v0.142.0

This is is mostly a bug fix release. It's a minor and not a patch release because of the image file cache issue fixes (see #13273 #13272). Fixing this required us to break the hashes for many of the generated images so we used this opportunity to simplify how we generate these hashes/image filenames.

Bug fixes

• Fix render hook's PlainText with typographer extension enabled 6aa72ac @bep #13286 #13292
• Fix build with Go 1.24 4b0c194 @flyn-org
• tpl/tplimpl: Fix context in shortcode error messages 8de4ffb @jmooring #13279
• resources: Fix 2 image file cache key issues 1f5a15a @bep #13273 #13272

Improvements

• Also handle inline HTML comments 637995b @bep
• Do not warn on potentially unsafe HTML comments when unsafe=false f1de5d2 @bep #13278
• tpl: Add loading attribute to qr shortcode 8897113 @nfriedli

v0.141.0

This release adds try, a new general mechanism for handling errors within templates, a new images.Mask image filter, a new images.QR function, a new alignx option to control horizontal alignment in images.Text, and more.

Note

• Adjust error handling in ToMath vs try (note) dde9d9d @bep #13239
• resources: Replace error handling in GetRemote with try (note) 0918e08 @bep #13216
• For render hooks, only fallback to HTML (or the defaultOutputFormat) template 7699336 @bep #13242

Bug fixes

• common/paths: Fix docstring 8b52626 @jdbaldry
• commands: Fix spelling in comment 60c24fc @bep
• Fix branch resource overlapping bundle path c5a63a3 @bep #13228
• templates: Fix handling of multiple defers in the same template 61d3d20 @bep #13236
• Fix NPX issue with TailwindCSS v4 cfa0801 @bep #13221
• Fix server refresh on 404 template changes d913f46 @bep #13209

Improvements

• tpl/tplimpl: Simplify some test assertions 1fad383 @bep
• tpl/tplimpl: Deprecate twitter shortcode in favor of x shortcode 1191467 @jmooring #13214
• commands: Set up the glboal logger early 4113707 @bep #13265
• commands: Add --printZero to the config command 5bb1564 @bep
• tpl/collections: Use MapRange/SetIterKey/SetIterValue for Where, Sort and Merge de7137c @bep
• tpl/collections: Add BenchmarkWhereMap 956f915 @bep
• tpl/collections: Add BenchmarkSortMap a2a4166 @bep
• tpl/collections: Add Merge benchmark 39f582f @bep
• resources/images: Refactor golden image tests to locate them closer to the implementation 2501de7 @bep
• resources/images: Add some mask tests 06cc867 @bep #13244
• resources/images: Add images.Mask 71fae99 @trickkiste #13244
• tpl/tplimpl: Use plain text for image render hook alt attribute 8af0474 @jmooring
• resources/images: Add some golden tests for images.QR 892b491 @bep
• tpl/images: Change signature of images.QR to images.QR TEXT OPTIONS b13d0a6 @jmooring #13230
• resources/images: Add some golden tests for images.Text d9594a9 @bep
• images.Text: Add "alignx" option for horizontal alignment 4a5cc2d @jlskuz #10849
• images: Rework the golden tests 9cad8d3 @bep
• create: Respect --noBuildLock in hugo new 2a7bb1c @bep
• tpl/images: Format the QR hashes as hex 5f2adad @bep
• tpl/images: Add images.QR function 4ea94c4 @jmooring #13205
• Add try 5d2cbee @bep #9737
• resources: Add FromOpts for more effective resource creation 723e3f4 @bep
• markup/highlight: Remove noHl option 2db43f8 @jmooring #9885

Dependency Updates

• deps: Upgrade github.com/gohugoio/hashstructure from 0.1.0 to 0.3.0 a2edf04 @bep
• build(deps): bump golang.org/x/tools from 0.28.0 to 0.29.0 f024a50 @dependabot[bot]
• build(deps): bump golang.org/x/net from 0.33.0 to 0.34.0 80704bc @dependabot[bot]
• build(deps): bump github.com/evanw/esbuild from 0.24.0 to 0.24.2 b7b49fb @dependabot[bot]
• build(deps): bump github.com/alecthomas/chroma/v2 from 2.14.0 to 2.15.0 a837976 @dependabot[bot]

Documentation

• docs: Regen CLI docs 88ecc3b @bep
• docs: Regen CLI docs 4462861 @bep

Build Setup

• snap: Always package latest stable version of Go 3682027 @jmooring

v0.140.2

The timing of this release comes from the security fix in golang.org/x/net's html.Parse function. This is used in two places in Hugo:

1. Extracting table of contents from Asciidoctor rendered output.
2. Collecting HTML classes etc. when build stats is enabled

It's a little bit of a stretch to see how this could be exploited in Hugo, but we understand that many want a clean security report. See this issue for details.

What's Changed

• Print cli usage of hugo gen chromastyles alongside css 83cec78 @diwasrimal
• build(deps): bump golang.org/x/net from 0.32.0 to 0.33.0 4e52be8 @dependabot[bot]
• config/allconfig: Fix slice of language configs 7888ac5 @jmooring #13201
• config/allconfig: Throw error when output format is not defined eb1dbe0 @jmooring #13199
• Fix same resource file published more than once 77824d7 @bep #13164
• markup/highlight: Add wrapperClass option ec0caae @bep
• Update README.md 845b888 @bep

v0.140.1

Some bug fixes in the (most likely) last Hugo release of the year. Of some technical interest to some, I can mention that I, @bep, have reworked hugoreleaser to use YAML (with anchors/aliases) instead of TOML for the release configuration. Have a look at the end result.

