Today I upgrade Hugo from v0.75 to the latest version (v0.92). When I run the deployment script to build the site and push, I saw the following error:

error: Error building site: “/Users/jdhao/Blog/content/post/back-propagation-in-mlp-explained.pdc:1:1”: access denied: “pandoc” is not whitelisted in policy “security.exec.allow”;

The cause

From the release note of v0.91, we can find the reason (the part about New Security Configuration).

This release also adds some new security hardening measures for the Hugo build runtime in the form of a new security configuration. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the “external helpers”.

So Hugo v0.91 introduces a set of security config meant to harden the building environment. If we use external tools like pandoc (as the Markdown renderer), nvim or emacs (as the new content editor), we now need to allow them explicitly in our configuration. Otherwise, they are not allowed to run.


The solution is simple. Edit the config.toml under site root, and add the following security section:

  enableInlineShortcodes = false
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$', '^pandoc$', '^nvim$']

    getenv = ['^HUGO_']

    methods = ['(?i)GET|POST']
    urls = ['.*']

Add the needed executable to the security.exec.allow white list. After that, the error should disappear.