Bump github.com/gohugoio/hugo from 0.149.1 to 0.161.0

[dependabot]

Bumps github.com/gohugoio/hugo from 0.149.1 to 0.161.0.

Release notes

Sourced from github.com/gohugoio/hugo's releases.

v0.161.0

This release contains two security hardening fixes:

• We now run the Node tools PostCSS, Babel and TailwindCSS, by default, with the --permission flag with the permissions defined in security.node.permissions. This means that you need Node >= 22 installed and that css.TailwindCSS now requires that the Tailwind CSS CLI must be installed as a Node.js package. The standalone executable is no longer supported
• We have made the defaults in security.http.urls more restrictive.

But there are some notable new features, as well:

Nested vars support in css.Build and css.Sass

A practical example in css.Build would be to have something like this in hugo.toml:

[params.style]
    primary    = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"
    background = "#ffffff"
    [params.style.dark]
        primary    = "#ffffff"
        background = "[#000000](https://github.com/gohugoio/hugo/issues/000000)"

And in the stylesheet:

@import "hugo:vars";
@import "hugo:vars/dark" (prefers-color-scheme: dark);
:root {
color-scheme: light dark;
}

Slice-based permalinks config

The permalinks configuration is now much more flexible (the old setup still works). It uses the same target matchers as in the cascade config, meaning you can now do:

permalinks:
  - target:
      kind: page
      path: "/books/**"
    pattern: /books/:year/:slug/
  - target:
      kind: section
      path: "/{books,books/**}"
    pattern: /libros/:sections[1:]
  - target:
      kind: page
    pattern: /other/:slug/

The above example isn't great, but it at least shows the gist of it.

... (truncated)

Commits

• 98d396c releaser: Bump versions for release of 0.161.0
• d4ae662 build(deps): bump github.com/getkin/kin-openapi from 0.135.0 to 0.137.0
• 9ede5fb build(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22
• 833a878 build(deps): bump github.com/tdewolff/minify/v2 from 2.24.12 to 2.24.13
• 7622dd8 css: Support nested hugo:vars/<name> imports
• 0814059 github: Update GitHub actions versions
• 8920d56 hugolib: Do not render aliases if the page is not rendered
• 633cc77 langs/i18n: Improve default content language fallback
• 90d8bf3 Replace deprecated .Site.Sites/.Page.Sites with hugo.Sites intests
• 4c40c6d helpers: Remove unused code
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.