Skip to content

Bump uuid, serverless, serverless-offline and wait-on in /examples/serverless-framework#888

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/serverless-framework/multi-79a00e07a2
Open

Bump uuid, serverless, serverless-offline and wait-on in /examples/serverless-framework#888
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/serverless-framework/multi-79a00e07a2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 22, 2026

Removes uuid. It's no longer used after updating ancestor dependencies uuid, serverless, serverless-offline and wait-on. These dependencies need to be updated together.

Removes uuid

Updates serverless from 1.83.3 to 4.36.1

Release notes

Sourced from serverless's releases.

4.36.1

Bug Fixes

  • Fixed framework hang during TypeScript configuration loading. Services with multi-file TypeScript configurations (a serverless.ts that imports other .ts files via relative imports) could deadlock during command startup, most reliably reproduced in AWS CodeBuild. The framework now handles nested TypeScript imports without the deadlock. (#13574, #13581)

  • Fixed esbuild version conflicts with the serverless-esbuild plugin. Projects that pinned an esbuild version different from the framework's hit Cannot start service: Host version "X.Y.Z" does not match binary version "A.B.C" errors when running commands like serverless invoke local. Each esbuild instance now resolves its own platform binary independently, so both versions can coexist in the same project. (#13580, #13581)

Maintenance

  • Bumped the AWS SDK group with 30 updates (#13575)
  • Upgraded protobufjs from 7.5.5 to 7.5.7 (#13573)
  • Bumped langsmith across bedrock-agentcore JavaScript examples (#13579)

4.36.0

Features

  • Faster, more reliable installs. The Serverless Framework installer no longer needs to download dependencies from the npm registry at install time — everything required is pulled in a single download. Fresh installs also use less disk space (~42 MB saved per framework version). Existing projects work without changes. (#13514)

    Note: Existing users on an older installer will automatically pick up this faster install path the next time they update or fetch a new framework version. To also get the disk-space savings, update the installer with serverless update, or reinstall the serverless npm package.

Bug Fixes

  • Patched urllib3 decompression-bomb vulnerability in Python test fixtures. Bumped urllib3 from 2.6.3 to 2.7.0 across all Python lockfiles (poetry, pipenv, pip, uv variants) to resolve GHSA-mf9v-mfxr-j63j. Affects only the test-suite Python environments — no impact on user deployments. (#13568)

  • Patched a net/http infinite-loop CVE in the installer runtime. Picks up the upstream fix for CVE-2026-33814 (HTTP/2 CONTINUATION-frame infinite loop when SETTINGS_MAX_FRAME_SIZE=0). All released installers are rebuilt against the patched toolchain. (#13560)

Maintenance

  • Patched additional moderate-severity dependency vulnerabilities:
    • Upgraded hono 4.12.14 → 4.12.18, fast-uri 3.0.6 → 3.1.2, fast-xml-builder 1.1.5 → 1.2.0, ip-address 10.1.0 → 10.2.0, and express-rate-limit 8.3.1 → 8.5.1 (#13564)
    • Bumped fast-uri across all 13 bedrock-agentcore JavaScript examples (#13561)
    • Bumped fast-xml-builder (along with two transitives) across all 13 bedrock-agentcore JavaScript examples (#13559)
  • Bumped the AWS SDK group with 31 updates from 3.1035.0 to 3.1041.0 (#13565)
  • Upgraded mongodb from 7.1.1 to 7.2.0 — adds support for MongoDB's Intelligent Workload Management (#13553)
  • Upgraded simple-git from 3.33.0 to 3.36.0 (#13555)
  • Bumped the patch-updates group: @slack/web-api 7.15.1 → 7.15.2, fs-extra, and uuid (#13567)
  • Bumped dev-dependencies group: eslint 10.2.1 → 10.3.0 and globals (#13566)
  • Bumped Jackson Java dependencies in invoke-local runtime wrappers: jackson-core, jackson-databind, jackson-datatype-joda (#13548, #13549, #13550)
  • Bumped aws-actions/configure-aws-credentials from v6.1.0 to v6.1.1 in CI workflows (#13563)
  • Added toml v4+ to the Dependabot ignore list to preserve Node.js 18 support (#13562)

4.35.1

Bug Fixes

  • AppSync: @canonical, @hidden, and @renamed now work on field definitions. The bundled Merged API directive stubs only declared the OBJECT location, so applying these directives to fields failed packaging with errors like Directive "@canonical" may not be used on FIELD_DEFINITION.. They're now declared as OBJECT | FIELD_DEFINITION to match AWS's documented surface. (#13533, #13542). Thanks @​PatrykMilewski!
type Query {
  getMessage(id: ID!): Message @renamed(to: "getChatMessage")
  internalField: String @hidden
</tr></table>

... (truncated)

Commits
  • 8eb17c5 chore: release 4.36.1 (#13585)
  • 2ef7705 fix: externalize esbuild from the bundle (#13581)
  • df606ca chore(deps): bump the aws-sdk group across 1 directory with 30 updates (#13575)
  • b752a23 chore(deps): bump the npm_and_yarn group across 11 directories with 1 update ...
  • 9e185a3 chore(deps): update protobufjs to 7.5.7 (#13573)
  • 1e18918 chore: release 4.36.0 (#13571)
  • 2294877 feat: eliminate runtime npm install from binary installer (#13514)
  • 06f1b1b fix(deps): bump urllib3 to 2.7.0 to patch decompression-bomb vuln (#13568)
  • b176ad0 chore(deps): bump aws-actions/configure-aws-credentials (#13563)
  • b707be4 chore(deps): bump the patch-updates group across 1 directory with 3 updates (...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serverless since your current version.

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.


Updates serverless-offline from 7.1.0 to 14.6.0

Release notes

Sourced from serverless-offline's releases.

v14.6.0

What's Changed

New Contributors

Full Changelog: dherault/serverless-offline@v14.5.0...v14.6.0

v14.5.0

Features

Maintenance Updates

New Contributors

Full Changelog: dherault/serverless-offline@v14.4.0...v14.5.0

v14.4.0

Features

Bug Fixes

  • update jsonpath-plus to close vulnerability (#1835) (903340a)

New Contributors

Full Changelog: dherault/serverless-offline@v14.3.4...v14.4.0

... (truncated)

Changelog

Sourced from serverless-offline's changelog.

14.6.0 (2026-05-11)

14.5.0 (2026-02-24)

Features

  • Add support for Node.js 24.x in Docker environment (d170c44)
  • Drop Node.js 14/16/18 support and fix test authentication (672c85a)
  • Support CloudFormation Join & Sub function in environment variable (#1842) (d785b78)

14.4.0 (2024-12-09)

Features

Bug Fixes

  • update jsonpath-plus to close vulnerability (#1835) (903340a)

14.3.4 (2024-11-06)

Maintenance Updates

  • Removed sponsor logging

14.3.3 (2024-10-17)

Bug Fixes

14.3.2 (2024-08-30)

Maintenance Updates

  • Updated the v14 release to use the latest npm tag for better alignment with current package.

14.3.1 (2024-08-30)

Bug Fixes

... (truncated)

Commits
  • b93ebb5 Edit changelog
  • 38e0122 v14.6.0
  • bc58df8 Merge pull request #1889 from dherault/update-deps
  • c1a428f Run prettier
  • 51006bb Update dependencies
  • 607743d Merge pull request #1772 from apokryfos/issue-1771
  • 7b23f31 Merge pull request #1884 from robertmaier/feature/bump-aws-sdk-client-lambda
  • b21993c Merge branch 'master' into issue-1771
  • 0b5dd93 Merge branch 'master' into feature/bump-aws-sdk-client-lambda
  • e2264b8 Merge pull request #1878 from naomichi-y/feature/add-ruby3.4-support
  • Additional commits viewable in compare view

Updates wait-on from 3.3.0 to 9.0.10

Release notes

Sourced from wait-on's releases.

v9.0.10

Cleaned up unnecessary files from npm published package, added code coverage

Removed:

  • .fastembed_cache
  • .github
  • .nyc_output
  • coverage
  • .editorconfig
  • .nycrc.json
  • .prettierrc.js
  • eslint.config.mjs

Increased code coverage

Thanks @​aarongoldenthal

v9.0.6

Update minor deps for security vulnerabilities

  • axios
    • follow-redirects
  • joi

v9.0.5

Update minor dependencies and npm audit fixes

v9.0.4

Updated patch dependencies including axios and lodash

v9.0.3

Update to jsdoc. Thanks @​westonruter

Minor dependencies updated: eslint, mocha, axios

v9.0.2

Replaced unmaintained expect-legacy package with chai. Thanks @​bdkopen

v9.0.1

Update minor deps:

  • axios
  • eslint

v9.0.0

Updating major version to align with removal of unspported versions of Node.js

wait-on will continue to support the active and maintained releases listed at https://nodejs.org/en/about/previous-releases which currently is 20, 22, 24.

There are no other breaking changes other than changing the versions of Node.js that are supported.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump uuid, serverless, serverless-offline and wait-on
b45623c 
Removes [uuid](https://github.com/uuidjs/uuid). It's no longer used after updating ancestor dependencies [uuid](https://github.com/uuidjs/uuid), [serverless](https://github.com/serverless/serverless), [serverless-offline](https://github.com/dherault/serverless-offline) and [wait-on](https://github.com/jeffbski/wait-on). These dependencies need to be updated together.


Removes `uuid`

Updates `serverless` from 1.83.3 to 4.36.1
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/v1.83.3...sf-core@4.36.1)

Updates `serverless-offline` from 7.1.0 to 14.6.0
- [Release notes](https://github.com/dherault/serverless-offline/releases)
- [Changelog](https://github.com/dherault/serverless-offline/blob/master/CHANGELOG.md)
- [Commits](dherault/serverless-offline@v7.1.0...v14.6.0)

Updates `wait-on` from 3.3.0 to 9.0.10
- [Release notes](https://github.com/jeffbski/wait-on/releases)
- [Commits](jeffbski/wait-on@v3.3.0...v9.0.10)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version:
  dependency-type: indirect
- dependency-name: serverless
  dependency-version: 4.36.1
  dependency-type: direct:development
- dependency-name: serverless-offline
  dependency-version: 14.6.0
  dependency-type: direct:development
- dependency-name: wait-on
  dependency-version: 9.0.10
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants