A small Payload breaking change and absurd deals

Payload CMS had a busy week. They released new versions 3.68.3, 3.68.4, and 3.68.5. I think this is the first time I've seen them patch so many times in one minor release.

The Payload team bumped the minimum Next version to 15.4.9 in version 3.68.3. They did this to address the Next.js vulnerability from last week. You should actually update to Next.js version 15.4.10, but Payload CMS doesn't dictate your version of Next.js. Upgrade today if you haven't.

Version 3.68.4 fixes the Next.js version and bumps the minimum to 15.4.10. This is a breaking change, so if you update to 3.68.4 without updating your Next.js version, your app won't work.

A bug fix in version 3.68.4 broke route matching. The team fixed this in version 3.68.5 by removing the server URL from route matching.

I did something a little different for this week's message and talked about how I feel about AI. In general, I see it as a net positive, but there's just something I can't shake about it.

The Next.js team released Next 16.1.0. This version focuses on making your local development much faster by stabilizing Turbopack, which lets your server restart nearly instantly. It also introduces a new experimental "Bundle Analyzer" that helps you find large, bloated files so you can keep your website lean and fast. They also added a new command that simplifies how you debug code using the `--inspect` command. Lastly, they fixed a long-standing headache with managing hidden dependencies in your project. There are a lot of changes in this release, so be sure to read the change log to make sure I didn't miss anything important for your project.

Other than those updates, the Next.js team patched their recent security vulnerability.

Shadcn released a new CLI command `npx shadcn create`. The goal of this new command is to make websites look less like each other. The maintainers of shadcn released 5 new styles to help you theme your applications. This new command also gives you the option between Radix or Base UI as the starting component library. I'm excited for websites to start looking more unique and less like a Tailwind generator. We'll see how quickly that takes shape, though.

OpenAI released a new image creation tool. It doesn't surprise me if you didn't hear about this. It kind of feels like old news with Google's nano banana taking center stage in the image generation space.

Anyway, the new image creation tool allegedly lets you make specific edits, such as changing a person's outfit. You're also able to fix text on signs or other media when AI generates hieroglyphs as it so often does.

This still matters, though, as it's an advancement in AI technology. And we're all stuck with it. We devs can use the new GPT Image 1.5 API to build apps that let users edit or generate custom images instantly. It's also possible now to create more accurate website, banner, or social media asset mockups. I guess that's helpful.

OpenAI also released GPT-5.2-Codex. They claim this is their smartest tool yet for writing and fixing code. It appears they forgot to include their competitors in their benchmarks, so it's not easy to tell how it compares to other models. My guess is it's not great.

Regardless, the context windows are longer for GPT-5.2-Codex, which means the model can more easily read and debug larger code bases. It should understand images and designs, so it can quickly build prototypes based on mockups.

In other OpenAI news, they're in talks with Amazon to get on Amazon's Trainium chips. In exchange, Amazon will invest over $10 billion in OpenAI. This is an absurd amount of money. Honestly, these numbers are starting to lose meaning.

Google is winning the AI race right now because it owns its own infrastructure. It seems OpenAI is trying to speed up their way into the hardware battle with this deal. The deal could reduce the cost of running AI, which may reduce API prices. The deal isn't final, though.

Last thing on OpenAI. Developers can now submit their own apps to be listed inside ChatGPT. These can't currently be monetized natively in the ChatGPT interface, but I expect them to implement that quickly. This has the potential to become a nice revenue generator if you can get in front of a large audience. In general, though, it's meant to be a convenient way for developers to interact with their tools in a chat interface in natural language.

Anthropic updated its user safety rules. This move seeks to protect people during sensitive conversations about mental health and more. Claude will now guide users to real doctors instead of acting like a therapist. I love this change. As models continue to be our biggest hype-robots, we need safeguards to come into play when agreeing with a person is the last thing they need.

One of those safeguards is that Claude can end a conversation if a user is being harmful or abusive. I think we all need to take a page out of Claude's book there.

These changes help us create software that stays helpful without crossing dangerous lines.

I keep hearing about Cursor migrating from their CMS into raw code and markdown. I'll take a moment here to say that I think that's great for Lee and his team. But we should remember that the Cursor team are expert engineers. Handing the keys over to Susan from accounting to make changes to a production website through an LLM sounds like a risk to me. I'll continue building with my CMSes instead of battling git history when someone breaks my website after hours.

Railway added audit logs to their core offering. This new feature allows teams with compliance requirements to have an audit trail built in as users make changes. This allows security and compliance teams as well as auditors to have a clear trail of who did what when and where. This is simply a way for the Railway team to continue providing enterprise-level support for organizations that need it.

The Railway team upgraded the local dev experience with their CLI tools. Using `railway dev`, you're now able to develop locally with the exact same set up as your project or template. This new CLI command generates certificates with pretty local domains that are easy to read, rewrites your variables, and starts your services on command. You'll need to have Docker installed and running locally for this to work. Buckets and Railway Functions don't work yet, and Windows isn't fully supported.

Railway updated a few things on their canvas, as well.

First, you can add Buckets from anywhere you create a new project. This wasn't released until Buckets became available to everyone.

You can also duplicate services in groups now. Before this change, the process would create the service outside of the group. With the new functionality, everything stays neat and organized in the same group you're working in.

On the topic of groups, you can now use groups in the template composer. For those creating templates, you can use groups to keep your template organized and easy to use.

Railway cleaned up how they interact with GitHub PRs. Instead of creating a separate GitHub deployment for each service, Railway creates only one deployment per PR environment. This keeps things much cleaner and easier to trace if issues arise. This is a breaking change, so if you're using the `serviceID` in a workflow, you'll need to update that.

Use my affiliate code to sign up for Railway if you want.