An open index of dependabot pull requests across open source projects.

chore(deps): bump aws-sdk and serverless

Number: #1464
Type: Pull Request
State: Closed
Author: dependabot[bot]
Association: Unknown
Comments: 1
Created: May 07, 2026 at 12:43 AM UTC
(26 days ago)
Updated: May 21, 2026 at 08:49 PM UTC
(12 days ago)
Closed: May 21, 2026 at 08:49 PM UTC
(12 days ago)
Time to Close: 15 days
Labels: dependencies auto javascript
Description:

Removes aws-sdk. It's no longer used after updating ancestor dependency serverless. These dependencies need to be updated together.

Removes aws-sdk

Updates serverless from 3.40.0 to 4.35.1

Release notes

Sourced from serverless's releases.

4.35.1

Bug Fixes

  • AppSync: @canonical, @hidden, and @renamed now work on field definitions. The bundled Merged API directive stubs only declared the OBJECT location, so applying these directives to fields failed packaging with errors like Directive "@canonical" may not be used on FIELD_DEFINITION.. They're now declared as OBJECT | FIELD_DEFINITION to match AWS's documented surface. (#13533, #13542). Thanks @PatrykMilewski!

    type Query {
      getMessage(id: ID!): Message @renamed(to: "getChatMessage")
      internalField: String @hidden
    }

  • Python: lambda layer is now built for layer-only services. Services that declared custom.pythonRequirements.layer with no functions: block silently produced an empty CloudFormation stack. The runtime guard now also activates when pythonRequirements.layer is set and the provider runtime starts with python, restoring parity with the standalone serverless-python-requirements plugin. Heads up: services that previously hit this bug will now actually invoke pip on serverless package, so set pythonBin or use dockerizePip if the matching pythonX.Y binary isn't available locally. (#13541)

    provider:
      runtime: python3.13
    custom:
      pythonRequirements:
        layer: true

  • Python: zip entry paths are now normalized to forward slashes on Windows. globSync was preserving Windows backslashes in ZIP archive entries, which broke the ZIP spec and caused import mismatches at runtime. Entries are now written with POSIX-style / separators on every platform, and ci-python.yml also runs Python tests on Windows when Python paths change. (#13307, #13383, #13546). Thanks @Tsingis!

Maintenance

  • Patched GHSA-w5hq-g745-h8pq (uuid v3/v5/v6 missing buffer bounds check) in the langgraph-* JavaScript example lockfiles under bedrock-agentcore/examples/javascript/ by bumping nested uuid from 13.0.0 to 13.0.2. Lockfile-only, and these examples aren't shipped in the published package. (#13545)
  • Bumped axios from 1.15.0 to 1.15.2 (transitive, lockfile-only) for upstream security-hardening patches. (#13544)

4.35.0

Features

  • Added uv dependency-group and optional-dependency controls for Python packaging. Four new custom.pythonRequirements options let you control which extras and groups are included in the deployment package, mirroring the existing Poetry group support. --no-dev is always passed to keep dev dependencies out of Lambda packages by default; opt in via uvWithGroups: [dev] if needed. Read more in the docs. (#13499, #13500) — Thanks @jax-b!

    custom:
      pythonRequirements:
        uvOptionalDependencies: # → uv export --extra <name>
          - heavy
        uvWithGroups: # → uv export --group <name>
          - prod
        uvWithoutGroups: # → uv export --no-group <name>
          - test
        uvOnlyGroups: # → uv export --only-group <name>
          - lambda

Bug Fixes

  • Fixed sls deploy --package failure with the esbuild builder. Esbuild zip artifacts are now written to .serverless/<name>.zip instead of .serverless/build/<name>.zip, matching the path that extended-validate.js reconstructs. The two-process sls package + sls deploy --package .serverless flow no longer fails with MISSING_ARTIFACT_FILE. The .serverless/build/ directory remains the staging area for intermediate build artifacts (compiled JS, package.json, lockfiles, node_modules) — only the final zip moves up. (#12964, #13507)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Package Dependencies
Package: serverless
Ecosystem: npm
Version Change: 3.40.0 → 4.35.1
Update Type: Major

Package: aws-sdk
Ecosystem: npm
Update Type: Removal

Technical Details
ID: 15872420
UUID: 4395351106
Node ID: PR_kwDOEUYIC87Y-DS0
Host: GitHub
Repository: devpow112/serverless-plugin-function-value