Have feedback? Want to see something else featured? Reply to this email!

What’s up, everyone? Thanks for reading Next in Dev. In this issue, I'll write about the updates worth your time, like Payload 3.53–3.54 quality fixes and Railway’s free plan coming back.

Payload CMS

Payload had two releases in the past 2 weeks, versions 3.53 and 3.54. Over the past month, there haven't been a ton of new features, but bug fixes are still on the rise.

A new Icelandic translation has been added.

The import and export plugin got some love. A sort order control has been added, and when it's not set, groupBy is used as the sortBy option.

Parallel job queue tasks are now supported. Toast notifications can be configured.

Two bug fixes in version 3.53: the Docker base image was updated. And a bug fix that impacted me is labeled as a performance increase. There were cases when streamed files from s3 would timeout causing 500 errors from your s3 bucket. That's no longer an issue in 3.53.

Figma

Figma has added Unsplash stock images in Figma Buzz and now allows admins on Enterprise plans to require password protection for all published sites across their organization.

It's definitely more exciting to write about Payload CMS in this relationship.

Gif by magicedenofficial on Giphy

Next.js, Shadcn, and Vercel

I'm not going to write much about Next.js's canary branch. That is where all the action happens, but most people aren't using the canary branch unless they're already on the bleeding edge.

Gif by Prezibase on Giphy

What I will write about, though, is new major, minor, and patch releases that either release the features or backport bug fixes from the canary branch.

Version 15.5.1 fixed a few Turbopack and route handler issues. The lint rule noUnknownAtRules was changed to a warning. This is meant to help fix an issue with Tailwind.

Version 15.5.2 came out within the last two weeks. This simply removes the unknownatrules lint rule entirely and reverts an added param that was added to fonts to help with performance.

A lot is new with Shadcn. In August, shadcn CLI 3.0 and MCP server were released. You can now use namespaced registries (e.g. @registry/goose or @registry/egg ). This is a great way to keep your components organized for your internal organization and more. You can now search within registries before installing anything.

The MCP server is available for shadcn registries as well. Vercel really likes their MCP servers and buzzwords. But this should help speed you up when using your favorite AI crutch with shadcn.

For more information, check out their upgrade guide for their CLI.

This month, shadcn also released a registry index to keep track of open source registries you can install from.

Vercel's AI Gateway is now generally available. Go crazy.

You can now use Vercel's MCP on Raycast (I LOVE Raycast). This means that these services can now have access to your deployments and analyze build logs.

Three big vulnerabilities hit Vercel last week. First, there was the potential for non-Vercel deployments using Next.js Image Optimization to experience cache poisoning that caused sensitive image responses from API routes. This is resolved in versions 15.4.5 and 14.2.13.

The second is again for the Next.js Image Optimization. External image servers could serve responses that result in file downloads with attacker-defined filenames. This is also resolved in versions 15.4.5 and 14.2.13.

Lastly, Next's middleware experienced a vulnerability again. This time, the security issue isn't exploitable on Vercel, but self-hosted deployments should upgrade to 14.2.32 or 15.4.7 or ensure you're using middleware following official guidance. Use NextResponse.next({ request })to explicitly pass the request object.

Tailwind

Version 4.1.13 fixes transition behavior with visibility, drops some warnings from the browser build, and ignores .vercel folders by default. That last one mimics the behavior of Tailwind toward .next folders.

AI news

AI news was pretty quiet, though I did just see that Reddit is attempting to sue Anthropic for allegedly not paying to scrape MY data. Apparently, this is nearly 3-month-old news. Whoops. Sorry for the Guardian link, I was just trying to find a non-paywalled source.

OpenAI is working on GPT-6 now that the noise of GPT-5 has died down. Hopefully it'll actually be good.

Railway

Railway now lets you restore deleted volumes within 48-hours. Now you don't have to have a panic attack when you click the wrong button.

Railway has brought their free plan back. You now get a dollar of usage each month after your free trial expires. This isn't quite as generous as it used to be, but I'm not complaining.

Giphy

Use my affiliate code to sign up for Railway if you want.

What did I miss? There’s so much happening in modern web dev that I’m sure to have missed something. So, leave suggestions and your thoughts in the comments or reply to this email so I can be sure to address them and potentially add them in future videos.

Thanks for reading. See you in the next one.

Support this content

See all my tutorials and other content

Subscribe on YouTube

Spread the word about your favorite newsletter

Share the newsletter

Get early access to videos and more

Patreon
Short Ruby Newsletter

Short Ruby Newsletter

It is a Monday morning summary of the articles, discussions, and news from the Ruby community

© 2025 Next in Dev.

Privacy policy

Terms of use

Powered by beehiiv