Sourced from serverless's releases.

4.33.2

Bug Fixes

Serverless Framework

• Pinned axios in the Framework runtime package. (#13453, #13454)

4.33.1

Bug Fixes

Serverless Framework

• Hardened installer against supply chain attacks. Replaced axios, axios-proxy-builder, and tunnel with Node.js built-in fetch() and undici.ProxyAgent for binary downloads. Removed unused xml2js dependency. Pinned remaining dependencies to exact versions and added min-release-age=3 to .npmrc to prevent npm from resolving to very recently published packages. Proxy support now works correctly for both postInstall and run entry points. (#13450)

• Fixed fast-xml-parser XML entity expansion vulnerability (GHSA-8gc5-j5rx-235r). Updated @aws-sdk/xml-builder to resolve fast-xml-parser from 5.4.1 to 5.5.8, patching a numeric entity expansion bypass that could circumvent all entity expansion limits. (#13412, #13421)

• Fixed Jackson vulnerability in Java invoke-local runtime. Bumped jackson-core, jackson-databind, and jackson-datatype-joda from 2.21.0 to 2.21.1 to fix an allocation of resources without limits vulnerability. Also corrected jackson-annotations version from 2.21.0 to 2.21 to match Maven Central's new versioning scheme starting from Jackson 2.20. (#13379, #13382)

• Patched vulnerable transitive dependencies. Refreshed lockfile resolutions across examples and the root workspace to fix express-rate-limit IPv4-mapped IPv6 bypass, fastify Content-Type validation bypass, and hono static file access and cookie injection vulnerabilities. (#13397)

Serverless Container Framework

• Fixed zlib vulnerabilities in dev-mode-proxy container. Upgraded Alpine packages and bumped the base image from node:20-alpine to node:24-alpine to patch critical zlib out-of-bounds write (CVE-2026-22184) and medium-severity input validation (CVE-2026-27171) vulnerabilities. (#13395, #13396)

Maintenance

• Updated multiple dependencies:
  • Bumped the AWS SDK group with 4 batch updates (#13387, #13405, #13414, #13446)
  • Updated the npm_and_yarn group across multiple directories (#13392, #13401, #13420, #13431, #13444)
  • Upgraded the dev-dependencies group (#13372, #13406, #13415, #13428, #13432, #13442)
  • Updated the patch-updates group (#13388, #13407, #13416, #13429)
  • Bumped the pip group across 14 directories (#13369)
  • Updated the uv group across 14 directories (#13435)
  • Updated actions/setup-node and actions/setup-go in the actions group (#13386, #13403)
  • Upgraded Go to 1.26.1 in binary installer (#13402)
  • Updated path-to-regexp (#13445)
  • Upgraded undici to 6.24.0 (#13411)
  • Upgraded simple-git from 3.30.0 to 3.32.3 (#13375, #13391, #13400)
  • Upgraded @​modelcontextprotocol/sdk to 1.27.0 (#13374)
  • Upgraded dotenv to 17.3.1 (#13376)
  • Upgraded graphql to 16.13.0 (#13389)
  • Upgraded strip-ansi to 7.2.0 (#13408)
  • Upgraded dockerode (#13429)
  • Upgraded flatted to 3.4.2 (#13419)
  • Upgraded picomatch to 2.3.2 (#13432)
  • Upgraded @​slack/web-api (#13373)
  • Updated various Maven plugins and Java dependencies (#13341, #13404, #13424, #13425, #13426)
  • Updated flask to 3.1.3 in pipenv test fixture (#13378)
  • Updated dependencies in examples (#13377, #13380)
• Removed misleading "Installing Serverless in an existing service" documentation section (#13449)

... (truncated)

• 1927474 chore: release 4.33.2 (#13455)
• ea2b1aa Pin axios in framework-dist runtime package (#13454)
• 46a565e chore: release 4.33.1 (#13451)
• b16cf3e fix(sf-core-installer): remove axios and harden dependencies against supply c...
• 7e89a32 docs: remove misleading "Installing Serverless in an existing service" sectio...
• 9f6d4a0 chore(deps): bump the aws-sdk group across 1 directory with 31 updates (#13446)
• cf1da83 chore: update path-to-regexp (#13445)
• 89b6e31 chore(deps): bump the npm_and_yarn group across 5 directories with 1 update (...
• cf0f814 chore(deps-dev): bump brace-expansion from 1.1.12 to 1.1.13 (#13442)
• e02d887 chore(deps-dev): bump lint-staged in the dev-dependencies group (#13428)
• Additional commits viewable in compare view

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serverless since your current version.

This version modifies postinstall script that runs during installation. Review the package contents before updating.