Bump serverless from 4.33.3 to 4.35.0 in /serverless #416

Merged
Tsingis merged 1 commit into main from dependabot/npm_and_yarn/serverless/serverless-4.35.0
May 1, 2026

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps serverless from 4.33.3 to 4.35.0.

Release notes

Sourced from serverless's releases.

4.35.0

Features

  • Added uv dependency-group and optional-dependency controls for Python packaging. Four new custom.pythonRequirements options let you control which extras and groups are included in the deployment package, mirroring the existing Poetry group support. --no-dev is always passed to keep dev dependencies out of Lambda packages by default; opt in via uvWithGroups: [dev] if needed. Read more in the docs. (#13499, #13500) — Thanks @​jax-b!
custom:
  pythonRequirements:
    uvOptionalDependencies: # → uv export --extra <name>
      - heavy
    uvWithGroups: # → uv export --group <name>
      - prod
    uvWithoutGroups: # → uv export --no-group <name>
      - test
    uvOnlyGroups: # → uv export --only-group <name>
      - lambda

Bug Fixes

  • Fixed sls deploy --package failure with the esbuild builder. Esbuild zip artifacts are now written to .serverless/<name>.zip instead of .serverless/build/<name>.zip, matching the path that extended-validate.js reconstructs. The two-process sls package + sls deploy --package .serverless flow no longer fails with MISSING_ARTIFACT_FILE. The .serverless/build/ directory remains the staging area for intermediate build artifacts (compiled JS, package.json, lockfiles, node_modules) — only the final zip moves up. (#12964, #13507)

  • Fixed duplicate PATH entries from the binary installer script. The installer used $(grep -q ...) command substitution to detect whether .serverless/bin was already in the shell config; because -q suppresses output, the substitution always returned an empty string and the condition was always true, so a new line was appended on every install. The script now checks the exit status directly and properly quotes $SHELL_CONFIG. (#13394, #13410) — Thanks @​gaurav0909-max!

Maintenance

  • Patched moderate-severity security vulnerabilities:
    • Upgraded fast-xml-parser from 5.5.8 to 5.7.1 to patch GHSA-gh4j-gqv2-49f6 (XMLBuilder XML comment and CDATA injection via unescaped delimiters) (#13521)
    • Patched GHSA-w5hq-g745-h8pq (uuid v3/v5/v6 missing buffer bounds check) by bumping nested uuid versions and replacing dockerode 4.0.10 with 5.0.0, which drops the uuid dependency entirely (#13530)
    • Upgraded follow-redirects from 1.15.11 to 1.16.0, hono from 4.12.12 to 4.12.14, and protobufjs from 7.5.3 to 7.5.5 to pick up upstream vulnerability patches (#13516)
    • Upgraded fastify to 5.8.5 to patch GHSA-247c-9743-5963 (CVE-2026-33806) and bumped langsmith from 0.5.6 to 0.5.18 across the bedrock-agentcore JS examples (#13496, #13513)
  • Bumped the AWS SDK group with 33 updates from 3.1017.0 to 3.1035.0 (#13526) and an additional 3 updates in packages/framework-dist (#13510)
  • Upgraded https-proxy-agent from 7.0.6 to 8.0.0 (major version bump — CJS to ESM conversion only, no API or behavior changes; transparent for the workspace which is already ESM) (#13535)
  • Upgraded undici from 6.24.1 to 6.25.0 in packages/util (#13536) and packages/sf-core-installer (#13519)
  • Upgraded ws from 8.19.0 to 8.20.0 (#13537)
  • Upgraded @slack/web-api from 7.14.1 to 7.15.1 (#13538)
  • Upgraded @graphql-tools/merge from 9.1.7 to 9.1.9 and bumped grouped patch updates including adm-zip, eventsource-parser, and filesize (#13532)
  • Upgraded pytest from 8.4.2 to 9.0.3 in the uv test fixtures (#13503)
  • Upgraded golang.org/x/mod from 0.34.0 to 0.35.0 in binary-installer (#13518)

4.34.0

Features

Serverless Framework

  • Added S3 Files support for Lambda file system configuration. Lambda functions can now mount Amazon S3 Files in addition to EFS via fileSystemConfig. The file system type is auto-detected from literal ARNs; for CloudFormation references, specify type: s3files explicitly. The framework automatically generates the correct IAM permissions (s3files:ClientMount/s3files:ClientWrite) and validates VPC configuration. Fully backward compatible — existing EFS configurations work unchanged. Read more in the docs. (#13493)

... (truncated)

Commits
  • 29ee176 chore: release 4.35.0 (#13540)
  • 153dcc8 chore(deps): bump https-proxy-agent from 7.0.6 to 8.0.0 (#13535)
  • b007932 chore(deps): bump undici from 6.24.1 to 6.25.0 (#13536)
  • 21cb25d chore(deps): bump ws from 8.19.0 to 8.20.0 (#13537)
  • 2cabfb0 chore(deps): bump @​slack/web-api from 7.14.1 to 7.15.1 (#13538)
  • d97bb82 chore(deps): consolidate npm dependabot ecosystems (#13534)
  • 1f9ca48 chore(deps): bump the aws-sdk group across 1 directory with 33 updates (#13526)
  • d8db0b4 chore(deps): bump the aws-sdk group across 1 directory with 3 updates (#13510)
  • 0c813f1 chore(deps): bump the patch-updates group across 1 directory with 4 updates (...
  • 3c9933b chore(deps): bump undici in /packages/sf-core-installer (#13519)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [serverless](https://github.com/serverless/serverless) from 4.33.3 to 4.35.0.
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/sf-core@4.33.3...sf-core@4.35.0)

---
updated-dependencies:
- dependency-name: serverless
  dependency-version: 4.35.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and javascript labels May 1, 2026

sonarqubecloud Bot commented May 1, 2026

@Tsingis Tsingis merged commit ea56fca into main May 1, 2026
3 of 4 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/serverless/serverless-4.35.0 branch May 1, 2026 19:29