sf-core@4.33.1 release files

Name                         Modified     Size
4.33.1 source code.tar.gz    2026-03-31   2.2 MB
4.33.1 source code.zip       2026-03-31   3.5 MB
README.md                    2026-03-31   3.3 kB
Totals: 3 items, 5.7 MB, 0 downloads / week

Bug Fixes

Serverless Framework

  • Hardened installer against supply chain attacks. Replaced axios, axios-proxy-builder, and tunnel with Node.js built-in fetch() and undici.ProxyAgent for binary downloads. Removed unused xml2js dependency. Pinned remaining dependencies to exact versions and added min-release-age=3 to .npmrc to prevent npm from resolving to very recently published packages. Proxy support now works correctly for both postInstall and run entry points. (#13450)

  • Fixed fast-xml-parser XML entity expansion vulnerability (GHSA-8gc5-j5rx-235r). Updated @aws-sdk/xml-builder to resolve fast-xml-parser from 5.4.1 to 5.5.8, patching a numeric entity expansion bypass that could circumvent all entity expansion limits. (#13412, #13421)

  • Fixed Jackson vulnerability in Java invoke-local runtime. Bumped jackson-core, jackson-databind, and jackson-datatype-joda from 2.21.0 to 2.21.1 to fix an "allocation of resources without limits" vulnerability. Also corrected the jackson-annotations version from 2.21.0 to 2.21 to match Maven Central's new versioning scheme, which applies from Jackson 2.20 onward. (#13379, #13382)

  • Patched vulnerable transitive dependencies. Refreshed lockfile resolutions across examples and the root workspace to fix express-rate-limit IPv4-mapped IPv6 bypass, fastify Content-Type validation bypass, and hono static file access and cookie injection vulnerabilities. (#13397)

Serverless Container Framework

  • Fixed zlib vulnerabilities in dev-mode-proxy container. Upgraded Alpine packages and bumped the base image from node:20-alpine to node:24-alpine to patch critical zlib out-of-bounds write (CVE-2026-22184) and medium-severity input validation (CVE-2026-27171) vulnerabilities. (#13395, #13396)

Maintenance

  • Updated multiple dependencies:
      • Bumped the AWS SDK group with 4 batch updates (#13387, #13405, #13414, #13446)
      • Updated the npm_and_yarn group across multiple directories (#13392, #13401, #13420, #13431, #13444)
      • Upgraded the dev-dependencies group (#13372, #13406, #13415, #13428, #13432, #13442)
      • Updated the patch-updates group (#13388, #13407, #13416, #13429)
      • Bumped the pip group across 14 directories (#13369)
      • Updated the uv group across 14 directories (#13435)
      • Updated actions/setup-node and actions/setup-go in the actions group (#13386, #13403)
      • Upgraded Go to 1.26.1 in binary installer (#13402)
      • Updated path-to-regexp (#13445)
      • Upgraded undici to 6.24.0 (#13411)
      • Upgraded simple-git from 3.30.0 to 3.32.3 (#13375, #13391, #13400)
      • Upgraded @modelcontextprotocol/sdk to 1.27.0 (#13374)
      • Upgraded dotenv to 17.3.1 (#13376)
      • Upgraded graphql to 16.13.0 (#13389)
      • Upgraded strip-ansi to 7.2.0 (#13408)
      • Upgraded dockerode (#13429)
      • Upgraded flatted to 3.4.2 (#13419)
      • Upgraded picomatch to 2.3.2 (#13432)
      • Upgraded @slack/web-api (#13373)
      • Updated various Maven plugins and Java dependencies (#13341, #13404, #13424, #13425, #13426)
      • Updated flask to 3.1.3 in pipenv test fixture (#13378)
      • Updated dependencies in examples (#13377, #13380)
  • Removed misleading "Installing Serverless in an existing service" documentation section (#13449)
Source: README.md, updated 2026-03-31