Replace to gopkg.in/yaml with github.com/goccy/go-yaml (note)

This commit also adds validation to prevent the "Billion Laughs" attack (see goccy/go-yaml#461). The limit of non-scalar aliases to the same node is set to 10,000. See benchmarks below.

```                                                            │        sec/op         │
UnmarshalBillionLaughs/Billion_Laughs_no_validation-10                 125.2µ ± ∞ ¹
UnmarshalBillionLaughs/Billion_Laughs_with_validation-10               655.8µ ± ∞ ¹
UnmarshalBillionLaughs/YAML_Front_Matter_no_validation-10              9.223µ ± ∞ ¹
UnmarshalBillionLaughs/YAML_Front_Matter_with_validation-10            9.443µ ± ∞ ¹
geomean                                                                51.71µ
¹ need >= 6 samples for confidence interval at level 0.95

                                                            │ fix-goyaml-8822.bench │
                                                            │         B/op          │
UnmarshalBillionLaughs/Billion_Laughs_no_validation-10                177.0Ki ± ∞ ¹
UnmarshalBillionLaughs/Billion_Laughs_with_validation-10              177.0Ki ± ∞ ¹
UnmarshalBillionLaughs/YAML_Front_Matter_no_validation-10             11.67Ki ± ∞ ¹
UnmarshalBillionLaughs/YAML_Front_Matter_with_validation-10           11.67Ki ± ∞ ¹
geomean                                                               45.45Ki
¹ need >= 6 samples for confidence interval at level 0.95

                                                            │ fix-goyaml-8822.bench │
                                                            │       allocs/op       │
UnmarshalBillionLaughs/Billion_Laughs_no_validation-10                 3.302k ± ∞ ¹
UnmarshalBillionLaughs/Billion_Laughs_with_validation-10               3.305k ± ∞ ¹
UnmarshalBillionLaughs/YAML_Front_Matter_no_validation-10               253.0 ± ∞ ¹
UnmarshalBillionLaughs/YAML_Front_Matter_with_validation-10             253.0 ± ∞ ¹
````

Fixes #8822
Fixes #13043
Fixes #14053
Fixes ##8427

Author: bep

commands/gen.go

@@ -28,6 +28,7 @@ import (
 	"github.com/alecthomas/chroma/v2/formatters/html"
 	"github.com/alecthomas/chroma/v2/styles"
 	"github.com/bep/simplecobra"
+	"github.com/goccy/go-yaml"
 	"github.com/gohugoio/hugo/common/hugo"
 	"github.com/gohugoio/hugo/docshelper"
 	"github.com/gohugoio/hugo/helpers"
@@ -36,7 +37,6 @@ import (
 	"github.com/gohugoio/hugo/parser"
 	"github.com/spf13/cobra"
 	"github.com/spf13/cobra/doc"
-	"gopkg.in/yaml.v2"
 )
 
 func newGenCommand() *genCommand {

commands/server.go

@@ -1166,7 +1166,6 @@ func chmodFilter(dst, src os.FileInfo) bool {
 }
 
 func cleanErrorLog(content string) string {
-	content = strings.ReplaceAll(content, "\n", " ")
 	content = logReplacer.Replace(content)
 	content = logDuplicateTemplateExecuteRe.ReplaceAllString(content, "")
 	content = logDuplicateTemplateParseRe.ReplaceAllString(content, "")

common/herrors/file_error.go

@@ -110,11 +110,11 @@ func (fe *fileError) UpdateContent(r io.Reader, linematcher LineMatcherFn) FileE
 
 	fe.errorContext = ectx
 
-	if ectx.Position.LineNumber > 0 {
+	if ectx.Position.LineNumber > 0 && ectx.Position.LineNumber > fe.position.LineNumber {
 		fe.position.LineNumber = ectx.Position.LineNumber
 	}
 
-	if ectx.Position.ColumnNumber > 0 {
+	if ectx.Position.ColumnNumber > 0 && ectx.Position.ColumnNumber > fe.position.ColumnNumber {
 		fe.position.ColumnNumber = ectx.Position.ColumnNumber
 	}
 
