Hugo 0.158.0-0.163.x upgrade guide
This post summarizes breaking, security, and notable changes in Hugo 0.158.0 to 0.163.2 that are relevant to Docsy users. It is a companion post to the Docsy 0.16.0 release and upgrade guide.
Docsy 0.16.0 requires Hugo 0.158.0 or later. The Docsy project build is tested with Hugo 0.163.2, which is the recommended target for this upgrade range.
Upgrade summary
This guide highlights Hugo changes that may require action when upgrading a Docsy site to 0.16.0.
- Review BREAKING changes:
- Review deprecations:
- Optionally skim:
- Jump to Upgrade to Hugo 0.163.2 once you’re ready.
Hugo version for Docsy 0.16.0
Docsy 0.16.0 raises the theme’s minimum supported Hugo version from 0.146.0 to 0.158.0. Theme templates now use Hugo language APIs introduced in 0.158.0, so older Hugo versions will fail with template errors.
The theme minimum remains 0.158.0 through the 0.163.x range. However, we recommend upgrading directly to Hugo 0.163.2 because the later releases include security fixes, avoid a short-lived 0.159.x link-escaping regression, and are the versions validated across Docsy, the Docsy example site, and at least one large downstream Docsy site.
Actions
Applies to all sites upgrading to Docsy 0.16.0.
Upgrade Hugo to 0.158.0 or later. Prefer 0.163.2.
If your project declares
module.hugoVersion.min, set it to at least0.158.0.If you use
hugo-extended, pin a compatible version in your site:npm install hugo-extended@0.163.2 --save-devIf you use hvm, select the latest compatible Hugo release:
hvm use 0.163.2
Language API deprecations (0.158.0)
Hugo 0.158.0 renamed several language configuration keys and template methods. The old names log deprecation notices first, then move toward warnings and eventual errors on Hugo’s deprecation timeline.
Docsy’s own templates and docs now use the new names, which is why Docsy 0.16.0 requires Hugo 0.158.0 or later.
Actions
Applies if your multilingual site config uses older language keys. Rename them when convenient:
# OLD
languages:
en:
languageName: English
languageDirection: ltr
# NEW
languages:
en:
label: English
direction: ltr
Applies if your site overrides language-related templates or partials. Review custom template code for these replacements:
| Deprecated | Replacement |
|---|---|
.Language.Lang | .Language.Name |
.Language.LanguageCode | .Language.Locale |
.Language.LanguageName | .Language.Label |
.Language.LanguageDirection | .Language.Direction |
.Site.LanguageCode | .Site.Language.Locale |
(Page|Site).Language.Weight | no direct replacement |
.Site.Languages for cross-site language | hugo.Sites or .Sites |
For current Docsy examples, see Multi-language support.
Markdown-link escaping (0.159.2 to 0.160.1)
Hugo 0.159.2 included a security fix for dangerous URLs in Markdown links and
images. It also introduced a regression that could double-escape & in rendered
Markdown link URLs, producing & in HTML output.
Hugo 0.160.0 fixed that regression, and Hugo 0.160.1 is the safer 0.160.x patch release. If you are moving through this range, do not stop at 0.159.2.
Actions
Applies if you briefly tested or deployed Hugo 0.159.2.
- Upgrade to Hugo 0.160.1 or later.
- Search generated HTML for
&in link URLs. - Pay closest attention to monolingual sites without custom link render hooks.
Multilingual single-host sites are usually shielded because Hugo’s
useEmbedded: auto behavior activates the embedded link render hook. Sites with
custom link render hooks are also usually shielded. The safest path is still to
use Hugo 0.160.1 or later.
Template and module cleanup (0.159.x-0.160.x)
Hugo 0.159.x continued several cleanup paths that may show up in older Docsy sites, Docsy forks, or large downstream sites with local template overrides. Hugo 0.160.1 then fixed several rendering issues in this range.
Actions
Applies if your site has custom templates, module mounts, or conversion scripts.
- Replace deprecated
site.Datausage withhugo.Data. - Replace deprecated
includeFilesandexcludeFilesmodule mount options withfiles. - Replace deprecated
:filenamepermalink placeholders with:contentbasename. - If you run
hugo mod npm pack, test it after upgrading. - If you use
hugo convert, review generated output before committing it.
Applies if your site uses Goldmark passthrough, RenderShortcodes, or
multilingual root sections. Prefer Hugo 0.160.1 or later and include these pages
in smoke tests. Hugo 0.160.1 fixed relevant regressions around passthrough
elements in headings, shortcode rendering context markers, and multilingual root
section generation.
Node-managed tools (0.161.x)
Hugo 0.161.x runs Node-based tools such as PostCSS, Babel, and Tailwind under
Node’s --permission sandbox. This requires Node 22 or later. Docsy
continues to recommend Node LTS 24 for supported builds.
Docsy sites commonly use PostCSS for CSS processing, so this can be a practical breaking change even when the Docsy theme itself has not changed.
Hugo 0.163.2 fixes an ERR_ACCESS_DENIED regression in this permission model
that could abort builds when node_modules lives outside the project tree, such
as in a CI provider’s shared cache (for example, Netlify). It is another reason
to prefer 0.163.2 for PostCSS pipelines.
Actions
Applies if your site uses Hugo 0.161.x or later and runs PostCSS, Babel, Tailwind, or similar Node tools during the Hugo build.
- Upgrade Node to the active LTS release. For Docsy 0.16.0, use Node LTS 24.
- Build locally and check for Node permission errors.
- If your CI keeps
node_modulesoutside the project tree (for example, Netlify’s shared cache) and the build fails withERR_ACCESS_DENIED, upgrade to Hugo 0.163.2. - If your project uses Tailwind, install Tailwind as an npm package. Hugo no longer supports the standalone Tailwind binary in this path.
Content and resource security (0.161.x-0.163.x)
Hugo tightened several security boundaries in this range:
security.http.urlsdefaults became more restrictive, andresources.GetRemotere-checks redirects.text/htmlcontent files are denied by default unless allowed throughsecurity.allowContent.- Symlinked entries are rejected or ignored by more template/resource functions,
including
resources.Getand, in 0.163.1,os.ReadDir,os.ReadFile,os.Stat, andos.FileExists.
Docsy’s own workspace and smoke-test install shapes were validated across these changes, but site-specific mounts, symlinks, and remote resource fetches are always project-specific.
Actions
Applies if your site uses remote resources,
hand-authored .html content files, or symlinked content/assets.
- Build locally with your target Hugo version and review security-related errors or warnings.
- If you intentionally publish
.htmlcontent files, configuresecurity.allowContentexplicitly. - If templates call
resources.GetRemote, reviewsecurity.http.urlsand test redirecting URLs. - If your content or assets are symlinked into the project, test those pages and consider replacing symlinks with Hugo mounts or real files if Hugo blocks them.
- If templates use
templates.DeferinsidepartialCached, move that deferred work outside the cached partial; Hugo now reports this invalid combination instead of silently doing the wrong thing.
Imaging deprecations and URL churn (0.163.x)
Hugo 0.163.0 deprecated global imaging quality settings in favor of per-format settings. It also introduced AVIF-related imaging configuration and changed internal resized-image cache keys.
Docsy’s website configuration was streamlined as part of the upgrade: settings
that matched Hugo defaults were removed, and resampleFilter: CatmullRom was
kept because it materially affects photo downscaling quality.
Actions
Applies if your site config uses global imaging.quality or
imaging.compression.
- Replace global settings with per-format settings, or remove them if they match Hugo defaults.
- Keep
resampleFilter: CatmullRomif your site relies on Docsy-style sharp photographic downscaling.
For example:
imaging:
resampleFilter: CatmullRom
Image URL churn
Applies if your site commits generated output, compares public builds, or uses a CDN that caches generated image resources aggressively.
Hugo 0.161.x-0.163.x can change resized-image filenames that contain
_hu_<HASH> even when the source image and visual output are unchanged. Treat
this as expected cache-key churn. It can create noisy diffs and cache misses,
but it is not usually a content regression.
Other deprecations and notable changes
Template and config deprecations
Review these if your site has custom templates, external content converters, or JavaScript tooling config:
.IsNodeis deprecated; use.IsBranch.jsconfigbaseUrlsupport was removed.- If you read Git metadata from module-mounted pages, verify
.Page.GitInfooutput. Hugo 0.162.0 fixed GitInfo handling for modules whosego.modlives in a repository subdirectory. - If you use
--renderSegments, prefer Hugo 0.163.1 for its segment-merge fix. - If your site renders Pandoc or reStructuredText content through external converters, Hugo 0.163.2 now fails the build when the converter binary is missing (matching AsciiDoc) instead of silently publishing raw content; ensure the converter is installed wherever you build.
Security fixes
This range includes multiple security-related updates, including Go
html/template fixes and stricter URL/content handling. This is a strong reason
to prefer 0.163.2 over stopping at the minimum 0.158.0.
New features worth knowing about
css.Buildand laterhugo:varssupport may be useful for site-specific CSS pipelines, but Docsy has not moved its Sass/PostCSS pipeline tocss.Build.- AVIF image processing was added and then tuned in the 0.162.x-0.163.x range.
strings.ReplacePairsis available for template authors on Hugo 0.158.0 or later.
Upgrade to Hugo 0.163.2
After addressing applicable breaking changes and deprecations, upgrade to Hugo 0.163.2.
If you use the hugo-extended npm package:
npm install hugo-extended@0.163.2 --save-dev
If you use hvm:
hvm use 0.163.2
Sanity checks
- Build output: ensure your site builds without errors, warnings, or deprecation notices.
- Node version: confirm Node 22 or later; use Node LTS 24 for Docsy 0.16.0.
- Multilingual sites: check language menu output and language config keys.
- Links: inspect generated HTML for
&amp;if you tested Hugo 0.159.2. - Images: expect
_hu_resized-image filename churn and verify the rendered images, not just filenames. - Security policy: test remote resources, symlinked inputs, and any
.htmlcontent files.
Cross-checks
Required actions, as applicable
Recommended review
Recommended minimum Hugo version
Docsy 0.16.0 requires Hugo 0.158.0 or later:
module:
hugoVersion:
min: 0.158.0
For local builds, deployments, and new upgrades, we recommend Hugo 0.163.2.