v3.79.1

Compare Source

🐛 Bug Fixes

• text field validation rejecting localized object values (#​15932) (fac59c8)
• use Sec-Fetch-Site header for cookie authentication validation (#​15751) (ef507a6)
• improved request origin retrieval (#​15919) (f30d34f)
• generate:types inlines all blocks, add forceInlineBlocks property to use in plugin mcp (#​15892) (6a9e367)
• update broken custom components docs link in config types jsdoc (#​15794) (17aa1b5)
• run sanitizeWhereQuery for join query access result (#​15891) (dc049fe)
• early return out of me access (#​15883) (c6054c5)
• scope orderable join reordering by parent relation (#​15842) (17a0d19)
• stricter input validation (#​15868) (e474205)
• drizzle: avoid ts errors for payload generate:db-schema with circular references (#​15895) (66a2efa)
• drizzle: error when using contains operator on hasMany select fields (#​15865) (fba2438)
• drizzle: correctly apply query limit on polymorphic joins (#​15652) (fe36dde)
• plugin-import-export: add space in zh translation for exportDocu… (#​15833) (43d5596)
• plugin-mcp: bump @​modelcontextprotocol/sdk from 1.25.2 to 1.27.1 (#​15942) (94d2249)
• storage-azure: add stream aborts for error handling and connection closure (#​15768) (b2a03c9)
• ui: stale data modal incorrectly shown when user saves their own document (#​15933) (a5d9388)
• ui: copy & pasting block content duplicates array items in editor UI (#​15941) (9bcedc8)
• ui: deleted array item reappears after reorder with autosave (#​15906) (752c15a)
• ui: use consistent empty state styling in relationship table (#​15914) (93b90da)
• ui: clicking filtered Combobox entries fails to trigger selection (#​15788) (de3e5ae)
• ui: document status shows changed after publishing specific locale (#​15765) (b95df0b)
• ui: split only on first colon in toast error messages (#​15894) (fd64504)
• ui: block clipboard paste causes duplicate ID errors in Postgres (#​15863) (e7d6331)
• ui: monomorphic relationship fields don't support multi-select with in/not_in operators (#​15886) (f71ef61)
• ui: equal column widths for block-drawer blocks (#​15867) (07f7802)
• ui: isolate join table column preferences from list view (#​15846) (649f117)
• ui: falling back to UTC timezones in timezone picker (#​15841) (70099b7)

⚡ Performance

• richtext-lexical: 3-15x less main thread blocking via centralized toolbar state (#​15832) (2bdf7ce)

📚 Documentation

• correct type name in editMenuItems client component example (#​15904) (03b20d0)
• adds req to available args and wraps examples with proper String type conversions in nested-docs (#​15931) (d2a0740)
• adds docs for logger config (#​15927) (46e43fc)
• fix links to virtual relationship documentation in both Blocks and Array field documentation (#​15888) (fff60c8)
• broken anchor link in blocks field table (#​15887) (36c051a)
• examples: clarify MongoDB prerequisites in Mongo-backed examples (#​15860) (2aa973f)
• plugin-mcp: updates MCP plugin documentation (#​15729) (b97b4e7)

🧪 Tests

• adjust total test count to exclude todo tests in summary output (#​15943) (e46daec)
• fixes pagination and sorting list-view tests due to hydration timing issues (#​15925) (b0f00c4)
• flaky timeout when clicking Create New button in versions test suite (#​15850) (3fb10e1)

🏡 Chores

• bump next.js canary in monorepo (#​15900) (62f2b7c)

🤝 Contributors

• Jessica Rynkar (@​JessRynkar)
• Patrik (@​PatrikKozak)
• German Jablonski (@​GermanJablo)
• Copilot (@​Copilot)
• Leon Gattermayer (@​LeonGatt)
• Omar Yusuf Abdi (@​omar-y-abdi)
• Sean Zubrickas (@​zubricks)
• Eduardo Costa (@​ed-cscosta)
• Jarrod Flesch (@​JarrodMFlesch)
• Sasha (@​r1tsuu)
• Alessio Gravili (@​AlessioGr)
• Seiya (@​silmin)
• Maxim Seshuk (@​maximseshuk)
• Kendell (@​kendelljoseph)
• Divyam gupta (@​divyamdotfoo)
• deepshekhardas (@​deepshekhardas)
• Paul (@​paulpopus)
• zzz1220 (@​zzz1220)
• Mikko Vänskä (@​vanska)

v3.79.0

Compare Source

🚀 Features

• richtext-lexical: separate configuration for lexical block icons (#​15632) (f0498f2)
• richtext-lexical: upgrade lexical from 0.35.0 to 0.41.0 (#​15760) (ba3bd74)
• translations: add i18n translations for modular dashboards (#​15004) (cef2838)

Separate Block Icon Configuration (richtext-lexical) — Configure different images for Lexical block icons and block drawer thumbnails independently. Previously, imageURL served both contexts, forcing a compromise between a good 20x20px icon and a good drawer thumbnail. The new images property supports separate icon and thumbnail values with automatic fallback. Fully backwards compatible — imageURL still works but is deprecated. #​15632

const QuoteBlock: Block = {
  slug: 'quote',
  images: {
    icon: 'https://example.com/icons/quote-20x20.svg',
    thumbnail: { url: 'https://example.com/thumbnails/quote-480x320.jpg', alt: 'Quote block' },
  },
  fields: [...],
}

Lexical Upgrade 0.35.0 → 0.41.0 (richtext-lexical) — Upgrades the Lexical rich text editor dependency from v0.35.0 to v0.41.0. Includes upstream fixes like normalizeMarkdown (facebook/lexical#7812). All Lexical breaking changes are handled internally by Payload — no action required for standard usage. If you installed lexical manually, update it to 0.41.0 (though using the re-exported versions from @payloadcms/richtext-lexical/lexical/* is recommended). #​15760

Modular Dashboard Translations (translations) — Adds i18n translation support for the Modular Dashboards feature, covering all dashboard widget buttons and error messages. Previously, dashboard UI elements lacked translation keys, making them inaccessible for non-English users. Also updates the automatic translation script to use GPT-4.1 for improved cost efficiency. #​15004

🐛 Bug Fixes

• restoreVersion validation for localized required fields (#​15821) (e899182)
• draft doc validation when duplicating docs (#​15816) (f470699)
• plugin-ecommerce: pass req to Payload API calls in Stripe adapter (#​15839) (74799ea)
• plugin-import-export: automatically inherit locale and limit from URL queries (#​15812) (ee083f0)
• plugin-import-export: fix imports with locales in a different column order than exported (#​15808) (410912c)
• plugin-import-export: fix exports in other non-latin scripts being broken when opened in excel (#​15813) (d931894)
• ui: drag and drop not working for sortable hasMany fields (#​15845) (2c7ef3f)
• ui: prevent false positive stale data modal on autosave-enabled documents (#​15817) (6aff717)
• ui: typo in CodeEditor export statement (#​15795) (c5b2a91)

🛠 Refactors

• rename widget ComponentPath to Component for consistency (#​15780) (f7d0d04)

📚 Documentation

• add documentation for conditional tabs (#​15809) (a1d6733)
• fix table formatting in import-export plugin (#​15792) (0dba95a)

🧪 Tests

• update suites selected by default in runTestsWithSummary (#​15789) (07f2f05)

🏡 Chores

• prevent dev server from dirtying tracked files (#​15826) (cb6f426)
• plugin-search: clean up .DS_Store file and resulting empty images directory (#​14506) (f6f73dd)

⚠️ BREAKING CHANGES

• rename widget ComponentPath to Component for consistency (#​15780) (f7d0d04)

  • Renames Widget.ComponentPath to Widget.Component and types it as PayloadComponentinstead ofstring`
  • This aligns dashboard widgets with every other component reference in (collections, globals, fields, admin components) - none of them path in the property name, and all of them are typed as PayloadComponent
  • Enables new typescript plugin to work for widget paths (the plugin uses PayloadComponent contextual type detection - string-typed properties were invisible to it)

• ui: typo in CodeEditor export statement (#​15795) (c5b2a91)