@@ -177,6 +177,7 @@ func NewFileErrorFromName(err error, name string) FileError {
 	// Filetype is used to determine the Chroma lexer to use.
 	fileType, pos := extractFileTypePos(err)
 	pos.Filename = name
+
 	if fileType == "" {
 		_, fileType = paths.FileAndExtNoDelimiter(filepath.Clean(name))
 	}
@@ -234,7 +235,9 @@ func NewFileErrorFromFile(err error, filename string, fs afero.Fs, linematcher L
 		return NewFileErrorFromName(err, realFilename)
 	}
 	defer f.Close()
-	return NewFileErrorFromName(err, realFilename).UpdateContent(f, linematcher)
+	fe := NewFileErrorFromName(err, realFilename)
+	fe = fe.UpdateContent(f, linematcher)
+	return fe
 }
 
 func openFile(filename string, fs afero.Fs) (afero.File, string, error) {
@@ -321,13 +324,9 @@ func extractFileTypePos(err error) (string, text.Position) {
 	}
 
 	// Look in the error message for the line number.
-	for _, handle := range lineNumberExtractors {
-		lno, col := handle(err)
-		if lno > 0 {
-			pos.ColumnNumber = col
-			pos.LineNumber = lno
-			break
-		}
+	if lno, col := commonLineNumberExtractor(err); lno > 0 {
+		pos.ColumnNumber = col
+		pos.LineNumber = lno
 	}
 
 	if fileType == "" && pos.Filename != "" {

common/herrors/line_number_extractors.go

@@ -19,17 +19,27 @@ import (
 )
 
 var lineNumberExtractors = []lineNumberExtractor{
+	// YAML parse errors.
+	newLineNumberErrHandlerFromRegexp(`\[(\d+):(\d+)\]`),
+
 	// Template/shortcode parse errors
 	newLineNumberErrHandlerFromRegexp(`:(\d+):(\d*):`),
 	newLineNumberErrHandlerFromRegexp(`:(\d+):`),
 
-	// YAML parse errors
-	newLineNumberErrHandlerFromRegexp(`line (\d+):`),
-
 	// i18n bundle errors
 	newLineNumberErrHandlerFromRegexp(`\((\d+),\s(\d*)`),
 }
 
+func commonLineNumberExtractor(e error) (int, int) {
+	for _, handler := range lineNumberExtractors {
+		lno, col := handler(e)
+		if lno > 0 {
+			return lno, col
+		}
+	}
+	return 0, 0
+}
+
 type lineNumberExtractor func(e error) (int, int)
 
 func newLineNumberErrHandlerFromRegexp(expression string) lineNumberExtractor {

common/herrors/line_number_extractors_test.go

@@ -0,0 +1,31 @@
+// Copyright 2025 The Hugo Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package herrors
+
+import (
+	"errors"
+	"testing"
+
+	qt "github.com/frankban/quicktest"
+)
+
+func TestCommonLineNumberExtractor(t *testing.T) {
+	t.Parallel()
+
+	c := qt.New(t)
+
+	lno, col := commonLineNumberExtractor(errors.New("[4:9] value is not allowed in this context"))
+	c.Assert(lno, qt.Equals, 4)
+	c.Assert(col, qt.Equals, 9)
+}

go.mod

@@ -33,9 +33,9 @@ require (
 	github.com/frankban/quicktest v1.14.6
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/getkin/kin-openapi v0.133.0
-	github.com/ghodss/yaml v1.0.0
 	github.com/gobuffalo/flect v1.0.3
 	github.com/gobwas/glob v0.2.3
+	github.com/goccy/go-yaml v1.18.0
 	github.com/gohugoio/go-i18n/v2 v2.1.3-0.20230805085216-e63c13218d0e
 	github.com/gohugoio/hashstructure v0.6.0
 	github.com/gohugoio/httpcache v0.8.0
@@ -83,7 +83,6 @@ require (
 	golang.org/x/text v0.30.0
 	golang.org/x/tools v0.38.0
 	google.golang.org/api v0.251.0
-	gopkg.in/yaml.v2 v2.4.0
 	rsc.io/qr v0.2.0
 )
 
@@ -188,6 +187,7 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect
 	google.golang.org/grpc v1.75.1 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
 	software.sslmate.com/src/go-pkcs12 v0.2.0 // indirect

go.sum

@@ -242,8 +242,6 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/getkin/kin-openapi v0.133.0 h1:pJdmNohVIJ97r4AUFtEXRXwESr8b0bD721u/Tz6k8PQ=
 github.com/getkin/kin-openapi v0.133.0/go.mod h1:boAciF6cXk5FhPqe/NQeBTeenbjqU4LhWBf09ILVvWE=
-github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -266,6 +264,8 @@ github.com/gobuffalo/flect v1.0.3 h1:xeWBM2nui+qnVvNM4S3foBhCAL2XgPU+a7FdpelbTq4
 github.com/gobuffalo/flect v1.0.3/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/gohugoio/go-i18n/v2 v2.1.3-0.20230805085216-e63c13218d0e h1:QArsSubW7eDh8APMXkByjQWvuljwPGAGQpJEFn0F0wY=
 github.com/gohugoio/go-i18n/v2 v2.1.3-0.20230805085216-e63c13218d0e/go.mod h1:3Ltoo9Banwq0gOtcOwxuHG6omk+AwsQPADyw2vQYOJQ=
 github.com/gohugoio/hashstructure v0.6.0 h1:7wMB/2CfXoThFYhdWRGv3u3rUM761Cq29CxUW+NltUg=

hugolib/alias_test.go

@@ -172,3 +172,26 @@ func TestTargetPathHTMLRedirectAlias(t *testing.T) {
 		}
 	}
 }
+
+func TestAliasNIssue14053(t *testing.T) {
+	t.Parallel()
+
+	files := `
+-- hugo.toml --
+baseURL = "http://example.com"
+-- layouts/all.html --
+All.
+-- content/page.md --
+---
+title: "Page"
+aliases:
+- n
+- y
+- no
+- yes
+---
+`
+	b := Test(t, files)
+
+	b.AssertPublishDir("n/index.html", "yes/index.html", "no/index.html", "yes/index.html")
+}

hugolib/frontmatter_test.go

@@ -40,7 +40,7 @@ Strings: {{ printf "%T" .Params.strings }} {{ range .Params.strings }}Strings: {
 
 	b.Build()
 
-	b.AssertFileContent("public/post/one/index.html", "Ints: []interface {} Int: 1 (int)|Int: 2 (int)|Int: 3 (int)|")
-	b.AssertFileContent("public/post/one/index.html", "Mixed: []interface {} Mixed: 1 (string)|Mixed: 2 (int)|Mixed: 3 (int)|")
+	b.AssertFileContent("public/post/one/index.html", "Ints: []interface {} Int: 1 (uint64)|Int: 2 (uint64)|Int: 3 (uint64)|")
+	b.AssertFileContent("public/post/one/index.html", "Mixed: []interface {} Mixed: 1 (string)|Mixed: 2 (uint64)|Mixed: 3 (uint64)|")
 	b.AssertFileContent("public/post/one/index.html", "Strings: []string Strings: 1 (string)|Strings: 2 (string)|Strings: 3 (string)|")
 }

hugolib/hugo_sites_build_errors_test.go

@@ -476,7 +476,7 @@ line 5
 	errors := herrors.UnwrapFileErrorsWithErrorContext(err)
 
 	b.Assert(errors, qt.HasLen, 3)
-	b.Assert(errors[0].Error(), qt.Contains, filepath.FromSlash(`"/content/_index.md:1:1": "/layouts/_default/_markup/render-heading.html:2:5": execute of template failed`))
+	b.Assert(errors[0].Error(), qt.Contains, filepath.FromSlash(`"/content/_index.md:2:5": "/layouts/_default/_markup/render-heading.html:2:5": execute of template failed`))
 }
 
 func TestErrorRenderHookCodeblock(t *testing.T) {
@@ -642,3 +642,35 @@ Home.
 	b.Assert(err.Error(), qt.Contains, filepath.FromSlash(`/layouts/index.html:2:3`))
 	b.Assert(err.Error(), qt.Contains, `can't evaluate field ThisDoesNotExist`)
 }
+
+func TestErrorFrontmatterYAMLSyntax(t *testing.T) {
+	t.Parallel()
+
+	files := `
+-- hugo.toml --
+-- content/_index.md --
+
+
+
+
+
+---
+line1: 'value1'
+x
+line2: 'value2'
+line3: 'value3'
+---	
+`
+
+	b, err := TestE(t, files)
+
+	b.Assert(err, qt.Not(qt.IsNil))
+	b.Assert(err.Error(), qt.Contains, "[2:1] non-map value is specified")
+	fe := herrors.UnwrapFileError(err)
+	b.Assert(fe, qt.Not(qt.IsNil))
+	pos := fe.Position()
+	b.Assert(pos.Filename, qt.Contains, filepath.FromSlash("content/_index.md"))
+	b.Assert(fe.ErrorContext(), qt.Not(qt.IsNil))
+	b.Assert(pos.LineNumber, qt.Equals, 8)
+	b.Assert(pos.ColumnNumber, qt.Equals, 1)
+}