chore: bump github.com/gohugoio/hugo from 0.146.3 to 0.162.0 #174

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/gohugoio/hugo-0.162.0

@dependabot dependabot Bot commented on behalf of github May 27, 2026

Bumps github.com/gohugoio/hugo from 0.146.3 to 0.162.0.

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.162.0

The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).

Security fixes

There are some notable security fixes in this release.

Security fixes in Go

This release upgrades from Go 1.26.1 to 1.26.3, which brings a set of security fixes. Some relevant for Hugo are:

  • XSS in html/template (CVE-2026-39826 & CVE-2026-39823): Two separate vulnerabilities where escaper bypasses in html/template could lead to Cross-Site Scripting (XSS).
  • html/template: Fixes an issue where JS template literal contexts were incorrectly tracked across template branches, which could lead to improper content escaping.

Security fixes and hardening in Hugo

The following changes either fix a concrete issue or reduce the default attack surface of hugo builds.

  • Disallow text/html content files by default (e41a064). A new security.allowContent policy gates which content media types may be used for pages under /content. text/html is denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in with security.allowContent = ['.*'].
  • Re-check security.http.urls on every redirect hop in resources.GetRemote (86fbb0f).
  • Reject symlinked entries in resources.Get (f8b5fa0).

We will update this section later with links to CVEs where applicable.

All changes

  • hugolib: Fix Page.GitInfo for modules with go.mod in a repo subdirectory df542191 @​bep #14942
  • Fix typo in CONTRIBUTING.md 4bc7caea @​bep
  • resources: Fix the :counter placeholder 5d51b82a @​jmooring #14921
  • commands: Fix import from Jekyll 81d77620 @​jmooring #14795 #14906
  • Fix prevention of direct symlink reads in resources.Get f8b5fa09 @​bep
  • commands: Fix github-dark chromastyles 88d838a9 @​xndvaz #14831
  • Disallow HTML content by default e41a0644 @​bep
  • Add image processing support for AVIF 90d9f812 @​bep #7837
  • config: Preserve intentionally empty maps 80e60847 @​jmooring #14944
  • hugolib: Merge existing hugo_stats.json when renderSegments is set aeb9a5cc @​bep #14939
  • all: Replace RWMutex struct caches with ConcurrentMap c4bbc280 @​bep
  • tpl/tplimpl: Consolidate and improve embedded template integration tests d8c70218 @​jmooring #14932
  • parser: Drop empty sub maps from hugo config output ee4f1acd @​bep #14855
  • markup/highlight: Allow overriding type and code via options b6133657 @​bep #11872
  • Update AI assistance disclosure requirements d2c821b5 @​bep
  • hugolib: Use AllTranslated in IsTranslated 4ed7600f @​bep
  • tpl: Simplify sitemap template cbe4339a @​bep #14912
  • tpl: Use AllTranslations in sitemap template 6475d308 @​bep #14912 #14917
  • tpl/collections: Make dict return nil when no values are provided 67aede43 @​bep
  • Sync Go template package to 1.26.3 87f194b2 @​bep #14897
  • Upgrade to Go 1.26.3 d81e3c29 @​bep #14897
  • ci: Check embedded template formatting with gotmplfmt 7c65a4db @​bep
  • tpl: Run gotmplfmt -w . d31a9275 @​bep
  • markup/goldmark/codeblocks: Always split Chroma options into .Options c36608c5 @​jmooring #14909

... (truncated)

Commits
  • 076dfe1 releaser: Bump versions for release of 0.162.0
  • e41a064 Disallow HTML content by default
  • 90d9f81 Add image processing support for AVIF
  • 80e6084 config: Preserve intentionally empty maps
  • df54219 hugolib: Fix Page.GitInfo for modules with go.mod in a repo subdirectory
  • aeb9a5c hugolib: Merge existing hugo_stats.json when renderSegments is set
  • c4bbc28 all: Replace RWMutex struct caches with ConcurrentMap
  • d8c7021 tpl/tplimpl: Consolidate and improve embedded template integration tests
  • ee4f1ac parser: Drop empty sub maps from hugo config output
  • b613365 markup/highlight: Allow overriding type and code via options
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo) from 0.146.3 to 0.162.0.
- [Release notes](https://github.com/gohugoio/hugo/releases)
- [Commits](gohugoio/hugo@v0.146.3...v0.162.0)

---
updated-dependencies:
- dependency-name: github.com/gohugoio/hugo
  dependency-version: 0.162.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 27, 2026
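
The redirect hardening listed in the release notes above (re-checking `security.http.urls` on every hop) can be illustrated with Go's `http.Client.CheckRedirect` hook. This is an added example, not code from this PR or from Hugo: `redirectPolicy`, `fetchStatus`, the single-pattern allowlist and the two local test servers are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// redirectPolicy re-applies the allowlist to every redirect target, so an
// allowed origin cannot bounce the fetch to a URL the policy would reject.
func redirectPolicy(allow *regexp.Regexp) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		// Setting CheckRedirect replaces net/http's default 10-hop limit, so keep one.
		if len(via) >= 10 {
			return fmt.Errorf("stopped after %d redirects", len(via))
		}
		if !allow.MatchString(req.URL.String()) {
			return fmt.Errorf("redirect hop %d to %q denied by allowlist", len(via), req.URL)
		}
		return nil
	}
}

// fetchStatus checks the initial URL, then lets redirectPolicy vet each hop.
func fetchStatus(allow *regexp.Regexp, rawURL string) (int, error) {
	if !allow.MatchString(rawURL) {
		return 0, fmt.Errorf("url %q denied by allowlist", rawURL)
	}
	client := &http.Client{CheckRedirect: redirectPolicy(allow)}
	resp, err := client.Get(rawURL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed demo: front is allowlisted and redirects to inner, which is not.
	inner := httptest.NewServer(http.NotFoundHandler())
	defer inner.Close()
	front := httptest.NewServer(http.RedirectHandler(inner.URL+"/x", http.StatusFound))
	defer front.Close()
	allow := regexp.MustCompile("^" + regexp.QuoteMeta(front.URL) + "/")
	_, err := fetchStatus(allow, front.URL+"/asset.json")
	fmt.Println("blocked:", err)
}
```

A check that validates only the first URL would follow the redirect in `main` and return the inner server's response; with the per-hop policy the request fails before the second connection is made.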