Hugo v0.163.3 Patches Highlighting, Page Collisions, and Extends Config Variants

Hugo · 18 Jun 2026 · 1 min read

#hugo

Hugo v0.163.3 is a patch release focused on fixing a security-related bug in syntax highlighting, a regression in page/section naming, and improving tooling support. The update ensures safer default rendering and smoother builds for developers using Babel or PostCSS.

  • markup/highlight: Escape language identifier in default code block rendering to prevent XSS or rendering issues (ce1a7e0 by @bep, reported by @k0ngj1). Previously, unescaped lang values could break HTML output; now they are properly sanitized.
  • parser/pageparser: Preserve non-ASCII whitespace characters (e.g., non-breaking spaces) after the summary divider (70a9068 @bep). This fixes cases where special whitespace was stripped, altering content meaning.
  • resources: Support Babel and PostCSS config variants (9d66d51 @jmooring, issues #15039 #15040 #15043). Developers can now use config variants (e.g., babel.config.variant.js) to adjust build parameters per environment or theme.
  • hugolib: Fix page/section name collision regression (f013346 @jmooring, #15046). Resolves an issue where two content files with similar names (e.g., foo.md and foo-section.md) could cause unexpected routing or build failures.

These fixes tighten security, preserve content integrity, and expand build customization. The highlighting escape is particularly important for sites accepting user-generated lang values. Babel/PostCSS variant support simplifies multi-environment setups. Upgrade is recommended for all Hugo sites.

Source: https://github.com/gohugoio/hugo/releases/tag/v0.163.3

Related

auto-curated · source linked above ← all news