HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

Payload CMS

>

Releases

>

3.45.0

3.45.0

Tag Name: v3.45.0

Release Date: 7/3/2025

View Release
Payload CMS LogoPayload CMS

Payload CMS is a modern, self-hosted headless content management system built with TypeScript, Node.js, and MongoDB. It's designed specifically for developers who want full control over their content management system while maintaining a powerful admin interface for content editors.

Open SourceDeveloper-FriendlyHeadless

TL;DR

Payload CMS v3.45.0 brings significant UI improvements with a redesigned Live Preview that now mounts directly to document root for a more seamless editing experience. This release also includes important security fixes for the multi-tenant plugin, database improvements for MongoDB and PostgreSQL, and numerous UI enhancements that improve form handling, autosave functionality, and bulk operations. Vector database capabilities have been expanded with support for half-precision, binary, and sparse vector column types in Drizzle.

Highlight of the Release

    • Redesigned Live Preview now mounts directly to document root for a more seamless editing experience
    • Added support for half-precision, binary, and sparse vector column types in Drizzle adapter
    • Fixed security vulnerabilities in multi-tenant plugin to prevent privilege escalation
    • Improved document drawer behavior to prevent unnecessary remounting on save
    • Enhanced MongoDB adapter with ability to disable fallback sort

Migration Guide

Upgrading from v3.44.0 to v3.45.0

This release doesn't contain breaking changes that require specific migration steps. However, there are a few changes to be aware of:

Live Preview Changes

If you've built custom implementations around the Live Preview feature, note that it now mounts to the document root (../:id) instead of a separate preview path (../:id/preview). The UI has also changed, with the "Live Preview" tab being replaced by a button next to document controls.

MongoDB Sorting Behavior

If your application relies on MongoDB's automatic fallback sort behavior, be aware that:

  • Fallback sort is no longer added to sorts on unique fields by default
  • You can now explicitly disable fallback sort by passing disableFallbackSort: true in the options

Multi-Tenant Security

If you're using the multi-tenant plugin, review your access control functions to ensure they properly restrict tenant access and super-admin role assignment as implemented in the example fixes.

Upgrade Recommendations

We recommend all users upgrade to v3.45.0, especially if you:

  • Use the Live Preview feature and want an improved editing experience
  • Work with the multi-tenant plugin (security fixes included)
  • Use MongoDB or PostgreSQL adapters and have experienced related issues
  • Work with vector databases and need support for additional column types
  • Have encountered any of the UI issues fixed in this release

The upgrade should be straightforward with minimal risk as there are no breaking changes. Simply update your Payload CMS dependency:

npm install payload@3.45.0
# or
yarn add payload@3.45.0
# or
pnpm add payload@3.45.0

After upgrading, test your application thoroughly, especially if you use the Live Preview feature or multi-tenant plugin, as these components have received significant changes.

Bug Fixes

Database Fixes

  • MongoDB:

    • Added ability to disable fallback sort with disableFallbackSort: true option
    • No longer adds fallback sort to sorts on unique fields by default
    • Fixed nested sorting by ID when the sort path contains a relationship

  • PostgreSQL:

    • Fixed joins with hasMany: true relationships nested to an array
    • Ensured updateOne does not create new documents when where query has no results

UI Improvements

  • Fixed autosave infinite loop within document drawer
  • Prevented document drawer from remounting on save, maintaining cursor focus
  • Fixed block rows unexpectedly collapsing and array rows not being collapsed on initialization
  • Fixed issue with saving nested rich text inside inline blocks
  • Ensured preview sizes button appears when image sizes are defined but adjustments are disabled
  • Fixed bulk upload redirecting to relationship documents when added
  • Fixed field bulk upload showing stale data
  • Added optional chaining when accessing rows in mergeServerFormState to prevent UI crashes

Security Fixes

  • Fixed multi-tenant plugin to check that requested tenant matches user tenant permissions
  • Restricted creation of super-admin users to existing super admins only
  • Disabled GraphQL introspection queries when disableIntrospectionInProduction is true
  • Improved email verification error handling

Import/Export Plugin Fixes

  • Added pre-scan step before streaming CSV export to ensure all columns are included
  • Updated preview table to include all selected columns regardless of populated data

New Features

Live Preview Improvements

The Live Preview feature has been completely redesigned to mount directly to the document root (../:id) instead of a separate preview path (../:id/preview). This is a significant UX improvement that allows users to:

  • Toggle between edit and preview modes without triggering the "Leave Without Saving" modal
  • Maintain form context when switching between modes
  • Set preferences to automatically enter live preview mode when opening documents

The UI has been updated to replace the "Live Preview" tab with a button placed next to document controls for easier access.

Enhanced Vector Database Support

The Drizzle adapter now supports additional vector column types:

  • halfvec: Half-precision vectors for more efficient storage
  • sparsevec: Sparse vectors for specialized embedding use cases
  • bit: Binary vectors

This enhancement is particularly valuable for applications working with embeddings exceeding 2000 dimensions on PostgreSQL using the pg-vector extension.

