chore(deps): bump the go_modules group across 3 directories with 2 updates

[dependabot]

Bumps the go_modules group with 1 update in the /packages/api directory: github.com/gohugoio/hugo.
Bumps the go_modules group with 1 update in the /packages/orchestrator directory: github.com/go-jose/go-jose/v4.
Bumps the go_modules group with 1 update in the /packages/shared directory: github.com/go-jose/go-jose/v4.

Updates github.com/gohugoio/hugo from 0.139.4 to 0.159.2

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.159.2

Note that the security fix below is not a potential threat if you either:

• Trust your Markdown content files.
• Have custom render hook template for links and images.

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

• Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c6 @​bep
• resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e31 @​jmooring #14684

v0.159.1

The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

 [minify.tdewolff.svg]
      keepNamespaces = ['', 'x-bind']

What's Changed

• minifiers: Keep x-bind and blank namespace in SVG minification 42289d76 @​bep #14669

v0.159.0

This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.

Note

• Replace deprecated site.Data with hugo.Data in tests a8fca598 @​bep
• Replace deprecated excludeFiles and includeFiles with files in tests 182b1045 @​bep
• Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d0 @​bep

Bug fixes

• tpl/tplimpl: Fix Vimeo shortcode test eaf4c751 @​jmooring #14649

Improvements

• create: Return error instead of panic when page not found 807cae1d @​mango766 #14112
• commands: Preserve non-content files in convert output c4fb61d9 @​xndvaz #4621
• npm: Use workspaces to simplify hugo mod npm pack d88a29e0 @​bep

... (truncated)

Commits

• 5f4646a releaser: Bump versions for release of 0.159.2
• 479fe6c Fix potential content XSS by escaping dangerous URLs in links and images
• 81a5cdc releaser: Add standard withdeploy release assets
• df520e3 resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser
• b55d452 testing: Simplify line ending handling in tests
• ea7eac6 readme: Update Go version to 1.25.0
• 458ebdd releaser: Prepare repository for 0.160.0-DEV
• 86c7d3a releaser: Bump versions for release of 0.159.1
• 42289d7 minifiers: Keep x-bind and blank namespace in SVG minification
• 0c013c2 Adjust depreceated syntax in tests
• Additional commits viewable in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• See full diff in compare view

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Commits

• 0e59876 Merge commit from fork
• ddffdbc Bump actions/checkout from 5 to 6 (#213)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[claude]

LGTM — routine indirect dependency bumps with security fixes included.

Extended reasoning...

Overview

This PR updates indirect Go dependencies across three packages: go-jose/go-jose/v4 patch bump (4.1.3→4.1.4) in orchestrator and shared, and gohugoio/hugo minor bump (0.139.4→0.159.2) in api. All modified files are go.mod/go.sum only — no application logic is touched.

Security risks

The go-jose 4.1.4 release uses the "merge commit from fork" pattern typical of security patches in Go libraries. The hugo 0.159.2 release notes explicitly mention a fix for a potential content XSS via dangerous URLs in Markdown links/images. Both changes reduce security risk rather than introducing it. All updated packages are indirect dependencies.

Level of scrutiny

Low scrutiny is appropriate. These are automated Dependabot updates to indirect dependencies with no API surface changes. The hugo jump is large (20 minor versions) but since it is an indirect dependency and the intermediate changes are bug fixes and features rather than breaking changes, the risk of regression is minimal.

Other factors

No bugs found by the bug hunting system. No outstanding reviewer comments. The diff is mechanical and matches the expected shape of a Dependabot go module bump.