Debian Package Tracker
Register | Log in
Subscribe

hugo

Fast and flexible Static Site Generator written in Go

Choose email to subscribe with

general
  • source: hugo (main)
  • version: 0.162.1-1
  • maintainer: Debian Go Packaging Team (DMD)
  • uploaders: Anthony Fok [DMD] – Dr. Tobias Quathamer [DMD]
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.80.0-6
  • o-o-sec: 0.80.0-6+deb11u1
  • oldstable: 0.111.3-1
  • stable: 0.131.0-1
  • testing: 0.161.1-1
  • unstable: 0.162.1-1
versioned links
  • 0.80.0-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.80.0-6+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.111.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.131.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.161.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.162.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • hugo (2 bugs: 0, 2, 0, 0)
action needed
Marked for autoremoval on 18 August: #1141458 high
Version 0.161.1-1 of hugo is marked for autoremoval from testing on Tue 18 Aug 2026. It is affected by #1141458. The removal of hugo will also cause the removal of (transitive) reverse dependency: bornagain. You should try to prevent the removal by fixing these RC bugs.
Created: 2026-07-12 Last update: 2026-07-13 07:33
Debci reports failed tests high
  • unstable: fail (log)
    The tests ran in 0:06:25
    Last run: 2026-07-05T19:01:25.000Z
    Previous status: unknown

  • testing: pass (log)
    The tests ran in 0:04:40
    Last run: 2026-07-11T01:22:32.000Z
    Previous status: unknown

  • stable: fail (log)
    The tests ran in 0:04:04
    Last run: 2026-07-12T11:54:46.000Z
    Previous status: unknown

Created: 2025-02-02 Last update: 2026-07-13 07:00
A new upstream version is available: 0.164.0 high
A new upstream version 0.164.0 is available, you should consider packaging it.
Created: 2026-06-12 Last update: 2026-07-13 06:01
3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:
  • CVE-2026-58402: Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
  • CVE-2026-58403: Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
  • CVE-2026-58404: Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
Created: 2026-07-07 Last update: 2026-07-10 08:00
6 security issues in forky high

There are 6 open security issues in forky.

6 important issues:
  • CVE-2026-50133: Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50134: Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50135: Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
  • CVE-2026-58402: Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
  • CVE-2026-58403: Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
  • CVE-2026-58404: Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
Created: 2026-07-07 Last update: 2026-07-10 08:00
8 security issues in bullseye high

There are 8 open security issues in bullseye.

6 important issues:
  • CVE-2026-50133: Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50134: Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50135: Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
  • CVE-2026-58402: Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
  • CVE-2026-58403: Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
  • CVE-2026-58404: Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
2 issues postponed or untriaged:
  • CVE-2026-35166: (postponed; to be fixed through a stable update) Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
  • CVE-2026-44301: (needs triaging) Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.
Created: 2026-07-07 Last update: 2026-07-10 08:00
8 security issues in bookworm high

There are 8 open security issues in bookworm.

6 important issues:
  • CVE-2026-50133: Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50134: Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50135: Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
  • CVE-2026-58402: Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
  • CVE-2026-58403: Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
  • CVE-2026-58404: Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
2 issues left for the package maintainer to handle:
  • CVE-2026-35166: (needs triaging) Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
  • CVE-2026-44301: (needs triaging) Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-06 Last update: 2026-07-10 08:00
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2026-06-09 Last update: 2026-07-13 07:33
2 new commits since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 7f1201c6082160383468e8317890a965268b19f9
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu Jul 9 00:26:13 2026 +0200

    Fix patch

commit 496cff138f1772c817e2ece505ff9b533c0572f6
Author: Jérémy Lal <kapouer@melix.org>
Date:   Wed Jul 8 23:58:49 2026 +0200

    patch: unpin tests dependency on esbuild version
Created: 2026-07-09 Last update: 2026-07-09 00:30
9 low-priority security issues in trixie low

There are 9 open security issues in trixie.

