Safety vulnerability ID: 63316
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Hugo 0.119.0 upgrades its dependency Go to version 1.21.1, in response to the identified CVE-2023-39318 vulnerability.
https://github.com/gohugoio/hugo/commit/1e9b87f7602711fcf84069e03bbae6e0c08f73d1
Latest version: 0.125.6
Binaries for the Hugo static site generator, installable with pip
This version is built with Go 1.21.1 which contains some relevant security fixes for the `html/template` package, see [Issue 62196](https://github.com/golang/go/issues/62196) and [Issue 62197](https://github.com/golang/go/issues/62197). This is the main reason Hugo 0.119.0 is released sooner rather than later. But this release also comes with a dependency refresh and some useful image processing improvements:
* A new general-purpose [Process](https://gohugo.io/content-management/image-processing/#process) method and filter.
* A new [Opacity](https://gohugo.io/functions/images/#opacity) filter.
`Process` support all of the existing scaling operations, but it can also be used do simple format conversions (e.g. from JPG to PNG). A before/after example:
handlebars
{{ $watermark := resources.Get "logo.jpg" | images.Filter
(images.GaussianBlur 6)
(images.Opacity 0.5)
}}
{{ $watermark = $watermark.Resize (printf "%dx%d png" $watermark.Width $watermark.Height )
There are some issues with the above:
1. The source image does not support transparency, so the transparency pixels will be filled with the configured background colour.
2. The image will be decoded and encoded twice with a potential loss in quality.
3. It's clumsy.
With Hugo 0.119.0 the above can be written as:
handlebars
{{ $watermark := resources.Get "logo.jpg" | images.Filter
(images.GaussianBlur 6)
(images.Opacity 0.5)
(images.Process "png")
}}
Bug fixes
* Fix tests for Go 1.21.1 79a17d9e5 bep 11450
* Fix recently broken benchmark 18ce85462 bep
Improvements
* common: Remove unused constants 6b65b2fae alexandear
* Add images.Process filter 6a246d115 bep 8439
* Add $image.Process ef0e7149d bep 11483
* google_analytics_async.html: Add deprecation warning c32094ace carlmjohnson
* Add images.Opacity filter f9b3c0f48 bep 11471
* Upgrade to Go 1.21.1 1e9b87f76 bep 11474 11414
* create/skeletons: Improve viewport meta tag f9163155d jmooring
* commands/gen: Remove default highlight style 75c0f8828 jmooring 11445
* Adjust baseline benchmarks 69f5bad40 bep
* commands: Print language code after web server address info 525bed991 ilmari-lauhakangas
Dependency Updates
* build(deps): bump golang.org/x/tools from 0.12.0 to 0.13.0 a262fd4dd dependabot[bot]
* build(deps): bump github.com/alecthomas/chroma/v2 from 2.8.0 to 2.9.1 f0d32455d dependabot[bot]
* build(deps): bump github.com/evanw/esbuild from 0.19.2 to 0.19.3 e8bc8e6d0 dependabot[bot]
* build(deps): bump github.com/aws/aws-sdk-go from 1.44.314 to 1.45.14 11fcda971 dependabot[bot]
* build(deps): bump github.com/getkin/kin-openapi from 0.118.0 to 0.120.0 f31375d4c dependabot[bot]
* build(deps): bump golang.org/x/image from 0.11.0 to 0.12.0 6415b599b dependabot[bot]
Documentation
* docs: Even more about images.Process a9d19dbdd bep
* docs: More about images.Process 12d713176 bep
* docs: Regen docshelper 1768684d8 bep
* commands: Update CLI docs with the important -u flag in hugo mod get 275c0acbf bep
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application