fix(deps): update all non-major dependencies in config/_default/params.yaml

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
coreruleset-v4		minor	4.19.0 -> 4.20.0
gohugoio/hugo		minor	0.151.2 -> 0.152.2
hugo-extended	dependencies	minor	^0.151.0 -> ^0.152.0
lycheeverse/lychee-action	action	minor	v2.6.1 -> v2.7.0

---

Release Notes

coreruleset/coreruleset (coreruleset-v4)

v4.20.0

Compare Source

What's Changed

🆕 New features and detections 🎉

• feat: update restricted file extensions by @​EsadCetiner in #​4287
• feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8+ & Magento 2 by @​touchweb-vincent in #​4303
• feat: add expect header to list of restricted headers by @​franbuehler in #​4298

🧰 Other Changes

• fix(942560): missing capture keyword by @​touchweb-vincent in #​4285
• fix(932281): reduce false positive matches with json payload by @​EsadCetiner in #​4288
• fix(932240): reduce false positive matches with json payloads by @​EsadCetiner in #​4290
• fix(921180, 921210, 921220): should be block not pass by @​touchweb-vincent in #​4294
• fix(942550): partial revert - too high risk of false positive by @​touchweb-vincent in #​4284
• fix(942160): updating regex to deal with new payloads by @​touchweb-vincent in #​4292

Full Changelog: coreruleset/coreruleset@v4.19.0...v4.20.0

gohugoio/hugo (gohugoio/hugo)

v0.152.2

Compare Source

In v0.152.0 we tightened the source validation for file mounts. We always said that project mounts can mount with absolute file/directorynames, modules/themes are restricted to relative. In v0.152.0 we narrowed module/themes mounts to be local, which made the setup in the bug report listed below fail:

[[module.mounts]]
source = '../../node_modules/bootstrap'
target = 'assets/vendor/bootstrap'

One part of this is security. But the construct above is usually very odd (the project uses files in a theme/module, not the other way around) and not very portable. But the example above demonstrates a valid exception, that we now have added support for in a portable way. The above example now works as it did before v0.152.0, but going forward you can also write:

[[module.mounts]]
source = 'node_modules/bootstrap'
target = 'assets/vendor/bootstrap'

We now have the node_modules as a special case: For themes/modules we first check if the mounted source exists locally, if not we try relative to the project root.

What's Changed

• deps: Update github.com/tdewolff/minify v2.24.4 => v2.24.5 1c8c21e @​jmooring #​14086
• hugofs: Make node_modules a "special case" mount 809ebe0 @​bep #​14089
• github: Fix typo in stale PR message 08a0679 @​jordelver

v0.152.1

Compare Source

These fixes are are all related to the YAML library upgrade in v0.152.0.

• Expand the numeric conversions to template funcs/methods e08278d @​bep #​14079
• Fix where with uint64 df4f80d @​bep #​14081
• Fix it so YAML integer types can be used where Go int types are expected d4c7888 @​bep #​14079
• tpl/compare: Fix compare/sort of uint64s 29e2c2f @​bep #​14078
• Fix "assignment to entry in nil map" on empty YAML config files 0579afc @​bep #​14074

v0.152.0

Compare Source

The big new thing and the motivation behind this release is the upgrade to a more modern YAML library in @​goccy 's github.com/goccy/go-yaml. It's been a surprisingly long and winding road to get here. Note that this upgrade comes with some minor breaking changes, most notably that the old YAML 1.1 spec listed a set of strings that, when unquoted, were treated as boolean true or false. So if you're using any of the values in the table below as booleans, you need to adjust your YAML, but I suspect that fixing this very surprising behavior will fix more issues than it introduces. A big new thing with this new YAML library is the support for YAML anchors and aliases which helps to reduce duplication in e.g. your configuration. There are some examples in Hugo's release build configuration and in the Hugo's CI release setup.

Values	Old meaning	New meaning
yes, Yes, YES, y, Y, on, On, ON	true (bool)	yes, Yes, YES, y, Y, on, On, ON (string)
no, No, NO, n, N, off, Off, OFF	false (bool)	no, No, NO, n, N, off, Off, OFF (string)

Note

• Replace to gopkg.in/yaml with github.com/goccy/go-yaml (note) a3d9548 @​bep #​8822 #​13043 #​14053

Improvements

• config: Clone language map entries before modifying them a130770 @​bep #​14072
• Skip flaky test for now 9425b93 @​bep #​14072
• Misc YAML adjustments bd50c9c @​bep #​14067
• hugofs: Make sure that non-project module mounts are local paths a8e0ca9 @​bep #​14069
• langs/i18n: Improve reserved key error message 559a029 @​jmooring #​14061
• langs: Add test case using a "reserved" i18n code 5bad0d5 @​bep #​14061

Dependency Updates

• deps: Upgrade github.com/gohugoio/go-i18n/v2 184b10e @​bep
• build(deps): bump github.com/tdewolff/minify/v2 from 2.24.3 to 2.24.4 9e344bb @​dependabot[bot]

Build Setup

• Merge branch 'release-0.151.2' d51adca @​bep

jakejarvis/hugo-extended (hugo-extended)

v0.152.2

Compare Source

v0.152.1

Compare Source

v0.152.0

Compare Source

lycheeverse/lychee-action (lycheeverse/lychee-action)

v2.7.0: Version 2.7.0

Compare Source

Breaking changes

If you're using --base, you must now provide either a URL (with scheme) or an absolute local path. See lychee --help for more information. If you want to resolve root-relative links in local files, also see --root-dir.

What's Changed

• Bump peter-evans/create-issue-from-file from 5 to 6 by @​dependabot[bot] in #​307
• Upgrade checkout action from v4 to v5 by @​jacobdalamb in #​310
• Update lycheeVersion to v0.21.0 by @​github-actions[bot] in #​312
  See https://github.com/lycheeverse/lychee/releases/tag/lychee-v0.21.0 for the lychee changelog.

Full Changelog: lycheeverse/lychee-action@v2...v2.7.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying website with    Cloudflare Pages

Latest commit:	588aa4c
Status:	⚡️  Build in progress...

View logs