
chore(cms): upgrade Payload to 3.85.0 and refresh pnpm overrides#36

Merged: jhb-dev merged 1 commit into main from claude/payload-deps-upgrade-McrCP on May 30, 2026

Conversation

jhb-dev (Contributor) commented May 30, 2026

Bump all @payloadcms/* packages and payload to 3.85.0 in cms and web,
and update the jhb.software Payload plugins (alt-text 0.7.0, chat-agent
beta.8).

Drop the now-redundant mongoose, uuid and devalue overrides — each
resolves to a patched version naturally after the upgrade. Add a qs
override (>=6.15.2) to patch the DoS in qs.stringify (GHSA-q8mj-m7cp-5q26)
pulled in transitively via @payloadcms/plugin-mcp's express dependency.
pnpm audit is now clean.

https://claude.ai/code/session_01NUyeK8Wy1MdhyTbFqvtZJj

vercel bot commented May 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project      Deployment  Actions  Updated (UTC)
website      Ignored     Ignored  May 30, 2026 8:26pm
website-cms  Ignored     Ignored  May 30, 2026 8:26pm

@jhb-dev jhb-dev changed the title chore(deps): upgrade Payload to 3.85.0 and refresh pnpm overrides chore(cms): upgrade Payload to 3.85.0 and refresh pnpm overrides May 30, 2026
claude bot commented May 30, 2026

Code Review

Overview

This PR upgrades all @payloadcms/* packages from 3.84.1 → 3.85.0, bumps two first-party JHB plugins (alt-text 0.6→0.7, chat-agent beta.6→beta.8), and cleans up three pnpm overrides that are now redundant after the upgrade. A new qs@<6.15.2 override is added to patch a DoS vulnerability (GHSA-q8mj-m7cp-5q26) pulled in transitively via @payloadcms/plugin-mcp's express dependency.

The change is mechanically clean and internally consistent — all Payload packages are pinned to the same exact version across both workspaces, and the lockfile matches.


Security

  • qs DoS patch (GHSA-q8mj-m7cp-5q26) — correctly addressed via the new override. Good catch.
  • @smithy/core@3.24.1 deprecation — the lockfile now shows a deprecation warning on this transitive dep ("Deprecated due to bug in browser bundling instructions"). Not actionable in this PR but worth tracking as a follow-up.

Potential Issues

1. Node.js engine requirement bump for JHB plugins

payload-alt-text-plugin 0.7.0 and payload-chat-agent beta.8 now declare engines: { node: '>=22.12.0' }, up from the previous ^18.20.2 || >=20.9.0. If CI or production runs Node 20.x, pnpm will warn (or fail with engine-strict) and the packages may behave unexpectedly at runtime. Worth confirming the deployment environment is already on Node 22.

2. MongoDB driver downgrade: v7 → v6

After removing the mongoose@<8.22.1 override, the lockfile resolves:

  • mongodb: 7.2.0 → 6.20.0
  • mongoose: 9.6.2 → 8.22.1
  • bson: 7.2.0 → 6.10.4

This is Payload 3.85.0's actual peer-dep resolution and is presumably tested by the Payload team, but it's worth double-checking against the MongoDB Atlas cluster's supported driver version range. Going from the mongodb driver v7 to v6 is a meaningful downgrade if Atlas features requiring v7+ are in use.

3. Dual @payloadcms/translations versions

@jhb.software/payload-admin-search@0.3.0 and @jhb.software/payload-content-translator-plugin@0.2.0 still peer-dep on ^3.84.1, so the lockfile installs both 3.84.1 and 3.85.0. This is benign for a translations-only package (no singletons), but it means those two plugins won't automatically pick up any translations fixes in 3.85.0 until they publish a new release with an updated peer dep range.


Summary

The upgrade is straightforward and the security fix is a good reason to land it promptly. The main thing to verify before merging is that the Node.js runtime is ≥ 22.12.0 in all environments, since the JHB plugin engine requirement now enforces that. The MongoDB driver downgrade is worth a quick sanity-check against Atlas compatibility, but is likely fine.
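Added example, not code from this PR or from the jhb.software projects: a small script that checks the two things the description and the review ask a reader to verify before merging, namely that the lockfile actually resolves every `pnpm.overrides` entry (here the qs override of >=6.15.2) to a version inside its range, and that the Node runtime satisfies a plugin's `engines.node` range (>=22.12.0, or the older `^18.20.2 || >=20.9.0`). The overrides map and the resolved-version map are constructed inline and stand in for package.json and the output of `pnpm list`; the semver helper only understands full `x.y.z` comparators with `>=`, `<=`, `>`, `<`, `^`, `~` and `||`, which is all this page needs.

```javascript
// Added example (not part of the PR): verify that a lockfile honours pnpm
// overrides and that the running Node version meets an engines.node range.
// All inputs below are constructed; a real check would read package.json and
// `pnpm list --depth Infinity --json` instead.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Negative / zero / positive like strcmp. A pre-release sorts below its
// release (1.0.0-beta.8 < 1.0.0); pre-release tags are compared as strings,
// which is a simplification of the full semver rules.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// One comparator: ">=6.15.2", "<8.22.1", "^3.84.1", "~1.2.3" or exact "3.85.0".
function satisfiesComparator(version, comp) {
  const [, op = '', target] = /^(>=|<=|>|<|\^|~)?\s*(.+)$/.exec(comp.trim());
  const c = compareVersions(version, target);
  const v = parseVersion(version), t = parseVersion(target);
  switch (op) {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    case '^':  // caret: same major, or same minor when major is 0
      if (c < 0) return false;
      return t.major === 0 ? (v.major === 0 && v.minor === t.minor)
                           : v.major === t.major;
    case '~':  // tilde: same major and minor
      return c >= 0 && v.major === t.major && v.minor === t.minor;
    default:   return c === 0;
  }
}

// A range is comparator sets joined by "||"; within a set every
// whitespace-separated comparator must hold ("^18.20.2 || >=20.9.0").
function satisfiesRange(version, range) {
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(comp => satisfiesComparator(version, comp)));
}

// Constructed `pnpm.overrides` mirroring the PR description: only the qs
// override remains after mongoose, uuid and devalue were dropped.
const overrides = { qs: '>=6.15.2' };

// Constructed view of what the lockfile resolved for each package name
// (a package can appear at several versions when peer ranges differ).
const resolved = { qs: ['6.15.2'] };

// Every (override, resolved version) pair that falls outside the override's
// range. An empty result means the lockfile honours all overrides.
function findUnsatisfiedOverrides(overridesMap, resolvedMap) {
  const problems = [];
  for (const [name, range] of Object.entries(overridesMap)) {
    for (const version of resolvedMap[name] ?? []) {
      if (!satisfiesRange(version, range)) problems.push({ name, version, range });
    }
  }
  return problems;
}

// The review notes the JHB plugins now declare engines.node '>=22.12.0';
// run this check before `engine-strict` fails the install for you.
function nodeSatisfiesEngines(nodeVersion, enginesRange) {
  return satisfiesRange(nodeVersion, enginesRange);
}

console.log('unsatisfied overrides:', findUnsatisfiedOverrides(overrides, resolved));
console.log(`node ${process.version} satisfies >=22.12.0:`,
  nodeSatisfiesEngines(process.version, '>=22.12.0'));
```

Running it prints an empty list for the constructed lockfile view and a true/false verdict for the Node version it was run under; feeding it a resolved map with an unpatched qs (for example 6.14.0 alongside 6.15.2) lists that version as a problem, which is the situation a dropped or mistyped override would produce.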

@jhb-dev jhb-dev merged commit 29b8ff6 into main May 30, 2026
14 of 16 checks passed
github-actions bot commented

Preview Deployment

Project URL
CMS https://website-4iijccwnl-jhb-software.vercel.app
Web https://website-o0fx7y2m7-jhb-software.vercel.app

The Web preview uses the CMS preview URL for content fetching.


2 participants