Skip to content

Bump serverless from 3.40.0 to 4.39.0#5

Closed
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/serverless-4.39.0
Closed

Bump serverless from 3.40.0 to 4.39.0#5
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/serverless-4.39.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown

Bumps serverless from 3.40.0 to 4.39.0.

Release notes

Sourced from serverless's releases.

4.39.0

Features

  • Sandboxes — AWS Lambda MicroVMs. First-class support for Firecracker-isolated, snapshot-booted virtual machines that you define declaratively and run on demand, with the serverless operational model (no clusters, pay per run). Define a sandbox from a local Dockerfile directory or a prebuilt s3:// zip, and configure memory, environment, lifecycle hooks, tags, and VPC egress. deploy/remove build and tear down the image and supporting resources; IAM build/execution roles are generated for you, and observability — CloudWatch logs, metric filters, alarms, and a dashboard — is enabled by default and fully customizable.

    sandboxes:
      echo:
        artifact: ./app # local directory that contains a Dockerfile
    serverless invoke --sandbox echo          # run it (with --method / --port)
    serverless logs --sandbox echo            # fetch logs
    serverless dev --sandbox echo             # local dev loop with hot reload

    Local development. serverless dev --sandbox <name> builds and runs the sandbox container on your machine and hot-reloads it as you edit — no deploy needed to iterate. Requests are relayed to the locally running container, so you get the full run/inspect loop against your real sandbox definition before anything ships to AWS.

    See the Sandboxes guide for the full configuration reference, and the serverless/examples sandboxes directory for deploy-ready examples (minimal, complete, and a self-hosted environment for Claude Managed Agent). (#13663)

  • serverless agent commands for AI coding agents. A new command namespace purpose-built for agents (Claude Code, Codex, Cursor) working with a Serverless service. (#13673)

    • serverless agent skills install installs the bundled Agent Skills into the service directory (.claude/skills/, .agents/skills/, or both — auto-detected), teaching agents how to work with the service. Idempotent, auto-refreshing when a newer CLI bundles newer skills, and ejectable per-skill.
    • serverless agent inspect returns the live AWS configuration of a deployed service's resources in a single call — a categorized inventory by default, or expanded raw AWS responses filtered by category (--functions, --api, --iam, --sandboxes, --all, …) or by AWS service. Deterministic, pipe-safe JSON/YAML output, so an agent gets the whole logical-to-physical picture without issuing dozens of aws describe-* calls itself.
    serverless agent skills install
    serverless agent inspect --functions --api

    See the Agent Skills guide for how skills are discovered, updated, and ejected, and the agent inspect reference for its full category and AWS-service filtering options.

Maintenance

  • Runtime dependency bumps: @aws-sdk/util-arn-parser (#13680), a batch of 11 patch-level updates (#13677), and other routine bumps (#13666).
  • Development and CI tooling: dev-dependency group updates (#13676), lint-staged 16 → 17 (#13678), and GitHub Actions bumps (#13667); constrained https-proxy-agent to a range that keeps Node 18 support (#13686).

4.38.1

Maintenance

  • Upgraded undici to 6.27.0, clearing security advisories reported against earlier versions of the bundled HTTP client: a Set-Cookie SameSite attribute downgrade (GHSA-g8m3-5g58-fq7m), HTTP header injection via Set-Cookie percent-decoding (GHSA-p88m-4jfj-68fv), and a WebSocket client denial-of-service (GHSA-vxpw-j846-p89q). (#13657)

4.38.0

Features

  • Ruby 4.0 runtime support. Functions can now target the ruby4.0 Lambda runtime. (#13613)

    provider:

... (truncated)

Commits
  • 79b5cbb chore: release 4.39.0 (#13693)
  • 421f7af feat(sandboxes): summarize sandbox config in the analysis event (#13692)
  • 6db7ff1 chore(deps): bump archiver from 7.0.1 to 8.0.0 (#13690)
  • 3397042 chore(deps): bump @​slack/web-api from 7.15.2 to 7.18.0 (#13689)
  • 950ff75 chore(deps): bump mongodb from 7.2.0 to 7.4.0 (#13691)
  • 475a746 chore(deps): bump date-fns from 4.1.0 to 4.4.0 (#13688)
  • c28d78a chore(deps-dev): bump lint-staged (#13687)
  • b81ed32 fix(agent): inspect returns a graceful not-deployed result for a missing stac...
  • bde0dda chore(deps): ignore https-proxy-agent >=9 (drops Node 18 support) (#13686)
  • 862501f chore(deps-dev): bump lint-staged from 16.4.0 to 17.0.7 (#13678)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

luhenry and others added 2 commits July 11, 2026 21:47
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Bumps [serverless](https://github.com/serverless/serverless) from 3.40.0 to 4.39.0.
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/v3.40.0...sf-core@4.39.0)

---
updated-dependencies:
- dependency-name: serverless
  dependency-version: 4.39.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 11, 2026
@luhenry luhenry closed this Jul 11, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/serverless-4.39.0 branch July 11, 2026 20:05
@luhenry

luhenry commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

@dependabot recreate

@dependabot @github

dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Author

Looks like this PR is closed. If the branch still exists, you can re-open the PR and then use @dependabot rebase or @dependabot recreate. If the branch was deleted, Dependabot will create a new PR on the next scheduled run, or you can trigger an update from the Dependency graph page.

@luhenry

luhenry commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

https://github.com/dependabot recreate

@dependabot @github

dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown
Author

Looks like this PR is closed. If the branch still exists, you can re-open the PR and then use @dependabot rebase or @dependabot recreate. If the branch was deleted, Dependabot will create a new PR on the next scheduled run, or you can trigger an update from the Dependency graph page.

@luhenry luhenry restored the dependabot/npm_and_yarn/serverless-4.39.0 branch July 11, 2026 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant