This release contains two security hardening fixes:

• We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
• We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "#000000"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "#000000"

And in the stylesheet:

@import "hugo:vars";
@import "hugo:vars/dark" (prefers-color-scheme: dark);

:root {
  color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

A more flexible scheme for identifiers in filenames

What we had before was e.g. content/mypost.en.md which told Hugo that the content files was in English. With the new setup you could also name the file content/mypost._language_en_.md. This alone doesn't sound very useful, but this allows you to use more prefixes:

All Changes

• langs/i18n: Fix translation lookup when using language variants 72b85d5 @jmooring #7982
• create: Fix non-deterministic conflict detection in hugo new content 6436deb @jmooring #12602 #12786 #14112 #14769
• commands: Fix environment isolation for configuration settings 1eea9fb @jmooring #14763
• Fix filename dimension identifiers (role_X, version_X) to replace mount config 8d6145f @bep #14756
• Fix it so we never auto-fallback to page resources in other roles/versions 9747724 @bep #14749 #14752
• css: Support nested hugo:vars/ imports 7622dd8 @bep #14705
• github: Update GitHub actions versions 0814059 @bep #14810
• hugolib: Do not render aliases if the page is not rendered 8920d56 @jmooring #14807
• langs/i18n: Improve default content language fallback 633cc77 @jmooring #14243
• helpers: Remove unused code 4c40c6d @bep
• common/constants: Remove unused consts d2594db @bep
• common/paths: Remove unused code ab2de51 @bep
• tests: Update Ruby setup action to v1.305.0 75f6183 @jmooring
• langs: Use Language.Locale as primary localization key 1b7495b @jmooring #9109
• config/security: Add "! " negation to Whitelist, harden default http.urls 79f030b @bep #14792
• Harden Node tool execution with --permission flag a54c398 @bep #7287
• tpl/collections: Honor the Eqer interface in where comparisons f5fce93 @bep #14777
• modules: Ignore non-require blocks in go.mod rewrite 4169c1f @bep #14783
• Replace the concurrent map with an identical upstream version 7574e35 @bep
• Add slice-based permalinks config with PageMatcher target 017a7cd @bep #14744
• commands: Add missing import e3413d9 @bep
• Revert "common/hugo: Deprecate extended and extended_withdeploy editions" b01cc14 @bep #14771
• Adjust the SECURITY.md slightly 8ee19ff @bep
• resources/page: Add passing test for Issue #14325 0d58e42 @jmooring
• Add a more flexible filename identifier scheme that also allows setting roles and versions (#14754) ce2a156 @bep #14750
• common/hugo: Deprecate extended and extended_withdeploy editions a17bdbc @jmooring #14696
• parser/pageparser: Add a parser fuzz test 8f94d65 @bep
• Replace deprecated .Site.Sites/.Page.Sites with hugo.Sites intests 90d8bf3 @bep
• agents: Add a note about having the issue ID in test names bbb42b5 @bep
• build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0 d4ae662 @dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22 9ede5fb @dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13 833a878 @dependabot[bot]
• build(deps): bump github.com/magefile/mage from 1.17.1 to 1.17.2 4c03129 @dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.1 => v0.17.2 080970b @bep
• build(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudfront (#14789) 896bc89 @dependabot[bot]
• build(deps): bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#14788) 100dde5 @dependabot[bot]
• build(deps): bump github.com/bep/mclib (#14787) bdebb79 @dependabot[bot]
• build(deps): bump google.golang.org/api from 0.267.0 to 0.276.0 52123ae @dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.5 to 1.41.6 38b8afd @dependabot[bot]
• build(deps): bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 (#14781) 9276660 @dependabot[bot]
• build(deps): bump github.com/bep/goportabletext from 0.1.0 to 0.2.0 (#14779) 790f408 @dependabot[bot]
• build(deps): bump golang.org/x/image from 0.38.0 to 0.39.0 (#14780) de6955b @dependabot[bot]
• deps: Upgrade github.com/bep/imagemeta v0.17.0 => v0.17.1 (#14775) a77bd52 @bep #14758
• build(deps): bump golang.org/x/tools from 0.43.0 to 0.44.0 547ab29 @dependabot[bot]
• build(deps): bump github.com/evanw/esbuild from 0.27.4 to 0.28.0 9a5c7e0 @dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.1 to 1.41.5 6613b08 @dependabot[bot]
• build(deps): bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 582c26e @dependabot[bot]
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.11 to 2.24.12 a4f2a8a @dependabot[bot]