Python-hugo

This is a bug-fix release with a couple of important fixes.

* media: Also consider extension in FromContent 6779117f [bep](https://github.com/bep)
* media: Add missing BMP and GIF to the default MediaTypes list ce040110 [bep](https://github.com/bep)
* media: Add PDF MIME type cdc73526 [bep](https://github.com/bep)
* deps: Update github.com/evanw/esbuild v0.14.5 => v0.14.7 425c7d90 [bep](https://github.com/bep)
* config/security: Add HOME to default exec env var whitelist fca266eb [bep](https://github.com/bep) #9309
* modules: Set GOCACHE env var 0016e21c [bep](https://github.com/bep) #9309

Hugo `0.91.0` is mostly on the boring and technical side. See the list of changes below, but especially note the fix that allows passing _falsy_ arguments to partials with the `return` keyword (5758c370 7528), thanks to [ptgott](https://github.com/ptgott).

Notes

This release contains some changes that may break your build:

Use resources.GetRemote to fetch remote resources

In Hugo 0.90 we added remote support to `resources.Get`. In hindsight it was not a great idea use the same method for both, as a poll from many Hugo users showed. See Issue 9285 for more details. This release introduces `resources.GetRemote` which you need to use for remote resources. The example we showed in the release notes for `0.90.0` will now look like:

htmlbars
{{ $font := resources.GetRemote "https://github.com/google/fonts/raw/main/apache/roboto/static/Roboto-Black.ttf" }}
{{ $img := resources.GetRemote "https://gohugo.io/images/gohugoio-card-1.png" }}
{{ $img = $img | images.Filter (images.Text
"Rocks!!!"
(dict
"color" "E6B405"
"size" 100
"lineSpacing" 8
"x" 400 "y" 320
"font" $font))

}}


If you want to fetch any resource not having to consider where it lives, you can use a construct similar to the below:

htmlbars
{{ resource := "" }}
{{ if (urls.Parse $url).IsAbs }}
{{ $resource = resources.GetRemote $url }}
{{ else }}
{{ $resource = resources.Get $url }}
{{ end }}


New Security Configuration

This release also adds some new security hardening measures for the Hugo build runtime in the form of a new `security` configuration. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process. These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure this in the new `security` configuration section. The defaults are configured to create a minimal amount of site breakage, but if that do happen, you will get clear instructions in the console about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

toml
[security]
enableInlineShortcodes = false
[security.exec]
allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

[security.funcs]
getenv = ['^HUGO_']

[security.http]
methods = ['(?i)GET|POST']
urls = ['.*']


You can read more about it in [Hugo's Security Model](https://gohugo.io/about/security-model/)

Numbers

This release represents **23 contributions by 5 contributors** to the main Hugo code base.[bep](https://github.com/bep) leads the Hugo development with a significant amount of contributions, but also a big shoutout to [jmooring](https://github.com/jmooring), [ptgott](https://github.com/ptgott), and [jansorg](https://github.com/jansorg) for their ongoing contributions.
And thanks to [digitalcraftsman](https://github.com/digitalcraftsman) for his ongoing work on keeping the themes site in pristine condition.

Many have also been busy writing and fixing the documentation in [hugoDocs](https://github.com/gohugoio/hugoDocs),
which has received **18 contributions by 2 contributors**.

Hugo now has:

* 55860+ [stars](https://github.com/gohugoio/hugo/stargazers)
* 430+ [contributors](https://github.com/gohugoio/hugo/graphs/contributors)
* 415+ [themes](http://themes.gohugo.io/)

Changes

* docs: Regen docs helper 6df2f080 [bep](https://github.com/bep)
* tpl/resources: Add empty method mapping for GetRemote b84745d4 [bep](https://github.com/bep)
* Always use content to resolve content type in resources.GetRemote 44954497 [bep](https://github.com/bep) #9302 9301
* Add resources.GetRemote 22ef5da2 [bep](https://github.com/bep) #9285 9296
* Allow for return partials with falsy arguments (9298) 5758c370 [ptgott](https://github.com/ptgott) #7528
* deps: Upgrade github.com/evanw/esbuild v0.14.2 => v0.14.5 8ee6de6d [bep](https://github.com/bep)
* don't use path.Join, because it cleans the final path a4b9f1a9 [jansorg](https://github.com/jansorg)
* Add some basic security policies with sensible defaults f4389e48 [bep](https://github.com/bep)
* Simplify Babel test assertions 803f572e [bep](https://github.com/bep)
* Improve handling of remote image/jpeg resources (9278) a037be77 [jmooring](https://github.com/jmooring) #9275
* Fix Dockerfile 8a005538 [hitzhangjie](https://github.com/hitzhangjie) #9261
* Remove debug statement 657d0272 [jmooring](https://github.com/jmooring)
* Fix deprecation notice 159120cd [bep](https://github.com/bep)
* releaser: Prepare repository for 0.91.0-DEV 3f0d49e5 [bep](https://github.com/bep)
* releaser: Bump versions for release of 0.90.1 48907889 [bep](https://github.com/bep)
* releaser: Add release notes for 0.90.1 [ci skip] 3075eaa3 [bep](https://github.com/bep)
* Remove the retries on error in remote resources.Get 3bc68304 [bep](https://github.com/bep) #9271
* Allow user to handle/ignore errors in resources.Get e4d6ec94 [bep](https://github.com/bep) #9529
* Make resource.Get return nil on 404 not found 6260455b [bep](https://github.com/bep) #9267
* Update to Go 1.17.5 c397975a [bep](https://github.com/bep) #9269
* Update to Go 1.17.4 and remove timeout in resources.Get 965a6cbf [bep](https://github.com/bep) #9265

This release contains some fixes and improvements related to error handling in remote lookups in `resources.Get`, as introduced in Hugo 0.90.0:

* Now we will always return `nil` (never fail the build) when a _resource is not found_, also for remote resources (HTTP status code 404). This means that you can do `{{ with $img }}{{ else }}{{/* insert a default image or something */}}{{ end }}` and similar constructs, not having to consider where the resource source lives.
* Fetching resources remotely over HTTPS has a much greater chance of failing (network down, server down) than reading a file from disk (if not already [cached](https://gohugo.io/getting-started/configuration/#configure-file-caches)). And having this lead to a failing build is not always optimal. This release allows you to handle/ignore these errors in the templates if needed, see details below.

The return value from `resources.Get` now includes an `.Err` method that will be set if the call failed. If you want to just log any error as a `WARNING` you can use a construct similar to the one below.

htmlbars
{{ with resources.Get "https://gohugo.io/images/gohugoio-card-1.png" }}
{{ with .Err }}
{{ warnf "%s" . }}
{{ else }}
<img src="{{ .RelPermalink }}" width="{{ .Width }}" height="{{ .Height }}" alt="">
{{ end }}
{{ end }}

Note that if you do not handle `.Err` yourself, Hugo will fail the build the first time you start using the failed `Resource` object.

Changes

* Remove the retries on error in remote resources.Get 3bc68304 [bep](https://github.com/bep) #9271
* Allow user to handle/ignore errors in resources.Get e4d6ec94 [bep](https://github.com/bep) #9259
* Make resource.Get return nil on 404 not found 6260455b [bep](https://github.com/bep) #9267
* Update to Go 1.17.5 c397975a [bep](https://github.com/bep) #9269
* Update to Go 1.17.4 and remove timeout in resources.Get 965a6cbf [bep](https://github.com/bep) #9265

**Hugo 0.90** finally brings remote support to `resources.Get`, XML support (in `/data` and `transform.Unmarshal`), and a new `images.Text` filter. A special shoutout and thanks to [vanbroup](https://github.com/vanbroup) for his work on these features.

The support for remote `Resources` in `resources.Get` has been a feature in great demand. This means that you can fetch remote files (images, JSON files, RSS feeds ...) and use them in [Hugo Pipes](https://gohugo.io/hugo-pipes/introduction/) functions as they were local. A contrived example may look like this:

htmlbars
{{ $font := resources.Get "https://github.com/google/fonts/raw/main/apache/roboto/static/Roboto-Black.ttf" }}
{{ $img := resources.Get "https://gohugo.io/images/gohugoio-card-1.png" }}
{{ $img = $img | images.Filter (images.Text
"Rocks!"
(dict
"color" "E6B405"
"size" 100
"lineSpacing" 8
"x" 400 "y" 320
"font" $font))

}}
<img src="{{ $img.RelPermalink }}" />


The above fetches both a font and an image remotely and then uses the new `images.Text` filter to overlay a text on top of the image.

Numbers

This release represents **58 contributions by 6 contributors** to the main Hugo code base.[bep](https://github.com/bep) leads the Hugo development with a significant amount of contributions, but also a big shoutout to [jmooring](https://github.com/jmooring), [vanbroup](https://github.com/vanbroup), and [dependabot[bot]](https://github.com/apps/dependabot) for their ongoing contributions.

And thanks to [digitalcraftsman](https://github.com/digitalcraftsman) for his ongoing work on keeping the themes site in pristine condition.

Many have also been busy writing and fixing the documentation in [hugoDocs](https://github.com/gohugoio/hugoDocs), which has received **17 contributions by 6 contributors**. A special thanks to [jmooring](https://github.com/jmooring), [bep](https://github.com/bep), [santosh](https://github.com/santosh), and [coliff](https://github.com/coliff) for their work on the documentation site.

Hugo now has:

* 55686+ [stars](https://github.com/gohugoio/hugo/stargazers)
* 431+ [contributors](https://github.com/gohugoio/hugo/graphs/contributors)
* 415+ [themes](http://themes.gohugo.io/)

Notes

* deps: Upgrade github.com/evanw/esbuild v0.13.12 => v0.14.2 (note) b4f27ef8 [bep](https://github.com/bep) #9244

Changes

* Add custom font support to images.Text e71d715b [bep](https://github.com/bep) #9253
* images: Fix cache busting of image text filter e61cdf33 [bep](https://github.com/bep) #9238
* build(deps): bump github.com/getkin/kin-openapi from 0.80.0 to 0.85.0 6c3bc5eb [dependabot[bot]](https://github.com/apps/dependabot)
* images: Text filter that draws text with the given options (9239) 283394a4 [vanbroup](https://github.com/vanbroup) #9238
* tpl/transform: Optional options for highlight func 5538507e [jmooring](https://github.com/jmooring) #9249
* deps: Upgrade github.com/evanw/esbuild v0.13.12 => v0.14.2 (note) b4f27ef8 [bep](https://github.com/bep) #9244
* releaser: Add "note" to Note regexp 3473e31e [bep](https://github.com/bep)
* build(deps): bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 fa0da004 [dependabot[bot]](https://github.com/apps/dependabot)
* releaser: Rework and simplify to use GitHub only for release notes 24a893cf [bep](https://github.com/bep)
* build(deps): bump google.golang.org/api from 0.51.0 to 0.61.0 bf1564bd [dependabot[bot]](https://github.com/apps/dependabot)
* media: Add rss suffix for application/rss+xml cd44d409 [vanbroup](https://github.com/vanbroup) #9233
* parser: Add a test case in format resolution 9a326d56 [bep](https://github.com/bep) #9233
* lazy: Reset error in Reset b10381fb [bep](https://github.com/bep) #7043 9194
* Implement XML data support 0eaaa8fe [vanbroup](https://github.com/vanbroup) #4470
* Validate private use language tags 58adbeef [jmooring](https://github.com/jmooring) #9119
* resources: Add timeout to the HTTP request in Get 93572e53 [bep](https://github.com/bep)
* Add a remote retry for resources.Get 94f149b2 [bep](https://github.com/bep)
* Make resources.Get use a file cache for remote resources 66753416 [vanbroup](https://github.com/vanbroup) #9228
* Remove empty href element from pagination template 133e4bfb [jmooring](https://github.com/jmooring) #9149
* Check for empty deployment targets and matchers f122771f [jmooring](https://github.com/jmooring) #9220
* resources: Adjust the remote Get cache so it does not get evicted on restarts 08a863e1 [bep](https://github.com/bep)
* Add remote support to resources.Get 8aa7257f [vanbroup](https://github.com/vanbroup) #5255
* Add deprecation warning to google_news template 75a823a3 [jmooring](https://github.com/jmooring) #9172
* helpers: Make UniqueStringsReuse allocation free 5e0947c5 [bep](https://github.com/bep)
* releaser: Prepare repository for 0.90.0-DEV 0b70b46a [bep](https://github.com/bep)
* releaser: Add release notes to /docs for release of 0.89.4 ab01ba6e [bep](https://github.com/bep)
* releaser: Bump versions for release of 0.89.4 cc08c095 [bep](https://github.com/bep)
* releaser: Add release notes for 0.89.4 [ci skip] f97da9ec [bep](https://github.com/bep)
* Fix content dir resolution when main project is a Hugo Module 2e70f61f [bep](https://github.com/bep) #9177
* releaser: Prepare repository for 0.90.0-DEV 1ed8069a [bep](https://github.com/bep)
* releaser: Add release notes to /docs for release of 0.89.3 c88cdb56 [bep](https://github.com/bep)
* releaser: Bump versions for release of 0.89.3 e1064d21 [bep](https://github.com/bep)
* releaser: Add release notes for 0.89.3 [ci skip] bf489b96 [bep](https://github.com/bep)
* Improve error when we cannot determine content directory in "hugo new" b8155452 [bep](https://github.com/bep) #9166
* deps: Upgrade github.com/yuin/goldmark v1.4.3 => v1.4.4 08552a7a [jmooring](https://github.com/jmooring) #9159
* commands: Make sure pollInterval is always set fdad91fd [bep](https://github.com/bep) #9165
* create: Improve archetype directory discovery and tests 5f3f6089 [bep](https://github.com/bep) #9146
* create: Add a log statement when archetype is a directory 057d02de [bep](https://github.com/bep) #9157
* create: Always print "Content ... created" 43ac59da [bep](https://github.com/bep) #9157
* commands: Fix missing file locking in server partial render ab5c6990 [bep](https://github.com/bep) #9162
* modules: Improve error message 9369d13e [davidsneighbour](https://github.com/davidsneighbour)
* releaser: Prepare repository for 0.90.0-DEV 805c24c3 [bep](https://github.com/bep)
* releaser: Add release notes to /docs for release of 0.89.2 63e3a5eb [bep](https://github.com/bep)
* releaser: Bump versions for release of 0.89.2 eaa6c96a [bep](https://github.com/bep)
* releaser: Add release notes for 0.89.2 [ci skip] cf3eb580 [bep](https://github.com/bep)
* Fix path resolution in hugo new 2b01c85d [bep](https://github.com/bep) #9129
* deps: Upgrade github.com/yuin/goldmark v1.4.2 => v1.4.3 c09f5c5f [bep](https://github.com/bep) #9137
* releaser: Prepare repository for 0.90.0-DEV 9232e284 [bep](https://github.com/bep)
* releaser: Add release notes to /docs for release of 0.89.1 b6a4ae4a [bep](https://github.com/bep)
* releaser: Bump versions for release of 0.89.1 84de0c32 [bep](https://github.com/bep)
* releaser: Add release notes for 0.89.1 [ci skip] a0741022 [bep](https://github.com/bep)
* Revert "releaser: Fat MacOS binaries" da4406ea [bep](https://github.com/bep) #9131 9128
* create: Make sure the build lock is released before we open editor 166862a0 [bep](https://github.com/bep) #9121
* readme: Update dependency list 82c33c71 [deining](https://github.com/deining)
* releaser: Add "note" to Note regexp 3473e31e [bep](https://github.com/bep)
* releaser: Rework and simplify to use GitHub only for release notes 24a893cf [bep](https://github.com/bep)
* releaser: Simplify the release process 0fa40ce5 [bep](https://github.com/bep)
* releaser: Remove unused code bf537f1c [bep](https://github.com/bep)
* docs: Regenerate docs helper e86b3311 [bep](https://github.com/bep)

This is a bug-fix release with one important fix for people using `hugo new` to create new content:

* Fix content dir resolution when main project is a Hugo Module [2e70f61f](https://github.com/gohugoio/hugo/commit/2e70f61fb04cea08ef6598728a57637ae2cc199c) [bep](https://github.com/bep) [#9177](https://github.com/gohugoio/hugo/issues/9177)

This is a bug-fix release with a couple of important fixes.

* Improve error when we cannot determine content directory in "hugo new" [b8155452](https://github.com/gohugoio/hugo/commit/b8155452ac699473b6b2a34f53988dee01b4da34) [bep](https://github.com/bep) [#9166](https://github.com/gohugoio/hugo/issues/9166)
* deps: Upgrade github.com/yuin/goldmark v1.4.3 => v1.4.4 [08552a7a](https://github.com/gohugoio/hugo/commit/08552a7a4cd1fe64efdd2f1b95142fa4295cb298) [jmooring](https://github.com/jmooring) [#9159](https://github.com/gohugoio/hugo/issues/9159)
* commands: Make sure pollInterval is always set [fdad91fd](https://github.com/gohugoio/hugo/commit/fdad91fd96bc4636bf3a957cdddce18b66473124) [bep](https://github.com/bep) [#9165](https://github.com/gohugoio/hugo/issues/9165)
* create: Improve archetype directory discovery and tests [5f3f6089](https://github.com/gohugoio/hugo/commit/5f3f60898cfe1c087841ec1fbd5ddc2916d0a2c6) [bep](https://github.com/bep) [#9146](https://github.com/gohugoio/hugo/issues/9146)
* create: Add a log statement when archetype is a directory [057d02de](https://github.com/gohugoio/hugo/commit/057d02de256a3866b7044abaa4d03c69d9fedef0) [bep](https://github.com/bep) [#9157](https://github.com/gohugoio/hugo/issues/9157)
* create: Always print "Content ... created" [43ac59da](https://github.com/gohugoio/hugo/commit/43ac59da850901cc848b35129ca7223f9f9a9b19) [bep](https://github.com/bep) [#9157](https://github.com/gohugoio/hugo/issues/9157)
* commands: Fix missing file locking in server partial render [ab5c6990](https://github.com/gohugoio/hugo/commit/ab5c6990a55cbb11d97f857b4619b83fddda3d18) [bep](https://github.com/bep) [#9162](https://github.com/gohugoio/hugo/issues/9162)
* modules: Improve error message [9369d13e](https://github.com/gohugoio/hugo/commit/9369d13e59ffac262944477fad3dcd2742d66288) [davidsneighbour](https://github.com/davidsneighbour)