Update payloadcms monorepo to v3.69.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@payloadcms/db-mongodb (source)	3.68.2 -> 3.69.0
@payloadcms/db-postgres (source)	3.68.2 -> 3.69.0
@payloadcms/db-sqlite (source)	3.68.2 -> 3.69.0
@payloadcms/email-nodemailer (source)	3.68.2 -> 3.69.0
@payloadcms/next (source)	3.68.2 -> 3.69.0
@payloadcms/richtext-lexical (source)	3.68.2 -> 3.69.0
@payloadcms/storage-s3 (source)	3.68.2 -> 3.69.0
@payloadcms/ui (source)	3.68.2 -> 3.69.0
payload (source)	3.68.2 -> 3.69.0

---

Release Notes

payloadcms/payload (@​payloadcms/db-mongodb)

v3.69.0

Compare Source

🚀 Features

• modular dashboards - widgets (#​13683) (f111624)
• adds cursor rules and AGENTS.md to templates (#​14889) (19fcf99)

---

Modular Dashboards with Widgets

Introduces customizable admin dashboards with draggable, resizable widgets. Build personalized dashboard layouts with full keyboard accessibility for reordering and resizing. Future updates will add widget fields (props) for configurable widgets and dashboard presets for sharing layouts. #​13683

Screen.Recording.2025-11-28.at.17.13.14.mov

See the RFC discussion for background and roadmap.

AI Development Resources (templates)

All templates now ship with AGENTS.md and .cursor/rules/ directory for improved AI-assisted development with tools like Copilot and Cursor. #​14889

See more about AGENTS.md

🐛 Bug Fixes

• basePath not working properly with admin routes (#​14967) (fa6b503)
• get field by path for blocks (#​14984) (519a3c6)
• improves upload security for PDFs and SVGs (#​14929) (61298c6)
• missing range headers (#​14887) (ec7c192)
• next: status component incorrectly shows as published status on new documents saved as drafts when readVersions permissions are false (#​14950) (394c024)
• plugin-mcp: adds collection and strategy to user (#​14981) (042d7eb)
• plugin-multi-tenant: relationTo arrays inflating filterOptions where query size (#​14944) (98b6791)
• richtext-lexical: blocksFeature with relationship exposes other tenants (#​14985) (3025377)
• storage-s3: encode filename in generated URL (#​14438) (86855e1)
• ui: use portals for popup to prevent clipping, improve keyboard navigation (#​14910) (af09932)

🛠 Refactors

• replace deprecated url.parse api usage (#​14980) (446cbb1)

📚 Documentation

• fix duplicate anchor links (#​14976) (4c91d04)
• update screenshot for fields/rich-text (#​14979) (2117dbf)

🧪 Tests

• migrate to vitest (#​14337) (4e45432)
• move mongodb to different port to avoid port conflicts (#​14993) (b4abd04)
• improve database test setup (#​14982) (e3c512a)
• multi-tenant login tiles (#​14940) (47f63fa)

🏡 Chores

• storage-s3: add int tests for filename encoding (#​14970) (ef710e3)

🤝 Contributors

• Sasha (@​r1tsuu)
• Alessio Gravili (@​AlessioGr)
• Sean Zubrickas (@​zubricks)
• Jarrod Flesch (@​JarrodMFlesch)
• German Jablonski (@​GermanJablo)
• Kendell (@​kendelljoseph)
• Jake (@​jacobsfletch)
• Jessica Rynkar (@​jessrynkar)
• Paul (@​paulpopus)
• Jens Becker (@​jhb-dev)
• Patrik (@​PatrikKozak)

v3.68.5

Compare Source

🐛 Bug Fixes

• next: omit server url from route matching (#​14919) (38c2f89)

🛠 Refactors

• add relative flag to formatAdminURL util (#​14925) (4f12bee)

🤝 Contributors

• Jake (@​jacobsfletch)

v3.68.4

Compare Source

🐛 Bug Fixes

• previousValue from hooks should be populated within lexical blocks (#​14856) (bb1501e)
• deps: enforce Next.js 15.4.10 (#​14908) (7c675fa)
• next: properly construct local req url (#​14907) (471cd1b)
• ui: show localized locale name for publish specific locale button (#​14906) (848ea65)
• ui: relationship add button unsafe permissions property access (#​14903) (127e41a)

📚 Documentation

• remove unused variable from custom field label translation (#​14911) (77f96a4)
• update collection access control reference link on collection config page (#​14905) (3a1eb77)

⚠️ BREAKING CHANGES

• deps: enforce Next.js 15.4.10 (#​14908) (7c675fa)

  Address
  CVE-2025-67779.

🤝 Contributors

• Jake (@​jacobsfletch)
• Riley Langbein (@​rilrom)
• Jeffery To (@​jefferyto)
• Aaron Claes (@​AaronClaes)
• kat (@​puzzlesremixed)
• Jessica Rynkar (@​jessrynkar)

v3.68.3

Compare Source

⚠️ Security Issue

• deps: bump minimum next version to 15.4.9 (#​14898) (2ba4ee0)

A high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183) affect React 19 and frameworks that use it, like Next.js.

Full details here: https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#how-to-upgrade-and-protect-your-next.js-app

While this is not a Payload vulnerability, it may affect any Payload project running on the affected versions of Next.js. Payload does not install any of these dependencies directly, it simply enforces their versions through its peer dependencies, which will only warn you of the version incompatibilities.

You will need to upgrade React and Next.js yourself in your own apps to the patched versions listed below in order to receive these updates.

Resolution

You are strongly encouraged to upgrade your own apps to the nearest patched versions of Next.js and deploy immediately.

Quick steps:

If using pnpm as your package manager, here's a one-liner:

pnpm add [email protected]

For a full breakdown of the vulnerable packages and their patched releases, see https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#how-to-upgrade-and-protect-your-next.js-app.

🐛 Bug Fixes

• passes serverURL through to all formatAdminURL calls (#​14869) (b82356b)

🤝 Contributors

• Jake (@​jacobsfletch)
• Jarrod Flesch (@​JarrodMFlesch)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.