Serverless Framework Files

Features

• New serverless diff command for previewing changes against the deployed stack. Packages the service locally and renders a structured diff — resources, IAM grants, security groups, parameters, outputs — against the CloudFormation stack currently in AWS. A Function Code section reports per-function code changes by comparing local zip hashes against each Lambda's CodeSha256. Especially useful in CI and PR-review workflows. --json emits a machine-readable summary; --package <path> reuses an existing artifact directory to skip the auto-package step. Docs. (#13602)

bash serverless diff serverless diff --json serverless diff --package .serverless

• TypeScript files supported in ${file()} variable references. The ${file(...)} variable resolver now loads .ts, .mts, and .cts modules in addition to JavaScript, with no separate build step required. All export shapes — default object, async default function, named export, named-export function with property selector, and injected resolveVariable / resolveConfigurationProperty callbacks — behave identically across JavaScript and TypeScript sources. Docs. (#13590)

ts // scripts/secrets.ts export const getSecrets = async () => ({ apiKey: process.env.API_KEY })

yaml custom: secrets: ${file(./scripts/secrets.ts):getSecrets}

• Custom .env file locations and explicit opt-out via useDotenv. Previously a boolean. Now accepts a path or array of paths to load additional .env files alongside the local .env / .env.${stage} already loaded automatically — useful for monorepos sharing variables across services. useDotenv: false is now honored as the documented opt-out. Debug logging at core:resolver:env surfaces which files loaded and which keys came from each (visible with SLS_DEBUG=*; keys only, never values). Docs. Closes [#10641]. (#13597)

yaml useDotenv: ../shared # load files from a sibling directory # useDotenv: # …or a list — earlier entries win # - ./overrides.env # - ../ # useDotenv: false # disable all .env loading

• CloudWatch Logs Infrequent Access log class. Opt-in logs.logGroupClass: infrequent_access at provider or function level provisions an Infrequent Access log group alongside the standard one, wires Lambda's LoggingConfig.LogGroup to write to it, and applies DeletionPolicy: Retain so its history survives stack updates and removals. The standard sibling is always created so pre-existing logs at the default path are preserved during migration. Services that do not opt in produce an identical CloudFormation template. Docs. Closes [#12278]. (#13601)

```yaml provider: logs: lambda: logGroupClass: infrequent_access # service-wide default

functions: realTimeReports: handler: handler.reports logs: logGroupClass: standard # override per function ```

Note: AWS does not allow the class of an existing log group to be changed in place. serverless logs -f <function> cannot read Infrequent Access groups — use CloudWatch Logs Insights instead. Once an IA log group has been retained out of the stack, re-enabling infrequent_access later for the same function will fail with ResourceAlreadyExistsException unless the orphaned group is first deleted or imported back into the stack.

• Cognito User Pool PreTokenGeneration V2_0 and V3_0 triggers. New opt-in lambdaVersion property on the cognitoUserPool event for the PreTokenGeneration trigger. Accepted values: V1_0 (ID token customization — historic behavior), V2_0 (ID and access token customization), and V3_0 (V2 capabilities plus machine-to-machine client-credentials grants). When omitted, the emitted CloudFormation is byte-identical to before; existing services see no template diff on upgrade. Docs. Closes [#12336]. (#13588)

```yaml functions: preTokenGeneration: handler: preToken.handler events:

    - cognitoUserPool:
        pool: MyUserPool
        trigger: PreTokenGeneration
        lambdaVersion: V2_0

```

Note: V2_0 and V3_0 require the Cognito Essentials or Plus feature plan.

• Opt-in Lambda recursive loop detection via recursiveLoop. Maps 1:1 to the AWS Lambda function property of the same name. Accepts allow or terminate (default; case-insensitive). By default AWS terminates a function that invokes itself in a loop — set recursiveLoop: allow for designs that intentionally rely on this pattern. Docs. Closes [#12938]. (#13583)

yaml functions: hello: handler: handler.hello recursiveLoop: allow

• ECR image retention via provider.ecr.maxImages. Services that deploy Lambda from container images can now bound how much their ECR repository grows. When set, the framework attaches a lifecycle policy that expires the oldest untagged image versions beyond the configured count. Currently-tagged digests are unconditionally safe — only superseded versions can ever be expired. Default behavior (maxImages unset) is unchanged. Docs. Closes [#12279]. (#13584)

yaml provider: ecr: scanOnPush: true maxImages: 10

• Reconcile command works against large organizations. serverless reconcile previously failed with a Request Entity Too Large error against organizations with thousands of instances (e.g. 5000+). Reconciliation now batches the request and parallelizes CloudFormation stack fetching while respecting API rate limits. Docs. (#13596)

Bug Fixes

• Durable Lambda functions can now be invoked through event sources that wire an unqualified ARN. AWS rejects unqualified invocations of durable functions with InvalidParameterValueException: You cannot invoke a durable function using an unqualified ARN. The framework now publishes a stable alias and points event sources at it. Closes [#13587]. (#13589)

• MCP SSE server now binds to loopback only. The MCP server's SSE transport was binding to all network interfaces; it now binds to 127.0.0.1 only and installs Host-header validation. Default port (3001) is unchanged. (#13595)

Maintenance

• Bumped the AWS SDK group across one directory with 34 updates (#13605)
• Upgraded @smithy/util-retry (#13607)
• Upgraded qs (#13604)
• Upgraded protobufjs (#13594)
• Upgraded golang.org/x/mod dependency (#13598)
• Bumped the uv group across 5 directories (#13593)
• Upgraded brace-expansion and ws (#13591)