
fix(deps): update dependency payload to v3 [security]#76

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-payload-vulnerability

renovate bot commented Aug 31, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
payload (source) ^2.0.0 -> ^3.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-4643

Payload uses JSON Web Tokens (JWT) for authentication. After logout, the JWT is not invalidated, which allows an attacker who has stolen or intercepted a token to freely reuse it until its expiration date (which is set to 2 hours by default, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.

CVE-2025-4644

A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.

CVE-2026-25574

Impact

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

Users are affected if ALL of these are true:

  • Multiple auth collections configured (e.g., admins + customers)
  • Postgres or SQLite database adapter with serial/auto-increment IDs
  • Users in different auth collections with the same numeric ID

Not affected:

  • @payloadcms/db-mongodb adapter
  • Single auth collection environments
  • Postgres/SQLite with idType: 'uuid'

Patches

This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.

Workarounds

There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.


Release Notes

payloadcms/payload (payload)

v3.74.0

🚀 Features

Override Access in Document-Level Hooks - Access the overrideAccess value inside collection and global hooks. Useful when hook logic needs to know whether access control was bypassed, such as when querying related documents up a hierarchy. #​15421

export const Posts: CollectionConfig = {
  slug: 'posts',
  hooks: {
    beforeChange: [
      ({ overrideAccess, req }) => {
        if (overrideAccess) {
          // Access control was bypassed
        }
      },
    ],
  },
}

Extended strictDraftTypes to All Operations - When strictDraftTypes: true is enabled, TypeScript now enforces draft type safety across all Local API operations (not just queries). The draft option is forbidden for collections/globals without drafts enabled, preventing silent runtime behavior where draft flags are ignored. #​15292

import { buildConfig } from 'payload'

export default buildConfig({
  typescript: {
    strictDraftTypes: true, // Enables compile-time draft enforcement
  },
  // ...
})

⚠️ Note: Generic collection slugs may require explicit type assertions when using draft options.


Custom UnpublishButton Component - Customize the UnpublishButton in collection and global configs, following the same pattern as PublishButton and SaveButton. Previously hardcoded. #​15400

export const Posts: CollectionConfig = {
  slug: 'posts',
  admin: {
    components: {
      edit: {
        UnpublishButton: '/components/CustomUnpublishButton',
      },
    },
  },
}

R2 Multipart Client Uploads (storage-r2) - Upload large files directly from the client using R2's multipart API. Files are split into smaller parts and uploaded separately, avoiding Cloudflare Worker memory limits. #​14733


Popup Prevent Close Attribute (ui) - Add interactive elements inside popups without triggering close behavior by adding the data-popup-prevent-close attribute. #​15407

<Popup>
  <button data-popup-prevent-close onClick={handleClick}>
    Click me without closing
  </button>
</Popup>

Popup Portal className (ui) - Customize the Popup component's portal container with the new portalClassName prop. #​15406

<Popup portalClassName="my-custom-portal-class">
  {/* content */}
</Popup>

🐛 Bug Fixes
  • isolate payload-preferences by auth collection (#​15425) (2dc2e7c)
  • traverseFields returning wrong parentPath dot notation for non-localised tabs (#​15394) (99b051e)
  • widgets and other features failing with transitive dependency imports (#​15392) (5561799)
  • replace deprecated scmp with crypto.timingSafeEqual (#​15322) (2511c02)
  • find afterRead hooks should behave like findByID (#​15357) (3e27155)
  • remove depth from count operation types (#​15356) (dfc1600)
  • publish button incorrectly shown after saving draft when access denied (#​15319) (e833fe6)
  • next: version view throws useLocale() server error (#​15380) (2ce26fa)
  • next: ensure query preset from url is applied (#​15323) (592f404)
  • next: ensure save preset button is not shown when there are no changes (#​15320) (e9af097)
  • plugin-cloud-storage: prevent infinite loop when cropping media (#​15393) (345a9c7)
  • plugin-cloud-storage: adds beforeChange hook to generate url on create (#​15401) (d269d39)
  • richtext-slate: localized indicator not displaying in label (#​15412) (126f713)
  • ui: use the formatAdminUrl function to generate unpublish url (#​15375) (453e8a6)
  • ui: restore default columns after clearing query preset (#​15360) (029699d)
  • ui: prevent globals crash with arrays fields when lock state user is undefined in handleDocumentLocking (#​15259) (ea76ca0)
  • ui: getEntityConfig did not respect globalSlug if collectionSlug is undefined (#​15362) (b54059c)
📚 Documentation
  • clarify beforeValidate and beforeChange hook data behavior (#​15300) (ba9605e)
  • add payload.logger.error usage guidelines to CLAUDE.md (#​15398) (cdbfda2)
  • updated redirects plugin integration docs and postgres connection troubleshooting (#​15383) (9b2221e)
  • improve select jsdocs and empty select docs (#​15336) (4181a12)
🧪 Tests
  • make integration tests for the fields and select suites faster (#​15434) (26ba779)

v3.73.0

🚀 Features
Feature Details

🔥 Next.js 16 Support - Full compatibility with Next.js 16, including Turbopack HMR and build support. Requires Next.js >16.1.1-canary.35 or 16.2.0+. Templates will be updated after Next.js 16.2.0 is released. Support for cache components will follow in a future release #​14456

WAL Mode Support (db-sqlite) - Enable SQLite Write-Ahead Logging for improved concurrent read/write performance. Configurable synchronous mode and journal size limit. #​15278

Busy Timeout Option (db-sqlite) - Set maximum wait time in milliseconds when the database is locked, preventing SQLITE_BUSY errors in high-concurrency scenarios. #​15317

Predefined Migration for blocksAsJSON (drizzle) - Migrate existing projects to use blocksAsJSON: true with a single command. Automatically updates your Payload config and generates the required migration. #​15257

pnpm payload migrate:create --file @payloadcms/db-postgres/blocks-as-json

Request Handler in Live Preview Hooks (live-preview) - The useLivePreview hook (React and Vue) now accepts a requestHandler argument, allowing customization of data fetching. Useful when your frontend proxies requests or uses external middleware. #​15302

Select API for MCP Tools (plugin-mcp) - Find, Create, and Update tools for Globals and Collections now support the select API, reducing token usage and aligning with Payload's existing query capabilities. #​15301

Native useEffectEvent (ui) - Uses React's native useEffectEvent when available (React 19.2.0+), falling back to the existing polyfill for older versions. #​15304

🐛 Bug Fixes
  • select hasMany prevent duplicate values (#​15218) (f4e8990)
  • orderable fractional indexing case-sensitivity issue with PostgreSQL (#​14867) (ef27ad9)
  • find distinct sort on a different field (#​15233) (e95f26d)
  • conditional tabs breaking in Next.js 16 due to unstable tab id (#​15270) (f5a7a00)
  • correct previousValue and value in afterChange when using seo-plugin (#​15253) (b6b6bab)
  • db-mongodb: fix projection handling for relationship fields in GraphQL queries with select (#​14850) (ace3447)
  • drizzle: d1 sqlite IN querying of id when any other join is present in the query (#​15290) (4f5a9c2)
  • next: relationship fields with maxDepth: 0 show "Untitled - ID" in diff view (#​15305) (65238c5)
  • plugin-mcp: auto-detect basePath from Payload config routes (#​15189) (dbc06f6)
  • richtext-lexical: internal links render as href="#" in versions view (#​15308) (ab4102c)
  • sdk: correct return types with select (#​15289) (db40d7b)
  • ui: diff view columns have unequal widths for nested fields causing text misalignment (#​15330) (db72a65)
  • ui: upsertPreferences did not return preferences when creating new preferences (#​15321) (94d5728)
  • ui: pass the locale to reorder endpoint in orderable table (#​14839) (d6bb3de)

v3.72.0

🚀 Features
  • adds experimental option localizeStatus and allows unpublish per-locale functionality (#​14667) (d77af00)
  • plugin-mcp: add depth parameter support to all MCP find resource tools (#​14931) (c979fb3)

Localized Status (Experimental) - Each locale can now track and manage its own publication status independently. Publish or unpublish individual locales without affecting others, with locale-aware UI and version history. Requires enabling at both config and collection level. #​14667

// payload.config.ts
export default buildConfig({
  experimental: {
    localizeStatus: true,
  },
  // ...
})

// collections/Posts.ts
export const Posts: CollectionConfig = {
  slug: 'posts',
  versions: {
    drafts: {
      localizeStatus: true,
    },
  },
}

⚠️ Migration Required: If you have existing version data, run the provided migration helper to convert _status fields from strings to locale objects. See PR #​14667 for full migration guide.


Depth Parameter Support (plugin-mcp) - MCP resource tools now support a depth parameter (0-10) to control relationship population depth. Use depth: 0 for lightweight ID-only responses or higher values for fully populated relationship data. Significantly reduces token count when reading documents. #​14931


🐛 Bug Fixes
  • thumbnailURL hook, virtually populate from thumbnail size (#​15232) (beeb269)
  • select in findByID with draft: true may return a wrong version (#​14742) (49c9fa9)
  • use window.location.origin as fallback for API URL copy (#​15220) (a46e3a2)
  • folder creation errors when collection uses translation function labels (#​15216) (1a3aeb8)
  • correct image size URLs in beforeChange (#​15214) (da12eed)
  • db-mongodb: hasMany relationship filtering with equals operator returns no results (#​15204) (1756c0d)
  • deps: bump undici to 7.18.2 to mitigate chained decompression (#​15221) (591f9d2)
  • plugin-ecommerce: issue with slug map ignoring variants and threading through cart data (#​15234) (4b6529f)
  • plugin-ecommerce: translations not being mapped correctly (#​15205) (3337403)
  • templates: prevent jobs run if secret unset (#​15207) (8f50f83)
  • translations: correct Russian translations for UI states in general section (#​14953) (454042e)
  • ui: truncates long JSON cells in list view (#​9214) (6827978)
📚 Documentation
  • fix beforeChange field hook documentation to reflect actual behaviour (#​14798) (533ae92)
🧪 Tests
  • fix race condition in language switcher helper (#​15206) (f98d915)
  • add @payloadcms/storage-s3 clientUploads integration test suite (#​15194) (4dce061)
  • fields with defaultValue ​​should not be overwritten in upsert (#​15197) (c684c6b)

v3.71.1

🐛 Bug Fixes
🤝 Contributors

v3.71.0

🚀 Features
  • supersedes option to job queue concurrency controls (#​15179) (9aeb843)
  • add support for custom Status component in document controls (#​11154) (ef863e6)
  • add exclusive concurrency controls for workflows and tasks (#​15177) (35fe09d)
  • add bulkOperations.singleTransaction config option (#​14387) (92da9fa)
  • add support for additional IANA timezones, custom UTC offsets and overriding the timezone field (#​15120) (a8785ba)
  • ability to cancel current job from within workflow or task handlers (#​15119) (1bd3146)
  • add typescript.strictDraftTypes flag for opt-in draft query type safety (#​14388) (58faafd)
  • drizzle: include collection and global slugs in validation errors (#​15147) (910d274)
  • plugin-ecommerce: new hooks, cart logic moved to the server and fixed several bugs (#​15142) (dcd4030)
  • plugin-ecommerce: add new method refreshCart in useCart (#​14765) (#​14767) (529726e)
  • plugin-import-export: refactor plugin and add import functionality (#​14782) (13e6035)
  • plugin-mcp: add draft parameter support to MCP find resource tool (#​14924) (744a593)
  • plugin-mcp: adds tools that can find and update globals (#​15091) (f6d9873)
  • plugin-nested-docs: add req parameter to GenerateURL and GenerateLabel types in nested docs (#​14617) (6821a09)
  • plugin-redirects: add Japanese translations (#​15080) (c5b57f7)
  • plugin-search: enables skipping of document syncing (#​14928) (dfcf15c)
  • sdk: automatically fallback to generated types attempt (#​15167) (ae50d39)
  • sdk: add proper error handling (#​15148) (bfe2154)

Feature Details

Job Queue Concurrency Supersedes - Newer jobs can automatically delete older pending jobs with the same concurrency key. Enables "last queued wins" behavior for scenarios where only the latest state matters. #​15179

concurrency: {
  key: ({ input }) => `generate:${input.documentId}`,
  exclusive: true,
  supersedes: true,  // Newer jobs delete older pending ones (not yet completed and did not start processing yet)
}

Exclusive Concurrency Controls - Prevents race conditions when multiple jobs operate on the same resource. Jobs with the same concurrency key will not run in parallel. Requires enableConcurrencyControl: true (will default to true in v4.0). #​15177

export default buildConfig({
  jobs: {
    enableConcurrencyControl: true,
    workflows: [{
      slug: 'syncDocument',
      concurrency: ({ input }) => `sync:${input.documentId}`,
      handler: async ({ job }) => {
        // Only one job per documentId runs at a time
      }
    }]
  }
})

Job Cancellation from Handlers - Throw JobCancelledError from within a task or workflow handler to stop the job without retrying. #​15119

Custom Status Component - Replace the Status section in document or global edit views without replacing the entire Edit view. Useful for custom locale publishing logic or additional status indicators. #​11154

admin: {
  components: {
    edit: {
      Status: '/components/Status/index.tsx#Status',
    },
  },
},

Bulk Operations Single Transaction (db-mongodb) - Handle database transaction limitations when processing large numbers of documents in bulk operations. Useful for DocumentDB and Cosmos DB which have cursor limitations within transactions. #​14387

Additional IANA Timezones & Custom UTC Offsets - Support for additional IANA timezone names via DateTimeFormat API validation, custom UTC offsets in ±HH:mm format, and the ability to override the timezone field configuration. #​15120

{
  name: 'eventTime',
  type: 'date',
  timezone: {
    supportedTimezones: [
      { label: 'UTC+5:30 (India)', value: '+05:30' },
      { label: 'UTC-8 (Pacific)', value: '-08:00' },
      { label: 'UTC+0', value: '+00:00' },
    ],
  },
}

Override the timezone field:

{
  name: 'publishedAt',
  type: 'date',
  label: 'Published At',
  timezone: {
    override: ({ baseField }) => ({
      ...baseField,
      admin: {
        ...baseField.admin,
        disableListColumn: true, // Hide from list view columns
      },
    }),
  },
}

Strict Draft Types (typescript) - Opt-in strictDraftTypes flag for correct type safety when querying drafts. When enabled, find operations with draft: true will correctly type required fields as optional. Will become default in v4.0. #​14388

export default buildConfig({
  typescript: {
    strictDraftTypes: true,  // defaults to false
  },
})

Validation Error Context (drizzle) - Unique constraint ValidationErrors now include data.collection or data.global for better error context when debugging. #​15147

Server-Side Cart Logic (plugin-ecommerce) - Cart logic moved to the server with new REST API endpoints. New hooks: onLogin (merge guest cart with user cart), onLogout (clear session), clearSession, mergeCart, and refreshCart. Support for custom cart item matchers and MongoDB-style $inc operator for quantity changes. #​15142

/**
 * Custom cart item matcher that includes fulfillment option.
 */
const fulfillmentCartItemMatcher: CartItemMatcher = ({ existingItem, newItem }) => {
  const existingProductID =
    typeof existingItem.product === 'object' ? existingItem.product.id : existingItem.product

  const existingVariantID =
    existingItem.variant && typeof existingItem.variant === 'object'
      ? existingItem.variant.id
      : existingItem.variant

  const productMatches = existingProductID === newItem.product

  const variantMatches = newItem.variant
    ? existingVariantID === newItem.variant
    : !existingVariantID

  const existingFulfillment = existingItem.fulfillment as string | undefined
  const newFulfillment = newItem.fulfillment as string | undefined
  const fulfillmentMatches = existingFulfillment === newFulfillment

  return productMatches && variantMatches && fulfillmentMatches
}

refreshCart Method (plugin-ecommerce) - Manually refresh cart state after direct modifications, allowing the UI to stay in sync without being blocked by addItem's uniqueness validation. #​14767

Import Functionality (plugin-import-export) - Complete plugin refactor with new import functionality. Config is now per-collection with required collections array. Supports disabling import/export per collection and custom collection overrides. #​14782 ⚠️ BREAKING CHANGE

importExportPlugin({
  overrideExportCollection: (collection) => {
    collection.admin.group = 'System'
    collection.upload.staticDir = path.resolve(dirname, 'uploads')
    return collection
  },
  overrideImportCollection: (collection) => {
    collection.admin.group = 'System'
    collection.upload.staticDir = path.resolve(dirname, 'uploads')
    return collection
  },
  collections: [
    {
      slug: 'posts',
      import: false, // disables import functionality, export enabled by default
    },
    {
      slug: 'pages',
      export: ({ collection }) => {
        collection.admin.group = 'System'
        collection.upload.staticDir = path.resolve(dirname, 'uploads')
        return collection
      },
      disableJobsQueue: true, // disable jobs queue for this collection only
    },
  ],
  debug: true,
})

Draft Parameter for MCP Find (plugin-mcp) - Query draft/unpublished documents via the MCP plugin's find tool using the new draft boolean parameter. #​14924

Globals Support (plugin-mcp) - New MCP tools to find and update globals. #​15091

Request Parameter in Nested Docs (plugin-nested-docs) - req parameter added to generateURL and generateLabel functions for more flexibility (e.g., reading current locale). #​14617

Skip Sync (plugin-search) - Conditionally skip syncing documents to the search index based on locale, document properties, or other criteria. #​14928

skipSync: async ({ locale, doc, collectionSlug, req }) => {
  if (!locale) return false

  const tenant = await req.payload.findByID({
    collection: 'tenants',
    id: doc.tenant.id,
  })

  return !tenant.allowedLocales.includes(locale)
}

Automatic Type Inference (sdk) - The SDK automatically uses your generated types via module augmentation—no need to manually pass GeneratedTypes. #​15167

import { PayloadSDK } from '@payloadcms/sdk'

const sdk = new PayloadSDK({}) // Types inferred automatically from payload-types.ts

Proper Error Handling (sdk) - The SDK now throws PayloadSDKError on failed API requests with status, errors, response, and message properties. #​15148

import { PayloadSDKError } from '@payloadcms/sdk'

// sdk is the PayloadSDK instance created in the previous snippet
try {
  await sdk.create({ collection: 'posts', data: { /* ... */ } })
} catch (err) {
  if (err instanceof PayloadSDKError) {
    console.log(err.status)  // 400
    console.log(err.errors)  // [{ name: 'ValidationError', message: '...', data: {...} }]
  }
}

Japanese Translations (plugin-redirects) - Localized admin UI strings for Japanese users. #​15080

🐛 Bug Fixes
  • wrong construction of urlToUse leads to false alert with logger.error (#​15190) (ec6bba5)
  • adds missing transactions to login and logout operations (#​15134) (dd494be)
  • set basePath from next config as env variable (#​15154) (a8bfade)
  • throw error on empty relationTo array and allow disabling lockDocuments on all collections (#​14871) (9521ec6)
  • add distinct validate to richtext field type definition (#​15069) (d68e75a)
  • exclude files from being sent to the form-state action (#​15174) (aaea133)
  • full image urls stored in DB (#​15089) (d462f9b)
  • field schema map paths (#​10852) (d288752)
  • custom OPTIONS endpoints are intercepted and cannot set custom CORS headers (#​15153) (c103667)
  • upload drawer not loading data for uploads without files (#​15150) (00fb6e8)
  • cannot read private member #headers error on Node.js 24 when using isolateObjectProperty (#​15116) (e214deb)
  • db-mongodb: avoid unnecessary $lookup when a join field is not selected (#​15149) (e39b1b5)
  • db-mongodb: exists operator on fields that have an array value in the db (#​15152) (0afe200)
  • db-mongodb: find id field from flattened fields (#​15110) (40081f4)
  • db-postgres: add filenameCompoundIndex baseIndexes for upload collections (#​15182) (01f90c9)
  • db-postgres: localized and hasMany/polymorphic relationships/uploads inside blocks (#​15095) (01e4412)
  • drizzle: unique field errors were not thrown as ValidationErrors (#​15146) (43c19cb)
  • live-preview: remove payload import (#​15160) (ec658a4)
  • plugin-cloud-storage: should persist external data returned by handleUpload (#​15188) (7d80d21)
  • plugin-cloud-storage: prevent deleting original file when duplicating (#​14961) (9d54267)
  • plugin-mcp: handle defaultDepth: 0 in api key authentication (#​15014) (e0e058c)
  • plugin-multi-tenant: cannot clear selected tenant from dashboard view (#​15141) (cd77e5d)
  • richtext-lexical,ui: make uploadNode default to alt user-defined values. (#​15097) (3290b04)
  • storage-*: add range headers to storage adapters (#​14890) (ef90811)
  • storage-s3: respect upload limits with client uploads (#​15176) (4a6189e)
  • templates: fix mobile menu auth buttons overflow in ecommerce template (#​15020) (6c1109f)
  • templates: improve cli detection in cloudflare template (#​15098) (5d21ed1)
  • templates: add recommended serverExternalPackages to cloudflare (#​15094) (0eed581)
  • translations: improve Japanese translations for naturalness and consistency (#​15077) (88a901c)
  • ui: ensure up-to-date upload preview thumbnails in admin panel (#​15029) (6f4b272)
  • ui: use optional chaining for potentiallyStalePath (#​15185) (38cd67a)
  • ui: virtual fields with virtual: true show sort chevrons in list view (#​15186) (33c3630)
  • ui: prevent text overlap in breadcrumbs (#​15040) (0e27f19)
  • ui: avoid creating hasMany options during IME composition (#​15086) (98bc876)
  • ui: duplicate document has unused serverURL dependency (#​15178) (6d212b8)
  • ui: bulk upload error count (#​15155) (0a46f4e)
  • ui: margins on small screens when using hideGutter in group (#​15041) (22f94cd)
  • ui: preserve beforeInput/afterInput components in bulk edit (#​14954) (c62dc2a)
  • ui: prevent wrong scroll target when adding rows in repeated array blocks (#​15047) (f13a741)
  • ui: crop width and height inputs limited to -1 of max (#​15101) (3a6d3bd)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
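
The ID-collision condition in the CVE-2026-25574 advisory above, as an added example that is not part of this PR or of Payload's code: a constructed in-memory model showing an ownership check on the numeric ID alone beside one scoped to the auth collection, plus a helper that lists IDs present in more than one auth collection. All names (`SerialTable`, `ownsByIdOnly`, `ownsScoped`, `collidingIds`) and the sample users are hypothetical.

```javascript
// Constructed model, not Payload source: each auth collection has its own
// serial ID sequence, and all of them share one preferences store.
class SerialTable {
  constructor() {
    this.nextId = 1
    this.rows = new Map()
  }
  insert(row) {
    const id = this.nextId++
    this.rows.set(id, { id, ...row })
    return id
  }
}

function createStore(authCollections) {
  const tables = {}
  for (const slug of authCollections) tables[slug] = new SerialTable()
  return { tables, preferences: [] }
}

function createUser(store, collection, email) {
  const id = store.tables[collection].insert({ email })
  return { id, collection, email }
}

function setPreference(store, user, key, value) {
  store.preferences.push({ key, value, owner: { collection: user.collection, id: user.id } })
}

// Weak ownership test: compares the numeric ID only.
const ownsByIdOnly = (pref, requester) => pref.owner.id === requester.id

// Scoped ownership test: the owner is the (collection, id) pair.
const ownsScoped = (pref, requester) =>
  pref.owner.id === requester.id && pref.owner.collection === requester.collection

function readPreference(store, requester, key, owns) {
  const hit = store.preferences.find((p) => p.key === key && owns(p, requester))
  return hit ? hit.value : null
}

function deletePreference(store, requester, key, owns) {
  const before = store.preferences.length
  store.preferences = store.preferences.filter((p) => !(p.key === key && owns(p, requester)))
  return before - store.preferences.length
}

// Audit helper for the third precondition in the advisory: numeric IDs that
// exist in more than one auth collection.
function collidingIds(store) {
  const seen = new Map() // id -> [collection slugs]
  for (const [slug, table] of Object.entries(store.tables)) {
    for (const id of table.rows.keys()) {
      seen.set(id, [...(seen.get(id) || []), slug])
    }
  }
  return [...seen].filter(([, slugs]) => slugs.length > 1).map(([id]) => id)
}

function demo() {
  const store = createStore(['admins', 'customers'])
  const admin = createUser(store, 'admins', 'admin@example.test') // serial id 1
  const customer = createUser(store, 'customers', 'c1@example.test') // serial id 1
  createUser(store, 'customers', 'c2@example.test') // serial id 2, no collision
  setPreference(store, admin, 'nav', { collapsed: true })

  return {
    collisions: collidingIds(store),
    weakRead: readPreference(store, customer, 'nav', ownsByIdOnly),
    scopedRead: readPreference(store, customer, 'nav', ownsScoped),
    scopedDelete: deletePreference(store, customer, 'nav', ownsScoped),
    weakDelete: deletePreference(store, customer, 'nav', ownsByIdOnly),
  }
}

console.log(demo())
```

With UUID identifiers, the condition the advisory lists as not affected, `collidingIds` would return an empty list because IDs no longer repeat across collections.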

@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from 0a442d0 to 65be071 Compare September 25, 2025 16:49
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from 65be071 to ab6c995 Compare October 21, 2025 17:07
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from ab6c995 to 8e9e8d4 Compare November 10, 2025 19:34
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from 8e9e8d4 to 6fd373e Compare November 18, 2025 11:10
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from 6fd373e to 394dc4f Compare December 3, 2025 18:57
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from 394dc4f to e56f754 Compare December 31, 2025 13:57
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from e56f754 to adfb9ed Compare January 8, 2026 16:39
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from adfb9ed to b60d36a Compare January 19, 2026 15:06
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from b60d36a to 6dd145d Compare February 2, 2026 21:03
@renovate renovate bot force-pushed the renovate/npm-payload-vulnerability branch from 6dd145d to 4b5231f Compare February 6, 2026 00:48