic when passthrough elements are used in headings 8b00030 @bep #14677
    • πŸ›  Fix panic on edit of legacy mapped template names that's also a valid path in the new setup c485516 @bep #14740
    • πŸ›  Fix RenderShortcodes leaking context markers when indented 161d0d4 @bep #12457
    • Strip nested page context markers from standalone RenderShortcodes 45e4596 @bep #14732
    • βœ… Rename deprecated cascade._target to cascade.target in tests 58927aa @bep
    • πŸ›  Fix auto-creation of root sections in multilingual sites ce009e3 @bep #14681
    • readme: Fix links 0755872 @chicks-net

  • v0.160.0 Changes

    April 04, 2026

    πŸ’… Now you can inject CSS vars, e.g. from the configuration, into your stylesheets when building with css.Build. Also, now all the render hooks has a .Position method, now also more accurate and effective.

    πŸ› Bug fixes

    πŸ‘Œ Improvements

    • βœ… all: Replace NewIntegrationTestBuilder with Test/TestE/TestRunning 481baa0 @bep
    • πŸ— tpl/css: Support @import "hugo:vars" for CSS custom properties in css.Build 5d09b5e @bep #14699
    • πŸ‘Œ Improve and extend .Position handling in Goldmark render hooks 303e443 @bep #14663
    • βœ… markup/goldmark: Clean up test 638262c @bep

    ⚑️ Dependency Updates

    • πŸ— build(deps): bump github.com/magefile/mage from 1.16.1 to 1.17.1 bf6e35a @dependabot[bot]
    • πŸ— build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 0eda24e @dependabot[bot]
    • πŸ— build(deps): bump golang.org/x/image from 0.37.0 to 0.38.0 beb57a6 @dependabot[bot]

    πŸ“š Documentation

    • readme: Revise edition descriptions and installation instructions 9f1f1be @jmooring

  • v0.159.2 Changes

    April 01, 2026

    πŸ”’ Note that the security fix below is not a potential threat if you either:

    πŸš€ EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

    What's Changed

    • πŸ›  Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c @bep
    • πŸ‘€ resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e3 @jmooring #14684

  • v0.159.1 Changes

    March 26, 2026

    πŸ“š The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

    0️⃣ To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

    [minify.tdewolff.svg]keepNamespaces= ['','x-bind']

    What's Changed

  • v0.159.0 Changes

    March 23, 2026

    Note

    • βœ… Replace deprecated site.Data with hugo.Data in tests a8fca59 @bep
    • βœ… Replace deprecated excludeFiles and includeFiles with files in tests 182b104 @bep
    • βœ… Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d @bep

    πŸ› Bug fixes

    πŸ‘Œ Improvements

    ⚑️ Dependency Updates

    • πŸ— build(deps): bump github.com/olekukonko/tablewriter from 1.1.3 to 1.1.4 (#14641) 3ff9b7f @dependabot[bot]
    • πŸ— build(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.7.17 be93ccd @dependabot[bot]
    • πŸ— build(deps): bump github.com/magefile/mage from 1.15.0 to 1.16.1 2669bca @dependabot[bot]
    • πŸ— build(deps): bump golang.org/x/image from 0.36.0 to 0.37.0 753d447 @dependabot[bot]
    • πŸ— build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 4f39d72 @dependabot[bot]

    πŸ“š Documentation

    • πŸ“„ docs: Update docs.yaml d2043cf @bep
    • ⚑️ commands: Update docs linke to Node.js docs 4f3c398 @bep