Sourced from github.com/gohugoio/hugo's releases.

v0.121.2

The main motivation behind this release is a security fix in the upstream golang.org/x/crypto library. We don't see how that CVE could be exploited via Hugo, but we do appreciate that many want to have a clean security report.

There's also some new features in this release:

• AutoOrient image filter
• math.Rand

What's Changed

• build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 1ccd3147a @​dependabot[bot]
• tpl/math: Add math.Rand template function e40b9fbbc @​jmooring #11833
• resources/images: Create AutoOrient image filter 648d00c7d @​jmooring #11717
• all: Remove unused code 8adba648c @​bep

v0.121.1

The only change in this release is that the release binaries are compiled with Go 1.21.5 which contains some security fixes that are relevant for Hugo.

• Upgrade to Go 1.21.5 eb9f1eb65 @​bep #11786

v0.121.0

There are some minor new features in this release, but it's mostly a release with bug fixes and dependency updates. One notable dependency update is libweb v1.3.2 which comes with a security fix for the Webp decoder (chromium: #1479274, CVE-2023-4863). Hugo only uses the encoder (we use Go's native Webp decoder) so we're not affected by this, but we have been contacted by some corporate Hugo users who's eager to have a clean security report.

Notes

• kin-openapi v0.122.0 has some minor breaking API changes which, from Hugo's side of it, can be adapted by using the new .Map accessors if you get an error.

Bug fixes and enhancements

• github: Fix CI build on Windows 6d4b01241 @​bep
• Fix handling of dropped error in test 26a8ec207 @​alrs
• resources/resource: Fix GroupByParamDate with raw TOML dates dd6cd6268 @​jmooring #11563
• helpers: Fix TrimShortHTML used by markdownify and RenderString 0bde6931a @​jmooring #11698
• Pull in the latest code from Go's template packages (#11771) 9f978d387 @​bep #10707 #11507
• tpl: Allow using page resources on the images page parameter for opengraph, schema and twitter_cards templates 14d85ec13 @​razonyang
• hugolib: Apply titleCaseStyle to automatic section pages 171836cdf @​jmooring #11547
• tpl/urls: Retain query and fragment with absURL and absLangURL 9ea7103db @​jmooring #11772
• markup: Add Level to Heading struct 3fc42da3d @​jmooring #10776
• tpl/fmt: Print suppression help with erroridf d24da1712 @​jmooring #11506
• tpl/transform: Display Chroma highlighting errors 4583b4130 @​jmooring #9642
• common/para: Skip flaky test on CI e2a624dd6 @​bep
• watcher: Skip flaky test for now 30a18e882 @​bep
• tpl/transform: Add transform.XMLEscape template function b4c5df42f @​jmooring #3268
• tpl/tplimpl: Remove superfluous type attr on script elements 8d32ca223 @​jmooring #6379
• common/para: Skip flaky tests on Windows 27620daa2 @​bep
• navigation: Unexport menu entry methods 80d2fdbaa @​jmooring #11670

... (truncated)

• 6d5b443 releaser: Bump versions for release of 0.121.2
• 1ccd314 build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0
• e40b9fb tpl/math: Add math.Rand template function
• 9cd8fbb Adjust site benchmark
• abcc610 Simplify baseline benchmark
• 648d00c resources/images: Create AutoOrient image filter
• 8adba64 all: Remove unused code
• 6f13430 releaser: Prepare repository for 0.122.0-DEV
• 00b46fe releaser: Bump versions for release of 0.121.1
• eb9f1eb Upgrade to Go 1.21.5
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)