Next Serverless v3 Release ETA?

Does anyone know if there’s another release of Serverless v3 coming?

It’s been a pretty long time since 3.39.0 dropped and it’s now so out of date I am getting Security alerts…

What specifically is out of date in it?

Version 3 is also totally EOL in 3 months ( Upgrading to v4 - Serverless Framework - Upgrading to v4 ) and they’ve already refused to release an update to v3 for newer Python runtime values, preferring to hold it back to v4 only ( Provider runtime python3.12 is missing · Issue #12325 · serverless/serverless · GitHub ), so I think the chances of a release for something that’s only a niggle is very low.

This is the issue:

serverless@3.39.0 requires fast-xml-parser@4.2.5 via a transitive dependency on @aws-sdk/core@3.616.0

Which leaves me vulnerable to CVE-2024-41818.

Appreciate that we need to update to version 4, but that’s a non-trivial exercise (esbuild seems to break lots of things) and I was led to believe that version 3 was going to get Security fixes all through 2024.

Near as I can see in serverless/package.json at v3.39.0 · serverless/serverless · GitHub all the AWS deps start with a hat, so should upgrade when AWS release a fix.

That’s not happening?

But it seems aws-sdk/core isn’t listed? How are you replicating this?

It looks like AWS released the fix some time ago:

I think it’s these dependencies that cause @aws-sdk/core to be required:

  dependencies:
    "@aws-sdk/client-api-gateway" "^3.588.0"
    "@aws-sdk/client-cognito-identity-provider" "^3.588.0"
    "@aws-sdk/client-eventbridge" "^3.588.0"
    "@aws-sdk/client-iam" "^3.588.0"
    "@aws-sdk/client-lambda" "^3.588.0"
    "@aws-sdk/client-s3" "^3.588.0"

I see the hats, though weirdly it won’t go up past version 3.616.0 for any of them. Not sure if that means the problem is on my side, but I can see it does this for all 3 of my serverless v3 repos.

If I do npm i serverless@3 in a fresh folder, then npm ll -a includes

  ├─┬ @aws-sdk/client-api-gateway@3.637.0
  │ ├─┬ @aws-sdk/middleware-sdk-api-gateway@3.620.0

which is later than what you are seeing, and from what you say should have the fixed version.

I’m on Linux (Ubuntu 24.10 LTS); with Node v18.

What else is different at your side?


Thanks Tom, really appreciate your help.

So what I think is going on here is that the AWS SDK versions are stuck on what they were when I upgraded to Serverless 3.39.0 and probably I need to force them to update somehow (maybe delete and recreate the yarn.lock file?)

I believe that there probably should still be a Security update to Serverless v3, as those minimum versions of the SDK packages are too low. However, I won’t hold my breath.

We don’t use Yarn, but first step I would do is delete package-lock.json and node_modules, and re-run npm i.
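One way to see which copies of a package a lockfile actually resolved, before and after that reinstall, is to walk the lockfile itself. This is an added example, not code from this thread or from the Serverless project; the lockfile contents are constructed, and the "4.4.1" floor is an assumption to be replaced with the fixed version named in the advisory.

```javascript
// Added example, not from the thread or the Serverless project. Scans an npm
// lockfile (lockfileVersion 2 or 3, "packages" keyed by node_modules paths) for
// every installed copy of a package and flags copies below a minimum version.

// Constructed sample lockfile; the nested fast-xml-parser@4.2.5 under
// @aws-sdk/core mirrors the transitive dependency discussed in the thread.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { serverless: "^3.39.0" } },
    "node_modules/serverless": { version: "3.39.0" },
    "node_modules/@aws-sdk/core": { version: "3.616.0" },
    "node_modules/@aws-sdk/core/node_modules/fast-xml-parser": { version: "4.2.5" },
    "node_modules/fast-xml-parser": { version: "4.9.9" }, // hypothetical hoisted copy
  },
};

// Numeric dotted-version comparator (<0, 0, >0). Pre-release suffixes are
// dropped, which is enough for a "below the fixed version" floor check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report every installed copy of `pkg`, the parent chain that pulled it in
// (each node_modules segment above it), and whether it is older than `minSafe`.
function findVulnerableCopies(lock, pkg, minSafe) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + pkg) || !entry.version) continue;
    const parents = path.split("node_modules/").slice(1, -1).map((s) => s.replace(/\/$/, ""));
    hits.push({
      path, version: entry.version,
      via: parents.length ? parents.join(" > ") : "(top level)",
      vulnerable: compareVersions(entry.version, minSafe) < 0,
    });
  }
  return hits;
}

// "4.4.1" is an assumed floor here; take the real fixed version from the advisory.
for (const h of findVulnerableCopies(SAMPLE_LOCK, "fast-xml-parser", "4.4.1")) {
  console.log(`${h.vulnerable ? "VULNERABLE" : "ok"} ${h.path}@${h.version} via ${h.via}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and diff the output before and after regenerating the lockfile.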

Hi Tom, when you wrote “EOL”, does it mean no more support/enhancements/updates, or does it mean the other way around, like removing/deleting/terminating the version?

I understand the Serverless team’s position to mean no further updates, even for security as well as no support.