Merge remote-tracking branch 'origin/main' into feat/content-translator-incremental-richtext

# Conflicts:
#	content-translator/CHANGELOG.md
#	content-translator/dev/src/seed.ts
#	content-translator/package.json
#	content-translator/pnpm-lock.yaml
#	content-translator/src/translate/traverseFields.ts
#	content-translator/src/translate/traverseRichText.ts

Author: claude

.claude/skills/bump-dependencies/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: bump-dependencies
-description: Run the bundled bump-dependencies.sh to bump plugin dependencies, then walk every non-patch version change to surface breaking changes and apply any plugin-side updates needed. Use when the user says "bump dependencies", "upgrade dependencies", "update dependencies", or wants to refresh a single plugin's dependencies.
+description: Run the bundled bump-dependencies.sh to bump plugin dependencies, then walk every non-patch version change to surface breaking changes and apply any plugin-side updates needed. Also audits every workspace for security advisories (audit-dependencies.sh) and fixes them via override floors or direct-dependency pins. Use when the user says "bump dependencies", "upgrade dependencies", "update dependencies", "audit dependencies", "check for vulnerabilities", or wants to refresh a single plugin's dependencies.
 ---
 
 # Bump plugin dependencies and review breaking changes
@@ -69,6 +69,52 @@ Goal: bump the dependencies via the bundled script, then for every non-patch jum
 
    Don't commit. The user runs `git commit` themselves so they can review the diff.
 
+## Reconcile `pnpm-workspace.yaml` overrides
+
+The script bumps `package.json` and `pnpm-lock.yaml` but never touches the `overrides:` block in each plugin's `pnpm-workspace.yaml`. Overrides win during resolution, so any dependency pinned there is silently capped — `package.json` shows the new version while the lockfile keeps the old one. After the bump, audit the overrides:
+
+1. **Find the mismatch.** For every dependency that appears in both the bump diff and an `overrides:` block, compare declared vs resolved:
+
+   ```sh
+   grep -E "^  <dep>:" <plugin>/pnpm-workspace.yaml      # the pin
+   pnpm -C <plugin> list <dep>                            # what actually resolved
+   ```
+
+   An exact pin (`next: '16.2.6'`) caps the dep; a `^`-floor (`mongoose: '^8.22.1'`) only sets a minimum and won't block an upgrade.
+
+2. **Bump exact-pin dedup overrides; never remove them.** `next` is pinned to one exact version on purpose: it forces a single `next` (and therefore one React) across the plugin root, the `dev*/` apps, and the `@payloadcms/*` peers. Remove the pin and the `@payloadcms/*` multi-window peer range (`>=16.2.6 <17`) lets a transitive dep pull a second `next`, so the tree resolves two versions at once — the duplicate-deps Payload admin crash (`Cannot destructure property 'config' of useConfig()`; see the `fix-payload-duplicate-deps` skill). Bump the pin to match the new `package.json`, reinstall, and confirm one version remains:
+
+   ```sh
+   pnpm -C <plugin> list next | grep -oE 'next@[0-9.]+' | sort -u   # must be a single line
+   ```
+
+3. **Audit `^` security floors for redundancy.** A floor exists because some transitive dep once pulled a vulnerable version. Once that dep updates its own range, the floor is dead weight. Test it empirically: strip the floor lines (keep the dedup pins), reinstall every plugin, and compare each package's lowest resolved version to its floor.
+   - natural resolution **≥ floor** → redundant, drop the override.
+   - natural resolution **< floor** → still load-bearing, keep it (removing it puts a below-floor version back in the lockfile).
+
+   A downward drop after stripping is proof the floor does real work: the pre-strip lockfile held the forced safe version, so re-resolving lower means the natural range sits below the floor. A bump as large as a Payload minor rarely retires a floor — at the 3.84→3.85 bump, even `mongoose` (whose `@payloadcms/db-mongodb` consumer now requires `8.22.1` directly) still resolved `8.15.1` from another consumer, so every floor stayed. Restore the tree with `git stash` (not `git checkout -- .`, which is denied) once measured.
+
+## Audit for vulnerabilities and fix them
+
+A version bump is the natural moment to clear advisories. Each plugin is its own workspace, so audit per lockfile and consolidate.
+
+1. **Run the consolidated audit.** The helper next to this skill runs `pnpm audit` in every folder with its own `pnpm-lock.yaml` and prints one deduplicated table (one row per advisory, with the count of affected plugins) — what a per-folder loop can't show:
+
+   ```sh
+   ./.claude/skills/bump-dependencies/audit-dependencies.sh           # any advisory → exit 1
+   ./.claude/skills/bump-dependencies/audit-dependencies.sh high      # CI gate: only high+ fails
+   ```
+
+   The same advisory usually spans many plugins (shared Payload/tooling deps), so fix it once per package, not once per plugin.
+
+2. **Prefer the root-cause fix — update the owning dependency before reaching for an override.** Run `pnpm -C <plugin> why <pkg>` to find which direct/parent dependency pulls the vulnerable version. If a newer release of that owner requires the patched range, bumping the owner clears the advisory _and_ leaves no override behind — the cleanest fix, and it tracks upstream instead of pinning against it. The bump step (`bump-dependencies.sh` → `pnpm up --latest`) already does this for **direct** deps, so within the full flow the survivors are usually transitive-only with an already-current owner — those genuinely need step 3/4. Reach for an override only after confirming the owner can't move (already latest, or its range still spans the vulnerable version). An override is a forceful pin: it masks the real graph and accumulates, so it's the fallback, not the default.
+
+3. **Otherwise, fix with an override floor — the same mechanism as the security floors above.** For each advisory add (or raise) `pkg: '^<patched>'` in every plugin's `overrides:` block. Watch for a floor that _caps below_ the patched version: `esbuild: '^0.27.0'` excludes the `0.28.1` fix, so it has to move to `^0.28.1`, not just gain a sibling.
+
+4. **When the override won't move a transitive, pin it as a direct devDependency.** pnpm applies overrides during _fresh_ resolution but will not re-resolve an already-locked transitive to satisfy a changed override — `install`, `install --force`, `dedupe`, and `update <pkg>` all leave it in place (the lockfile even records the new override next to the old resolved version). The reliable escape hatch is to add the package as a direct `devDependency` at the patched range in the plugin that pulls it; a direct dep always resolves to its declared range, and the transitive consumer dedupes onto it. Example: `vite` (pulled by `vitest`, peer `^6 || ^7 || ^8`) stayed on the vulnerable line under a `vite: '^8.0.16'` override, so `"vite": "^8.0.16"` went into chat-agent and vercel-deployments `devDependencies` next to `vitest`.
+
+5. **Reinstall, re-audit to zero, then verify the toolchain.** Forcing a build-tool version is exactly where things break — `esbuild` minors (`0.x` = breaking by convention) and a `vite` major shift the transform/bundle path. After the fix, re-run the audit _and_ `typecheck` + `test` for every plugin, plus `build` for any plugin that uses the tool directly (e.g. astro's `esbuild` + `vite-plugin-dts`). Don't claim the advisories are cleared until the audit is empty and the suites are green.
+
 ## Heuristics for what to read carefully vs skim
 
 - **Payload core (`payload`, `@payloadcms/*`)** — read every minor's release notes; this repo's plugins live or die by Payload API stability. Pay attention to field-config, plugin API, and admin component prop changes.
@@ -83,3 +129,4 @@ Goal: bump the dependencies via the bundled script, then for every non-patch jum
 - Script returns `FAILED` for any plugin → report and stop, don't try to fix it inline.
 - A breaking change requires an architectural decision (e.g. Payload removes a hook the plugin depends on) → write up the options and ask before picking one.
 - Peer-dependency range needs to widen or narrow to track upstream → confirm with the user; this changes the plugin's public install matrix.
+- An exact-pin override (e.g. `next`) needs to cross a major, or a security floor's removal can't be proven redundant by the strip-and-reinstall test → confirm with the user before changing the `overrides:` block.

.claude/skills/bump-dependencies/audit-dependencies.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+# audit-dependencies.sh — consolidated `pnpm audit` across every plugin workspace.
+#
+# Runs `pnpm audit` in each folder that has its own pnpm-lock.yaml and prints a
+# single deduplicated table (one row per advisory, with the count of affected
+# plugins) — the Dependabot-style overview that a per-folder loop can't give.
+#
+# Usage (from the repo root):
+#   ./.claude/skills/bump-dependencies/audit-dependencies.sh [severity]
+#
+#   severity (optional): low | moderate | high | critical
+#     Exit non-zero only when an advisory at or above this level remains.
+#     Default: any advisory (low) fails. Use `high` for a CI gate that
+#     tolerates dev-only moderate/low noise.
+
+set -uo pipefail
+
+THRESHOLD="${1:-low}"
+# macOS ships bash 3.2 (no associative arrays); use a case lookup.
+rank_of() {
+    case "$1" in
+        low) echo 1 ;; moderate) echo 2 ;; high) echo 3 ;; critical) echo 4 ;;
+        *) echo 1 ;;
+    esac
+}
+MIN_RANK="$(rank_of "$THRESHOLD")"
+
+# Discover workspaces: every depth-1 dir with its own lockfile.
+PLUGINS=()
+for lock in */pnpm-lock.yaml; do
+    [ -f "$lock" ] && PLUGINS+=("$(dirname "$lock")")
+done
+if [ ${#PLUGINS[@]} -eq 0 ]; then
+    echo "No */pnpm-lock.yaml found. Run this from the repo root." >&2
+    exit 2
+fi
+
+TMPDIR_AUDIT="$(mktemp -d)"
+trap 'rm -f "$TMPDIR_AUDIT"/*.json 2>/dev/null; rmdir "$TMPDIR_AUDIT" 2>/dev/null' EXIT
+
+for p in "${PLUGINS[@]}"; do
+    pnpm -C "$p" audit --json > "$TMPDIR_AUDIT/$p.json" 2>/dev/null || true
+done
+
+python3 - "$TMPDIR_AUDIT" "$MIN_RANK" "${PLUGINS[@]}" <<'PY'
+import sys, os, json
+from collections import defaultdict
+
+tmp = sys.argv[1]
+min_rank = int(sys.argv[2])
+plugins = sys.argv[3:]
+RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4, "info": 0}
+
+adv = {}                       # id -> advisory dict
+affected = defaultdict(set)    # id -> {plugin}
+for p in plugins:
+    path = os.path.join(tmp, f"{p}.json")
+    try:
+        data = json.load(open(path))
+    except Exception:
+        continue
+    for aid, a in (data.get("advisories") or {}).items():
+        adv[aid] = a
+        affected[aid].add(p)
+
+if not adv:
+    print("\n✓ No known vulnerabilities in any workspace.")
+    sys.exit(0)
+
+rows = []
+for aid, a in adv.items():
+    sev = a.get("severity", "info")
+    patched = a.get("patched_versions", "") or ""
+    fixable = "yes" if patched and patched not in ("<0.0.0", "") else "NO"
+    rows.append((RANK.get(sev, 0), sev, a.get("module_name", "?"),
+                 (a.get("vulnerable_versions") or "")[:15],
+                 (patched or "")[:13], fixable, len(affected[aid]),
+                 (a.get("title") or "").strip()[:46], a.get("url", "")))
+rows.sort(key=lambda r: (-r[0], r[2]))
+
+print(f"\n{'sev':<9}{'package':<22}{'vulnerable':<16}{'patched':<14}{'fix':<5}{'#plug':<6}title")
+print("-" * 100)
+worst = 0
+for rank, sev, mod, vuln, patched, fixable, n, title, url in rows:
+    worst = max(worst, rank)
+    print(f"{sev:<9}{mod:<22}{vuln:<16}{patched:<14}{fixable:<5}{n:<6}{title}")
+    print(f"{'':<9}{url}")
+
+tot = defaultdict(int)
+for r in rows:
+    tot[r[1]] += 1
+print(f"\n{len(rows)} unique advisories: " + ", ".join(f"{k} {v}" for k, v in
+      sorted(tot.items(), key=lambda kv: -RANK.get(kv[0], 0))))
+
+# Exit non-zero when anything at/above the threshold remains.
+sys.exit(1 if worst >= min_rank else 0)
+PY

.github/workflows/ci.yml

@@ -136,6 +136,9 @@ jobs:
       - name: Run tests (astro-payload-richtext-lexical)
         run: cd astro-payload-richtext-lexical && pnpm test
 
+      - name: Run tests (cloudinary)
+        run: cd cloudinary && pnpm test
+
       - name: Run tests (content-translator)
         run: cd content-translator && pnpm test
 

admin-search/dev/package.json

@@ -38,5 +38,5 @@
   "engines": {
     "node": ">=22.12.0"
   },
-  "packageManager": "pnpm@11.1.1"
+  "packageManager": "pnpm@11.8.0"
 }

admin-search/package.json

@@ -29,24 +29,24 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@payloadcms/translations": "^3.84.1"
+    "@payloadcms/translations": "^3.85.1"
   },
   "peerDependencies": {
-    "@payloadcms/ui": "^3.84.1",
+    "@payloadcms/ui": "^3.85.1",
     "next": "^15.0.0 || ^16.0.0",
-    "payload": "^3.84.1",
-    "react": "19.2.6",
-    "react-dom": "19.2.6"
+    "payload": "^3.85.1",
+    "react": "19.2.7",
+    "react-dom": "19.2.7"
   },
   "devDependencies": {
     "@payloadcms/eslint-config": "^3.28.0",
     "@swc/cli": "^0.8.1",
-    "@swc/core": "^1.15.33",
-    "@types/react": "^19.2.14",
+    "@swc/core": "^1.15.41",
+    "@types/react": "^19.2.17",
     "@types/react-dom": "^19.2.3",
     "copyfiles": "^2.4.1",
     "eslint": "^9.39.4",
-    "prettier": "^3.8.3",
+    "prettier": "^3.8.4",
     "rimraf": "^6.1.3",
     "typescript": "^6.0.3"
   },
@@ -84,5 +84,5 @@
   "engines": {
     "node": ">=22.12.0"
   },
-  "packageManager": "pnpm@11.1.1"
+  "packageManager": "pnpm@11.8.0"
 }