Update dependency payload to v3.44.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
payload (source)	3.34.0 -> 3.44.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-4643

Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.

CVE-2025-4644

A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.

---

Release Notes

payloadcms/payload (payload)

v3.44.0

Compare Source

🚨 Notice 🚨

If your project uses the local auth strategy with db-postgres or db-sqlite, a migration is required. This is due to a new security feature (enabled by default) that stores a unique auth session identifier in the database.

To opt out and continue using the previous behavior, you can disable the feature by setting auth.useSessions: false in your users collection config.

For example:

// payload.config.ts
collections: [
  {
    slug: 'users',
    auth: {
      useSessions: false,
    },
    fields: [],
  },
],

🚀 Features

• auth sessions (#​12483) (26d709d)
• collection-level preferences (#​12909) (c8b7214)
• collection-level disableBulkEdit (#​12850) (a5ec55c)
• plugin-import-export: preview displays CSV and JSON data accurately (#​12948) (3830d71)
• templates: added int and e2e tests to blank and website templates (#​12866) (87c7952)

🐛 Bug Fixes

• richTextField supports beforeInput/afterInput, but these were missing from types.ts (#​12889) (e769550)
• validate "null" value for point field as true when its not required (#​12908) (2da6d92)
• get external resource blocked (#​12927) (a7ad573)
• restore missing properties to live preview client config (#​12904) (bcb10b5)
• uses valid fractional index for test (#​12942) (8900a38)
• querying virtual fields deeply with draft: true (#​12868) (bc9b501)
• use small pill size when viewing version information (#​12844) (6c4dfe4)
• db-mongodb: strip deleted from the config blocks from the result (#​12869) (54afaf9)
• db-postgres: joins with custom schema (#​12937) (c1f6297)
• db-postgres: querying on hasMany: true select field in a relationship (#​12916) (b74969d)
• drizzle: skip column if undefined in findMany (#​12902) (605c993)
• live-preview: client-side live preview cannot populate more than 10 relationships at once (#​12929) (7472798)
• live-preview: foreign postMessage events reset client-side state (#​12925) (67fa5a0)
• next: live preview popup triggers leave without saving modal (#​12947) (141133a)
• next: prevent errors in globals version view (#​12920) (39e9519)
• next: remove error handling from next auth functions (#​12897) (1b5e3fe)
• next: remove console.error from next auth functions (#​12881) (fe58f03)
• plugin-import-export: duplicated rows and headers in CSV export when streaming paginated results (#​12941) (5cf9287)
• plugin-import-export: csv export for polymorphic relationship fields (#​12926) (6d76874)
• plugin-import-export: omit CSV columns when toCSV returns undefined (#​12923) (751691a)
• plugin-multi-tenant: updates tenant selector upon tenant creation (#​12936) (c76d839)
• richtext-lexical: consistent html converter inline padding (#​12848) (11ac230)
• ui: usePreventLeave should not show alert for exceptions (#​12722) (c3c1614)
• ui: vertically align table headers to the middle (#​12699) (0e9865c)
• ui: properly render create new button in polymorphic joins (#​12930) (a1822d2)
• ui: render DateTime label as instead of (#​12949) (4b9566f)
• ui: bulk upload losing state when adding additional files (#​12946) (d62d9b4)
• ui: unreachable custom views when admin route set to '/' (#​12812) (379fc12)
• ui: toggle list selections off on successful bulk action (#​12861) (9f17db8)
• ui: align caret on error tooltip for checkbox field (#​12917) (c094b0e)
• ui: updates auth fields UI to reflect access control (#​12745) (1845669)
• ui: folder server function must reference exports dir (#​12898) (0d50799)
• ui: custom row labels on arrays should not be removed on field duplication (#​12895) (37c945b)
• ui: date format of useAsTitle lost after changing value (#​12928) (20bbbcf)
• ui: properly differentiate between DOM events and raw values in setValue (#​12892) (c03e9c1)
• ui: should select document after creation from relationship field (#​12842) (25e3902)
• ui: support react node content in ConfirmationModal heading and body (#​12841) (dffdee8)

🛠 Refactors

• changed default exports to named exports in payload package (#​12871) (053192c)
• remove unused assets, move remaining assets out of payload packages (#​12874) (bb17cc3)
• simplify job queue error handling (#​12845) (59f536c)
• simplify job type (#​12816) (84cb2b5)

📚 Documentation

• remove group from list of default field validations (#​12921) (e5e0ec8)
• filterOptions anchor link fix (#​12883) (fcaf989)
• fix typo on authentication overview page (#​12891) (7a0308f)
• plugin-sentry: add pg query instrumentation guide (#​12229) (dede3a4)

🧪 Tests

• bulk edit flaky selectors (#​12950) (86e48ae)
• adds test for skipSafeFetch allowList (#​12954) (7ebac63)
• guard against null values in custom toCSV functions (#​12938) (1cdec86)
• fix database/int.spec.ts with postgres custom schema (#​12922) (cf87871)
• fix database integration tests with postgres (#​12919) (886c07e)

📝 Templates

• bump for v3.43.0 (#​12831) (d1826c6)

📓 Examples

• fix broken navigation to post in localization example (#​12810) (6a935d4)

⚙️ CI

• bring back CODEOWNERS file for reviews, approval not required [skip ci] (1db0619)
• revert bump pnpm to v10 (#​12840) (#​12906) (ca0d036)
• add timeout-minutes for int and e2e (#​12903) (c7dc1b4)
• adjust neverBuiltDependencies in test/package.json (#​12896) (a44e4c4)
• bump pnpm to v10 (#​12840) (85e0e0e)

🏡 Chores

• fix jest global teardown incorrectly always returning process exit status 0 (#​12907) (5368440)
• set trimTrailingWhitespace and insertFinalNewline in vscode settings (#​12939) (b1a57fa)
• fix withPayload helper jsdoc (#​12503) (57f4fb6)
• remove neverBuiltDependencies from test/package.json (4831f66)
• add eslint rule to ignore default exports in test suite configs (#​12655) (9c5adba)

🤝 Contributors

• James Mikrut (@​jmikrut)
• Jacob Fletcher (@​jacobsfletch)
• Elliot DeNolf (@​denolfe)
• Roman (@​spielerx)
• Jesper We (@​JesperWe)
• ThijsAtFreave (@​ThijsAtFreave)
• Sam Wheeler (@​swheeler7)
• Chandler Gonzales (@​jcgsville)
• Jessica Rynkar (@​jessrynkar)
• Said Akhrarov (@​akhrarovsaid)
• Dani Calero 🚀 (@​danicaleroo)
• Sasha (@​r1tsuu)
• Dan Ribbens (@​DanRibbens)
• Patrik (@​PatrikKozak)
• Dave Ryan (@​dave-wwg)
• Jarrod Flesch (@​JarrodMFlesch)
• Kendell (@​kendelljoseph)
• Ondřej Závodný (@​ozavodny)
• Paul (@​paulpopus)
• Ruby Jasmin (@​rubyjasmin)
• Anatoly Kopyl (@​anatolykopyl)
• Alessio Gravili (@​AlessioGr)
• Andrea Ghidini (@​ghidosoft)
• Adler Weber (@​adlrwbr)
• Marcus Michaels (@​marcusmichaels)
• Philip (@​stuckinsnow)

v3.43.0

Compare Source

🚀 Features

• admin upload controls (#​11615) (f2e0422)
• expose data argument in afterChange hook for collections and globals (#​12756) (458a04b)
• db-postgres: allow to store blocks in a JSON column (#​12750) (215f49e)
• db-postgres: support read replicas (#​12728) (0a35737)
• version diff view overhaul (#​12027) (4e2e4d2)
• next: reorder document view tabs (#​12288) (65309b1)
• storage-s3: dynamic presigned URL downloads (#​12706) (865a9cd)
• ui: adds constructorOptions to upload config (#​12766) (b372a34)
• ui: moves folder rendering from the client to the server (#​12710) (a43d1a6)

🐛 Bug Fixes

• ensure job autoruns are not triggered if jobs collection not enabled (#​12808) (769ca03)
• filtering joins in where by ID (#​12804) (9943b35)
• change payload.jobs.run and bin script to only run jobs from default queue by default, adds support for allQueues argument (#​12799) (06ad171)
• remove unsupported path property from default document view configs (#​12774) (f64a0ae)
• field inside an unnamed group field erroring when used as a title (#​12771) (143aff5)
• error when saving global with versioning enabled (#​12778) (cf43c5c)
• reduce global DOM/Node type conflicts in server-only packages (#​12737) (67fb29b)
• orderable has incorrect sort results depending on capitalization (#​12758) (37afbe6)
• ensure redirect route is correctly formatted for "Copy to locale" (#​12560) (9d2817e)
• db-mongodb: 4x and more level deep relationships querying (#​12800) (245a2de)
• db-mongodb: bump mongoose to 8.15.1 (#​12755) (860e0b4)
• db-postgres: reordering of enum values, bump [email protected] and [email protected] (#​12256) (7045182)
• db-postgres: x3 and more nested blocks regression (#​12770) (df8be92)
• db-sqlite: sqlite unique validation messages (#​12740) (254ffec)
• plugin-import-export: download button in collection edit view (#​12805) (8235fe1)
• plugin-import-export: incorrect custom type on toCSVFunction changed to toCSV (#​12796) (3edcc40)
• plugin-import-export: export all available fields by default (#​12731) (c4e5831)
• plugin-nested-docs: check error name that is changed at compile time (#​12798) (729b676)
• plugin-redirects: add missing optional chaining (#​12753) (d0e647a)
• storage-azure: return error status 404 when file is not found instead of 500 (#​11734) (018317d)
• storage-gcs: return 404 on file not found instead of 500 (#​11746) (d8626ad)
• storage-s3: return error status 404 when file is not found instead of 500 (#​11733) (a19921d)
• translations: reformats bnBD and bnIN translation imports to camelCase (#​12736) (08fbcb5)
• ui: reordering with a join field inside a group (#​12803) (e60db07)
• ui: adjust alignment of list header actions (#​12793) (77f3805)
• ui: not showing hyphenated field values in table (#​12791) (e7b5884)
• ui: inconsistent pill sizes across admin panel (#​12788) (9364d51)

⚡ Performance

• ui: do not re-animate drawer on re-render, reduce useEffects (#​12743) (cb3f9bb)

🛠 Refactors

• next: simplify document tab rendering logic (#​12795) (53835f2)
• next: simplify document view routing (#​12777) (b556fe3)

📚 Documentation

• fix header custom component example (#​12801) (7fef589)
• remove outdated buildPath property (#​12741) (38652d7)
• add info about localized/built-in validation error messages (#​12718) (96f417b)
• fix invalid code block language (#​12734) (ebe7fde)

🏡 Chores

• adds filters (#​12622) (c04c257)
• remove invalid colon from workspaces key in package.json (#​12757) (08d5b2b)
• migrate to TypeScript strict in Payload package - #​4/4 (#​12733) (53f8838)
• scripts: fix tsconfig.base.json reset (3313ab7)

🤝 Contributors

• Sasha (@​r1tsuu)
• Jessica Rynkar (@​jessrynkar)
• Alessio Gravili (@​AlessioGr)
• Dan Ribbens (@​DanRibbens)
• Kendell Joseph (@​kendelljoseph)
• Paul (@​paulpopus)
• Jacob Fletcher (@​jacobsfletch)
• Jayce Pulsipher (@​jaycetde)
• Patrik (@​PatrikKozak)
• Jarrod Flesch (@​JarrodMFlesch)
• Patrick Roelofs (@​Patrickroelofs)
• Anders Semb Hermansen (@​andershermansen)
• Said Akhrarov (@​akhrarovsaid)
• Elliot DeNolf (@​denolfe)
• Anyu Jiang (@​anyuj)
• Germán Jabloñski (@​GermanJablo)
• codeflorist (@​codeflorist)

v3.42.0

Compare Source

🚀 Features

• create the importmap file if missing and the location can be found (#​12727) (c6659db)
• plugin-import-export: add custom toCSV function on fields (#​12533) (8f4c442)
• plugin-import-export: add debug logging option (#​12705) (678bfc7)
• translations: add Bangla translations (#​12696) (3f670ca)

🐛 Bug Fixes

• proper globals max versions clean up (#​12611) (9fbc3f6)
• adds routeParams to the req on views (#​12711) (773e4ad)
• plugin-form-builder: export DateField type (#​12695) (8d7dbe6)
• plugin-import-export: incorrect config extension of jobs (#​12730) (ff615d3)
• plugin-import-export: revise zhTw translations (#​12685) (afbdf3d)
• richtext-lexical: text state css not applied if 2+ text state groups present (#​12726) (3d177fd)
• richtext-lexical: prevent runtime error if using TextStateFeature without props (#​12668) (6f82154)
• richtext-slate: add 'li' string literal to RichTextElement type (#​12693) (e10e445)
• translations: correct i18n dynamic variable name for 'movingFromFolder' (#​12642) (6f76d72)

⚡ Performance

• richtext-lexical: improve typing performance while toolbars are enabled (#​12669) (aef4f77)

📚 Documentation

• document how to expose the jobs collection in Admin UI (#​12707) (34fe36b)
• fix formatting in custom components > edit view paragraph (#​12697) (6466684)
• improve jobs autorun docs, adds e2e test (#​12196) (7c05c77)
• enhance drafts documentation with examples for REST, Local, and GraphQL APIs (#​12575) (629e74d)
• removes duplicate headline in building without a db connection (#​12694) (4ee4aa7)
• plugin-form-builder: add warning about GraphQL type name collis… (#​12720) (7b21270)

