github serverless/serverless sf-core@4.35.0
4.35.0

4 hours ago

Features

  • Added uv dependency-group and optional-dependency controls for Python packaging. Four new custom.pythonRequirements options let you control which extras and groups are included in the deployment package, mirroring the existing Poetry group support. --no-dev is always passed to keep dev dependencies out of Lambda packages by default; opt in via uvWithGroups: [dev] if needed. Read more in the docs. (#13499, #13500) — Thanks @jax-b!
custom:
  pythonRequirements:
    uvOptionalDependencies: # → uv export --extra <name>
      - heavy
    uvWithGroups: # → uv export --group <name>
      - prod
    uvWithoutGroups: # → uv export --no-group <name>
      - test
    uvOnlyGroups: # → uv export --only-group <name>
      - lambda

Bug Fixes

  • Fixed sls deploy --package failure with the esbuild builder. Esbuild zip artifacts are now written to .serverless/<name>.zip instead of .serverless/build/<name>.zip, matching the path that extended-validate.js reconstructs. The two-process sls package + sls deploy --package .serverless flow no longer fails with MISSING_ARTIFACT_FILE. The .serverless/build/ directory remains the staging area for intermediate build artifacts (compiled JS, package.json, lockfiles, node_modules) — only the final zip moves up. (#12964, #13507)

  • Fixed duplicate PATH entries from the binary installer script. The installer used $(grep -q ...) command substitution to detect whether .serverless/bin was already in the shell config; because -q suppresses output, the substitution always returned an empty string and the condition was always true, so a new line was appended on every install. The script now checks the exit status directly and properly quotes $SHELL_CONFIG. (#13394, #13410) — Thanks @gaurav0909-max!
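
The failure mode described in the installer fix above, reproduced as an added example. This is not the installer's actual code: the function names, PATH_LINE and the temporary config path are assumptions made for the demonstration, and the use of grep -F for a literal match is a choice of this sketch.

```shell
#!/bin/sh
# Constructed reproduction of the duplicate-PATH bug; not the real installer script.

# Line the hypothetical installer appends ($HOME/$PATH stay literal on purpose).
PATH_LINE='export PATH="$HOME/.serverless/bin:$PATH"'

# Buggy pattern: grep -q prints nothing, so "$(...)" is always the empty
# string, [ -z "" ] is always true, and the line is appended on every run.
add_path_buggy() {
  shell_config=$1
  if [ -z "$(grep -q '.serverless/bin' "$shell_config" 2>/dev/null)" ]; then
    printf '%s\n' "$PATH_LINE" >> "$shell_config"
  fi
}

# Fixed pattern: branch on grep's exit status (0 = found, 1 = not found)
# and keep the config path quoted so paths with spaces stay one argument.
add_path_fixed() {
  shell_config=$1
  if ! grep -qF '.serverless/bin' "$shell_config" 2>/dev/null; then
    printf '%s\n' "$PATH_LINE" >> "$shell_config"
  fi
}

# Run one variant N times against a fresh config file (path contains a
# space on purpose) and print how many PATH entries it ends up with.
simulate() {
  variant=$1
  runs=$2
  dir=$(mktemp -d)
  cfg="$dir/shell config"
  : > "$cfg"
  i=0
  while [ "$i" -lt "$runs" ]; do
    "$variant" "$cfg"
    i=$((i + 1))
  done
  grep -cF '.serverless/bin' "$cfg"
  rm -rf "$dir"
}

echo "buggy, 3 installs: $(simulate add_path_buggy 3) PATH line(s)"
echo "fixed, 3 installs: $(simulate add_path_fixed 3) PATH line(s)"
```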

Maintenance

  • Patched moderate-severity security vulnerabilities:
    • Upgraded fast-xml-parser from 5.5.8 to 5.7.1 to patch GHSA-gh4j-gqv2-49f6 (XMLBuilder XML comment and CDATA injection via unescaped delimiters) (#13521)
    • Patched GHSA-w5hq-g745-h8pq (uuid v3/v5/v6 missing buffer bounds check) by bumping nested uuid versions and replacing dockerode 4.0.10 with 5.0.0, which drops the uuid dependency entirely (#13530)
    • Upgraded follow-redirects from 1.15.11 to 1.16.0, hono from 4.12.12 to 4.12.14, and protobufjs from 7.5.3 to 7.5.5 to pick up upstream vulnerability patches (#13516)
    • Upgraded fastify to 5.8.5 to patch GHSA-247c-9743-5963 (CVE-2026-33806) and bumped langsmith from 0.5.6 to 0.5.18 across the bedrock-agentcore JS examples (#13496, #13513)
  • Bumped the AWS SDK group with 33 updates from 3.1017.0 to 3.1035.0 (#13526) and an additional 3 updates in packages/framework-dist (#13510)
  • Upgraded https-proxy-agent from 7.0.6 to 8.0.0 (major version bump — CJS to ESM conversion only, no API or behavior changes; transparent for the workspace which is already ESM) (#13535)
  • Upgraded undici from 6.24.1 to 6.25.0 in packages/util (#13536) and packages/sf-core-installer (#13519)
  • Upgraded ws from 8.19.0 to 8.20.0 (#13537)
  • Upgraded @slack/web-api from 7.14.1 to 7.15.1 (#13538)
  • Upgraded @graphql-tools/merge from 9.1.7 to 9.1.9 and bumped grouped patch updates including adm-zip, eventsource-parser, and filesize (#13532)
  • Upgraded pytest from 8.4.2 to 9.0.3 in the uv test fixtures (#13503)
  • Upgraded golang.org/x/mod from 0.34.0 to 0.35.0 in binary-installer (#13518)
