Installations
npm install @payloadcms/plugin-seoScore
57.6
Supply Chain
49.6
Quality
98.2
Maintenance
100
Vulnerability
90.9
License
Developer
Developer Guide
BETA
Module System
ESM
Min. Node Version
Typescript Support
Yes
Node Version
22.6.0
NPM Version
10.8.2
Statistics
28,589 Stars
12,094 Commits
1,769 Forks
121 Watching
299 Branches
271 Contributors
Updated on 28 Nov 2024
Languages
TypeScript (93.83%)
SCSS (4.3%)
JavaScript (1.67%)
Dockerfile (0.14%)
CSS (0.04%)
Shell (0.02%)
Total Downloads
Cumulative downloads
Total Downloads
701,387
Last day
-22%
3,710
Compared to previous day
Last week
16.9%
22,496
Compared to previous week
Last month
41.5%
78,186
Compared to previous month
Last year
355.4%
570,244
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
2
Versions
Explore the Docs · Community Help · Roadmap · View G2 Reviews
[!IMPORTANT] 🎉 We've released 3.0! Star this repo or keep an eye on it to follow along.
Payload is the first-ever Next.js native CMS that can install directly in your existing /app folder. It's the start of a new era for headless CMS.
Benefits over a regular CMS
- Deploy anywhere, including serverless on Vercel for free
- Combine your front+backend in the same
/appfolder if you want - Don't sign up for yet another SaaS - Payload is open source
- Query your database in React Server Components
- Both admin and backend are 100% extensible
- No vendor lock-in
- Never touch ancient WP code again
- Build faster, never hit a roadblock
Quickstart
Before beginning to work with Payload, make sure you have all of the required software.
1pnpx create-payload-app@latest
If you're new to Payload, you should start with the website template (pnpx create-payload-app@latest -t website). It shows how to do everything - including custom Rich Text blocks, on-demand revalidation, live preview, and more. It comes with a frontend built with Tailwind all in one /app folder.
One-click templates
Jumpstart your next project by starting with a pre-made template. These are production-ready, end-to-end solutions designed to get you to market as fast as possible.
🌐 Website
Build any kind of website, blog, or portfolio from small to enterprise. Comes with a fully functional front-end built with RSCs and Tailwind.
We're constantly adding more templates to our Templates Directory. If you maintain your own template, consider adding the payload-template topic to your GitHub repository for others to find.
✨ Features
- Completely free and open-source
- Next.js native, built to run inside your
/appfolder - Use server components to extend Payload UI
- Query your database directly in server components, no need for REST / GraphQL
- Fully TypeScript with automatic types for your data
- Auth out of the box
- Versions and drafts
- Localization
- Block-based layout builder
- Customizable React admin
- Lexical rich text editor
- Conditional field logic
- Extremely granular Access Control
- Document and field-level hooks for every action Payload provides
- Intensely fast API
- Highly secure thanks to HTTP-only cookies, CSRF protection, and more
🗒️ Documentation
Check out the Payload website to find in-depth documentation for everything that Payload offers.
Migrating from v2 to v3? Check out the 3.0 Migration Guide on how to do it.
🙋 Contributing
If you want to add contributions to this repository, please follow the instructions in contributing.md.
📚 Examples
The Examples Directory is a great resource for learning how to setup Payload in a variety of different ways, but you can also find great examples in our blog and throughout our social media.
If you'd like to run the examples, you can either copy them to a folder outside this repo or run them directly by (1) navigating to the example's subfolder (cd examples/your-example-folder) and (2) using the --ignore-workspace flag to bypass workspace restrictions (e.g., pnpm --ignore-workspace install or pnpm --ignore-workspace dev).
You can see more examples at:
🔌 Plugins
Payload is highly extensible and allows you to install or distribute plugins that add or remove functionality. There are both officially-supported and community-supported plugins available. If you maintain your own plugin, consider adding the payload-plugin topic to your GitHub repository for others to find.
🚨 Need help?
There are lots of good conversations and resources in our Github Discussions board and our Discord Server. If you're struggling with something, chances are, someone's already solved what you're up against. :point_down:
⭐ Like what we're doing? Give us a star
👏 Thanks to all our contributors
No vulnerabilities found.
Reason
30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: license.md:0
- Info: FSF or OSI recognized license: MIT License: license.md:0
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Warn: branch 'main' does not require approvers
- Warn: codeowners review is not required on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings
Reason
Found 8/30 approved changesets -- score normalized to 2
Reason
dependency not pinned by hash detected -- score normalized to 1
Details
- Info: Possibly incomplete results: error parsing shell code: invalid parameter name: .github/workflows/stale.yml:42
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label-on-change.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/label-on-change.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/label-on-change.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/label-on-change.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-on-change.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/label-on-change.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/label-on-change.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/label-on-change.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/lock-issues.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/lock-issues.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:170: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:176: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:332: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:337: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:343: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:362: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:381: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:491: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:496: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:502: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:224: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:232: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:237: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:434: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:439: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:445: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:452: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:472: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/post-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/post-release.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/post-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/post-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-title.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/pr-title.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-title.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/pr-title.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-title.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/pr-title.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-title.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/pr-title.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-canary.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/release-canary.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/stale.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/triage.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/triage.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/triage.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/payloadcms/payload/triage.yml/main?enable=pin
- Warn: containerImage not pinned by hash: examples/form-builder/payload/Dockerfile:1
- Warn: containerImage not pinned by hash: examples/form-builder/payload/Dockerfile:3
- Warn: containerImage not pinned by hash: examples/form-builder/payload/Dockerfile:12
- Warn: containerImage not pinned by hash: templates/_template/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/_template/Dockerfile:6
- Warn: containerImage not pinned by hash: templates/_template/Dockerfile:22
- Warn: containerImage not pinned by hash: templates/_template/Dockerfile:40
- Warn: containerImage not pinned by hash: templates/blank/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/blank/Dockerfile:6
- Warn: containerImage not pinned by hash: templates/blank/Dockerfile:22
- Warn: containerImage not pinned by hash: templates/blank/Dockerfile:40
- Warn: containerImage not pinned by hash: templates/website/Dockerfile:1
- Warn: containerImage not pinned by hash: templates/website/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/website/Dockerfile:12
- Warn: containerImage not pinned by hash: templates/with-payload-cloud/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/with-payload-cloud/Dockerfile:6
- Warn: containerImage not pinned by hash: templates/with-payload-cloud/Dockerfile:22
- Warn: containerImage not pinned by hash: templates/with-payload-cloud/Dockerfile:40
- Warn: containerImage not pinned by hash: templates/with-postgres/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/with-postgres/Dockerfile:6
- Warn: containerImage not pinned by hash: templates/with-postgres/Dockerfile:22
- Warn: containerImage not pinned by hash: templates/with-postgres/Dockerfile:40
- Warn: containerImage not pinned by hash: templates/with-vercel-mongodb/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/with-vercel-mongodb/Dockerfile:6
- Warn: containerImage not pinned by hash: templates/with-vercel-mongodb/Dockerfile:22
- Warn: containerImage not pinned by hash: templates/with-vercel-mongodb/Dockerfile:40
- Warn: containerImage not pinned by hash: templates/with-vercel-postgres/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/with-vercel-postgres/Dockerfile:6
- Warn: containerImage not pinned by hash: templates/with-vercel-postgres/Dockerfile:22
- Warn: containerImage not pinned by hash: templates/with-vercel-postgres/Dockerfile:40
- Warn: containerImage not pinned by hash: templates/with-vercel-website/Dockerfile:1
- Warn: containerImage not pinned by hash: templates/with-vercel-website/Dockerfile:3
- Warn: containerImage not pinned by hash: templates/with-vercel-website/Dockerfile:12
- Info: 0 out of 29 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 19 third-party GitHubAction dependencies pinned
- Info: 0 out of 33 containerImage dependencies pinned
- Info: 6 out of 6 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/main.yml:28
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/post-release.yml:45
- Warn: no topLevel permission defined: .github/workflows/label-on-change.yml:1
- Warn: no topLevel permission defined: .github/workflows/main.yml:1
- Warn: no topLevel permission defined: .github/workflows/post-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-canary.yml:1
- Warn: no topLevel permission defined: .github/workflows/stale.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/triage.yml:15
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 25 are checked with a SAST tool
Reason
40 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-7r3h-m5j6-3q42
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
- Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-jgrx-mgxx-jf9v
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-6fc8-4gx4-v693
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-gp8f-8m3g-qvj9
- Warn: Project is vulnerable to: GHSA-fr5h-rqp8-mj6g
- Warn: Project is vulnerable to: GHSA-g77x-44xx-532m
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-vxvm-qww3-2fh7
- Warn: Project is vulnerable to: GHSA-9h6g-pr28-7cqp
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-54xq-cgqr-rpm3
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-7q7g-4xm8-89cq
Score
4.5
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More