chore: bump github.com/gohugoio/hugo from 0.146.3 to 0.161.1

[dependabot]

Bumps github.com/gohugoio/hugo from 0.146.3 to 0.161.1.

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.161.1

What's Changed

• resources: Honor Retry-After header in resources.GetRemote retries c4eba928 @​bep #14828
• warpc: Move to parson.c in https://github.com/kgabis/parson 8b40a96b @​bep #14823
• config/security: Add AllowChildProcess to security.node.permissions d65af84d @​bep #14824
• config/security: Restrict default http.urls "@" deny to userinfo 454450a6 @​bep #14825

v0.161.0

This release contains two security hardening fixes:

• We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
• We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"

And in the stylesheet:

@import "hugo:vars";
@import "hugo:vars/dark" (prefers-color-scheme: dark);
:root {
color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
</tr></table> 

... (truncated)

Commits

• ea8f66a releaser: Bump versions for release of 0.161.1
• c4eba92 resources: Honor Retry-After header in resources.GetRemote retries
• 8b40a96 warpc: Move to parson.c in https://github.com/kgabis/parson
• d65af84 config/security: Add AllowChildProcess to security.node.permissions
• 454450a config/security: Restrict default http.urls "@" deny to userinfo
• 2bfcc6b releaser: Prepare repository for 0.162.0-DEV
• 98d396c releaser: Bump versions for release of 0.161.0
• d4ae662 build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0
• 9ede5fb build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22
• 833a878 build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #174.