What's Changed

• Update gocloud and docs for S3-Compatible Endpoints e229f4b @tebriel
• js/esbuild: Don't try to resolve packages in /assets marked as external 0202539 @bep #13183
• Fix union, complement, symdiff, and intersect for transient resources 4a5e940 @bep #13181
• release: Add withdeploy deb extended archives 48a7aee @bep #13166
• common/loggers: Write PrintTimerIfDelayed output to stdErr 6c583e3 @jmooring #13171
• build(deps): bump github.com/spf13/cast from 1.7.0 to 1.7.1 5d64b49 @dependabot[bot]
• hugolib: Fix fallbacks for menu entry Name and Title b3f3294 @jmooring #13161

v0.140.0

The big new feature in this release is js.Batch – this enables JavaScript bundle groups (e.g. scripts per section) with global code splitting and flexible hooks/runners setup.

Bug fixes

• Fix panic on server rebuilds when using both base templates and template.Defer a5e5be2 @bep #12963
• js: Fix js.Batch for multihost setups 565c30e @bep #13151
• parser/pageparser: Fix Org Mode summary delimiter assignment 48dd6a9 @jmooring #13152
• Fix a rebuild on resource rename case 744b856 @bep
• tpl/tplimpl: Fix title attribute in details shortcode a32c889 @jmooring
• Fix Sass imports on the form index.{scss,sass} 5ab38de @bep #13123
• markup/goldmark: Fix blockquote render hook text parsing 3437340 @jmooring #12913 #13119

Improvements

• js/esbuild: Add missing es2024 target 5c80cb0 @bep
• js/esbuild: Add runners after scripts 7de5317 @bep
• js/esbuild: Batch: Avoid nil Instances slice 4cbd4ef @bep
• tpl/tplimpl: Update youtube shortcode 852d868 @jmooring
• tpl/tplimpl: Update details shortcode 1e34e5b @jmooring
• tpl/collections: Allow querify to accept a map argument 641d261 @jmooring #13131
• js/esbuild: Build groups in order of their ID a834bb9 @bep
• tpl/tplimpl: Add details shortcode 4f130f6 @racehd
• Write all logging (INFO, WARN, ERROR) to stderr 9dfa112 @bep #13074
• js/esbuild: Add platform option ec1933f @bep #13136
• Add config option disableDefaultLanguageRedirect 75ad9cd @bep #13133
• Add js.Batch e293e7c @bep #12626 #7499 #9978 #12879 #13113 #13116
• Upgrade to Go 1.23.4 6be2530 @bep #13130
• Remove some old and unused shell scripts 989b299 @bep

Dependency Updates

• build(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 157d864 @dependabot[bot]
• build(deps): bump golang.org/x/tools from 0.27.0 to 0.28.0 947e4e6 @dependabot[bot]
• build(deps): bump github.com/hairyhenderson/go-codeowners 5f89786 @dependabot[bot]
• build(deps): bump golang.org/x/net from 0.31.0 to 0.32.0 7b69218 @dependabot[bot]

v0.139.5

This is a release created for technical reasons, see #13147

It's the same as https://github.com/gohugoio/hugo/releases/tag/v0.139.4 -- go there for release archives.

v0.139.4

This release contains a security fix. See this Security Advisory for details. Note that this is only relevant if you don't trust your content (e.g. Markdown) files.

What's Changed

• tpl/tplimpl: Escape Markdown attributes in render hooks and shortcodes 54398f8 @jmooring
• deps: Upgrade github.com/bep/godartsass/v2 v2.3.1 => v2.3.2 b8c15f2 @bep
• common/maps: Simplify TestScratchSetInMap/DeleteInMap d0dc518 @alexandear
• markup/tableofcontents: Cast Fragments.ToHTML args to int b529859 @jmooring #13107

v0.139.3

What's Changed

• Fix server edits of resources included in shortcode/hooks c1dc35d @bep #13093
• commands: Fix flaw in the livereload logic dea158c @bep
• build(deps): bump github.com/bep/godartsass/v2 from 2.3.0 to 2.3.1 7e130e3 @dependabot[bot]
• build(deps): bump github.com/tetratelabs/wazero from 1.8.1 to 1.8.2 88b7868 @dependabot[bot]
• Fix some typos fc3d1cb @thirdkeyword

v0.139.2

Note that this is the second patch release today. See v0.139.1. We had to do this release to get the Hugo Docs build running.

What's Changed

• modules: Skip empty lines in modules.txt 0ab8189 @bep #13084

v0.139.1

What's Changed

• Revert "build(deps): bump github.com/tdewolff/minify/v2 from 2.20.37 to 2.21.1" aa3dd19 @bep #13082
• minifiers: Add failing test for upstream bug 5a50eee @bep #13082
• dartsass: Fix nilpointer on Close when Dart Sass isn't installed 8d017a6 @bep #13076