Why isn't all site config inherited from imported modules?

support
1

The doc says only module.hugoVersion, module.imports, mediatypes, and outputformats are inherited. Why not inherit all config? I’d like sites that import my theme module to inherit markup.highlight.{style,noclasses}, for instance (which they could override if they want to).

2

Security, among other things. For example, no one wants to inherit this from a module:

[markup.goldmark.renderer]
unsafe = true
3

Good point. Perhaps config with security concerns could be blacklisted, and everything else inherited? Or just whitelist certain ones like style?

4

I would not be happy if some module lightened my security setup or messed with my outputs config, both of which are examples that belong in the project.

But you can control this behavior yourself, see Introduction

5

It seems to me that:

  • if you want something specific for your own site, inheritance doesn’t prevent you from explicitly overriding with your own values
  • you can easily see with hugo config if you’re inheriting config you don’t want
  • you should always check what you’re importing, just like for Go code
6

Forgot to add that some theme users don’t know much about Hugo, they just know enough to start a site and install the theme, but then miss that there is config they still have to set manually, like style or noclasses, to get the intended default behavior. If they’re lucky, they start out by copying the example site, and unknowingly avoid that pitfall, but some aren’t and don’t. Makes it difficult to provide a turnkey solution.

7

sound contradictious

  • users can easily check (understand) config and check module imports

  • users cannot read the themes doc where mandatory settings are explained

8
  1. The primary motivation behind the security setup/config was so I could clone a random site and run hugo server without having to worry too much about mal/spyware.
  2. If I had to carefully inspect hugo config for every site/module I use/try, I would stop using Hugo.
9

I don’t follow how inheriting markup.highlight.style is a security concern. I acknowledged above that security concerns about something are a good reason to not inherit that specific thing.