9 issues left for the package maintainer to handle:
  • CVE-2024-55601: (needs triaging) Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.
  • CVE-2026-35166: (needs triaging) Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
  • CVE-2026-44301: (needs triaging) Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.
  • CVE-2026-50133: (needs triaging) Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50134: (needs triaging) Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
  • CVE-2026-50135: (needs triaging) Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
  • CVE-2026-58402: (needs triaging) Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
  • CVE-2026-58403: (needs triaging) Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
  • CVE-2026-58404: (needs triaging) Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-12-11 Last update: 2026-07-10 08:00
debian/patches: 1 patch to forward upstream low

Among the 13 debian patches available in version 0.162.1-1 of the package, we noticed the following issues:

  • 1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2026-06-04 Last update: 2026-06-04 19:00
testing migrations
  • excuses:
    • Migration status for hugo (0.161.1-1 to 0.162.1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
    • ∙ ∙ Updating hugo would introduce bugs in testing: #1140254
    • ∙ ∙ Missing build on armhf
    • ∙ ∙ Missing build on i386
    • ∙ ∙ Missing build on loong64
    • ∙ ∙ Missing build on ppc64el
    • ∙ ∙ Missing build on riscv64
    • ∙ ∙ Missing build on s390x
    • ∙ ∙ Autopkgtest deferred on armhf: missing arch:armhf build
    • ∙ ∙ Autopkgtest deferred on i386: missing arch:i386 build
    • ∙ ∙ Autopkgtest deferred on loong64: missing arch:loong64 build
    • ∙ ∙ Autopkgtest deferred on ppc64el: missing arch:ppc64el build
    • ∙ ∙ Autopkgtest deferred on riscv64: missing arch:riscv64 build
    • ∙ ∙ Autopkgtest deferred on s390x: missing arch:s390x build
    • ∙ ∙ Autopkgtest for hugo/0.162.1-1: amd64: Pass, arm64: Pass
    • ∙ ∙ Lintian check waiting for test results on riscv64, loong64, s390x, armhf, ppc64el, i386 - info
    • ∙ ∙ Reproducibility check deferred on armhf: missing builds - info
    • ∙ ∙ Reproducibility check deferred on i386: missing builds - info
    • Additional info (not blocking):
    • ∙ ∙ Updating hugo will fix bugs in testing: #1141458
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/h/hugo.html
    • ∙ ∙ Reproduced on amd64 - info
    • ∙ ∙ Reproduced on arm64 - info
    • ∙ ∙ 39 days old (needed 5 days)
    • Not considered
news
[rss feed]
  • [2026-06-04] Accepted hugo 0.162.1-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-05-16] hugo 0.161.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-04] Accepted hugo 0.161.1-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-05-04] hugo 0.161.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-28] Accepted hugo 0.161.0-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-04-14] hugo 0.160.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-11] hugo 0.160.0-2 MIGRATED to testing (Debian testing watch)
  • [2026-04-10] Accepted hugo 0.160.1-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-04-08] Accepted hugo 0.160.0-2 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-04-07] Accepted hugo 0.160.0-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-04-06] hugo 0.159.2-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-03] Accepted hugo 0.159.2-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-04-03] hugo 0.159.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-30] Accepted hugo 0.159.1-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-03-28] hugo 0.159.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-26] Accepted hugo 0.159.0-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-03-22] hugo 0.158.0-3 MIGRATED to testing (Debian testing watch)
  • [2026-03-20] Accepted hugo 0.158.0-3 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-03-19] Accepted hugo 0.158.0-2 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-03-19] Accepted hugo 0.158.0-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-03-04] hugo 0.157.0-3 MIGRATED to testing (Debian testing watch)
  • [2026-02-28] Accepted hugo 0.157.0-3 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-02-28] Accepted hugo 0.157.0-2 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-02-27] Accepted hugo 0.157.0-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-02-14] Accepted hugo 0.155.3-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-02-07] Accepted hugo 0.155.2-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-01-30] Accepted hugo 0.155.1-1 (source) into unstable (Dr. Tobias Quathamer)
  • [2026-01-20] hugo 0.154.5-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-14] hugo 0.154.3-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-13] Accepted hugo 0.154.5-1 (source) into unstable (Dr. Tobias Quathamer)
  • 1
  • 2
bugs [bug history graph]
  • all: 6
  • RC: 1
  • I&N: 5
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 0.154.5-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing