github payloadcms/payload v3.66.0

v3.66.0 (2025-12-03)

⚠️ Security Issue

A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478).

You are strongly encouraged to immediately upgrade your own apps to the nearest patched versions of React and Next.js.

While this is not a Payload vulnerability, it may affect any Payload project running on the affected versions of React or Next.js. Payload does not install any of these dependencies directly; it only enforces their versions through its peer dependencies, which will only warn about version incompatibilities.

You will need to upgrade React and Next.js yourself in your own apps to the patched versions listed below in order to receive these updates.

Quick steps:

If using pnpm as your package manager, here's a one-liner:

pnpm add react@19.2.1 next@15.4.8

To do this manually:

  1. In your package.json:
    • Bump react to 19.2.1
    • Bump next to 15.4.8
  2. Reinstall node modules, e.g. pnpm i
  3. Redeploy your app

Here's a full breakdown of the vulnerable packages and their patched releases:

| Vulnerable package | Patched release |
| --- | --- |
| React 19.0, 19.1, 19.2 | 19.0.1, 19.1.2, and 19.2.1 |
| Next.js 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |

See #14807 for more details.
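
Because peer dependencies only warn, it is worth checking the versions your project actually resolves against the table above. The check below is an added example, not part of the Payload release notes: the function names and sample versions are constructed, and it assumes that a later patch on the same release line also carries the fix.

```javascript
// Added example. Patched releases are copied from the table above;
// function names and the sample input are constructed for illustration.
const PATCHED = {
  react: ['19.0.1', '19.1.2', '19.2.1'],
  next: ['14.3.0-canary.88', '15.0.5', '15.1.9', '15.2.6', '15.3.6',
         '15.4.8', '15.5.7', '16.0.7'],
};

// Split "15.4.8" or "14.3.0-canary.88" into numeric parts plus a prerelease tag.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+)\.(\d+))?$/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3],
           tag: m[4] || null, pre: m[5] ? +m[5] : null };
}

// Returns 'patched', 'vulnerable', or 'not-listed' (unparseable version,
// unknown package, or a release line that the table does not mention).
function checkVersion(pkg, version) {
  const v = parse(version);
  if (!v || !PATCHED[pkg]) return 'not-listed';
  // Find the fix for the same major.minor line and the same prerelease channel.
  const fix = PATCHED[pkg].map(parse).find(
    (p) => p.major === v.major && p.minor === v.minor && p.tag === v.tag);
  if (!fix) return 'not-listed';
  if (v.patch !== fix.patch) return v.patch > fix.patch ? 'patched' : 'vulnerable';
  // Same x.y.z: only the prerelease counter (e.g. canary.88) can differ.
  return v.pre === null || v.pre >= fix.pre ? 'patched' : 'vulnerable';
}

// Audit a map of resolved versions (exact versions, not package.json ranges).
function audit(installed) {
  const report = {};
  for (const [pkg, version] of Object.entries(installed)) {
    report[pkg] = checkVersion(pkg, version);
  }
  return report;
}

// Constructed sample input: React still on an unpatched 19.2 build, Next.js fixed.
console.log(audit({ react: '19.2.0', next: '15.4.8' }));
```

Feed it the exact versions from your lockfile rather than the ranges in package.json, since a range such as `^19.0.0` does not say which build is installed.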

🚀 Features

  • support custom slugify functions (#14117) (59a1607)
  • accessibility testing and improvements (#14454) (42cbd70)
  • support external JSON schema file references in type generation (#14749) (cb3a078)
  • cpa: assume adapter for with-cloudflare-d1 template (#14799) (4f03016)
  • richtext-lexical: add align support to upload nodes (#14720) (a21c47b)

Feature Details

Custom Slugify Functions - Override the default slug field behavior with your own slugify function. Useful for special character encoding, additional language support, or custom slug formatting. Also deprecates fieldToUse in favor of useAsSlug for consistency with useAsTitle. #14117

import type { CollectionConfig } from 'payload'
import { slugField } from 'payload'
import slugify from 'slugify';

export const MyCollection: CollectionConfig = {
  // ...
  fields: [
    // ...
    slugField({
      slugify: ({ valueToSlugify }) => slugify(valueToSlugify, {
        // ...additional `slugify` options here
      })
    })
  ]
}

Accessibility Testing and Improvements - Adds automated accessibility testing infrastructure including axe a11y scans, focus indicator checks, and horizontal scroll overflow detection. Covers all fields, major views, components, plugins, and Lexical editor. See the a11y report discussion for tracked issues. #14454

External JSON Schema References in Type Generation - Enables $ref pointers to external .json schema files in typescriptSchema field config. External references are resolved relative to process.cwd(). #14749

// payload.config.ts
{
  typescript: {
    schema: [
      ({ jsonSchema }) => {
        jsonSchema.definitions.MyType = {
          $ref: './schemas/my-type.json'
        }
        return jsonSchema
      },
    ]
  }
}

Auto-detect D1 Adapter (cpa) - The with-cloudflare-d1 template now automatically assumes the D1 database adapter, eliminating the database selection prompt during project creation. #14799

Upload Node Alignment (richtext-lexical) - Adds alignment support to upload nodes in the Lexical editor. Upload/media blocks can now be aligned left, center, or right using the FORMAT_ELEMENT_COMMAND. #14720

🐛 Bug Fixes

  • remove "all" from JSDoc comment on supported http methods in endpoints (#14777) (8c8def9)
  • should exclude svg files from file buffer mime validation (#14751) (015b363)
  • deps: bump minimum react and next versions (#14807) (2dfe464)
  • plugin-import-export: incorrect user type in Export causing runtime type mismatch (#14790) (61f5aee)
  • plugin-multi-tenant: tenant modal not appearing when autosave is off (#14806) (b96e928)
  • plugin-multi-tenant: auto assign tenant when autosave is enabled (#14745) (b0674fa)
  • richtext-lexical: copying and pasting a single block in Lexical results in an error due to duplicate ID (#14738) (cd9addf)
  • richtext-lexical: export serverInlineBlock modules (#14739) (becceb7)
  • translations: translate slug field actions (#14784) (5542e56)
  • ui: prevent NaN page parameter in polymorphic relationship pagination (#14795) (bbdfdb8)
  • ui: reduce spacing between checkbox and first column when few columns shown (#14776) (6ae1bc8)

📚 Documentation

🧪 Tests

📝 Templates

  • update with-cloudflare-d1 to the latest OpenNext and wrangler (#14509) (5150388)

⚙️ CI

🏡 Chores

⚠️ BREAKING CHANGES

🤝 Contributors