🤝 Contributors

• Patrik (@​PatrikKozak)
• Jens Becker (@​jhb-dev)
• Paul (@​paulpopus)
• German Jablonski (@​GermanJablo)
• Elliot DeNolf (@​denolfe)
• Luiz Cláudio (@​lcnogueira)
• Palamar Roman (@​VeiaG)
• Sebastian Blank (@​blankse)
• Alessio Gravili (@​AlessioGr)
• Mahmoud Hassan (@​Mhmod-Hsn)

v3.78.0

Compare Source

🚀 Features

• typescript plugin for import paths (#​15779) (7639664)
• move trash out of beta and delete access can now be limited to trash only (#​15210) (2347cd9)
• next, ui: widget fields (#​15700) (0a123b5)
• plugin-mcp: out of beta (#​15711) (1b19d5f)
• plugin-mcp: ignore virtual fields in create and update operations (#​15680) (cc8f888)
• richtext-lexical: add markdown transformer for upload nodes (#​15630) (4af5a85)
• ui: adds dashed button style (#​15728) (d570787)
• ui: make query-presets editable from the form view (#​15657) (575f8e9)

Feature Details

TypeScript Plugin for Component Paths - New @payloadcms/typescript-plugin validates PayloadComponent import paths directly in your IDE. It checks that referenced files and exports exist, provides autocomplete for file paths and export names, supports go-to-definition on component path strings, and understands all Payload path conventions including absolute paths, relative paths, tsconfig aliases, and package imports. #​15779

pnpm add -D @​payloadcms/typescript-plugin

{
  "compilerOptions": {
    "plugins": [{ "name": "next" }, { "name": "@​payloadcms/typescript-plugin" }]
  }
}

Trash Out of Beta with Granular Delete Access - Trash is now a stable feature. Delete access control can now distinguish between trashing and permanently deleting — allowing you to permit users to soft-delete documents while restricting permanent deletion to admins. When data.deletedAt is being set, the operation is a trash; otherwise it's a permanent delete. #​15210

import type { CollectionConfig } from 'payload'

export const Posts: CollectionConfig = {
  slug: 'posts',
  trash: true,
  access: {
    delete: ({ req: { user }, data }) => {
      // Not logged in - no access
      if (!user) {
        return false
      }

      // Admins can do anything (trash or permanently delete)
      if (user.roles?.includes('admin')) {
        return true
      }

      // Regular users: check what operation they're attempting
      // If data.deletedAt is being set, it's a trash operation - allow it
      if (data?.deletedAt) {
        return true
      }

      // Otherwise it's a permanent delete - deny for non-admins
      return false
    },
  },
  fields: [
    // ...
  ],
}

Widget Fields (next, ui) - Dashboard widgets can now declare configurable fields, similar to Blocks. Widget data is editable from a new drawer UI when in dashboard editing mode. Full type generation is included — WidgetInstance<T> is generic with typed data and width, and WidgetServerProps is generic so widget components receive typed widgetData. #​15700

import { buildConfig } from 'payload'

export default buildConfig({
  admin: {
    dashboard: {
      widgets: [
        {
          slug: 'sales-summary',
          ComponentPath: './components/SalesSummary.tsx#default',
          fields: [
            { name: 'title', type: 'text' },
            {
              name: 'timeframe',
              type: 'select',
              options: ['daily', 'weekly', 'monthly', 'yearly'],
            },
            { name: 'showTrend', type: 'checkbox' },
          ],
          minWidth: 'small',
          maxWidth: 'medium',
        },
      ],
    },
  },
})

import type { WidgetServerProps } from 'payload'

import type { SalesSummaryWidget } from '../payload-types'

export default async function SalesSummaryWidgetComponent({
  widgetData,
}: WidgetServerProps<SalesSummaryWidget>) {
  const title = widgetData?.title ?? 'Sales Summary'
  const timeframe = widgetData?.timeframe ?? 'monthly'

  return (
    <div className="card">
      <h3>
        {title} ({timeframe})
      </h3>
    </div>
  )
}

MCP Plugin Out of Beta (plugin-mcp) - @payloadcms/plugin-mcp is now stable and ready for production use. #​15711

Virtual Field Filtering in MCP (plugin-mcp) - Virtual fields (virtual: true) are now automatically stripped from MCP tool input schemas and filtered from parsed data before create, update, and updateGlobal operations. This prevents non-stored fields from appearing as accepted MCP parameters. #​15680

Markdown Transformer for Upload Nodes (richtext-lexical) - Upload nodes are now properly converted when using convertLexicalToMarkdown. Previously, upload nodes were silently dropped during markdown conversion. Now populated image uploads output ![alt text](/uploads/image.jpg), non-image uploads output link syntax, and non-populated uploads output a reference placeholder so data is never lost. #​15630

Dashed Button Style (ui) - Adds a new dashed button style variant. Also replaces box-shadow with border on all buttons and fixes icon-only button padding. #​15728

Editable Query Presets from Form View (ui) - Query presets can now be created and edited directly from the document form view using a full WhereBuilder, column picker, and groupBy selector — no longer requiring the list view to build queries first. #​15657

🐛 Bug Fixes

• getFieldsToSign crashes when user missing group/tab fields (#​15775) (9f0c101)
• improve mobile touch support for dnd (#​15771) (418bb92)
• prevent silent data overwrites on concurrent edits (#​15749) (7a3f43f)
• preserve block metadata in mergeLocalizedData and filterDataToSelectedLocales (#​15715) (6557292)
• return 400 for malformed JSON request bodies (#​15706) (4861fa1)
• globals not updating updatedAt when saving drafts (#​15764) (df17cb1)
• return early if pasteURL is not defined (#​15748) (23d52a0)
• prevent req.file leak between sequential duplicate() calls on upload collections (#​15620) (2baea2e)
• sanitize filenames in storage adapters (#​15746) (45bd2f1)
• throw error for unknown query operators (#​15739) (08226db)
• preserve locale data in unnamed groups with localizeStatus (#​15658) (38b8c68)
• next: conditionally query snapshot field based on localization (#​15693) (d5706ee)
• plugin-import-export: update docs on jobs and basic usage as well as visibility (#​15695) (a40210c)
• plugin-mcp: use inline block schemas in JSON output (#​15675) (a66e844)
• plugin-multi-tenant: hasMany tenant fields double-wrap arrays in filterOptions (#​15709) (aaddeac)
• plugin-multi-tenant: return false instead of query when no tenants (#​15679) (f5a5bd8)
• richtext-lexical: bump acorn to resolve type mismatch with transitive dep (#​15791) (801e851)
• richtext-lexical: link markdown regex should not match similar looking image markdown (#​15713) (0a0afb0)
• richtext-lexical: use headingLevel in danish heading label (#​15685) (ad4c0f6)
• richtext-lexical: strip server-only properties from blocks in lexical client schema map (#​15756) (c05ace2)
• templates: ecommerce find my order access functionality to use email (#​15736) (b317eaa)
• ui: array field add button margin not applying consistently (#​15773) (ee298f5)
• ui: respect custom Cell components on richText fields in list view (#​15762) (139cf3e)
• ui: use correct translation key for collection version restore modal (#​15757) (c1892eb)
• ui: encode HTML special characters in version diff view (#​15747) (30fee83)
• ui: flash of border on list selection buttons (#​15735) (7f3c6c8)

🛠 Refactors

• extract regex escape pattern into shared utility (#​15676) (8ce389e)
• plugin-mcp: reduced code and de-duplication (#​15705) (039e6c9)

🎨 Styles

• richtext-lexical: lists and quotes have inconsistent letter spacing (#​15682) (f2397a8)

🧪 Tests

• fix flaky versions tests timing out on link clicks before hydration (#​15790) (02da3fd)
• fix flaky lexical code block test with incorrect error expectations (#​15776) (4e3e780)
• trash e2e list view clicks timing out in CI (#​15778) (fd81fd5)
• fix flaky localization tests with race conditions (#​15777) (bda5d0d)
• bulk upload button clicks timeout in CI (#​15703) (8228a7d)
• field update access control test times out locally (#​15691) (78e8e14)
• fix flaky account unlock test in postgres-uuid and custom-schema (#​15696) (e3a76e3)
• fix flaky lexical e2e navigation timeouts and drawer clicks (#​15694) (9ca5cda)
• fix flaky access-control bulk delete tests failing due to timing issues (#​15692) (558345b)
• fix flaky drawer open and column sort timing issues (#​15677) (00f763b)

📝 Templates

• fix cloudflare logger error in with-cloudflare-d1 template (#​15752) (8791a72)
• ecommerce add missing access control on collections (#​15744) (c74d91d)
• fix ecommerce webhooks url and update docs on using stripe webhooks (#​15681) (677596c)

🏡 Chores

• make test:e2e agent-friendly with --grep support and dev server reuse (#​15755) (929203c)
• deps: bump next.js canary in monorepo (#​15708) (e3d8a94)
• plugin-mcp: improve schema sanitization and test coverage (#​15704) (7e20b5c)
• templates: bump versions to 3.77.0 (#​15678) (e26df27)

🤝 Contributors

• Elliot DeNolf (@​denolfe)
• Alessio Gravili (@​AlessioGr)
• Patrik (@​PatrikKozak)
• Sean Zubrickas (@​zubricks)
• Benedikt Rötsch (@​axe312ger)
• Shobhit Singhal (@​shobhitsinghal624)
• The Mavik (@​themavik)
• Divyesh Jain (@​divyesh123-jain)
• Paul (@​paulpopus)
• German Jablonski (@​GermanJablo)
• Jens Becker (@​jhb-dev)
• Jarrod Flesch (@​JarrodMFlesch)
• Jessica Rynkar (@​JessRynkar)
• Kendell (@​kendelljoseph)
• Varun Chawla (@​veeceey)

v3.77.0

Compare Source

🚀 Features

• pass local API depth through to req.query.depth for consistency (#​15023) (9a38469)
• db-*: add customID arg to db.create (#​15653) (0935824)
• plugin-mcp: migrate from @​vercel/mcp-adapter to mcp-handler (#​15661) (24025fd)

Feature Details

Local API Depth Consistency - The depth option passed to Local API calls like payload.find() is now automatically set on req.query.depth. Previously, hooks relying on req.query.depth would behave differently between Local API and REST/GraphQL calls unless you manually passed req: { query: { depth: x } } in addition to depth: x. This change ensures consistent behavior across all API methods. #​15023

Custom ID Support in db.create (db-*) - New customID argument on payload.db.create allows creating documents with a specific ID without requiring a custom ID field in your collection schema. #​15653

payload.db.create({ collection: 'posts', customID: 'ce98d6c4-c3ab-45de-9dfc-bf33d94cc941', data: { } })

MCP Plugin Migration (plugin-mcp) - Migrates from the deprecated @vercel/mcp-adapter to mcp-handler and bumps @modelcontextprotocol/sdk to 1.25.2 addressing a security vulnerability. Exposes new handler options: disableSse, onEvent, and redisUrl. #​15661

import { mcpPlugin } from '@​payloadcms/plugin-mcp'

export default buildConfig({
  plugins: [
    mcpPlugin({
      // Optional: Enable SSE transport (disabled by default)
      disableSse: false,
      // Optional: Redis URL for SSE session management (defaults to REDIS_URL env)
      redisUrl: 'redis://localhost:6379',
      // Optional: Track MCP events for analytics/debugging
      onEvent: (event) => {
        console.log('MCP event:', event)
      },
    }),
  ],
})

🐛 Bug Fixes

• hasMany text fields cannot be filtered with contains operator (#​15671) (4513a05)
• use consistent empty state styling between list and folder views (#​15555) (8953b37)
• populate previousValue correctly in afterChange hooks for nested lexical fields (#​15623) (1cc3bb9)
• add i18n support for dashboard edit mode buttons (#​15564) (818e31d)
• next: handle undefined fieldTab in version diff tabs (#​15590) (bbacab8)
• plugin-cloud-storage: ensure file data persists across operations (#​15570) (6af3673)
• plugin-cloud-storage: generateFileURL only ran when disablePayloadAccessControl was true (#​15667) (6c5611c)
• plugin-import-export: remove deprecated import (#​15666) (733b1df)
• plugin-import-export: export and import issues when using custom IDs (#​15518) (7e2a3ab)
• plugin-import-export: columns being duplicated when using toCSV hook (#​15597) (28e07dc)
• plugin-mcp: resolve union type fields failing in update tool (#​15660) (9ae89dd)
• plugin-multi-tenant: improve translation for "Tenant" (use "Mandant" instead of "Mieter") (#​15537) (4d4033b)
• plugin-multi-tenant: tenant selector not appearing after login (#​15617) (dd09f67)
• storage-r2: build error due to types issue in R2 Bucket type (#​15670) (7d1e233)
• ui: fix broken polymorphic join edit drawer (#​15621) (d450e99)

📚 Documentation

• update cell component docs (#​15574) (c403b00)
• outline html lexical content conversion (#​15601) (dc1b799)
• updates collection admin options (#​14605) (8e92f7f)
• update custom components docs (#​15576) (ae82294)
• clarify supported Next.js versions and optional dependencies in installation guide (#​15604) (409bc0d)

🧪 Tests

• trash e2e tests check URL before navigation completes (#​15599) (7fe5a8c)

🏡 Chores

• add md and mdx language block linting (#​15309) (5415516)
• bump playwright to fix vscode run test indicators (#​15626) (f74d288)
• only add publishAllLocales to publish when localizeStatus is enabled (#​15610) (d57bc22)

🤝 Contributors

• Paul (@​paulpopus)
• Patrik (@​PatrikKozak)
• Jessica Rynkar (@​JessRynkar)
• German Jablonski (@​GermanJablo)
• Kendell (@​kendelljoseph)
• Ahmad Yasser (@​AhmadYasser1)
• Sasha (@​r1tsuu)
• Philipp Schneider (@​philipp-tailor)
• Philipp Brumm (@​brumm)
• Sebastian Blank (@​blankse)
• Sean Zubrickas (@​zubricks)
• Alessio Gravili (@​AlessioGr)
• Vaishnav Patil (@​vaishnav-3)
• Divyesh Jain (@​divyesh123-jain)

v3.76.1

Compare Source

🐛 Bug Fixes

• use optional chaining for adminThumbnail size lookup to prevent crash (#​15586) (6937eec)
• non-image files should not recieve 0 bytes with useTempFiles (#​15538) (a313627)
• add CSP headers to SVG uploads to prevent XSS (#​15506) (8283c25)
• richtext-lexical: link tooltip overflows outside viewport with long URLs (#​15584) (af6b1a1)
• ui: prevent Tabs field crash when stored tabIndex exceeds tab count (#​15588) (a9e296e)
• ui: copy to locale function swallowing errors (#​15562) (8ce62d8)
• ui: ensure unpublish button only shows when drafts are enabled (#​15459) (69dc5e6)

⚙️ CI

• releaser always pull latest on release (#​15566) (84344a2)

v3.76.0

Compare Source

🚀 Features

• plugin-import-export: adds new exportLimit, importLimit and per collection limit control (#​15405) (a7beeca)

🐛 Bug Fixes

• drizzle: use dynamic import for typescript to avoid dependency in production (#​15545) (98a756c)
• live-preview-vue: update build config to compile as esm (#​14293) (60c65ed)
• next: drop support for Next.js versions with known CVEs, add canary 16.2.0 support (#​15547) (2b3061a)
• next: suppress webpack "Critical dependency" warning in dynamicImport (#​15534) (6158489)
• plugin-import-export: errors when import/export files were stored in a storage adapter such as S3 (#​15441) (73a9650)
• ui: tab error badge not counting required array validation errors (#​15563) (0ce6193)
• ui: folder view toggle button styles overridden due to equal specificity (#​15544) (df42bec)
• ui: remove clearData call in dropzone drop handler (#​10475) (b4e6761)

📝 Templates

• fix deprecation warnings during install (#​15536) (5edba8e)
• bump to 3.75.0 (#​15533) (8ea162c)

⚙️ CI

• do not wait for generating int and e2e matrix (#​15546) (de43402)

🏡 Chores

• fix deprecation warning when running reinstall or clean:all monorepo script (#​15535) (03bfaf4)
• drizzle: add logs indicating which migration statements are generated (#​15374) (306974d)

🤝 Contributors

• Alessio Gravili (@​AlessioGr)
• Patrik (@​PatrikKozak)
• Sasha (@​r1tsuu)
• Paul (@​paulpopus)
• Daniel Waltz (@​danielwaltz)
• Said Akhrarov (@​akhrarovsaid)

v3.75.0

Compare Source

🚀 Features

• adds beforeNav and afterNav component slots (#​15493) (f23a1df)
• next: pass full initReq context to server functions and dashboard widgets (#​15427) ([ce13e97](https://redirect.github.com/payloadcms/payload/comm