Skip to content

chore(deps): bump aws-sdk and serverless#1445

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-0bff182f6c
Open

chore(deps): bump aws-sdk and serverless#1445
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/multi-0bff182f6c

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 9, 2026
edited
Loading

Removes aws-sdk. It's no longer used after updating ancestor dependency serverless. These dependencies need to be updated together.

Removes aws-sdk

Updates serverless from 3.40.0 to 4.33.3

Release notes

Sourced from serverless's releases.

4.33.3

Bug Fixes

Serverless Framework

  • Locked transitive dependencies in distributed packages to harden against supply chain attacks. Previously, the framework tarball and npm installer package shipped without a lockfile, allowing transitive dependencies to resolve fresh from the registry on each install. Both packages now include npm-shrinkwrap.json files that pin the entire dependency tree to exact versions. (#13453, #13458)

Maintenance

  • Upgraded lodash to v4.18.1 with security fixes for prototype pollution via _.unset/_.omit (GHSA-f23m-r3pf-42rh) and code injection via _.template imports (GHSA-r5fr-rjxr-66jc, CVE-2026-4800) (#13469)
  • Upgraded simple-git to v3.33.0 with enhanced input sanitization for git.clone/git.mirror and stricter git -c checks in the unsafe plugin (#13467)
  • Upgraded @​modelcontextprotocol/sdk to v1.28.0 (#13474)
  • Bumped the AWS SDK group with multiple updates (#13462, #13463, #13471, #13473)
  • Bumped the patch-updates group with 3 updates (#13464)
  • Bumped github.com/fatih/color to v1.19.0 in the binary installer (#13459)
  • Bumped actions/setup-go to v6.4.0 (#13460)

4.33.2

Bug Fixes

Serverless Framework

  • Pinned axios in the Framework runtime package. (#13453, #13454)

4.33.1

Bug Fixes

Serverless Framework

  • Hardened installer against supply chain attacks. Replaced axios, axios-proxy-builder, and tunnel with Node.js built-in fetch() and undici.ProxyAgent for binary downloads. Removed unused xml2js dependency. Pinned remaining dependencies to exact versions and added min-release-age=3 to .npmrc to prevent npm from resolving to very recently published packages. Proxy support now works correctly for both postInstall and run entry points. (#13450)

  • Fixed fast-xml-parser XML entity expansion vulnerability (GHSA-8gc5-j5rx-235r). Updated @aws-sdk/xml-builder to resolve fast-xml-parser from 5.4.1 to 5.5.8, patching a numeric entity expansion bypass that could circumvent all entity expansion limits. (#13412, #13421)

  • Fixed Jackson vulnerability in Java invoke-local runtime. Bumped jackson-core, jackson-databind, and jackson-datatype-joda from 2.21.0 to 2.21.1 to fix an allocation of resources without limits vulnerability. Also corrected jackson-annotations version from 2.21.0 to 2.21 to match Maven Central's new versioning scheme starting from Jackson 2.20. (#13379, #13382)

  • Patched vulnerable transitive dependencies. Refreshed lockfile resolutions across examples and the root workspace to fix express-rate-limit IPv4-mapped IPv6 bypass, fastify Content-Type validation bypass, and hono static file access and cookie injection vulnerabilities. (#13397)

Serverless Container Framework

  • Fixed zlib vulnerabilities in dev-mode-proxy container. Upgraded Alpine packages and bumped the base image from node:20-alpine to node:24-alpine to patch critical zlib out-of-bounds write (CVE-2026-22184) and medium-severity input validation (CVE-2026-27171) vulnerabilities. (#13395, #13396)

Maintenance

... (truncated)

Commits
  • d21bb09 chore: release 4.33.3 (#13472)
  • 987afbb chore(deps): bump the aws-sdk group with 30 updates (#13473)
  • 8e7b077 chore(deps): bump the aws-sdk group (#13471)
  • 362cc54 chore(deps): bump @​modelcontextprotocol/sdk from 1.27.1 to 1.28.0 (#13474)
  • ed88ace chore(dependabot): add ignore rule for get-stdin v10 (#13470)
  • 59450e5 chore(deps): bump simple-git from 3.32.3 to 3.33.0 (#13467)
  • 5b0bb24 chore(deps): bump lodash (#13468)
  • a2b5247 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#13469)
  • 77d0b35 chore(deps): bump the aws-sdk group with 30 updates (#13463)
  • 79af334 chore(deps): bump @​aws-sdk/client-cloudfront-keyvaluestore from 3.1015.0 to 3...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.

@dependabot dependabot bot added auto Opened by an automated process dependencies Pull request that updates a dependency file javascript Pull requests that update JavaScript code labels Apr 9, 2026
@dependabot dependabot bot mentioned this pull request Apr 9, 2026
Closed
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-0bff182f6c branch from b48407a to 0de8736 Compare April 10, 2026 13:25
@dependabot dependabot bot requested a review from devpow112 as a code owner April 10, 2026 13:25
@dependabot
chore(deps): bump aws-sdk and serverless
f8f8da4 
Removes [aws-sdk](https://github.com/aws/aws-sdk-js). It's no longer used after updating ancestor dependency [serverless](https://github.com/serverless/serverless). These dependencies need to be updated together.


Removes `aws-sdk`

Updates `serverless` from 3.40.0 to 4.33.3
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/v3.40.0...sf-core@4.33.3)

---
updated-dependencies:
- dependency-name: aws-sdk
  dependency-version: 
  dependency-type: indirect
- dependency-name: serverless
  dependency-version: 4.33.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-0bff182f6c branch from 0de8736 to f8f8da4 Compare April 10, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devpow112 devpow112 Awaiting requested review from devpow112 devpow112 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

auto Opened by an automated process dependencies Pull request that updates a dependency file javascript Pull requests that update JavaScript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants