Update dependency payload to v3.79.1 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
payload (source)	3.34.0 → 3.79.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-4643

Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.

CVE-2025-4644

A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.

CVE-2026-25574

Impact

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

Users are affected if ALL of these are true:

• Multiple auth collections configured (e.g., admins + customers)
• Postgres or SQLite database adapter with serial/auto-increment IDs
• Users in different auth collections with the same numeric ID

Not affected:

• @payloadcms/db-mongodb adapter
• Single auth collection environments
• Postgres/SQLite with idType: 'uuid'

Patches

This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.

Workarounds

There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.

CVE-2026-27567

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources.

Users are affected if ALL of these are true:

• Payload version < v3.75.0
• At least one collection with upload enabled
• A user has create access to that upload-enabled collection

An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application.

Patches

This vulnerability has been patched in v3.75.0. Users should upgrade to v3.75.0 or later.

Workarounds

If users cannot upgrade immediately, they can mitigate this vulnerability by disabling external file uploads via the disableExternalFile upload collection option, or by restricting create access on upload-enabled collections to trusted users only.

CVE-2026-34751

Impact

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Users are affected if:

• They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in forgot-password functionality.

Patches

Input validation and URL construction in the password recovery flow have been hardened.

Users should upgrade to v3.79.1 or later.

Workarounds

There are no complete workarounds. Upgrading to v3.79.1 is recommended.

CVE-2026-34747

Impact

Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.

Patches

This issue has been fixed in v3.79.1 and later. Query input validation has been hardened.

Upgrade to v3.79.1 or later.

Workarounds

Until developers can upgrade:

• Limit access to endpoints that accept dynamic query inputs to trusted users only.
• Validate or sanitize input from untrusted clients before sending it to query endpoints.

CVE-2026-34746

Impact

An authenticated Server-Side Request Forgery (SSRF) vulnerability existed in the upload functionality.

Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs.

Consumers are affected if ALL of these are true:

• Payload version < v3.79.1
• At least one collection with upload enabled
• An authenticated user has create or update access to that collection

Patches

This vulnerability has been patched in v3.79.1. Users should upgrade to v3.79.1 or later.

Workarounds

Until consumers can upgrade:

• Restrict create and update access to upload-enabled collections to trusted roles only.
• Limit outbound network access from your Payload server where possible.

CVE-2026-34749

Impact

A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

Consumers are affected if ALL of these are true:

• Payload version < v3.79.1
• serverURL is configured

Patches

This vulnerability has been patched in v3.79.1. Additional validation has been added to the authentication flow.

Consumers should upgrade to v3.79.1 or later.

Workarounds

There is no complete workaround without upgrading.

If consumers cannot upgrade immediately, setting cookies.sameSite to 'Strict' will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).

---

Release Notes

payloadcms/payload (payload)

v3.79.1

Compare Source

🐛 Bug Fixes

• text field validation rejecting localized object values (#​15932) (fac59c8)
• use Sec-Fetch-Site header for cookie authentication validation (#​15751) (ef507a6)
• improved request origin retrieval (#​15919) (f30d34f)
• generate:types inlines all blocks, add forceInlineBlocks property to use in plugin mcp (#​15892) (6a9e367)
• update broken custom components docs link in config types jsdoc (#​15794) (17aa1b5)
• run sanitizeWhereQuery for join query access result (#​15891) (dc049fe)
• early return out of me access (#​15883) (c6054c5)
• scope orderable join reordering by parent relation (#​15842) (17a0d19)
• stricter input validation (#​15868) (e474205)
• drizzle: avoid ts errors for payload generate:db-schema with circular references (#​15895) (66a2efa)
• drizzle: error when using contains operator on hasMany select fields (#​15865) (fba2438)
• drizzle: correctly apply query limit on polymorphic joins (#​15652) (fe36dde)
• plugin-import-export: add space in zh translation for exportDocu… (#​15833) (43d5596)
• plugin-mcp: bump @​modelcontextprotocol/sdk from 1.25.2 to 1.27.1 (#​15942) (94d2249)
• storage-azure: add stream aborts for error handling and connection closure (#​15768) (b2a03c9)
• ui: stale data modal incorrectly shown when user saves their own document (#​15933) (a5d9388)
• ui: copy & pasting block content duplicates array items in editor UI (#​15941) (9bcedc8)
• ui: deleted array item reappears after reorder with autosave (#​15906) (752c15a)
• ui: use consistent empty state styling in relationship table (#​15914) (93b90da)
• ui: clicking filtered Combobox entries fails to trigger selection (#​15788) (de3e5ae)
• ui: document status shows changed after publishing specific locale (#​15765) (b95df0b)
• ui: split only on first colon in toast error messages (#​15894) (fd64504)
• ui: block clipboard paste causes duplicate ID errors in Postgres (#​15863) (e7d6331)
• ui: monomorphic relationship fields don't support multi-select with in/not_in operators (#​15886) (f71ef61)
• ui: equal column widths for block-drawer blocks (#​15867) (07f7802)
• ui: isolate join table column preferences from list view (#​15846) (649f117)
• ui: falling back to UTC timezones in timezone picker (#​15841) (70099b7)

⚡ Performance

• richtext-lexical: 3-15x less main thread blocking via centralized toolbar state (#​15832) (2bdf7ce)

📚 Documentation

• correct type name in editMenuItems client component example (#​15904) (03b20d0)
• adds req to available args and wraps examples with proper String type conversions in nested-docs (#​15931) (d2a0740)
• adds docs for logger config (#​15927) (46e43fc)
• fix links to virtual relationship documentation in both Blocks and Array field documentation (#​15888) (fff60c8)
• broken anchor link in blocks field table (#​15887) (36c051a)
• examples: clarify MongoDB prerequisites in Mongo-backed examples (#​15860) (2aa973f)
• plugin-mcp: updates MCP plugin documentation (#​15729) (b97b4e7)

🧪 Tests

• adjust total test count to exclude todo tests in summary output (#​15943) (e46daec)
• fixes pagination and sorting list-view tests due to hydration timing issues (#​15925) (b0f00c4)
• flaky timeout when clicking Create New button in versions test suite (#​15850) (3fb10e1)

🏡 Chores

• bump next.js canary in monorepo (#​15900) (62f2b7c)

🤝 Contributors

• Jessica Rynkar (@​JessRynkar)
• Patrik (@​PatrikKozak)
• German Jablonski (@​GermanJablo)
• Copilot (@​Copilot)
• Leon Gattermayer (@​LeonGatt)
• Omar Yusuf Abdi (@​omar-y-abdi)
• Sean Zubrickas (@​zubricks)
• Eduardo Costa (@​ed-cscosta)
• Jarrod Flesch (@​JarrodMFlesch)
• Sasha (@​r1tsuu)
• Alessio Gravili (@​AlessioGr)
• Seiya (@​silmin)
• Maxim Seshuk (@​maximseshuk)
• Kendell (@​kendelljoseph)
• Divyam gupta (@​divyamdotfoo)
• deepshekhardas (@​deepshekhardas)
• Paul (@​paulpopus)
• zzz1220 (@​zzz1220)
• Mikko Vänskä (@​vanska)

v3.79.0

Compare Source

🚀 Features

• richtext-lexical: separate configuration for lexical block icons (#​15632) (f0498f2)
• richtext-lexical: upgrade lexical from 0.35.0 to 0.41.0 (#​15760) (ba3bd74)
• translations: add i18n translations for modular dashboards (#​15004) (cef2838)

---

Separate Block Icon Configuration (richtext-lexical) — Configure different images for Lexical block icons and block drawer thumbnails independently. Previously, imageURL served both contexts, forcing a compromise between a good 20x20px icon and a good drawer thumbnail. The new images property supports separate icon and thumbnail values with automatic fallback. Fully backwards compatible — imageURL still works but is deprecated. #​15632

const QuoteBlock: Block = {
  slug: 'quote',
  images: {
    icon: 'https://example.com/icons/quote-20x20.svg',
    thumbnail: { url: 'https://example.com/thumbnails/quote-480x320.jpg', alt: 'Quote block' },
  },
  fields: [...],
}

Lexical Upgrade 0.35.0 → 0.41.0 (richtext-lexical) — Upgrades the Lexical rich text editor dependency from v0.35.0 to v0.41.0. Includes upstream fixes like normalizeMarkdown (facebook/lexical#7812). All Lexical breaking changes are handled internally by Payload — no action required for standard usage. If you installed lexical manually, update it to 0.41.0 (though using the re-exported versions from @payloadcms/richtext-lexical/lexical/* is recommended). #​15760

Modular Dashboard Translations (translations) — Adds i18n translation support for the Modular Dashboards feature, covering all dashboard widget buttons and error messages. Previously, dashboard UI elements lacked translation keys, making them inaccessible for non-English users. Also updates the automatic translation script to use GPT-4.1 for improved cost efficiency. #​15004

🐛 Bug Fixes

• restoreVersion validation for localized required fields (#​15821) (e899182)
• draft doc validation when duplicating docs (#​15816) (f470699)
• plugin-ecommerce: pass req to Payload API calls in Stripe adapter (#​15839) (74799ea)
• plugin-import-export: automatically inherit locale and limit from URL queries (#​15812) (ee083f0)
• plugin-import-export: fix imports with locales in a different column order than exported (#​15808) (410912c)
• plugin-import-export: fix exports in other non-latin scripts being broken when opened in excel (#​15813) (d931894)
• ui: drag and drop not working for sortable hasMany fields (#​15845) (2c7ef3f)
• ui: prevent false positive stale data modal on autosave-enabled documents (#​15817) (6aff717)
• ui: typo in CodeEditor export statement (#​15795) (c5b2a91)

🛠 Refactors

• rename widget ComponentPath to Component for consistency (#​15780) (f7d0d04)

📚 Documentation

• add documentation for conditional tabs (#​15809) (a1d6733)
• fix table formatting in import-export plugin (#​15792) (0dba95a)

🧪 Tests

• update suites selected by default in runTestsWithSummary (#​15789) (07f2f05)

🏡 Chores

• prevent dev server from dirtying tracked files (#​15826) (cb6f426)
• plugin-search: clean up .DS_Store file and resulting empty images directory (#​14506) (f6f73dd)

⚠️ BREAKING CHANGES

• rename widget ComponentPath to Component for consistency (#​15780) (f7d0d04)

  • Renames Widget.ComponentPath to Widget.Component and types it as PayloadComponentinstead ofstring`
  • This aligns dashboard widgets with every other component reference in (collections, globals, fields, admin components) - none of them path in the property name, and all of them are typed as PayloadComponent
  • Enables new typescript plugin to work for widget paths (the plugin uses PayloadComponent contextual type detection - string-typed properties were invisible to it)

• ui: typo in CodeEditor export statement (#​15795) (c5b2a91)

🤝 Contributors

• Patrik (@​PatrikKozak)
• Jens Becker (@​jhb-dev)
• Paul (@​paulpopus)
• German Jablonski (@​GermanJablo)
• Elliot DeNolf (@​denolfe)
• Luiz Cláudio (@​lcnogueira)
• Palamar Roman (@​VeiaG)
• Sebastian Blank (@​blankse)
• Alessio Gravili (@​AlessioGr)
• Mahmoud Hassan (@​Mhmod-Hsn)

v3.78.0

Compare Source

🚀 Features

• typescript plugin for import paths (#​15779) (7639664)
• move trash out of beta and delete access can now be limited to trash only (#​15210) (2347cd9)
• next, ui: widget fields (#​15700) (0a123b5)
• plugin-mcp: out of beta (#​15711) (1b19d5f)
• plugin-mcp: ignore virtual fields in create and update operations (#​15680) (cc8f888)
• richtext-lexical: add markdown transformer for upload nodes (#​15630) (4af5a85)
• ui: adds dashed button style (#​15728) (d570787)
• ui: make query-presets editable from the form view (#​15657) (575f8e9)

---

Feature Details

TypeScript Plugin for Component Paths - New @payloadcms/typescript-plugin validates PayloadComponent import paths directly in your IDE. It checks that referenced files and exports exist, provides autocomplete for file paths and export names, supports go-to-definition on component path strings, and understands all Payload path conventions including absolute paths, relative paths, tsconfig aliases, and package imports. #​15779

screenshot.2026-02-26.at.15.55.40.mp4

pnpm add -D @​payloadcms/typescript-plugin

{
  "compilerOptions": {
    "plugins": [{ "name": "next" }, { "name": "@​payloadcms/typescript-plugin" }]
  }
}

Trash Out of Beta with Granular Delete Access - Trash is now a stable feature. Delete access control can now distinguish between trashing and permanently deleting — allowing you to permit users to soft-delete documents while restricting permanent deletion to admins. When data.deletedAt is being set, the operation is a trash; otherwise it's a permanent delete. #​15210

import type { CollectionConfig } from 'payload'

export const Posts: CollectionConfig = {
  slug: 'posts',
  trash: true,
  access: {
    delete: ({ req: { user }, data }) => {
      // Not logged in - no access
      if (!user) {
        return false
      }

      // Admins can do anything (trash or permanently delete)
      if (user.roles?.includes('admin')) {
        return true
      }

      // Regular users: check what operation they're attempting
      // If data.deletedAt is being set, it's a trash operation - allow it
      if (data?.deletedAt) {
        return true
      }

      // Otherwise it's a permanent delete - deny for non-admins
      return false
    },
  },
  fields: [
    // ...
  ],
}

Widget Fields (next, ui) - Dashboard widgets can now declare configurable fields, similar to Blocks. Widget data is editable from a new drawer UI when in dashboard editing mode. Full type generation is included — WidgetInstance<T> is generic with typed data and width, and WidgetServerProps is generic so widget components receive typed widgetData. #​15700

Screen.Recording.2026-02-23.at.16.25.40.mov

import { buildConfig } from 'payload'

export default buildConfig({
  admin: {
    dashboard: {
      widgets: [
        {
          slug: 'sales-summary',
          ComponentPath: './components/SalesSummary.tsx#default',
          fields: [
            { name: 'title', type: 'text' },
            {
              name: 'timeframe',
              type: 'select',
              options: ['daily', 'weekly', 'monthly', 'yearly'],
            },
            { name: 'showTrend', type: 'checkbox' },
          ],
          minWidth: 'small',
          maxWidth: 'medium',
        },
      ],
    },
  },
})

import type { WidgetServerProps } from 'payload'

import type { SalesSummaryWidget } from '../payload-types'

export default async function SalesSummaryWidgetComponent({
  widgetData,
}: WidgetServerProps<SalesSummaryWidget>) {
  const title = widgetData?.title ?? 'Sales Summary'
  const timeframe = widgetData?.timeframe ?? 'monthly'

  return (
    <div className="card">
      <h3>
        {title} ({timeframe})
      </h3>
    </div>
  )
}

MCP Plugin Out of Beta (plugin-mcp) - @payloadcms/plugin-mcp is now stable and ready for production use. #​15711

Virtual Field Filtering in MCP (plugin-mcp) - Virtual fields (virtual: true) are now automatically stripped from MCP tool input schemas and filtered from parsed data before create, update, and updateGlobal operations. This prevents non-stored fields from appearing as accepted MCP parameters. #​15680

Markdown Transformer for Upload Nodes (richtext-lexical) - Upload nodes are now properly converted when using convertLexicalToMarkdown. Previously, upload nodes were silently dropped during markdown conversion. Now populated image uploads output ![alt text](/uploads/image.jpg), non-image uploads output link syntax, and non-populated uploads output a reference placeholder so data is never lost. #​15630

Dashed Button Style (ui) - Adds a new dashed button style variant. Also replaces box-shadow with border on all buttons and fixes icon-only button padding. #​15728

Editable Query Presets from Form View (ui) - Query presets can now be created and edited directly from the document form view using a full WhereBuilder, column picker, and groupBy selector — no longer requiring the list view to build queries first. #​15657

Screen.Recording.2026-02-17.at.18.15.34.mov

---

🐛 Bug Fixes

• getFieldsToSign crashes when user missing group/tab fields (#​15775) (9f0c101)
• improve mobile touch support for dnd (#​15771) (418bb92)
• prevent silent data overwrites on concurrent edits (#​15749) (7a3f43f)
• preserve block metadata in mergeLocalizedData and filterDataToSelectedLocales (#​15715) (6557292)
• return 400 for malformed JSON request bodies (#​15706) (4861fa1)
• globals not updating updatedAt when saving drafts (#​15764) (df17cb1)
• return early if pasteURL is not defined (#​15748) (23d52a0)
• prevent req.file leak between sequential duplicate() calls on upload collections (#​15620) (2baea2e)
• sanitize filenames in storage adapters (#​15746) (45bd2f1)
• throw error for unknown query operators (#​15739) (08226db)
• preserve locale data in unnamed groups with localizeStatus (#​15658) (38b8c68)
• next: conditionally query snapshot field based on localization (#​15693) (d5706ee)
• plugin-import-export: update docs on jobs and basic usage as well as visibility (#​15695) (a40210c)
• plugin-mcp: use inline block schemas in JSON output (#​15675) (a66e844)
• plugin-multi-tenant: hasMany tenant fields double-wrap arrays in filterOptions (#​15709) (aaddeac)
• plugin-multi-tenant: return false instead of query when no tenants (#​15679) (f5a5bd8)
• richtext-lexical: bump acorn to resolve type mismatch with transitive dep (#​15791) (801e851)
• richtext-lexical: link markdown regex should not match similar looking image markdown (#​15713) (0a0afb0)
• richtext-lexical: use headingLevel in danish heading label (#​15685) (ad4c0f6)
• richtext-lexical: strip server-only properties from blocks in lexical client schema map (#​15756) (c05ace2)
• templates: ecommerce find my order access functionality to use email (#​15736) (b317eaa)
• ui: array field add button margin not applying consistently (#​15773) (ee298f5)
• ui: respect custom Cell components on richText fields in list view (#​15762) (139cf3e)
• ui: use correct translation key for collection version restore modal (#​15757) (c1892eb)
• ui: encode HTML special characters in version diff view (#​15747) (30fee83)
• ui: flash of border on list selection buttons (#​15735) (7f3c6c8)

🛠 Refactors

• extract regex escape pattern into shared utility (#​15676) (8ce389e)
• plugin-mcp: reduced code and de-duplication (#​15705) (039e6c9)

🎨 Styles

• richtext-lexical: lists and quotes have inconsistent letter spacing (#​15682) (f2397a8)

🧪 Tests

• fix flaky versions tests timing out on link clicks before hydration (#​15790) (02da3fd)
• fix flaky lexical code block test with incorrect error expectations (#​15776) (4e3e780)
• trash e2e list view clicks timing out in CI (#​15778) (fd81fd5)
• fix flaky localization tests with race conditions (#​15777) (bda5d0d)
• bulk upload button clicks timeout in CI (#​15703) (8228a7d)
• field update access control test times out locally (#​15691) (78e8e14)
• fix flaky account unlock test in postgres-uuid and custom-schema (#​15696) (e3a76e3)
• fix flaky lexical e2e navigation timeouts and drawer clicks (#​15694) (9ca5cda)
• fix flaky access-control bulk delete tests failing due to timing issues (#​15692) (558345b)
• fix flaky drawer open and column sort timing issues (#​15677) (00f763b)

📝 Templates

• fix cloudflare logger error in with-cloudflare-d1 template (#​15752) (8791a72)
• ecommerce add missing access control on collections (#​15744) (c74d91d)
• fix ecommerce webhooks url and update docs on using stripe webhooks (#​15681) (677596c)

🏡 Chores

• make test:e2e agent-friendly with --grep support and dev server reuse (#​15755) (929203c)
• deps: bump next.js canary in monorepo (#​15708) (e3d8a94)
• plugin-mcp: improve schema sanitization and test coverage (#​15704) (7e20b5c)
• templates: bump versions to 3.77.0 (#​15678) (e26df27)

🤝 Contributors

• Elliot DeNolf (@​denolfe)
• Alessio Gravili (@​AlessioGr)
• Patrik (@​PatrikKozak)
• Sean Zubrickas (@​zubricks)
• Benedikt Rötsch (@​axe312ger)
• Shobhit Singhal (@​shobhitsinghal624)
• The Mavik (@​themavik)
• Divyesh Jain (@​divyesh123-jain)
• Paul (@​paulpopus)
• German Jablonski (@​GermanJablo)
• Jens Becker (@​jhb-dev)
• Jarrod Flesch (@​JarrodMFlesch)
• Jessica Rynkar (@​JessRynkar)
• Kendell (@​kendelljoseph)
• Varun Chawla (@​veeceey)

v3.77.0

Compare Source

🚀 Features

• pass local API depth through to req.query.depth for consistency (#​15023) (9a38469)
• db-*: add customID arg to db.create (#​15653) (0935824)
• plugin-mcp: migrate from @​vercel/mcp-adapter to mcp-handler (#​15661) (24025fd)

---

Feature Details

Local API Depth Consistency - The depth option passed to Local API calls like payload.find() is now automatically set on req.query.depth. Previously, hooks relying on req.query.depth would behave differently between Local API and REST/GraphQL calls unless you manually passed req: { query: { depth: x } } in addition to depth: x. This change ensures consistent behavior across all API methods. #​15023

Custom ID Support in db.create (db-*) - New customID argument on payload.db.create allows creating documents with a specific ID without requiring a custom ID field in your collection schema. #​15653

payload.db.create({ collection: 'posts', customID: 'ce98d6c4-c3ab-45de-9dfc-bf33d94cc941', data: { } })

MCP Plugin Migration (plugin-mcp) - Migrates from the deprecated @vercel/mcp-adapter to mcp-handler and bumps @modelcontextprotocol/sdk to 1.25.2 addressing a security vulnerability. Exposes new handler options: disableSse, onEvent, and redisUrl. #​15661

import { mcpPlugin } from '@​payloadcms/plugin-mcp'

export default buildConfig({
  plugins: [
    mcpPlugin({
      // Optional: Enable SSE transport (disabled by default)
      disableSse: false,
      // Optional: Redis URL for SSE session management (defaults to REDIS_URL env)
      redisUrl: 'redis://localhost:6379',
      // Optional: Track MCP events for analytics/debugging
      onEvent: (event) => {
        console.log('MCP event:', event)
      },
    }),
  ],
})

