Bump payload from 2.0.14 to 3.33.0

[dependabot]

Bumps payload from 2.0.14 to 3.33.0.

Release notes

Sourced from payload's releases.

v3.33.0

v3.33.0 (2025-04-04)

🚀 Features

• drizzle: export buildQuery and parseParams (#11935) (f34eb22)
• graphql: improve non-nullability in query result types (#11952) (018bdad)
• next: improved lexical richText diffing in version view (#11760) (d29bdfc)
• storage-uploadthing: configurable upload router input config (#11954) (f9c73ad)
• ui: use drag overlay in orderable table (#11959) (816fb28)

🐛 Bug Fixes

• postgres null value breaks orderable hook (#11997) (9adbbde)
• allow custom password field when using disableLocalStrategy: true (#11893) (8ad22eb)
• ValidationError error message when label is a function (#11904) (dc793d1)
• do not append doc input for scheduled publish job if it's enabled only for globals (#11892) (760cfad)
• db-mongodb: querying relationships with where clause as an object with several conditions (#11953) (857e984)
• db-postgres: deleteOne fails when the where query does not resolve to any document (#11632) (4ebd3ce)
• db-postgres: down migration fails because migrationTableExists doesn't check in the current transaction (#11910) (f310c90)
• graphql: respect draft: true when querying joins (#11869) (e5690fc)
• storage-uploadthing: pass clientUploads.routerInputConfig to the handler (#11962) (8e93ad8)
• ui: optimistic rows disappear while form state requests are pending (#11961) (8880d70)

⚡ Performance

• ui: significantly optimize form state component rendering, up to 96% smaller and 75% faster (#11946) (e87521a)

📚 Documentation

• fix invalid markdown (#11996) (f7ed8e9)
• add missing comma (#11976) (e6aad5a)
• fix variable names for lexical markdown conversion (#11963) (06d937e)

📝 Templates

• set packageManager pnpm version for vercel templates (#11992) (b76844d)

🏡 Chores

• fix flake (fae113b)
• plugin-cloud-storage: enable TypeScript strict (#11850) (d47b753)
• plugin-form-builder: enable TypeScript strict (#11929) (a58ff57)
• plugin-nested-docs: enable TypeScript strict (#11930) (fd42ad5)
• plugin-redirects: enable TypeScript strict (#11931) (6c735ef)
• richtext-lexical: add DebugJsxConverterFeature (#10856) (308cb64)

🤝 Contributors

... (truncated)

Commits

• 36e7c59 chore(release): v3.33.0 [skip ci]
• 9adbbde fix: postgres null value breaks orderable hook (#11997)
• 8ad22eb fix: allow custom password field when using disableLocalStrategy: true (#...
• e87521a perf(ui): significantly optimize form state component rendering, up to 96% sm...
• dc793d1 fix: ValidationError error message when label is a function (#11904)
• 760cfad fix: do not append doc input for scheduled publish job if it's enabled only...
• d29bdfc feat(next): improved lexical richText diffing in version view (#11760)
• 4ac6d21 chore(release): v3.32.0 [skip ci]
• d963e6a feat: orderable collections (#11452)
• 968a066 fix: typescriptSchema override required to false (#11941)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Updated and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/payload@2.0.14 ➜ 3.33.0	eval, unsafe	0	5.88 MB	elliotpayload

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Network access	npm/payload@3.33.0	Module: http-status Location: Package overview	package.json	🚫
Filesystem access	npm/payload@3.33.0	Module: fs/promises Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: ROOT_DIR Location: Package overview	package.json	🚫
Filesystem access	npm/payload@3.33.0	Module: fs Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: PAYLOAD_CI_DEPENDENCY_CHECKER Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: NEXT_BASE_PATH Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: NEXT_PUBLIC_PAYLOAD_COMPATIBILITY_allowLocalizedWithinLocalized Location: Package overview	package.json	🚫
Uses eval	npm/payload@3.33.0	Eval Type: eval Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: PAYLOAD_DO_NOT_SANITIZE_LOCALIZED_PROPERTY Location: Package overview	package.json	🚫
Shell access	npm/payload@3.33.0	Module: child_process Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: PAYLOAD_DISABLE_DEPENDENCY_CHECKER Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: NEXT_PHASE Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: VERCEL Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: DISABLE_PAYLOAD_HMR Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: PORT Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: __NEXT_ASSET_PREFIX Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: PAYLOAD_HMR_URL_OVERRIDE Location: Package overview	package.json	🚫
Debug access	npm/payload@3.33.0	Module: module Location: Package overview	package.json	🚫
Environment variable access	npm/payload@3.33.0	Env Vars: PAYLOAD_TELEMETRY_DEBUG Location: Package overview	package.json	🚫

View full report↗︎

Next steps

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

What is filesystem access?

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

What is environment variable access?

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

What is dynamic code execution?

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is debug access?

Uses debug, reflection and dynamic code execution features.

Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/payload@3.33.0

[dependabot]

Superseded by #184.