fix(deps): update module github.com/gohugoio/hugo to v0.159.2 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gohugoio/hugo	v0.158.0 → v0.159.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Hugo: Certain markdown links are not properly escaped

CVE-2026-35166 / GHSA-mcv8-8m8x-48pg

More information

Details

Impact

Links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected.

Patches

Patched in v0.159.2

Workarounds

Create custom render hooks for links and images in a Hugo theme/project.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg
• https://github.com/gohugoio/hugo/commit/479fe6c654937a850b65e74551dc4e857d52898f
• https://github.com/gohugoio/hugo

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

gohugoio/hugo (github.com/gohugoio/hugo)

v0.159.2

Compare Source

Note that the security fix below is not a potential threat if you either:

• Trust your Markdown content files.
• Have custom render hook template for links and images.

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

• Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c @​bep
• resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e3 @​jmooring #​14684

v0.159.1

Compare Source

The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

 [minify.tdewolff.svg]
      keepNamespaces = ['', 'x-bind']

What's Changed

• minifiers: Keep x-bind and blank namespace in SVG minification 42289d7 @​bep #​14669

v0.159.0

Compare Source

This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.

Note

• Replace deprecated site.Data with hugo.Data in tests a8fca59 @​bep
• Replace deprecated excludeFiles and includeFiles with files in tests 182b104 @​bep
• Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d @​bep

Bug fixes

• tpl/tplimpl: Fix Vimeo shortcode test eaf4c75 @​jmooring #​14649

Improvements

• create: Return error instead of panic when page not found 807cae1 @​mango766 #​14112
• commands: Preserve non-content files in convert output c4fb61d @​xndvaz #​4621
• npm: Use workspaces to simplify hugo mod npm pack d88a29e @​bep
• commands: Close cpu profile file when StartCPUProfile fails 9dd9c76 @​buley
• Remove the AI Watchdog workflow for now 3315a86 @​bep
• Remove 'bep' from PR user logins skip list 3824484 @​bep
• tpl/tplimpl: Comment out the Vimeo simple shortcode tests 7813c5c @​bep #​14649

Dependency Updates

• build(deps): bump github.com/olekukonko/tablewriter from 1.1.3 to 1.1.4 (#​14641) 3ff9b7f @​dependabot[bot]
• build(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.7.17 be93ccd @​dependabot[bot]
• build(deps): bump github.com/magefile/mage from 1.15.0 to 1.16.1 2669bca @​dependabot[bot]
• build(deps): bump golang.org/x/image from 0.36.0 to 0.37.0 753d447 @​dependabot[bot]
• build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 4f39d72 @​dependabot[bot]

Documentation

• docs: Update docs.yaml d2043cf @​bep
• commands: Update docs linke to Node.js docs 4f3c398 @​bep

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[renovate-sh-app]

ℹ️ Artifact update notice

File name: tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/tdewolff/parse/v2	v2.8.10 -> v2.8.11
github.com/yuin/goldmark	v1.7.16 -> v1.7.17