---

🐛 Bug Fixes

• hasMany text fields cannot be filtered with contains operator (#​15671) (4513a05)
• use consistent empty state styling between list and folder views (#​15555) (8953b37)
• populate previousValue correctly in afterChange hooks for nested lexical fields (#​15623) (1cc3bb9)
• add i18n support for dashboard edit mode buttons (#​15564) (818e31d)
• next: handle undefined fieldTab in version diff tabs (#​15590) (bbacab8)
• plugin-cloud-storage: ensure file data persists across operations (#​15570) (6af3673)
• plugin-cloud-storage: generateFileURL only ran when disablePayloadAccessControl was true (#​15667) (6c5611c)
• plugin-import-export: remove deprecated import (#​15666) (733b1df)
• plugin-import-export: export and import issues when using custom IDs (#​15518) (7e2a3ab)
• plugin-import-export: columns being duplicated when using toCSV hook (#​15597) (28e07dc)
• plugin-mcp: resolve union type fields failing in update tool (#​15660) (9ae89dd)
• plugin-multi-tenant: improve translation for "Tenant" (use "Mandant" instead of "Mieter") (#​15537) (4d4033b)
• plugin-multi-tenant: tenant selector not appearing after login (#​15617) (dd09f67)
• storage-r2: build error due to types issue in R2 Bucket type (#​15670) (7d1e233)
• ui: fix broken polymorphic join edit drawer (#​15621) (d450e99)

📚 Documentation

• update cell component docs (#​15574) (c403b00)
• outline html lexical content conversion (#​15601) (dc1b799)
• updates collection admin options (#​14605) (8e92f7f)
• update custom components docs (#​15576) (ae82294)
• clarify supported Next.js versions and optional dependencies in installation guide (#​15604) (409bc0d)

🧪 Tests

• trash e2e tests check URL before navigation completes (#​15599) (7fe5a8c)

🏡 Chores

• add md and mdx language block linting (#​15309) (5415516)
• bump playwright to fix vscode run test indicators (#​15626) (f74d288)
• only add publishAllLocales to publish when localizeStatus is enabled (#​15610) (d57bc22)

🤝 Contributors

• Paul (@​paulpopus)
• Patrik (@​PatrikKozak)
• Jessica Rynkar (@​JessRynkar)
• German Jablonski (@​GermanJablo)
• Kendell (@​kendelljoseph)
• Ahmad Yasser (@​AhmadYasser1)
• Sasha (@​r1tsuu)
• Philipp Schneider (@​philipp-tailor)
• Philipp Brumm (@​brumm)
• Sebastian Blank (@​blankse)
• Sean Zubrickas (@​zubricks)
• Alessio Gravili (@​AlessioGr)
• Vaishnav Patil (@​vaishnav-3)
• Divyesh Jain (@​divyesh123-jain)

v3.76.1

Compare Source

🐛 Bug Fixes

• use optional chaining for adminThumbnail size lookup to prevent crash (#​15586) (6937eec)
• non-image files should not recieve 0 bytes with useTempFiles (#​15538) (a313627)
• add CSP headers to SVG uploads to prevent XSS (#​15506) (8283c25)
• richtext-lexical: link tooltip overflows outside viewport with long URLs (#​15584) (af6b1a1)
• ui: prevent Tabs field crash when stored tabIndex exceeds tab count (#​15588) (a9e296e)
• ui: copy to locale function swallowing errors (#​15562) (8ce62d8)
• ui: ensure unpublish button only shows when drafts are enabled (#​15459) (69dc5e6)

⚙️ CI

• releaser always pull latest on release (#​15566) (84344a2)

v3.76.0

Compare Source

🚀 Features

• plugin-import-export: adds new exportLimit, importLimit and per collection limit control (#​15405) (a7beeca)

🐛 Bug Fixes

• drizzle: use dynamic import for typescript to avoid dependency in production (#​15545) (98a756c)
• live-preview-vue: update build config to compile as esm (#​14293) (60c65ed)
• next: drop support for Next.js versions with known CVEs, add canary 16.2.0 support (#​15547) (2b3061a)
• next: suppress webpack "Critical dependency" warning in dynamicImport (#​15534) (6158489)
• plugin-import-export: errors when import/export files were stored in a storage adapter such as S3 (#​15441) (73a9650)
• ui: tab error badge not counting required array validation errors (#​15563

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.