Bump serverless from 4.35.1 to 4.36.1

[dependabot]

Bumps serverless from 4.35.1 to 4.36.1.

Release notes

Sourced from serverless's releases.

4.36.1

Bug Fixes

• Fixed framework hang during TypeScript configuration loading. Services with multi-file TypeScript configurations (a serverless.ts that imports other .ts files via relative imports) could deadlock during command startup, most reliably reproduced in AWS CodeBuild. The framework now handles nested TypeScript imports without the deadlock. (#13574, #13581)

• Fixed esbuild version conflicts with the serverless-esbuild plugin. Projects that pinned an esbuild version different from the framework's hit Cannot start service: Host version "X.Y.Z" does not match binary version "A.B.C" errors when running commands like serverless invoke local. Each esbuild instance now resolves its own platform binary independently, so both versions can coexist in the same project. (#13580, #13581)

Maintenance

• Bumped the AWS SDK group with 30 updates (#13575)
• Upgraded protobufjs from 7.5.5 to 7.5.7 (#13573)
• Bumped langsmith across bedrock-agentcore JavaScript examples (#13579)

4.36.0

Features

• Faster, more reliable installs. The Serverless Framework installer no longer needs to download dependencies from the npm registry at install time — everything required is pulled in a single download. Fresh installs also use less disk space (~42 MB saved per framework version). Existing projects work without changes. (#13514)

  Note: Existing users on an older installer will automatically pick up this faster install path the next time they update or fetch a new framework version. To also get the disk-space savings, update the installer with serverless update, or reinstall the serverless npm package.

Bug Fixes

• Patched urllib3 decompression-bomb vulnerability in Python test fixtures. Bumped urllib3 from 2.6.3 to 2.7.0 across all Python lockfiles (poetry, pipenv, pip, uv variants) to resolve GHSA-mf9v-mfxr-j63j. Affects only the test-suite Python environments — no impact on user deployments. (#13568)

• Patched a net/http infinite-loop CVE in the installer runtime. Picks up the upstream fix for CVE-2026-33814 (HTTP/2 CONTINUATION-frame infinite loop when SETTINGS_MAX_FRAME_SIZE=0). All released installers are rebuilt against the patched toolchain. (#13560)

Maintenance

• Patched additional moderate-severity dependency vulnerabilities:
  • Upgraded hono 4.12.14 → 4.12.18, fast-uri 3.0.6 → 3.1.2, fast-xml-builder 1.1.5 → 1.2.0, ip-address 10.1.0 → 10.2.0, and express-rate-limit 8.3.1 → 8.5.1 (#13564)
  • Bumped fast-uri across all 13 bedrock-agentcore JavaScript examples (#13561)
  • Bumped fast-xml-builder (along with two transitives) across all 13 bedrock-agentcore JavaScript examples (#13559)
• Bumped the AWS SDK group with 31 updates from 3.1035.0 to 3.1041.0 (#13565)
• Upgraded mongodb from 7.1.1 to 7.2.0 — adds support for MongoDB's Intelligent Workload Management (#13553)
• Upgraded simple-git from 3.33.0 to 3.36.0 (#13555)
• Bumped the patch-updates group: @slack/web-api 7.15.1 → 7.15.2, fs-extra, and uuid (#13567)
• Bumped dev-dependencies group: eslint 10.2.1 → 10.3.0 and globals (#13566)
• Bumped Jackson Java dependencies in invoke-local runtime wrappers: jackson-core, jackson-databind, jackson-datatype-joda (#13548, #13549, #13550)
• Bumped aws-actions/configure-aws-credentials from v6.1.0 to v6.1.1 in CI workflows (#13563)
• Added toml v4+ to the Dependabot ignore list to preserve Node.js 18 support (#13562)

Commits

• 8eb17c5 chore: release 4.36.1 (#13585)
• 2ef7705 fix: externalize esbuild from the bundle (#13581)
• df606ca chore(deps): bump the aws-sdk group across 1 directory with 30 updates (#13575)
• b752a23 chore(deps): bump the npm_and_yarn group across 11 directories with 1 update ...
• 9e185a3 chore(deps): update protobufjs to 7.5.7 (#13573)
• 1e18918 chore: release 4.36.0 (#13571)
• 2294877 feat: eliminate runtime npm install from binary installer (#13514)
• 06f1b1b fix(deps): bump urllib3 to 2.7.0 to patch decompression-bomb vuln (#13568)
• b176ad0 chore(deps): bump aws-actions/configure-aws-credentials (#13563)
• b707be4 chore(deps): bump the patch-updates group across 1 directory with 3 updates (...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)