Download Latest Version 4.36.1 source code.tar.gz (2.3 MB)
Email in envelope

Get an email when there's a new version of Serverless Framework

Home / sf-core@4.36.0
Name Modified Size InfoDownloads / Week
Parent folder
4.36.0 source code.tar.gz 2026-05-12 2.3 MB
0
4.36.0 source code.zip 2026-05-12 3.6 MB
0
README.md 2026-05-12 2.6 kB
0
Totals: 3 Items   5.9 MB 0

Features

  • Faster, more reliable installs. The Serverless Framework installer no longer needs to download dependencies from the npm registry at install time — everything required is pulled in a single download. Fresh installs also use less disk space (~42 MB saved per framework version). Existing projects work without changes. (#13514)

Note: Existing users on an older installer will automatically pick up this faster install path the next time they update or fetch a new framework version. To also get the disk-space savings, update the installer with serverless update, or reinstall the serverless npm package.

Bug Fixes

  • Patched urllib3 decompression-bomb vulnerability in Python test fixtures. Bumped urllib3 from 2.6.3 to 2.7.0 across all Python lockfiles (poetry, pipenv, pip, uv variants) to resolve GHSA-mf9v-mfxr-j63j. Affects only the test-suite Python environments — no impact on user deployments. (#13568)

  • Patched a net/http infinite-loop CVE in the installer runtime. Picks up the upstream fix for CVE-2026-33814 (HTTP/2 CONTINUATION-frame infinite loop when SETTINGS_MAX_FRAME_SIZE=0). All released installers are rebuilt against the patched toolchain. (#13560)

Maintenance

  • Patched additional moderate-severity dependency vulnerabilities:
  • Upgraded hono 4.12.14 → 4.12.18, fast-uri 3.0.6 → 3.1.2, fast-xml-builder 1.1.5 → 1.2.0, ip-address 10.1.0 → 10.2.0, and express-rate-limit 8.3.1 → 8.5.1 (#13564)
  • Bumped fast-uri across all 13 bedrock-agentcore JavaScript examples (#13561)
  • Bumped fast-xml-builder (along with two transitives) across all 13 bedrock-agentcore JavaScript examples (#13559)
  • Bumped the AWS SDK group with 31 updates from 3.1035.0 to 3.1041.0 (#13565)
  • Upgraded mongodb from 7.1.1 to 7.2.0 — adds support for MongoDB's Intelligent Workload Management (#13553)
  • Upgraded simple-git from 3.33.0 to 3.36.0 (#13555)
  • Bumped the patch-updates group: @slack/web-api 7.15.1 → 7.15.2, fs-extra, and uuid (#13567)
  • Bumped dev-dependencies group: eslint 10.2.1 → 10.3.0 and globals (#13566)
  • Bumped Jackson Java dependencies in invoke-local runtime wrappers: jackson-core, jackson-databind, jackson-datatype-joda (#13548, [#13549], [#13550])
  • Bumped aws-actions/configure-aws-credentials from v6.1.0 to v6.1.1 in CI workflows (#13563)
  • Added toml v4+ to the Dependabot ignore list to preserve Node.js 18 support (#13562)
Source: README.md, updated 2026-05-12