[Snyk] Upgrade @payloadcms/next from 3.60.0 to 3.62.1

[MrFriggo]

Snyk has created this PR to upgrade @payloadcms/next from 3.60.0 to 3.62.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 30 versions ahead of your current version.

• The recommended version was released 21 days ago.

Release notes

Package name: @payloadcms/next

• 3.62.1 - 2025-11-03
  

  v3.62.1 (2025-11-03)

  🐛 Bug Fixes

  The KV implementation was requiring all postgres users to have to create a new migration. The following fix prevents that.

  • disable lockedDocuments if the kv adapter uses a collection (#14453) (6930aaf)
• 3.62.0 - 2025-10-30
  

  v3.62.0 (2025-10-30)

  🚀 Features

  Jobs Access Control

  Adds role-based access control for job queue and cancel operations, allowing you to restrict who can manage background jobs in your application. Both operations now support overrideAccess parameter and respect custom access control functions defined in your jobs configuration. #14404

  // Configure access control
  jobs: {
  access: {
  queue: ({ req }) => req.user?.roles?.includes('admin'),
  cancel: ({ req }) => req.user?.roles?.includes('admin'),
  }
  }

  // Use in Local API
  await payload.jobs.cancel({
  where: { workflowSlug: { equals: 'sync' } },
  overrideAccess: false,
  req,
  })

  Per-Field Timezone Configuration

  Date fields can now have individual timezone settings, allowing different date fields to support their own list of supported timezones with custom default values. This enables more flexible date handling across your application. #14410

  {
    name: 'date',
    type: 'date',
    timezone: {
      defaultTimezone: 'America/New_York',
      supportedTimezones: [
        { label: 'New York', value: 'America/New_York' },
        { label: 'Los Angeles', value: 'America/Los_Angeles' },
        { label: 'London', value: 'Europe/London' },
      ],
    },
  }

  You can also enforce a specific timezone by specifying just one with a default value:

  {
    name: 'date',
    type: 'date',
    timezone: {
      defaultTimezone: 'Europe/London',
      supportedTimezones: [
        { label: 'London', value: 'Europe/London' },
      ],
    },
  }

  KV Storage Adapters

  Introduces a new key-value storage system with multiple adapter options (Database, In-Memory, Redis) for enhanced data persistence and performance. This provides the foundation for the upcoming Realtime API and other features requiring fast key-value access. #9913

  Access the KV store via payload.kv with the following interface:

  interface KVAdapter {
  /**
  * Clears all entries in the store.
  * @ returns A promise that resolves once the store is cleared.
  */
  clear(): Promise<void>

/**
* Deletes a value from the store by its key.
* @ param key - The key to delete.
* @ returns A promise that resolves once the key is deleted.
*/
delete(key: string): Promise<void>

/**
* Retrieves a value from the store by its key.
* @ param key - The key to look up.
* @ returns A promise that resolves to the value, or null if not found.
*/
get(key: string): Promise<KVStoreValue | null>

/**
* Checks if a key exists in the store.
* @ param key - The key to check.
* @ returns A promise that resolves to true if the key exists, otherwise false.
*/
has(key: string): Promise<boolean>

/**
* Retrieves all the keys in the store.
* @ returns A promise that resolves to an array of keys.
*/
keys(): Promise<string[]>

/**
* Sets a value in the store with the given key.
* @ param key - The key to associate with the value.
* @ param value - The value to store.
* @ returns A promise that resolves once the value is stored.
*/
set(key: string, value: KVStoreValue): Promise<void>
}

Configure the adapter using the kv property:

buildConfig({
  kv: adapter()
})

Database KV adapter (default) - Uses your existing database with a hidden payload-kv collection:

import { databaseKVAdapter } from 'payload'

buildConfig({
kv: databaseKVAdapter({
kvCollectionOverrides: {
slug: 'custom-kv',
...(process.env.DEBUG === 'true' && {
admin: { hidden: false },
access: {},
}),
},
}),
})

In Memory KV adapter - Fast memory-based storage for development:

import { inMemoryKVAdapter } from 'payload'

buildConfig({
kv: inMemoryKVAdapter(),
})

Redis KV Adapter - Production-ready Redis integration:

pnpm add @ payloadcms/kv-redis

import { redisKVAdapter } from '@ payloadcms/kv-redis'

buildConfig({
kv: redisKVAdapter({
keyPrefix: "custom-prefix:", // defaults to 'payload-kv:'
redisURL: "redis://127.0.0.1:6379" // defaults to process.env.REDIS_URL
}),
})

Configurable Toast Position

Toast notifications can now be positioned anywhere on the screen (top-left, top-center, top-right, bottom-left, bottom-center, bottom-right), giving you control over where important messages appear to your users. This is particularly useful for applications with large screens or specific UI layouts. #14405

The position configuration is a direct pass-through of the Sonner library's position options, with 'bottom-right' remaining the default.

Feature PRs

• add access control for jobs queue and cancel operations (#14404) (0a37edb)
• timezone config can now be added on a per field basis (#14410) (a3df837)
• add KV storage adapters (#9913) (ffb9a2e)
• make toast position configurable (#14405) (d5fab43)
• ui: export useQueue React hook (#14396) (612880d)

🐛 Bug Fixes

• globals with versions return _status field when access denied (#14406) (b766ae6)
• custom dashboard component causes runtime error on create-first-user and account views (#14393) (d5f4e72)
• claude: remove invalid frontmatter fields (#14411) (118d005)
• db-*: findMigrationDir in projects without src folder (#14381) (059185f)
• db-mongodb: migration fails for cosmosDB (#14401) (10a640c)
• db-mongodb: type error with prodMigrations (#14394) (8e5e23a)
• db-mongodb: duplicate ids in sanitizeQueryValue (#11905) (36bb188)
• db-postgres: hasMany relationship/number/text fields inside blocks are incorrectly returned when using select (#14399) (850cc38)
• drizzle: number fields in generated schema with defaultValue (#14365) (8996b35)
• plugin-multi-tenant: remove unused syncTenants from useEffect deps (#14362) (906a3dc)
• richtext-lexical: do not run json.parse if value is undefined or null (#14385) (09a6140)
• richtext-lexical: prevent TS CodeBlocks from sharing Monaco model (useId) (#14351) (5caebd1)
• storage-*: update the client cache to use a map instead with cache keys per bucket config (#14267) (38f2e1f)
• ui: where builder crashing with invalid queries (#14342) (6c83046)

🛠 Refactors

• deprecate job queue depth property (#14402) (1341f69)
• ui: simplify ConfigProvider, improve useControllableState types and defaultValue fallback (#14409) (255320e)

⚙️ CI

• add claude as valid scope (560f2f3)

🤝 Contributors

• Dan Ribbens (@ DanRibbens)
• Alessio Gravili (@ AlessioGr)
• Paul (@ paulpopus)
• Elliot DeNolf (@ denolfe)
• Sasha (@ r1tsuu)
• Patrik (@ PatrikKozak)
• Ossaid Qadri (@ imossaidqadri)
• Philipp Schneider (@ philipp-tailor)
• Kholiavko Roman (@ kholiavko-roman)
• Jacob Fletcher (@ jacobsfletch)
• Séalan Cronin (@ sealan)
• Jarrod Flesch (@ JarrodMFlesch)
• Justus Blönnigen (@ technicaldirector)

3.62.0-internal.ec3a6fa - 2025-10-30

3.62.0-internal.7fb5145 - 2025-10-29

3.62.0-internal.54b5b1d - 2025-10-29

3.62.0-internal.327a84a - 2025-10-29

3.62.0-internal.1e0c0f4 - 2025-10-29

3.62.0-internal.0e1f2fb - 2025-10-29

3.62.0-canary.6 - 2025-10-30

3.62.0-canary.5 - 2025-10-29

3.62.0-canary.4 - 2025-10-28

3.62.0-canary.3 - 2025-10-27

3.62.0-canary.2 - 2025-10-26

3.62.0-canary.1 - 2025-10-25

3.62.0-canary.0 - 2025-10-24

3.61.1 - 2025-10-24

v3.61.1 (2025-10-24)

🐛 Bug Fixes

• ui: ask before closing doc drawer with edits (#14324) (c1d017a)
• filteredLocales in the client config are stale (#14326) (5a37909)
• db-*: querying joins with $exists on mongodb and improve performance when querying multiple times on postgres (#14315) (1f166ba)
• db-postgres: regression in migrations in the _rels table (#14341) (a2b1c9b)
• plugin-search: add locale to key in syncedDocsSet (#14289) (c29e1f0)
• ui: account for array values in transformWhereToNaturalLanguage (#14339) (f2cabe7)
• ui: preview button not responding to conditional URL (#14277) (ad0e7b2)
• ui: use depth: 0 for publish specific locale request (#14313) (b68715e)

📚 Documentation

• various grammar and typo fixes (#14170) (c96d50d)
• adds example for name or label on groups field (#14323) (6d88f7d)

🤝 Contributors

• Jarrod Flesch (@ JarrodMFlesch)
• Boyan Bratvanov (@ bratvanov)
• Sasha (@ r1tsuu)
• Sean Zubrickas (@ zubricks)
• Said Akhrarov (@ akhrarovsaid)
• Paul (@ paulpopus)

3.61.0 - 2025-10-23

v3.61.0 (2025-10-23)

🚀 Features

• @ payloadcms/plugin-mcp Released (BETA) - New plugin that enables Payload to function as an MCP server, allowing AI models to interact with your collections through a standardized protocol. The plugin provides built-in tools for CRUD operations on collections and supports custom tools. #13674
  • MCP Documentation
  • GitHub Discussion for feedback

🐛 Bug Fixes

• user updatedAt modified during session operations (#14269) (a1671ec)
• document header text clipping (#14291) (db973e9)
• typescript requires fields when draft: true despite passing draft: true (#14271) (1016cd0)
• blocks access control not respecting update access whether on collection or on a per field basis (#14226) (88cb687)
• allow slugField to accept localized argument and fixed slug generation with custom field names (#14234) (2ced43d)
• db-postgres: limit index and foreign key names length (#14236) (a63b4d9)
• drizzle: folders with trash enabled don't display documents in polymorphic joins (#14223) (6d3aaaf)
• plugin-form-builder: display full textarea content in form submissions (#14161) (24dad01)
• plugin-multi-tenant: block references issue (#14320) (4f8b7d2)
• plugin-search: exclude skipped drafts in reindex handler (#14224) (0dc782c)
• richtext-lexical: ensure block node form displays up-to-date value when editor remounts (#14295) (f8e6b65)
• richtext-lexical: node replacements ignored for block, inline block, upload, unknown and relationship nodes (#14249) (1561853)
• richtext-lexical, ui: ui errors with Slash Menu in Lexical and SearchBar component in RTL (#14231) (fed3bba)
• ui: document locked modal blocks interaction after clicking Go Back (#14287) (5782a41)
• ui: change password button being hidden and unlock button being shown incorrectly on account page (#14220) (bcb4d8e)

⚡ Performance

• richtext-lexical: decrease size of field schema, minor perf optimizations (#14248) (e25ce1c)
• richtext-lexical: do not return i18n from editor adapter (#14228) (54224c3)

🛠 Refactors

• richtext-lexical: ensure classNames of all nodes can be customized (#14294) (e1ef1d2)

📚 Documentation

• improve slate to lexical migration docs (#14309) (6838c56)
• db indexes - code example missing const (#14171) (3b37f4a)
• add explanation about re-renders in useFormFields (#14288) (8cdb5dc)
• add jsdocs to RichText adapter (#14246) (8b0ac01)
• clarify admin.timezones list configuration with example (#14238) (de5f3db)
• fix link to slug-overrides in text.mdx (#14211) (8136a84)
• add mention of the useUploadHandlers error and steps to remedy it with a mention to monorepos (#14233) (8663024)

🔨 Build

• add plugin-mcp to publishList (#14319) (894cf0c)
• add README sync for top-level -> packages/payload (#14316) (2aba827)

🏡 Chores

• extract snapshot logic, correct types in version ops (#14290) (c2dcd12)
• bump pino to v9.14.0 and pino-pretty (#14283) (b252658)
• refresh CLAUDE.md (#14268) (05a869d)
• cleanup, short-circuit .split calls (#14245) (d57be12)

🤝 Contributors

• Jarrod Flesch (@ JarrodMFlesch)
• Elliot DeNolf (@ denolfe)
• Kendell (@ kendelljoseph)
• Alessio Gravili (@ AlessioGr)
• Patrik (@ PatrikKozak)
• Boyan Bratvanov (@ bratvanov)
• Paul (@ paulpopus)
• German Jablonski (@ GermanJablo)
• Bogdan Covrig (@ bogdaaamn)
• Romain Pironneau (@ romainpi)
• Sasha (@ r1tsuu)
• Ahmed Abdellahi Abdat (@ ahmed-abdat)
• Said Akhrarov (@ akhrarovsaid)

3.61.0-internal.dd40839 - 2025-10-22

3.61.0-internal.c47b5e9 - 2025-10-23

3.61.0-internal.c252d14 - 2025-10-22

3.61.0-internal.7d69f4e - 2025-10-23

3.61.0-internal.1898a30 - 2025-10-24

3.61.0-internal.5662539 - 2025-10-29

3.61.0-canary.6 - 2025-10-23

3.61.0-canary.5 - 2025-10-22

3.61.0-canary.4 - 2025-10-21

3.61.0-canary.3 - 2025-10-20

3.61.0-canary.2 - 2025-10-19

3.61.0-canary.1 - 2025-10-18

3.61.0-canary.0 - 2025-10-17

3.60.0 - 2025-10-16

v3.60.0 (2025-10-16)

🚀 Features

• accept multiple locales in fallbackLocale (#13822) (623a1b8)
• adds settingsMenu to admin navigation sidebar (#14139) (ee8b3cf)
• plugin-multi-tenant: allow collection access to be overridden via callback (#14127) (c40eec2)
• plugin-multi-tenant: allow hasMany on tenant field overrides (#14120) (fb93cd1)
• plugin-multi-tenant: user collection access overrides (#14119) (38b7a60)
• richtext-lexical: add collection filtering to UploadFeature, refactor relationship hooks (#14111) (6defba9)
• richtext-lexical: client-side block markdown shortcuts, code block (#13813) (07a1eff)

Localization

• Multiple fallback locales - fallbackLocale now accepts an array of locales for queries and locale configs. Payload will check each locale in order until finding a value, eliminating the need for manual fallback handling. #13822

  / Local API **/
  await payload.findByID({
  id,
  collection,
  locale: 'en',
  fallbackLocale: ['fr', 'es'],
  })

  /** REST API **/
  await fetch(<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">baseURL</span><span class="pl-kos">}</span></span>/api/<span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">collectionSlug</span><span class="pl-kos">}</span></span>?locale=en&amp;fallbackLocale[]=fr&amp;fallbackLocale[]=es)

  /** GraphQL **/
  await restClient.GRAPHQL_POST({
  body,
  query: { locale: 'en', fallbackLocale: ['fr', 'es']},
  })

  /** Locale Configs **/
  locales: [
  {
  code: 'en',
  label: 'English',
  fallbackLocale: ['fr', 'es'],
  },
  ]

Admin UI

• Settings menu in navigation - New admin.components.settingsMenu config option adds a gear icon above the logout button. Click to open a popup menu with custom admin-level utilities and actions that don't fit into collection or global navigation. #14139

  

Multi-Tenant Plugin

• Collection access overrides - New accessResultOverride callback allows modifying multi-tenant access control results per operation (read, create, update, delete, readVersions, unlock). Enables custom logic like allowing shared content across tenants. #14127

  multiTenantPlugin<ConfigType>({
    collections: {
      posts: {
        accessResultOverride: async ({ accessResult, accessKey, req }) => {
          // here is where you can change the access result or return something entirely different
          if (accessKey === 'read') {
            return {
              or: [
                {
                  isShared: