Bump payloadcms group to 3.84.1, postcss, uuid, next, and axios

[dependabot]

Description

Combines five open dependency PRs (this one plus #1031, #1033, #1054, #1056) into a single shipping PR, in keeping with the rationale from #1021. Bumps the Payload group from 3.81.0 → 3.84.1 and reworks both project-maintained patches in the process.

Related Issues

Supersedes:

• Bump axios from 1.12.0 to 1.15.0 #1031 — axios 1.12.0 → 1.15.0
• Bump next from 15.4.11 to 15.5.15 #1033 — next 15.4.11 → 15.5.15
• Bump uuid from 11.1.0 to 14.0.0 #1054 — uuid 11.1.0 → 14.0.0
• Bump postcss from 8.5.3 to 8.5.10 #1056 — postcss 8.5.3 → 8.5.10

Key Changes

Payload CMS group 3.81.0 → 3.84.1 (17 packages)

Patch updates — both project-maintained patches in patches/ needed rework against 3.84.1:

• @payloadcms/plugin-mcp patch shrunk 116 → 37 lines. Per commit 0cd3054a (PR MCP Server #1022), the patch originally added instructions and authDepth support. In 3.84.1 instructions was upstreamed natively on MCPServerOptions, and the runtime already reads pluginOptions.authDepth ?? 1. Only the authDepth?: number type declaration is still needed locally.
• @payloadcms/storage-vercel-blob patch grew 155 → 184 lines and was reworked against the restructured 3.84.1 layout (handleUpload.js → uploadFile.js, new adapter.js indirection). Per PR Bump the payloadcms group to 3.81.0 #982, this patch exposes allowOverwrite because the Vercel Blob v2 SDK changed the default to false, breaking the seeding workflow. The upstream PR (payloadcms/payload#16078) was closed without merging on 2026-04-24, so we continue to maintain this locally.

Other dependency bumps

• postcss 8.5.3 → 8.5.14 — XSS fix for unescaped </style> in non-bundler cases
• uuid 11.1.0 → 14.0.0 — security fix (GHSA-w5hq-g745-h8pq) for out-of-bounds writes in v3()/v5()/v6() when given an invalid offset
• next 15.4.11 → 15.5.15 — CVE-2026-23869 and CVE-2026-29057 patches plus next/image LRU disk cache and pages-router Content-Length/ETag fix
• axios 1.14.0 → 1.15.0 — no_proxy hostname normalization SSRF fix and unrestricted cloud metadata exfiltration via header injection chain fix

Breaking-change review

uuid 11 → 14 spans three majors with breaking changes; verified each is satisfied by the current setup:

• v12 — drops Node 16, removes CommonJS, requires TS ≥ 5.2. Project uses Node 24.x (engines.node) and is "type": "module"; TS is 5.7.3.
• v13 — makes browser exports the default. Both consumers (src/scripts/sanitize-db.ts, src/collections/Users/components/inviteUserAction.ts) use named imports (import { v4 as uuid } from 'uuid') which are unaffected by which export is the default.
• v14 — drops Node 18, expects global crypto. Both satisfied by Node 24.x.

next 15.4 → 15.5 is a minor version with no documented breakages relevant to this app.

axios 1.14 → 1.15 and postcss 8.5.3 → 8.5.14 are patches/minor only.

The Payload 3.83 → 3.84 bump removed/renamed several public types (PluginMCPServerConfig → MCPPluginConfig) and restructured the storage-vercel-blob package — surfaced as TS errors when the existing patches silently failed to apply. Both patches were regenerated against the new layout (see "Patch updates" above) and pnpm tsc is clean.

Other change

Excluded .claude/worktrees/ from Jest's testPathIgnorePatterns so stale Claude worktree copies don't pollute test runs. Without this, jest picks up tests under .claude/worktrees/*/__tests__/ against parent-repo source paths and trips on transitive Payload module loading. Behavior is identical for non-worktree users.

How to test

• pnpm tsc — passes
• pnpm lint — passes (warnings only, unchanged baseline)
• pnpm test — all 40 suites / 376 tests pass locally
• Spot-check Payload admin loads and a few collections render
• Verify file uploads still work — important since @payloadcms/storage-vercel-blob 3.84.1 restructured the upload handler and the local allowOverwrite patch was reworked
• Verify pnpm seed:standalone completes (the allowOverwrite: true flag is what keeps seeding working)
• Verify a server-side page renders with the new Next 15.5 patch
• Verify MCP API key auth still works (uses local authDepth: 3 patch)

Screenshots / Demo video

N/A — dependency updates only

Migration Explanation

No database migrations needed. All changes are package version bumps and patch refresh.

Future enhancements / Questions

Not addressed in this PR (require dedicated upgrades per #1021):

• Next 16, Tailwind 4, ESLint 10, Sentry 10, TypeScript 6, Zod 4, Pino 10

If/when payloadcms/payload upstreams allowOverwrite and authDepth, the corresponding local patches can be dropped.

🤖 Generated with Claude Code

[github-actions]

Preview deployment: https://dependabotxnpmxandxyarnxpayload-6aaa8c0.preview.avy-fx.org