@renovate
Contributor

@renovate renovate bot commented Nov 10, 2025

This PR contains the following updates:

Package | Update | Change
gohugoio/hugo | patch | 0.152.1 -> 0.152.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

gohugoio/hugo (gohugoio/hugo)

v0.152.2


In v0.152.0 we tightened the source validation for file mounts. We always said that project mounts can mount with absolute file/directory names, while modules/themes are restricted to relative ones. In v0.152.0 we narrowed module/theme mounts to be local, which made the setup in the bug report listed below fail:

[[module.mounts]]
source = '../../node_modules/bootstrap'
target = 'assets/vendor/bootstrap'

One part of this is security. But the construct above is usually very odd (the project uses files in a theme/module, not the other way around) and not very portable. But the example above demonstrates a valid exception that we have now added support for in a portable way. The above example now works as it did before v0.152.0, but going forward you can also write:

[[module.mounts]]
source = 'node_modules/bootstrap'
target = 'assets/vendor/bootstrap'

We now have node_modules as a special case: for themes/modules we first check if the mounted source exists locally; if not, we try relative to the project root.

What's Changed


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
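The mount-source rules quoted in the release notes above, as an added Go sketch that is not part of this PR and is not Hugo's implementation. The names `resolveMount` and `sampleProject` and the in-memory tree are constructed, paths are assumed to use forward slashes, and the legacy `../../` form is assumed to be accepted only when it resolves into the project's `node_modules`, which the notes do not spell out.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

var sampleProject = fstest.MapFS{ // constructed in-memory project tree
	"node_modules/bootstrap/scss/bootstrap.scss": {Data: []byte("// constructed")},
	"themes/mytheme/assets/main.css":             {Data: []byte("/* constructed */")},
	"secrets/deploy.key":                         {Data: []byte("constructed")},
}

func exists(fsys fs.FS, name string) bool {
	_, err := fs.Stat(fsys, name)
	return err == nil
}

// resolveMount maps a theme/module mount source to a project-root-relative path, or rejects it.
func resolveMount(project fs.FS, moduleDir, source string) (string, error) {
	if path.IsAbs(source) { // themes/modules may only use relative sources
		return "", fmt.Errorf("absolute mount source %q in module", source)
	}
	clean := path.Clean(source)
	if clean != ".." && !strings.HasPrefix(clean, "../") {
		if local := path.Join(moduleDir, clean); exists(project, local) {
			return local, nil // 1. the source exists locally in the module
		}
		if strings.HasPrefix(clean+"/", "node_modules/") && exists(project, clean) {
			return clean, nil // 2. node_modules: retry relative to the project root
		}
		return "", fmt.Errorf("mount source %q not found", source)
	}
	// 3. Legacy '../' form. ASSUMPTION: allowed only if it lands in the project's node_modules.
	if t := path.Join(moduleDir, clean); strings.HasPrefix(t+"/", "node_modules/") && exists(project, t) {
		return t, nil
	}
	return "", fmt.Errorf("mount source %q leaves the module", source)
}

func main() {
	for _, src := range []string{"node_modules/bootstrap", "../../node_modules/bootstrap", "../../secrets", "/etc"} {
		got, err := resolveMount(sampleProject, "themes/mytheme", src)
		fmt.Printf("%-32q -> %q, err=%v\n", src, got, err)
	}
}
```

Both spellings of the bootstrap mount resolve to the same directory under the project root, while a source that climbs out of the theme to any other directory is refused even though that directory exists.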

@renovate renovate bot requested a review from Maffooch as a code owner November 10, 2025 16:51
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 10, 2025
@renovate renovate bot requested a review from mtesauro as a code owner November 10, 2025 16:51
@dryrunsecurity

dryrunsecurity bot commented Nov 10, 2025

DryRun Security

This pull request uses an unusual Hugo version ("0.152.2") in the CI workflow which appears to be non-existent or unstable, risking build failures and pipeline instability; consider pinning to a known stable Hugo release.

Use of Potentially Unstable or Non-Existent Dependency Version in .github/workflows/gh-pages.yml

Vulnerability: Use of Potentially Unstable or Non-Existent Dependency Version

Description: The CI/CD pipeline is configured to use Hugo version '0.152.2'. This version number is highly unusual for a stable Hugo release, which typically follows a '0.XX.X' pattern with much lower patch numbers. Searches for this specific version using vulnerability lookup tools and general release information yielded no results, indicating it is likely a non-existent, pre-release, or otherwise unstable version not intended for production use. While no specific CVEs were found for this version (likely because it's not a recognized stable release), its use introduces significant risk of build failures and instability in the CI/CD pipeline.

hugo-version: '0.152.2' # renovate: datasource=github-releases depName=gohugoio/hugo
extended: true
- name: Setup Node


All finding details can be found in the DryRun Security Dashboard.

@renovate renovate bot changed the title Update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) chore(deps): update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Nov 10, 2025
@renovate renovate bot changed the title chore(deps): update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Nov 10, 2025
@mtesauro mtesauro requested a review from paulOsinski November 10, 2025 21:58
@mtesauro
Contributor

I'm going to let @paulOsinski have the first approval on this one.

@renovate renovate bot changed the title chore(deps): update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Nov 11, 2025
@renovate renovate bot changed the title Update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) chore(deps): update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Nov 12, 2025
@renovate renovate bot changed the title chore(deps): update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Update dependency gohugoio/hugo from v0.152.1 to v0.152.2 (.github/workflows/validate_docs_build.yml) Nov 12, 2025
@paulOsinski
Contributor

All good!

@renovate
Contributor Author

renovate bot commented Nov 12, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@Maffooch Maffooch merged commit 139741d into dev Nov 13, 2025
151 checks passed