New security defaults for http.urls blocks @version imports #14825

@maikelpoot

79f030b#diff-eb691e23a4a8e810b5e9237690d327af133c5dde0a29dec2e1beed426b3d35dfR54-R63

The new defaults add a ! @ filter for URLs to prevent credentials:

and deny URLs with userinfo ("http://user@...") to foil the obvious SSRF bypass.

But this also blocks any versioned URLs used as imports, for example:

executing "_partials/scripts/mermaid.html" at <resources.GetRemote>: error calling GetRemote: access denied: "https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.esm.min.mjs" is not whitelisted in policy "security.http.urls";

What version of Hugo are you using (hugo version)?

hugo v0.161.0-98d396c16a07b51df06e7673d817a3880da6218d+extended darwin/arm64 BuildDate=2026-04-28T11:46:32Z VendorInfo=gohugoio

Does this issue reproduce with the latest release?

Yes, the defaults are introduced in 0.161.0
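
The mismatch reported above, as an added Go example (not Hugo's code and not part of the original issue): a deny rule that matches "@" anywhere in the URL string, compared with a check on the parsed userinfo component. It assumes the `! @` pattern behaves like a substring match; the function names and every sample URL except the first are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// blockedBySubstring models a deny rule that matches "@" anywhere in the raw
// URL string (an assumption about how a "! @" pattern behaves).
func blockedBySubstring(raw string) bool {
	return strings.Contains(raw, "@")
}

// blockedByUserinfo parses the URL and denies it only when the authority
// carries a userinfo component ("user@" or "user:pass@" before the host).
// URLs that fail to parse are denied as well (fail closed).
func blockedByUserinfo(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true
	}
	return u.User != nil
}

// Sample URLs. The first is the one from the issue; the rest are constructed.
var samples = []string{
	"https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.esm.min.mjs",
	"https://cdn.example.com/npm/@scope/pkg@1.2.3/index.js",
	"http://user@internal.example/",
	"https://user:secret@cdn.example.com/lib.js",
	"https://cdn.example.com/lib.js?contact=a@b.example",
}

func main() {
	for _, s := range samples {
		fmt.Printf("substring=%-5v userinfo=%-5v %s\n",
			blockedBySubstring(s), blockedByUserinfo(s), s)
	}
}
```

Only the two URLs with "@" in the authority are denied by the parsed check, while the substring rule denies all five.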
