chore(deps): bump aws-sdk and serverless #1438

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/multi-2b22a7f1ff

Conversation

@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Removes aws-sdk. It's no longer used after updating ancestor dependency serverless. These dependencies need to be updated together.

Removes aws-sdk

Updates serverless from 3.40.0 to 4.33.2

Release notes

Sourced from serverless's releases.

4.33.2

Bug Fixes

Serverless Framework

  • Pinned axios in the Framework runtime package. (#13453, #13454)

4.33.1

Bug Fixes

Serverless Framework

  • Hardened installer against supply chain attacks. Replaced axios, axios-proxy-builder, and tunnel with Node.js built-in fetch() and undici.ProxyAgent for binary downloads. Removed unused xml2js dependency. Pinned remaining dependencies to exact versions and added min-release-age=3 to .npmrc to prevent npm from resolving to very recently published packages. Proxy support now works correctly for both postInstall and run entry points. (#13450)

  • Fixed fast-xml-parser XML entity expansion vulnerability (GHSA-8gc5-j5rx-235r). Updated @aws-sdk/xml-builder to resolve fast-xml-parser from 5.4.1 to 5.5.8, patching a numeric entity expansion bypass that could circumvent all entity expansion limits. (#13412, #13421)

  • Fixed Jackson vulnerability in Java invoke-local runtime. Bumped jackson-core, jackson-databind, and jackson-datatype-joda from 2.21.0 to 2.21.1 to fix an allocation of resources without limits vulnerability. Also corrected jackson-annotations version from 2.21.0 to 2.21 to match Maven Central's new versioning scheme starting from Jackson 2.20. (#13379, #13382)

  • Patched vulnerable transitive dependencies. Refreshed lockfile resolutions across examples and the root workspace to fix express-rate-limit IPv4-mapped IPv6 bypass, fastify Content-Type validation bypass, and hono static file access and cookie injection vulnerabilities. (#13397)

Serverless Container Framework

  • Fixed zlib vulnerabilities in dev-mode-proxy container. Upgraded Alpine packages and bumped the base image from node:20-alpine to node:24-alpine to patch critical zlib out-of-bounds write (CVE-2026-22184) and medium-severity input validation (CVE-2026-27171) vulnerabilities. (#13395, #13396)

Maintenance

... (truncated)

Commits
  • 1927474 chore: release 4.33.2 (#13455)
  • ea2b1aa Pin axios in framework-dist runtime package (#13454)
  • 46a565e chore: release 4.33.1 (#13451)
  • b16cf3e fix(sf-core-installer): remove axios and harden dependencies against supply c...
  • 7e89a32 docs: remove misleading "Installing Serverless in an existing service" sectio...
  • 9f6d4a0 chore(deps): bump the aws-sdk group across 1 directory with 31 updates (#13446)
  • cf1da83 chore: update path-to-regexp (#13445)
  • 89b6e31 chore(deps): bump the npm_and_yarn group across 5 directories with 1 update (...
  • cf0f814 chore(deps-dev): bump brace-expansion from 1.1.12 to 1.1.13 (#13442)
  • e02d887 chore(deps-dev): bump lint-staged in the dev-dependencies group (#13428)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.
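The 4.33.1 notes above describe two installer hardenings: pinning dependencies to exact versions and adding `min-release-age=3` to `.npmrc`. The following is an added example, not code from the serverless project or from this PR, that audits a `package.json` and an `.npmrc` for exactly those two properties; the package names and versions in the sample inputs are constructed.

```javascript
// Added example: audit a package manifest and .npmrc for the two hardenings
// named in the serverless 4.33.1 release notes (exact pins, min-release-age).
// Not part of the serverless project; sample inputs below are constructed.

// An exact pin is a bare x.y.z (optional leading "=", optional prerelease tag).
// Anything else ("^1.6.0", "~9.0.0", "latest", "*") lets npm float to a
// newer, possibly just-published, release.
const EXACT_RE = /^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function findUnpinned(pkgJson) {
  const unpinned = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkgJson[field] || {})) {
      if (!EXACT_RE.test(range)) unpinned.push({ field, name, range });
    }
  }
  return unpinned;
}

// Returns the configured min-release-age in days, or null when it is unset
// (in which case npm may resolve a version published minutes ago).
function minReleaseAge(npmrcText) {
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^min-release-age\s*=\s*(\d+)\s*$/);
    if (m) return Number(m[1]);
  }
  return null;
}

function audit(pkgJson, npmrcText) {
  const unpinned = findUnpinned(pkgJson);
  const age = minReleaseAge(npmrcText);
  return { unpinned, minReleaseAge: age, ok: unpinned.length === 0 && age !== null && age > 0 };
}

// Constructed sample inputs: a floating manifest with no release-age guard,
// and a hardened one matching the release-note description.
const WEAK_PKG = { dependencies: { axios: "^1.6.0", tunnel: "0.0.6" }, devDependencies: { eslint: "~9.0.0" } };
const WEAK_NPMRC = "# default config\nsave-exact=true\n";
const HARDENED_PKG = { dependencies: { undici: "6.19.8" } };
const HARDENED_NPMRC = "save-exact=true\nmin-release-age=3\n";

console.log(JSON.stringify(audit(WEAK_PKG, WEAK_NPMRC)));
console.log(JSON.stringify(audit(HARDENED_PKG, HARDENED_NPMRC)));
```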


@dependabot dependabot bot added auto Opened by an automated process dependencies Pull request that updates a dependency file javascript Pull requests that update JavaScript code labels Apr 2, 2026
@dependabot dependabot bot requested a review from devpow112 as a code owner April 2, 2026 08:04
@dependabot dependabot bot added dependencies Pull request that updates a dependency file auto Opened by an automated process javascript Pull requests that update JavaScript code labels Apr 2, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-2b22a7f1ff branch 7 times, most recently from 06a763d to 8751f25 April 3, 2026 14:06
Removes [aws-sdk](https://github.com/aws/aws-sdk-js). It's no longer used after updating ancestor dependency [serverless](https://github.com/serverless/serverless). These dependencies need to be updated together.


Removes `aws-sdk`

Updates `serverless` from 3.40.0 to 4.33.2
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/v3.40.0...sf-core@4.33.2)

---
updated-dependencies:
- dependency-name: aws-sdk
  dependency-version: 
  dependency-type: indirect
- dependency-name: serverless
  dependency-version: 4.33.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-2b22a7f1ff branch from 8751f25 to 0e89f17 April 3, 2026 14:09