chore: bump github.com/gohugoio/hugo from 0.147.0 to 0.153.1

[dependabot]

Bumps github.com/gohugoio/hugo from 0.147.0 to 0.153.1.

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.153.1

[!note] This is a bug fix release. See the main release for a list of new features.

• Handle PNG named *.webp 4085ee93 @​bep #14288
• Revert deprecation logging for contentDir per language 168bf17e @​bep #14287
• Fix panic when 404 is backed by a content file f740d7cf @​bep #14283
• internal/warpc: Increase WebP memory limit to 256 MiB 5f46da6e @​jmooring #14282

v0.153.0

[!note] There is a newer bug fix release available here.

This is a good one! Hugo v0.153.0 comes with a powerful new multidimensional content model (languages, versions and roles) and completely overhauls WebP image support, and much more:

• For the new multidimensional content model, start reading sites matrix and sites complements. The matrix is what gets written to disk, complements allows e.g. a site in Swedish to fill in missing gaps in the site in Norwegian's page and resource collections. Also see the new Rotate method, that allows you to rotate the content tree in a given dimension.
• For WebP we now build a WASM version of libwebp (v1.6.0) and run it in the Wazero runtime. We use this for both encoding and decoding. This solves an old and annoying issue with Go's stdlib's decoder, with loss of contrast and muted colors in some photos, but it also means that you don't need the extended version of Hugo to handle WebP images. And, drum roll, we now also support animated WebP, including converting to and from animated GIFs.
• For MacOS, we now build signed and notarised pkg installers.

Also:

• The Asciidoctor integration is greatly improved.
• New template funcs urls.PathUnescape and urls.PathEscape.
• openapi3.Unmarshal now support external refs (including remote refs).

Notes

• tpl/css: Deprecate libsass in favor of dartsass (note) 9937a5dc @​bep #14261
• Build Order: Hugo builds sites based on the sorted dimensions (see below). In earlier versions, we built the sites starting with the default content language. This change is also reflected in the sort order of .Site.Sites to make it consistent with .Site.Languages.
• Sort Order: The dimensions are sorted as follows, which affects build order and complement selection:
  • languages: By weight, then by name.
  • versions: By weight, then by semantic versioning (descending).
  • roles: By weight, then by name.
• Deprecations:
  • The lang option on mounts (https://gohugo.io/configuration/module/#mounts) and segments (https://gohugo.io/configuration/segments/#segment-definition) is deprecated in favor of the more powerful sites.matrix option.
  • File mount includeFiles and excludeFiles are deprecated in favour of the new files filter, which supports negation.
• Logging: We no longer log warnings about potential duplicate content paths, as this becomes impractical to reason about with a complex sites matrix.

Bug fixes

• Fix some outdated front matter b82e496c @​bep #14271
• Fix server rebuilds on editing content with Chinese terms e2e64aee @​bep #14240
• Fix slow server startup of very big content trees 7a43b928 @​bep #14211
• github: Fix "no space left on device" issue in CI b037b930 @​bep
• docs: Fix link to CGO wiki page 5af31128 @​jordelver

... (truncated)

Commits

• 8e6cac8 releaser: Bump versions for release of 0.153.1
• 4085ee9 Handle PNG named *.webp
• 168bf17 Revert deprecation logging for contentDir per language
• 80ea90c images: Add some more PNG tests
• f740d7c Fix panic when 404 is backed by a content file
• 5f46da6 internal/warpc: Increase WebP memory limit to 256 MiB
• fe64a68 releaser: Prepare repository for 0.154.0-DEV
• b4128ba releaser: Bump versions for release of 0.153.0
• 790a5b7 hugoreleaser: Updage macospkgremote to increase notarization timeout
• 70ce244 Merge commit '08e1ea5c709d3d49bdc3ce3c21e8fa05a33150d0'
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	codeserver	3b25dc9	Dec 22 2025, 12:12 PM

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​golang.org/​x/​oauth2@​v0.29.0 ⏵ v0.32.0	+1
	golang/​github.com/​aws/​aws-sdk-go-v2@​v1.36.3 ⏵ v1.41.0	+1
	golang/​github.com/​aws/​smithy-go@​v1.22.3 ⏵ v1.24.0	+1
	golang/​golang.org/​x/​crypto@​v0.39.0 ⏵ v0.46.0	+1	+3
	golang/​golang.org/​x/​net@​v0.41.0 ⏵ v0.48.0	+1
	golang/​github.com/​gohugoio/​hugo@​v0.147.0 ⏵ v0.153.1	+1
	golang/​golang.org/​x/​tools@​v0.33.0 ⏵ v0.40.0	+1
	golang/​google.golang.org/​grpc@​v1.73.0 ⏵ v1.76.0	+1
	golang/​google.golang.org/​protobuf@​v1.36.6 ⏵ v1.36.10	+1
	golang/​golang.org/​x/​text@​v0.26.0 ⏵ v0.32.0	+1
	golang/​google.golang.org/​api@​v0.231.0 ⏵ v0.255.0	+1
	golang/​golang.org/​x/​sys@​v0.33.0 ⏵ v0.39.0
	golang/​github.com/​aws/​aws-sdk-go-v2/​config@​v1.29.14 ⏵ v1.31.17
	golang/​golang.org/​x/​mod@​v0.25.0 ⏵ v0.31.0
	golang/​github.com/​spf13/​pflag@​v1.0.6 ⏵ v1.0.9
	golang/​github.com/​go-jose/​go-jose/​v4@​v4.1.0 ⏵ v4.1.2
	golang/​cloud.google.com/​go/​compute/​metadata@​v0.7.0 ⏵ v0.9.0	+1
	golang/​go.opentelemetry.io/​otel/​exporters/​otlp/​otlptrace/​otlptracegrpc@​v1.35.0 ⏵ v1.37.0	+1
	golang/​golang.org/​x/​sync@​v0.15.0 ⏵ v0.19.0
	golang/​golang.org/​x/​term@​v0.32.0 ⏵ v0.38.0	+1
	golang/​github.com/​aws/​aws-sdk-go-v2/​feature/​rds/​auth@​v1.5.1 ⏵ v1.5.13
	golang/​go.opentelemetry.io/​otel/​exporters/​otlp/​otlptrace@​v1.35.0 ⏵ v1.37.0

View full report

[dependabot]

Superseded by #562.