Hugo v0.163.3 is a patch release focused on fixing a security-related bug in syntax highlighting, a regression in page/section naming, and improving tooling support. The update ensures safer default rendering and smoother builds for developers using Babel or PostCSS.
- markup/highlight: Escape language identifier in default code block rendering to prevent XSS or rendering issues (ce1a7e0 by @bep, reported by @k0ngj1). Previously, unescaped `lang` values could break HTML output; now they are properly sanitized.
- parser/pageparser: Preserve non-ASCII whitespace characters (e.g., non-breaking spaces) after the summary divider (70a9068 @bep). This fixes cases where special whitespace was stripped, altering content meaning.
- resources: Support Babel and PostCSS config variants (9d66d51 @jmooring, issues #15039 #15040 #15043). Developers can now use config variants (e.g., `babel.config.variant.js`) to adjust build parameters per environment or theme.
- hugolib: Fix page/section name collision regression (f013346 @jmooring, #15046). Resolves an issue where two content files with similar names (e.g., `foo.md` and `foo-section.md`) could cause unexpected routing or build failures.
These fixes tighten security, preserve content integrity, and expand build customization. The highlighting escape is particularly important for sites accepting user-generated lang values. Babel/PostCSS variant support simplifies multi-environment setups. Upgrade is recommended for all Hugo sites.
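The class of bug behind the highlighting fix, shown as an added example that is not Hugo's own code: the markup shape, the helper names and the constructed, inert `lang` sample are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Assumed markup shape for an unhighlighted code block (not taken from Hugo's source).
const tmpl = `<pre><code class="language-%s" data-lang="%s">%s</code></pre>`

// renderUnescaped writes lang into the attributes verbatim, the pre-fix
// behaviour the release note describes. Hypothetical helper.
func renderUnescaped(lang, code string) string {
	return fmt.Sprintf(tmpl, lang, lang, html.EscapeString(code))
}

// renderEscaped escapes lang before it reaches the attribute context,
// so quotes in the identifier can no longer close the attribute.
func renderEscaped(lang, code string) string {
	l := html.EscapeString(lang)
	return fmt.Sprintf(tmpl, l, l, html.EscapeString(code))
}

// codeTagAttrs counts double-quoted attributes in the opening <code> tag.
// A count above 2 (class, data-lang) means lang broke out of its attribute.
func codeTagAttrs(out string) int {
	start := strings.Index(out, "<code")
	if start < 0 {
		return 0
	}
	end := strings.Index(out[start:], ">")
	if end < 0 {
		return 0
	}
	return strings.Count(out[start:start+end], `="`)
}

func main() {
	// Constructed sample: a lang value carrying a quote and an extra attribute.
	lang := `go" data-injected="1`
	for _, out := range []string{renderUnescaped(lang, "x := 1"), renderEscaped(lang, "x := 1")} {
		fmt.Printf("%d attrs: %s\n", codeTagAttrs(out), out)
	}
}
```

The same attribute count works as a regression check over rendered pages when the language identifier can come from untrusted content.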
Source: https://github.com/gohugoio/hugo/releases/tag/v0.163.3