Hugo v0.161.0 ships two security hardening changes: Node tools (PostCSS, Babel, TailwindCSS) now run with the --permission flag using permissions defined in security.node.permissions, requiring Node >= 22, and the TailwindCSS standalone executable is no longer supported (must use the Node.js package). Default security.http.urls restrictions are also tightened. Bug fixes address i18n translation lookup, non-deterministic conflict detection in 'hugo new content', environment isolation for config settings, and filename dimension identifier issues. Improvements include nested hugo:vars/ CSS imports, better i18n language fallback, slice-based permalinks config with PageMatcher, and various dependency updates.
Sort: