
Bump serverless from 4.34.0 to 4.35.0#202

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/serverless-4.35.0


@dependabot dependabot Bot commented on behalf of github May 5, 2026

Bumps serverless from 4.34.0 to 4.35.0.

Release notes

Sourced from serverless's releases.

4.35.0

Features

  • Added uv dependency-group and optional-dependency controls for Python packaging. Four new custom.pythonRequirements options let you control which extras and groups are included in the deployment package, mirroring the existing Poetry group support. --no-dev is always passed to keep dev dependencies out of Lambda packages by default; opt in via uvWithGroups: [dev] if needed. Read more in the docs. (#13499, #13500) — Thanks @​jax-b!
custom:
  pythonRequirements:
    uvOptionalDependencies: # → uv export --extra <name>
      - heavy
    uvWithGroups: # → uv export --group <name>
      - prod
    uvWithoutGroups: # → uv export --no-group <name>
      - test
    uvOnlyGroups: # → uv export --only-group <name>
      - lambda

Bug Fixes

  • Fixed sls deploy --package failure with the esbuild builder. Esbuild zip artifacts are now written to .serverless/<name>.zip instead of .serverless/build/<name>.zip, matching the path that extended-validate.js reconstructs. The two-process sls package + sls deploy --package .serverless flow no longer fails with MISSING_ARTIFACT_FILE. The .serverless/build/ directory remains the staging area for intermediate build artifacts (compiled JS, package.json, lockfiles, node_modules) — only the final zip moves up. (#12964, #13507)

  • Fixed duplicate PATH entries from the binary installer script. The installer used $(grep -q ...) command substitution to detect whether .serverless/bin was already in the shell config; because -q suppresses output, the substitution always returned an empty string and the condition was always true, so a new line was appended on every install. The script now checks the exit status directly and properly quotes $SHELL_CONFIG. (#13394, #13410) — Thanks @​gaurav0909-max!

Maintenance

  • Patched moderate-severity security vulnerabilities:
    • Upgraded fast-xml-parser from 5.5.8 to 5.7.1 to patch GHSA-gh4j-gqv2-49f6 (XMLBuilder XML comment and CDATA injection via unescaped delimiters) (#13521)
    • Patched GHSA-w5hq-g745-h8pq (uuid v3/v5/v6 missing buffer bounds check) by bumping nested uuid versions and replacing dockerode 4.0.10 with 5.0.0, which drops the uuid dependency entirely (#13530)
    • Upgraded follow-redirects from 1.15.11 to 1.16.0, hono from 4.12.12 to 4.12.14, and protobufjs from 7.5.3 to 7.5.5 to pick up upstream vulnerability patches (#13516)
    • Upgraded fastify to 5.8.5 to patch GHSA-247c-9743-5963 (CVE-2026-33806) and bumped langsmith from 0.5.6 to 0.5.18 across the bedrock-agentcore JS examples (#13496, #13513)
  • Bumped the AWS SDK group with 33 updates from 3.1017.0 to 3.1035.0 (#13526) and an additional 3 updates in packages/framework-dist (#13510)
  • Upgraded https-proxy-agent from 7.0.6 to 8.0.0 (major version bump — CJS to ESM conversion only, no API or behavior changes; transparent for the workspace which is already ESM) (#13535)
  • Upgraded undici from 6.24.1 to 6.25.0 in packages/util (#13536) and packages/sf-core-installer (#13519)
  • Upgraded ws from 8.19.0 to 8.20.0 (#13537)
  • Upgraded @slack/web-api from 7.14.1 to 7.15.1 (#13538)
  • Upgraded @graphql-tools/merge from 9.1.7 to 9.1.9 and bumped grouped patch updates including adm-zip, eventsource-parser, and filesize (#13532)
  • Upgraded pytest from 8.4.2 to 9.0.3 in the uv test fixtures (#13503)
  • Upgraded golang.org/x/mod from 0.34.0 to 0.35.0 in binary-installer (#13518)
Commits
  • 29ee176 chore: release 4.35.0 (#13540)
  • 153dcc8 chore(deps): bump https-proxy-agent from 7.0.6 to 8.0.0 (#13535)
  • b007932 chore(deps): bump undici from 6.24.1 to 6.25.0 (#13536)
  • 21cb25d chore(deps): bump ws from 8.19.0 to 8.20.0 (#13537)
  • 2cabfb0 chore(deps): bump @​slack/web-api from 7.14.1 to 7.15.1 (#13538)
  • d97bb82 chore(deps): consolidate npm dependabot ecosystems (#13534)
  • 1f9ca48 chore(deps): bump the aws-sdk group across 1 directory with 33 updates (#13526)
  • d8db0b4 chore(deps): bump the aws-sdk group across 1 directory with 3 updates (#13510)
  • 0c813f1 chore(deps): bump the patch-updates group across 1 directory with 4 updates (...
  • 3c9933b chore(deps): bump undici in /packages/sf-core-installer (#13519)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
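
The `$(grep -q ...)` installer bug described in the 4.35.0 release notes above, reproduced as an added example (not the Serverless installer's actual script and not part of Dependabot's comment). The function names, `MARKER` and `EXPORT_LINE` are assumptions; the last function shows why quoting the config path matters as well.

```shell
# Added illustration, not the Serverless installer's code. Function names,
# MARKER and EXPORT_LINE are assumptions made for this example.
MARKER='.serverless/bin'
EXPORT_LINE='export PATH="$HOME/.serverless/bin:$PATH"'

# Buggy pattern: tests grep's *output*. -q prints nothing, so the substitution
# is always empty, -z is always true, and a line is appended on every run.
add_path_buggy() {
  if [ -z "$(grep -q "$MARKER" "$1")" ]; then
    printf '%s\n' "$EXPORT_LINE" >> "$1"
  fi
}

# Fixed pattern: branch on grep's exit status, with the path quoted.
add_path_fixed() {
  if ! grep -qF -- "$MARKER" "$1" 2>/dev/null; then
    printf '%s\n' "$EXPORT_LINE" >> "$1"
  fi
}

# Run installer function $1 $2 times on a fresh config file; print the number
# of PATH lines it left behind.
count_after_runs() {
  cfg=$(mktemp)
  i=0
  while [ "$i" -lt "$2" ]; do
    "$1" "$cfg"
    i=$((i + 1))
  done
  grep -cF -- "$MARKER" "$cfg"
  rm -f "$cfg"
}

# Why quoting matters even with the exit-status check: for a config path that
# contains a space, the unquoted form splits into names that do not exist, so
# grep fails and the check would append again. Prints "<unquoted> <quoted>".
status_with_space_in_path() {
  dir=$(mktemp -d)
  cfg="$dir/shell config"
  printf '%s\n' "$EXPORT_LINE" > "$cfg"
  unquoted=0; grep -qF -- "$MARKER" $cfg 2>/dev/null || unquoted=$?
  quoted=0; grep -qF -- "$MARKER" "$cfg" 2>/dev/null || quoted=$?
  rm -rf "$dir"
  echo "$unquoted $quoted"
}

echo "buggy, 3 installs: $(count_after_runs add_path_buggy 3) PATH lines"
echo "fixed, 3 installs: $(count_after_runs add_path_fixed 3) PATH lines"
```
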

Bumps [serverless](https://github.com/serverless/serverless) from 4.34.0 to 4.35.0.
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/sf-core@4.34.0...sf-core@4.35.0)

---
updated-dependencies:
- dependency-name: serverless
  dependency-version: 4.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels May 5, 2026