The majority of the fixes in this release are security related (including the upstream fix in 93c8c7d3 (golang.org/x/image)). Thanks to @vnth4nhnt for finding the issues fixed in a00b5c72 and cf9c8f93 (I will do the CVE work on this later). There has been a uptick in security reports lately, which doesn't mean that Hugo has gotten less secure, this is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.

What's Changed

• build(deps): bump golang.org/x/image from 0.41.0 to 0.42.0 93c8c7d3 @dependabot[bot]
• Fix multi --renderSegments merge behavior 95e5e9f4 @bep #15024
• security: Normalize integer IPv4 host encodings in http.urls check a00b5c72 @bep
• Drop symlinks in os.ReadDir, os.ReadFile, os.Stat and os.FileExists cf9c8f93 @bep #15019
• commands: Fix convert command 2602796c @jmooring #15012