Skip to content

Bump protobufjs and serverless#299

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-0063c9e937
Open

Bump protobufjs and serverless#299
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-0063c9e937

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Removes protobufjs. It's no longer used after updating ancestor dependency serverless. These dependencies need to be updated together.

Removes protobufjs

Updates serverless from 2.72.3 to 4.36.0

Release notes

Sourced from serverless's releases.

4.36.0

Features

  • Faster, more reliable installs. The Serverless Framework installer no longer needs to download dependencies from the npm registry at install time — everything required is pulled in a single download. Fresh installs also use less disk space (~42 MB saved per framework version). Existing projects work without changes. (#13514)

    Note: Existing users on an older installer will automatically pick up this faster install path the next time they update or fetch a new framework version. To also get the disk-space savings, update the installer with serverless update, or reinstall the serverless npm package.

Bug Fixes

  • Patched urllib3 decompression-bomb vulnerability in Python test fixtures. Bumped urllib3 from 2.6.3 to 2.7.0 across all Python lockfiles (poetry, pipenv, pip, uv variants) to resolve GHSA-mf9v-mfxr-j63j. Affects only the test-suite Python environments — no impact on user deployments. (#13568)

  • Patched a net/http infinite-loop CVE in the installer runtime. Picks up the upstream fix for CVE-2026-33814 (HTTP/2 CONTINUATION-frame infinite loop when SETTINGS_MAX_FRAME_SIZE=0). All released installers are rebuilt against the patched toolchain. (#13560)

Maintenance

  • Patched additional moderate-severity dependency vulnerabilities:
    • Upgraded hono 4.12.14 → 4.12.18, fast-uri 3.0.6 → 3.1.2, fast-xml-builder 1.1.5 → 1.2.0, ip-address 10.1.0 → 10.2.0, and express-rate-limit 8.3.1 → 8.5.1 (#13564)
    • Bumped fast-uri across all 13 bedrock-agentcore JavaScript examples (#13561)
    • Bumped fast-xml-builder (along with two transitives) across all 13 bedrock-agentcore JavaScript examples (#13559)
  • Bumped the AWS SDK group with 31 updates from 3.1035.0 to 3.1041.0 (#13565)
  • Upgraded mongodb from 7.1.1 to 7.2.0 — adds support for MongoDB's Intelligent Workload Management (#13553)
  • Upgraded simple-git from 3.33.0 to 3.36.0 (#13555)
  • Bumped the patch-updates group: @slack/web-api 7.15.1 → 7.15.2, fs-extra, and uuid (#13567)
  • Bumped dev-dependencies group: eslint 10.2.1 → 10.3.0 and globals (#13566)
  • Bumped Jackson Java dependencies in invoke-local runtime wrappers: jackson-core, jackson-databind, jackson-datatype-joda (#13548, #13549, #13550)
  • Bumped aws-actions/configure-aws-credentials from v6.1.0 to v6.1.1 in CI workflows (#13563)
  • Added toml v4+ to the Dependabot ignore list to preserve Node.js 18 support (#13562)

4.35.1

Bug Fixes

  • AppSync: @canonical, @hidden, and @renamed now work on field definitions. The bundled Merged API directive stubs only declared the OBJECT location, so applying these directives to fields failed packaging with errors like Directive "@canonical" may not be used on FIELD_DEFINITION.. They're now declared as OBJECT | FIELD_DEFINITION to match AWS's documented surface. (#13533, #13542). Thanks @​PatrykMilewski!
type Query {
  getMessage(id: ID!): Message @renamed(to: "getChatMessage")
  internalField: String @hidden
}
  • Python: lambda layer is now built for layer-only services. Services that declared custom.pythonRequirements.layer with no functions: block silently produced an empty CloudFormation stack. The runtime guard now also activates when pythonRequirements.layer is set and the provider runtime starts with python, restoring parity with the standalone serverless-python-requirements plugin. Heads up: services that previously hit this bug will now actually invoke pip on serverless package, so set pythonBin or use dockerizePip if the matching pythonX.Y binary isn't available locally. (#13541)
provider:
  runtime: python3.13
custom:
  pythonRequirements:
    layer: true

... (truncated)

Commits
  • 1e18918 chore: release 4.36.0 (#13571)
  • 2294877 feat: eliminate runtime npm install from binary installer (#13514)
  • 06f1b1b fix(deps): bump urllib3 to 2.7.0 to patch decompression-bomb vuln (#13568)
  • b176ad0 chore(deps): bump aws-actions/configure-aws-credentials (#13563)
  • b707be4 chore(deps): bump the patch-updates group across 1 directory with 3 updates (...
  • cac53ae chore(deps-dev): bump the dev-dependencies group across 1 directory with 2 up...
  • 16ff2dd chore(deps): bump the aws-sdk group across 2 directories with 31 updates (#13...
  • e4999c3 chore(deps): patch hono, fast-uri, fast-xml-builder, ip-address vulns (#13564)
  • 4d58824 chore(deps): bump mongodb from 7.1.1 to 7.2.0 (#13553)
  • 45c72aa chore(deps): ignore toml v4+ in Dependabot to preserve Node.js 18 support (#1...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump protobufjs and serverless
d18ab3c 
Removes [protobufjs](https://github.com/protobufjs/protobuf.js). It's no longer used after updating ancestor dependency [serverless](https://github.com/serverless/serverless). These dependencies need to be updated together.


Removes `protobufjs`

Updates `serverless` from 2.72.3 to 4.36.0
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/v2.72.3...sf-core@4.36.0)

---
updated-dependencies:
- dependency-name: protobufjs
  dependency-version: 
  dependency-type: indirect
- dependency-name: serverless
  dependency-version: 4.36.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 12, 2026
@dependabot dependabot Bot mentioned this pull request May 12, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants