
Latest Release: 3.47.0

Tag Name: v3.47.0

Release Date: 7/11/2025

Payload CMS

Payload CMS is a modern, self-hosted headless content management system built with TypeScript, Node.js, and MongoDB. It's designed specifically for developers who want full control over their content management system while maintaining a powerful admin interface for content editors.

TL;DR

Payload CMS v3.47.0 introduces significant enhancements including copy-paste functionality for complex fields, improved security with file MIME type validation and email content sanitization, better UX with redirects for non-existent documents, and API key visibility toggle. Performance improvements for PostgreSQL and numerous bug fixes across authentication, UI components, and the import-export plugin make this a well-rounded release focused on developer experience and security.

Highlight of the Release

    • Copy-paste functionality for complex fields like Arrays and Blocks
    • Enhanced security with file MIME type validation and email content sanitization
    • Improved UX with redirects for non-existent documents and API key visibility toggle
    • Performance optimization for PostgreSQL database operations
    • Better export functionality in the import-export plugin

Migration Guide

Using the New Email Sanitization Function

If you're using email templates that insert user data directly, update your code to use the new sanitization function:

import { sanitizeUserDataForEmail } from 'payload/shared';

// Before
const emailHTML = `<p>Hello ${user.name}!</p>`;

// After
const sanitizedUser = sanitizeUserDataForEmail(user);
const emailHTML = `<p>Hello ${sanitizedUser.name}!</p>`;

API Key Compatibility

No action is required for the API key algorithm compatibility fix. The system now automatically supports both sha1 (from older versions) and sha256 lookups.

PostgreSQL Performance Optimization

The PostgreSQL performance optimization is applied automatically when using payload.db.updateOne with simple data. No changes to your code are required to benefit from this improvement.

Upgrade Recommendations

This release contains important security fixes and performance improvements, making it a recommended upgrade for all Payload CMS users. The changes are mostly non-breaking and should be safe to apply to existing projects.

Priority: Medium-High

Who should upgrade immediately:

  • Users with public-facing applications that allow file uploads (for the MIME type validation)
  • Users sending emails with user data (for the email sanitization function)
  • PostgreSQL users who would benefit from the performance improvements
  • Anyone experiencing the specific UI issues that were fixed

Testing recommendations:

  • Test file uploads to ensure the stricter MIME type validation doesn't affect your legitimate use cases
  • If you're using custom email templates, test them with the new sanitization function
  • Verify that any complex copy-paste operations with Arrays and Blocks work as expected in your admin UI

Bug Fixes

Authentication and Security

  • Fixed API key algorithm compatibility to ensure lookups work with both sha1 (from prior versions) and sha256
  • Corrected login attempt reset logic that previously wasn't properly resetting after successful logins
  • Ensured SSRF checks are performed within the dispatcher for better security
  • Fixed login operation to properly return collection and _strategy properties

UI Improvements

  • Prevented UI crashes when relationship fields are assigned as useAsTitle
  • Ensured schedule publishing time picker only allows future dates
  • Fixed alignment of clear and dropdown indicator buttons in select-based fields
  • Improved handling of hidden fields to ensure default values aren't shown when values are hidden
  • Fixed monomorphic joins tables to properly fetch draft documents
  • Ensured form state handler throws proper errors instead of returning null for unauthorized requests

Import-Export Plugin

  • Fixed synchronization between field select dropdown and form value
  • Improved flattening logic for polymorphic relationships in CSV exports
  • Enhanced the selectionToUse field to dynamically show valid export options
  • Synchronized export field selection with list view columns from query

Next.js Integration

  • Prevented Live Preview URL functions from firing unnecessarily
  • Added helpful redirects from /collections and /globals paths to the admin root

New Features

Copy-Paste for Complex Fields

Now you can copy and paste complex fields like Arrays and Blocks, making content creation and editing much more efficient. This feature supports copying entire fields or individual rows within Arrays and Blocks.

API Key Visibility Toggle

A new visibility toggle for API keys improves security by allowing users to hide sensitive information when viewing API key fields.

Enhanced /me REST API Operation

The /me endpoint now supports additional parameters including joins, select, populate, depth, and draft, providing more flexibility and optimization options when retrieving the current user's data.

Redirects for Non-existent Documents

Instead of showing a 404 page when accessing a non-existent document, the admin UI now redirects users to the collection's list view with an error banner, improving the overall user experience.

Email Content Sanitization

A new sanitizeUserDataForEmail function helps prevent HTML injection in email templates by sanitizing user data before it's inserted into email content.

Modified Headers in Storage Adapters

Storage adapters now support the modifyResponseHeaders option, allowing developers to customize response headers for uploaded files across all supported storage providers.

Security Updates

MIME Type Validation

Enhanced file upload security by implementing MIME type validation based on the actual file buffer data rather than just relying on file extensions. This prevents attackers from bypassing file type restrictions by simply renaming files (e.g., renaming a JPEG to .pdf when only PDFs are allowed).
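To illustrate the difference between extension-based and buffer-based checks, here is an added example (not Payload's own validator) that sniffs a few common magic-number signatures and decides admission from the content rather than the filename; the signature table, the `validateUpload` function and the sample uploads are all constructed for this illustration.

```javascript
// Added example, not Payload's own validator: derive the file type from the
// leading bytes of the upload buffer and compare it with the allowed MIME
// types, so the filename extension alone never decides what is accepted.
const SIGNATURES = [
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

// Return the MIME type whose magic bytes prefix the buffer, or null if none match.
function sniffMimeType(buffer) {
  for (const sig of SIGNATURES) {
    if (buffer.length >= sig.bytes.length && sig.bytes.every((b, i) => buffer[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Accept only when the sniffed type is on the allow list; the declared name
// and extension are reported in messages but never trusted for the decision.
function validateUpload(file, allowedMimeTypes) {
  const detected = sniffMimeType(file.data);
  if (detected === null) {
    return { ok: false, reason: `${file.name}: content type not recognised` };
  }
  if (!allowedMimeTypes.includes(detected)) {
    return { ok: false, reason: `${file.name}: content is ${detected}, which is not allowed` };
  }
  return { ok: true, mimeType: detected };
}

// Constructed samples: a JPEG body uploaded under a .pdf name, and a genuine PDF header.
const renamedJpeg = {
  name: 'invoice.pdf',
  data: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46]),
};
const genuinePdf = { name: 'invoice.pdf', data: Buffer.from('%PDF-1.7\n% constructed sample\n') };
```

With `['application/pdf']` as the allow list, `renamedJpeg` is rejected because its bytes identify a JPEG, while `genuinePdf` passes; an empty or unrecognised buffer is rejected rather than passed through.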

Email Content Sanitization

Added a new sanitizeUserDataForEmail function to prevent potential HTML injection vulnerabilities in email templates. This function sanitizes user data before it's inserted into email content, preventing executable code or other malicious content from being included in emails.
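As an added illustration of the migration step shown earlier and of the injection this function guards against, the following is not Payload's `sanitizeUserDataForEmail` but a minimal HTML-escaping stand-in (`sanitizeUserForEmail`, `escapeHtml` and the sample user are all constructed here) placed beside the unsafe "before" template and the sanitized "after" template.

```javascript
// Added example; not Payload's sanitizeUserDataForEmail. A minimal HTML-escaping
// sanitizer applied to user data before it is interpolated into an email body.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open markup or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Recursively escape every string in a user record; other value types pass through.
function sanitizeUserForEmail(user) {
  if (typeof user === 'string') return escapeHtml(user);
  if (Array.isArray(user)) return user.map(sanitizeUserForEmail);
  if (user && typeof user === 'object') {
    return Object.fromEntries(
      Object.entries(user).map(([key, val]) => [key, sanitizeUserForEmail(val)]),
    );
  }
  return user;
}

// "Before": user-controlled fields land in the HTML exactly as stored.
function renderWelcomeUnsafe(user) {
  return `<p>Hello ${user.name}!</p>`;
}

// "After": sanitize the record first, then interpolate.
function renderWelcomeSafe(user) {
  const safe = sanitizeUserForEmail(user);
  return `<p>Hello ${safe.name}!</p>`;
}

// Constructed sample: a display name that carries a link, the kind of markup
// an email template should render as literal text rather than as HTML.
const sampleUser = {
  name: 'Ada <a href="https://example.invalid/reset">reset your password</a>',
  email: 'ada@example.invalid',
  roles: ['editor'],
};
```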

SSRF Protection

Improved Server-Side Request Forgery (SSRF) protection by ensuring checks are performed within the dispatcher rather than before calling the fetch function. This provides more comprehensive protection against SSRF attacks.

Performance Improvements

PostgreSQL Performance Optimization

The db.updateOne operation has been simplified to use a single database call when the passed data doesn't include nested fields. This optimization applies when the data doesn't contain:

  • Arrays or Blocks
  • Localized Fields
  • hasMany: true text/select/number/relationship fields
  • Relationship fields with relationTo as an array

This change significantly improves performance by avoiding unnecessary rewriting of arrays, blocks, and localized tables when no changes were made to them.
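The four criteria above can be checked against a collection's field config before an update; the following is an added illustration (not the db-postgres adapter's code) that applies them to a Payload-style field list, with `isNestedField`, `isSimpleUpdate` and the sample `postFields` config all constructed here. Keys that match no configured field are treated conservatively as not simple.

```javascript
// Added example (illustrative, not the db-postgres adapter's own logic): decide
// whether an updateOne payload touches only "simple" columns, using the four
// criteria from the release notes against a Payload-style field config.
function isNestedField(field) {
  if (field.type === 'array' || field.type === 'blocks') return true;
  if (field.localized === true) return true;
  if (field.hasMany === true && ['text', 'select', 'number', 'relationship'].includes(field.type)) {
    return true;
  }
  if (field.type === 'relationship' && Array.isArray(field.relationTo)) return true;
  return false;
}

// True only when every key in `data` maps to a known field that is not nested.
function isSimpleUpdate(fields, data) {
  const byName = new Map(fields.map((f) => [f.name, f]));
  return Object.keys(data).every((key) => {
    const field = byName.get(key);
    return field !== undefined && !isNestedField(field);
  });
}

// Constructed sample collection config covering each criterion.
const postFields = [
  { name: 'title', type: 'text' },
  { name: 'summary', type: 'text', localized: true },
  { name: 'tags', type: 'select', hasMany: true, options: ['news', 'blog'] },
  { name: 'author', type: 'relationship', relationTo: 'users' },
  { name: 'related', type: 'relationship', relationTo: ['posts', 'pages'] },
  { name: 'sections', type: 'array', fields: [{ name: 'body', type: 'textarea' }] },
];
```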

Export Processing Feedback

Added a delayed toast message to indicate when an export is being processed, providing better feedback during longer export operations. The download button is also now disabled unless the export form has been modified, preventing unnecessary export operations.

Impact Summary

Payload CMS v3.47.0 delivers a balanced mix of new features, security enhancements, and quality-of-life improvements that benefit both developers and content editors. The addition of copy-paste functionality for complex fields addresses a long-standing user request and significantly improves the content editing workflow. Security is strengthened through proper MIME type validation and email content sanitization, while PostgreSQL users will appreciate the performance optimization for database operations.

The UI experience sees numerous improvements, from better handling of non-existent documents to enhanced field interactions and visibility controls for sensitive information. The import-export plugin receives several fixes that make it more reliable and intuitive to use.

Overall, this release demonstrates Payload's commitment to security, performance, and user experience, making it a worthwhile upgrade for most users. The non-breaking nature of the changes means that upgrading should be straightforward for most projects.

Full Release Notes

v3.47.0 (2025-07-11)

🚀 Features

  • allow joins, select, populate, depth and draft to /me REST API operation (#13116) (2d91cb6)
  • exports new sanitizeUserDataForEmail function (#13029) (9f1bff5)
  • next: redirect non-existent documents to list view with banner (#13062) (5e82f9f)
  • next: add redirect from ${adminRoute}/collections to ${adminRoute} (#13061) (a7a0501)
  • plugin-import-export: show delayed toast when export download takes time (#13126) (b3a994e)
  • storage-*: include modified headers into the response headers of files when using adapters (#12096) (cb6a73e)
  • ui: add API key visibility toggle (#13110) (8a3b97c)
  • ui: adds support for copy pasting complex fields (#11513) (1d6ffcb)

🐛 Bug Fixes

  • execute mimetype validation on the file buffer data (#13117) (5695d22)
  • login operation not returning collection and _strategy (#13119) (0c2b105)
  • ensure we perform ssrf check within dispatcher (#13078) (e99c67f)
  • ensure default values are not shown when value is hidden (#13074) (855a320)
  • correctly reset login attempts (#13075) (aa97f3c)
  • payload auth api-key algorithm compatibility (#13076) (9c45321)
  • next: prevent live preview url functions from firing unnecessarily (#13088) (0b88466)
  • plugin-import-export: sync export field selection with list view columns from query columns (#13131) (c1bad01)
  • plugin-import-export: flattening logic for polymorphic relationships in CSV exports (#13094) (c6105f1)
  • plugin-import-export: selectionToUse field to dynamically show valid export options (#13092) (0806ee1)
  • plugin-import-export: sync field select dropdown with form value (#13103) (1c6a79b)
  • ui: disabled and styles add row button correctly (#13140) (2cafe49)
  • ui: ensure buildFormStateHandler throws error instead of returning null for unauthorized requests (#13123) (06ef798)
  • ui: monomorphic joins tables not fetching draft documents (#13139) (19a3367)
  • ui: ensure that schedule publishing time picker can only be in the future (#13128) (f63dfad)
  • ui: hidden input should wait for form initialization (#13114) (c77b39c)
  • ui: improve alignment of clear and dropdown indicator buttons in select based fields (#12995) (4c25357)
  • ui: prevent error crashing UI when relationship assigned as useAsTitle (#12981) (8a5cb27)

⚡ Performance

  • db-postgres: simplify db.updateOne to a single DB call if the passed data doesn't include nested fields (#13060) (055cc4e)

📚 Documentation

  • richtext-lexical: add documentation page about official features (#13132) (576644d)
  • templates: fix grammar in README (#13027) (96c24a2)

⚙️ CI

🏡 Chores

  • deps: bump deps to resolve all high severity (#13002) (417b70e)

🤝 Contributors

Statistics:

Files Changed: 210
Line Additions: 4,660
Line Deletions: 831
Line Changes: 5,491
Total Commits: 34

Users Affected:

  • Can now use the new `sanitizeUserDataForEmail` function to prevent HTML injection in email templates
  • Benefit from improved API with support for joins, select, populate, depth and draft parameters in `/me` REST API operation
  • Can leverage modified headers in storage adapters for better control over file responses
  • Will experience better performance with PostgreSQL through optimized `db.updateOne` operations

Contributors:

adamklingbaumDanRibbensjessrynkardanicaleroodenolfejacobsfletchJarrodMFleschakhrarovsaidGermanJabloPatrikKozakAlessioGrr1tsuupaulpopusAaronClaes