Skip to content

v0.91.0
Compare
Choose a tag to compare
@bep bep released this 17 Dec 11:12
· 1669 commits to master since this release
v0.91.0
d1dc0e9

Hugo 0.91.0 is mostly on the boring and technical side. See the list of changes below, but especially note the fix that allows passing falsy arguments to partials with the return keyword (5758c37 #7528), thanks to @ptgott.

Notes

This release contains some changes that may break your build:

Use resources.GetRemote to fetch remote resources

In Hugo 0.90 we added remote support to resources.Get. In hindsight it was not a great idea use the same method for both, as a poll from many Hugo users showed. See Issue #9285 for more details. This release introduces resources.GetRemote which you need to use for remote resources. The example we showed in the release notes for 0.90.0 will now look like:

{{ $font := resources.GetRemote "https://github.com/google/fonts/raw/main/apache/roboto/static/Roboto-Black.ttf" }}
{{ $img := resources.GetRemote "https://gohugo.io/images/gohugoio-card-1.png" }}
{{ $img = $img | images.Filter (images.Text 
                        "Rocks!!!" 
                        (dict 
                            "color" "#E6B405" 
                            "size" 100
                            "lineSpacing" 8 
                            "x" 400 "y" 320
                            "font" $font))
                     
}}

If you want to fetch any resource not having to consider where it lives, you can use a construct similar to the below:

{{ resource := "" }}
{{ if (urls.Parse $url).IsAbs }}
 {{ $resource = resources.GetRemote $url }}
{{ else }}
 {{ $resource = resources.Get $url }}
{{ end }}

New Security Configuration

This release also adds some new security hardening measures for the Hugo build runtime in the form of a new security configuration. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For asciidoctor and some others we use Go's os/exec package to start a new process. These are a predefined set of binary names, all loaded from PATH and with a predefined set of arguments. Still, if you don't use asciidoctor in your project, you might as well have it turned off.

You can configure this in the new security configuration section. The defaults are configured to create a minimal amount of site breakage, but if that do happen, you will get clear instructions in the console about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression whitelists (a string or a slice); the value none will block all.

[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']

You can read more about it in Hugo's Security Model

Numbers

This release represents 23 contributions by 5 contributors to the main Hugo code base.@bep leads the Hugo development with a significant amount of contributions, but also a big shoutout to @jmooring, @ptgott, and @jansorg for their ongoing contributions.
And thanks to @digitalcraftsman for his ongoing work on keeping the themes site in pristine condition.

Many have also been busy writing and fixing the documentation in hugoDocs,
which has received 18 contributions by 2 contributors.

Hugo now has:

Changes

Assets 26