Hugo v0.163.1 Security Release
Hugo v0.163.1 is a security-focused release that patches several vulnerabilities reported by contributor @vnth4nhnt. Alongside the security fixes it also resolves a few bugs.
Security Updates
- Upstream fix: Applied a patch to `golang.org/x/image` via a Dependabot pull request.
- Normalized IPv4 host encodings: The `http.urls` security check (the allowlist of URLs Hugo may fetch) now handles integer IPv4 host forms such as `http://2130706433/`, a decimal spelling of 127.0.0.1 that a plain string match on the host would otherwise miss.
- Removed symlink support: The template functions `os.ReadDir`, `os.ReadFile`, `os.Stat`, and `os.FileExists` no longer follow symbolic links, so a link planted in the site tree can no longer be used to reach files outside it.
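As an added example (not Hugo's own code), the following Go program shows the two checks the list above describes: a host normalizer that folds integer IPv4 spellings back to a dotted quad before an allowlist is consulted, and a file read that refuses to follow a symbolic link in any component below the site directory. The function names, the allowlist-as-host-regexp shape, and the sample inputs are assumptions of this example, not Hugo's configuration or API.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// intHost matches the integer host spellings a URL parser accepts without complaint:
// plain decimal (2130706433), hex (0x7f000001) and leading-zero octal (017700000001).
var intHost = regexp.MustCompile(`^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$`)

// normalizeHost returns the host of rawURL in canonical form. Integer IPv4 spellings
// are rewritten as dotted quads so that an allowlist sees the address the request
// would actually reach, not the string the attacker typed.
func normalizeHost(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	h := u.Hostname()
	if h == "" {
		return "", errors.New("empty host")
	}
	if ip := net.ParseIP(h); ip != nil {
		return ip.String(), nil // already a literal IPv4/IPv6 address
	}
	if intHost.MatchString(h) {
		n, err := strconv.ParseUint(h, 0, 32) // base 0 honours the 0x / leading-0 prefixes
		if err != nil {
			return "", fmt.Errorf("integer host out of range: %w", err)
		}
		return net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)).String(), nil
	}
	return strings.ToLower(h), nil
}

// hostAllowed reports whether rawURL may be fetched: its normalized host must match
// one of the anchored regexps in allow (a simplified, host-only allowlist; an assumption
// of this example rather than Hugo's http.urls semantics).
func hostAllowed(rawURL string, allow []string) (bool, error) {
	h, err := normalizeHost(rawURL)
	if err != nil {
		return false, err
	}
	for _, pat := range allow {
		re, err := regexp.Compile(pat)
		if err != nil {
			return false, err
		}
		if re.MatchString(h) {
			return true, nil
		}
	}
	return false, nil
}

// readFileNoFollow reads rel beneath base. The path is forced to stay relative, and
// every component below base is inspected with Lstat so that a symbolic link anywhere
// in the chain is rejected instead of followed.
func readFileNoFollow(base, rel string) ([]byte, error) {
	cleaned := filepath.Clean("/" + rel) // rooted clean strips any leading ../ escape
	cur := base
	for _, p := range strings.Split(cleaned, string(filepath.Separator)) {
		if p == "" {
			continue
		}
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur)
		if err != nil {
			return nil, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%s: symbolic links are not followed", cur)
		}
	}
	return os.ReadFile(cur)
}

func main() {
	for _, u := range []string{"http://2130706433/", "http://0x7f000001/", "https://example.com/data.json"} {
		h, err := normalizeHost(u)
		fmt.Printf("%-32s -> %s %v\n", u, h, err)
	}
}
```

The symlink check deliberately does not Lstat `base` itself: on systems where the temporary or project directory is itself reached through a link (macOS's `/var`, for instance), only links below the site root are the concern.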
Bug Fixes
- Merge behavior with the `--renderSegments` flag: Fixed an issue where site rendering with `--renderSegments` behaved incorrectly (issue #15024).
- `convert` command: Resolved a problem in the `convert` command (issue #15012).
Team Commentary
The Hugo team notes that while the number of security reports has increased, this is largely attributable to AI tools probing Hugo's restrictive security model rather than to a decline in Hugo's security posture. Developers are strongly encouraged to upgrade to keep their static site build environment secure.
Source: https://github.com/gohugoio/hugo/releases/tag/v0.163.1