Security Updates

Multi-Tenant Plugin Security

Two important security vulnerabilities were fixed in the multi-tenant plugin:

  1. Tenant Access Control: The plugin now properly checks that any tenant specified in a create request matches a tenant the user has admin access to. Previously, while the admin panel UI restricted tenant selection, it was possible to bypass this by making direct API requests with a different tenant, allowing users to create documents under tenants they shouldn't have access to.

  2. Super Admin Role Protection: The create access control on the users collection now prevents unauthorized creation of super-admin users. Previously, any authenticated user could create a new user and assign them the super-admin role, even if they didn't have that role themselves, allowing privilege escalation.

GraphQL Security

  • Fixed an issue where GraphQL introspection queries were still allowed when disableIntrospectionInProduction was set to true, which could potentially expose schema information in production environments.

Performance Improvements

Form Handling Performance

The release includes several improvements to form handling that enhance performance:

  • Document drawers no longer remount on save operations, which significantly improves the editing experience by maintaining cursor focus and form state
  • Fixed autosave infinite loop issues that could cause excessive re-renders
  • Optimized handling of nested rich text fields inside inline blocks

Database Query Optimization

  • MongoDB adapter now allows disabling fallback sort, which can improve query performance in certain scenarios
  • Fixed PostgreSQL joins with hasMany: true relationships nested to arrays, improving query efficiency
  • Pre-scanning columns before streaming CSV exports reduces memory usage during large exports

Impact Summary

Payload CMS v3.45.0 delivers a significant enhancement to the content editing experience through its redesigned Live Preview feature, which now integrates more seamlessly with the document editing workflow. This change alone represents a major UX improvement that will benefit content creators daily.

The release also addresses important security vulnerabilities in the multi-tenant plugin that could have allowed privilege escalation and unauthorized tenant access. These fixes are critical for organizations using multi-tenant setups.

For developers working with vector databases, the addition of half-precision, binary, and sparse vector column types in the Drizzle adapter expands capabilities for applications using embeddings and AI features.

The numerous UI fixes improve stability and usability across the platform, particularly for nested fields, autosave functionality, and bulk operations. Database adapter improvements for both MongoDB and PostgreSQL resolve specific edge cases that could cause unexpected behavior.

Overall, this release balances new features with important security fixes and quality-of-life improvements that enhance Payload's reliability and user experience.

Full Release Notes

v3.45.0 (2025-07-03)

🚀 Features

  • mount live preview to document root (#12860) (f2213e5)
  • drizzle: support half-precision, binary, and sparse vectors column types (#12491) (583a733)

🐛 Bug Fixes

  • disable graphql introspection queries when disableIntrospectionInProduction is true (#12982) (a9580e0)
  • strict custom view paths (#12968) (cfc7adc)
  • appropriately throw unverified email error (#12933) (9f60306)
  • db-mongodb: nested sorting by ID (#13016) (81532cb)
  • db-mongodb: add ability to disable fallback sort and no longer adds a fallback for unique fields (#12961) (c902f14)
  • db-postgres: joins with hasMany: true relationships nested to an array (#12980) (0e8ac0b)
  • drizzle: ensure updateOne does not create new document if where query has no results (#12991) (fafaa04)
  • examples: only allow super admins to create users with super admin role (#13015) (6e5ddc8)
  • examples: checks requested tenant matches user tenant permissions (#13012) (5002953)
  • plugin-import-export: pre-scan columns before streaming CSV export (#13009) (34c3a51)
  • plugin-import-export: preview table to include all selected columns regardless of populated data (#12985) (335af1b)
  • plugin-multi-tenant: unnecessary modal appearing (#12854) (16f5538)
  • templates: wrong link in demo content (custom components) (#13024) (f70c6fe)
  • ui: save nested richtext inside inlineBlock (#12773) (babcd59)
  • ui: autosave infinite loop within document drawer (#13007) (b40c581)
  • ui: field bulk upload showing stale data (#13006) (9ba740e)
  • ui: prevent document drawer from remounting on save (#13005) (c80b6e9)
  • ui: bulk upload redirecting to relationship documents when added (#13001) (a9ad7c7)
  • ui: skip disabled fields when adding OR filter conditions in list view (#13004) (7a40a9f)
  • ui: render preview sizes button when adjustments are disabled but image sizes are defined (#12999) (b1ae749)
  • ui: block rows unexpectedly collapse and array rows not collapsed on init (#12987) (3f30a2e)
  • ui: prevent error if rows is undefined in mergeServerFormState (#12962) (6f6d305)

🎨 Styles

  • richtext-lexical: ensure error state is shown at small-break (#12827) (ac19b78)

🧪 Tests

📝 Templates

⚙️ CI

  • template errors not being caught due. fix: error due to updated generated-types User type (#12973) (4458f74)

🏡 Chores

🤝 Contributors

Statistics:

File Changed300
Line Additions4,299
Line Deletions2,140
Line Changes6,439
Total Commits31

User Affected:

  • Improved Live Preview experience with direct mounting to document root
  • Fixed issues with autosave in document drawers
  • Better handling of nested rich text fields
  • Fixed UI issues with block rows and array fields

Contributors:

paulpopusjessrynkarjacobsfletchakhrarovsaidJarrodMFleschAlessioGrr1tsuuPatrikKozakGermanJabloblanksedenolfe