Skip to content

chore(deps): bump the go_modules group across 3 directories with 3 updates#2321

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/packages/api/go_modules-dd4263c881
Closed

chore(deps): bump the go_modules group across 3 directories with 3 updates#2321
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/packages/api/go_modules-dd4263c881

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 8, 2026
edited
Loading

Bumps the go_modules group with 1 update in the /packages/api directory: github.com/gohugoio/hugo.
Bumps the go_modules group with 2 updates in the /packages/orchestrator directory: github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream and github.com/go-jose/go-jose/v4.
Bumps the go_modules group with 2 updates in the /packages/shared directory: github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream and github.com/go-jose/go-jose/v4.

Updates github.com/gohugoio/hugo from 0.139.4 to 0.159.2

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.159.2

Note that the security fix below is not a potential threat if you either:

EDIT IN: This release also adds release archives for non-extended-withdeploy builds.

What's Changed

  • Fix potential content XSS by escaping dangerous URLs in Markdown links and images 479fe6c6 @​bep
  • resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser df520e31 @​jmooring #14684

v0.159.1

The regression fixed in this release isn't new, but it's so subtle that we thought we'd release this sooner rather than later. For some time now, the minifier we use have stripped namespaced attributes in SVGs, which broke dynamic constructs using e.g. AlpineJS' x-bind: namespace (library used by Hugo's documentation site).

To fix this, the upstream library has hadded a keepNamespaces slice option. It was not possible to find a default that would make all happy, so we opted for an option that at least would make AlpineJS sites work out of the box:

 [minify.tdewolff.svg]
      keepNamespaces = ['', 'x-bind']

What's Changed

  • minifiers: Keep x-bind and blank namespace in SVG minification 42289d76 @​bep #14669

v0.159.0

This release greatly improves and simplifies management of Node.js/npm dependencies in a multi-module setup. See this page for more information.

Note

  • Replace deprecated site.Data with hugo.Data in tests a8fca598 @​bep
  • Replace deprecated excludeFiles and includeFiles with files in tests 182b1045 @​bep
  • Replace deprecated :filename with :contentbasename in the permalinks test eb11c3d0 @​bep

Bug fixes

Improvements

  • create: Return error instead of panic when page not found 807cae1d @​mango766 #14112
  • commands: Preserve non-content files in convert output c4fb61d9 @​xndvaz #4621
  • npm: Use workspaces to simplify hugo mod npm pack d88a29e0 @​bep

... (truncated)

Commits
  • 5f4646a releaser: Bump versions for release of 0.159.2
  • 479fe6c Fix potential content XSS by escaping dangerous URLs in links and images
  • 81a5cdc releaser: Add standard withdeploy release assets
  • df520e3 resources/page: Fix shared reader in Source.ValueAsOpenReadSeekCloser
  • b55d452 testing: Simplify line ending handling in tests
  • ea7eac6 readme: Update Go version to 1.25.0
  • 458ebdd releaser: Prepare repository for 0.160.0-DEV
  • 86c7d3a releaser: Bump versions for release of 0.159.1
  • 42289d7 minifiers: Keep x-bind and blank namespace in SVG minification
  • 0c013c2 Adjust depreceated syntax in tests
  • Additional commits viewable in compare view

Updates github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.6.10 to 1.7.8

Commits

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

Updates github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.6.10 to 1.7.8

Commits

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

Updates github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.6.10 to 1.7.8

Commits

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

Updates github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream from 1.6.10 to 1.7.8

Commits

Updates github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4

Release notes

Sourced from github.com/go-jose/go-jose/v4's releases.

v4.1.4

What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: go-jose/go-jose@v4.1.3...v4.1.4

Commits

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 8, 2026
@dependabot dependabot bot mentioned this pull request Apr 8, 2026
Closed
claude[bot]
claude bot reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — routine dependency bumps including security fixes for go-jose (GHSA-78h2-9frx-2jm8 panic in JWE decryption) and hugo (XSS fix), all as indirect dependencies with no application code changes.

Extended reasoning...

Overview

This PR updates go.mod and go.sum files across three packages (api, orchestrator, shared). No application code is modified. The key updates are: go-jose/v4 4.1.3→4.1.4, aws-sdk-go-v2/aws/protocol/eventstream 1.6.10→1.7.8, and gohugoio/hugo 0.139.4→0.159.2, along with cascading transitive dependency updates.

Security Risks

Two of the updates address security issues: go-jose/v4 4.1.4 fixes a panic in JWE decryption (GHSA-78h2-9frx-2jm8), and hugo 0.159.2 fixes a potential content XSS via dangerous URLs in Markdown links/images. All updated packages are indirect dependencies, meaning they are transitive inclusions not directly called by application code. The security fixes are desirable and the risk of the upgrades is low.

Level of Scrutiny

Low scrutiny is appropriate. Dependabot-generated dependency-only PRs touching only go.mod/go.sum are mechanical and well-understood. The hugo version jump is large (0.139.4→0.159.2) but as an indirect dependency it does not affect application behavior directly.

Other Factors

No bugs were found by the automated bug hunting system. There are no prior reviews or outstanding comments on this PR. The changes follow the established pattern for dependency maintenance in this repository.

@dependabot
chore(deps): bump the go_modules group across 3 directories with 3 up…
fd4a027 
…dates

Bumps the go_modules group with 1 update in the /packages/api directory: [github.com/gohugoio/hugo](https://github.com/gohugoio/hugo).
Bumps the go_modules group with 2 updates in the /packages/orchestrator directory: [github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream](https://github.com/aws/aws-sdk-go-v2) and [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).
Bumps the go_modules group with 2 updates in the /packages/shared directory: [github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream](https://github.com/aws/aws-sdk-go-v2) and [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose).


Updates `github.com/gohugoio/hugo` from 0.139.4 to 0.159.2
- [Release notes](https://github.com/gohugoio/hugo/releases)
- [Commits](gohugoio/hugo@v0.139.4...v0.159.2)

Updates `github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream` from 1.6.10 to 1.7.8
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/rum/v1.6.10...service/m2/v1.7.8)

Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

Updates `github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream` from 1.6.10 to 1.7.8
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@service/rum/v1.6.10...service/m2/v1.7.8)

Updates `github.com/go-jose/go-jose/v4` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](go-jose/go-jose@v4.1.3...v4.1.4)

---
updated-dependencies:
- dependency-name: github.com/gohugoio/hugo
  dependency-version: 0.159.2
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
  dependency-version: 1.7.8
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
  dependency-version: 1.7.8
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.4
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/packages/api/go_modules-dd4263c881 branch from 55a755a to fd4a027 Compare April 8, 2026 18:47
@ValentaTomas ValentaTomas removed their assignment Apr 8, 2026
@jakubno jakubno closed this Apr 9, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Apr 9, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/go_modules/packages/api/go_modules-dd4263c881 branch April 9, 2026 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@ValentaTomas ValentaTomas Awaiting requested review from ValentaTomas ValentaTomas is a code owner

@jakubno jakubno Awaiting requested review from jakubno jakubno is a code owner

@dobrac dobrac Awaiting requested review from dobrac dobrac is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ValentaTomas @jakubno