🏡 Chores

• enable turbopack by default in monorepo (#​12684) (f80dc5b)

🤝 Contributors

• Dan Ribbens (@​DanRibbens)
• Sasha (@​r1tsuu)
• sonny.you (@​SonnyYou)
• Jarrod Flesch (@​JarrodMFlesch)
• Alessio Gravili (@​AlessioGr)
• Germán Jabloñski (@​GermanJablo)
• Gordon Westerman (@​gwesterman)
• Willian de Souza (@​WillFelisberto)
• Anyu Jiang (@​anyuj)
• SHOMRIDDHO'S WORLD (@​shomriddho)
• Jessica Rynkar (@​jessrynkar)
• Paul (@​paulpopus)
• Sean Zubrickas (@​zubricks)

v3.41.0

Compare Source

🚀 Features

• optionally exclude collection documents from appearing in browse-by-folder (#​12654) (337f618)
• improve turbopack compatibility (#​11376) (319d335)
• polymorphic join querying by fields that don't exist in every collection (#​12648) (2b40e0f)
• ui: use document drawers for folder edit/create (#​12676) (9581092)
• ui: adds new editMenuItems custom component (#​12649) (625d8d9)

🐛 Bug Fixes

• correctly detect glb & gltf mimetypes during upload (#​12623) (05eeddb)
• allow unnamed group fields to not set a label at all (#​12580) (d561195)
• cpa: generate .env when using the --example flag (#​12572) (836fd86)
• db-postgres: ensure deletion of numbers and texts in upsertRow (#​11787) (bd512f1)
• db-postgres: in query with null (#​12661) (c08cdff)
• live-preview: correct type inference (#​12619) (c83e791)
• next: cannot override tab of default views (#​11789) (c639c5f)
• plugin-seo: thread allowCreate to meta image component (#​12624) (ede5c67)
• richtext-lexical: export defaultColors for use in client components (#​12627) (8199a7d)
• richtext-lexical: enable select inputs with ctrl+a or cmd+a (#​12453) (89ced5e)
• translations: add missing import for lv locale from date-fns (#​12577) (cbc37d8)
• ui: adjusts margin spacing on upload actions (#​12692) (1dd4a12)
• ui: safely extract text from React nodes (#​12419) (48e5ee6)
• ui: formatDate and formatTimeToNow utility type error on i18n arg to support I18nClient too (#​12576) (76bf459)
• ui: correctly thread through the autoComplete attribute from admin config to the text input (#​12473) (08ec837)
• ui: clear miliseconds in date fields unless theyre explicitly provided in the display format (#​12650) (a9ff375)
• ui: reset columns state throwing errors (#​11903) (08a6f88)
• ui: upload action button styles (#​12592) (6119d89)

⚡ Performance

• ui: prevent unnecessary client config sanitization (#​12665) (2bd098c)

🛠 Refactors

• translations: correct i18n translation for Mandarin (#​12561) (6f8cff7)
• ui: improve relationship field option loading reliability using queues (#​12653) (30dd9a2)

📚 Documentation

• add Content-Type header for JWT authentication (#​12513) (3f7debd)
• fix import statements for plugin-nested-docs (#​12494) (5635ec5)
• improve rich-text documentation with hasText usage tip (#​12645) (53de775)
• fix beforeHook documentation to reflect actual behaviour (#​12651) (fd5cd1a)
• improve module augmentation docs for request context (#​12681) (0c3ff88)
• update seo plugin tabbedUI docs to mention potential pitfalls with the config option (#​12549) (505eaa2)
• missing dash (#​12644) (684c436)
• building without a db connection (#​12607) (7c094dc)

📝 Templates

• do not expose users in example custom routes (#​12677) (be52a20)
• bump for v3.40.0 (#​12613) (71df378)

⚙️ CI

• skip flaky test on supabase (#​12667) (30bb749)
• ability to test against turbopack (#​12652) (0ceb96b)

🏡 Chores

• fix various e2e test setup issues (#​12670) (545d870)
• fix lint warnings for default exports, unused imports, unused err in catch (#​12666) (48218bc)
• migrate to TypeScript strict in Payload package (enable strictNullChecks) - #​3 (#​12586) (6ec21a5)
• update CONTRIBUTING.md (#​12511) (5e3a94b)

🤝 Contributors

• Patrik (@​PatrikKozak)
• Kamil Troczewski (@​kamiloox)
• codeflorist (@​codeflorist)
• Rot4tion (@​Rot4tion)
• iamacup (@​iamacup)
• Jacob Fletcher (@​jacobsfletch)
• Alessio Gravili (@​AlessioGr)
• Jarrod Flesch (@​JarrodMFlesch)
• Elliot DeNolf (@​denolfe)
• Said Akhrarov (@​akhrarovsaid)
• Sasha (@​r1tsuu)
• Paul (@​paulpopus)
• Germán Jabloñski (@​GermanJablo)
• Jessica Rynkar (@​jessrynkar)
• Jacob (@​chmielulu)
• Tobias Odendahl (@​tak-amboss)
• Anyu Jiang (@​anyuj)

v3.40.0

Compare Source

🚀 Features

• adds new canSetHeaders prop to auth strategies (#​12591) (ca6f849)
• moves getSafeRedirect into payload package (#​12593) (7e873a9)
• adds calling of before and after operation hooks to resetPassword (#​12581) (54a0484)
• show nested fields in named tabs as separate columns in the list view (#​12530) (20f7017)
• filter query preset constraints (#​12485) (0204f0d)
• select field filter options (#​12487) (f75d62c)
• ui: export FieldAction type (#​12589) (699af8d)

🐛 Bug Fixes

• parseCookies ignore invalid encoded values (#​12515) (bfdcb51)
• improve translation script prompt and fix some incorrectly used terms in spanish and dutch (#​12548) (1731dd7)
• browseByFolder route should be optional (#​12527) (c010d51)
• thread req into interal folder payload operations (#​12523) (64443d8)
• infinite loop in findUp utility when a result is not found (#​12457) (842d184)
• delete subfolders hook with relational databases (#​12507) (45f4c5c)
• db-*: disable DB connection for payload migrate:create (#​12596) (12395e4)
• db-*: migrate:reset executes in a wrong order (#​12445) (1b1e36e)
• db-mongodb: exists query on checkbox fields (#​12567) (f2b6c4a)
• db-postgres: properly escape the ' character (#​12590) (6888f13)
• examples: update live-preview example to ESM (#​12570) (d6f6b05)
• next: folder redirects not working (#​12509) (bc43982)
• richtext-lexical: respect disableBlockName (#​12597) (ca26402)
• richtext-lexical, ui: opening relationship field with appearance: "drawer" inside rich text inline block (#​12529) (f2b54b5)
• storage-vercel-blob: client uploads with a prefix (#​12559) (b61ef13)
• templates: update template/plugin and fix import map issue (#​12305) (68ba24d)
• translations: improve Spanish translations (#​12555) (8a7ac78)
• translations: correct Norwegian terms for “locale” and language labels (#​12557) (bd2571c)
• ui: reduces pill sizing in autosave cells (#​12606) (a17d84e)
• ui: oversized column selector pills (#​12583) (3022cab)
• ui: filtering on hasMany fields (#​12579) (166dafe)
• ui: prevent textarea description overlapping fields and not honoring rows attribute (#​12406) (032375b)
• ui: cloudfront removing X-HTTP-Method-Override header (#​12571) (8448e5b)
• ui: live-preview-tab should show beforeDocumentControls (#​12568) (dfa0974)
• ui: safari css rendering issues with table and folder cards (#​12531) (293cdc1)
• ui: only and files/folders to the grid/list if they were added to the current folder (#​12525) (5a75881)
• ui: replaces css fn with css calc (#​12520) (feeee19)
• ui: index based ids without useAsTitle breaks folders (#​12519) (e9cda1e)

⚡ Performance

• folder views download only images and get best fit from image sizes (#​12514) (11a4a20)

🛠 Refactors

• use parseCookies method from Next.js (#​12599) (d85909e)

📚 Documentation

• autoLogin codeblock was not nested under 'admin' (#​12573) (0c0b0fe)
• typos and links (#​12484) (7fa879c)
• fix typos, duplicated words, wrong property names etc. (#​12480) (e2f7889)

📝 Templates

• bump for v3.39.1 (#​12504) (6b6948f)

🏡 Chores

• updates bug template (#​12587) (4a41369)
• fixes monorepo dev plugin-import-export (#​12528) (06fbc07)
• moves collections folders property to the top level (#​12508) (d83b2bf)
• examples: remove unused imports from custom server example (#​12467) (071c61f)
• examples: fix read permission in auth example (#​12403) (cceb793)
• ui: finish adding folders e2e tests (#​12524) (feb7e08)

🤝 Contributors

• Sasha (@​r1tsuu)
• Jarrod Flesch (@​JarrodMFlesch)
• James Mikrut (@​jmikrut)
• Alessio Gravili (@​AlessioGr)
• Jacob Fletcher ([@​jacobsfletch](https:

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.