chore(deps): bump aws-sdk and serverless

[dependabot]

Removes aws-sdk. It's no longer used after updating ancestor dependency serverless. These dependencies need to be updated together.

Removes aws-sdk

Updates serverless from 3.40.0 to 4.36.1

Release notes

Sourced from serverless's releases.

4.36.1

Bug Fixes

• Fixed framework hang during TypeScript configuration loading. Services with multi-file TypeScript configurations (a serverless.ts that imports other .ts files via relative imports) could deadlock during command startup, most reliably reproduced in AWS CodeBuild. The framework now handles nested TypeScript imports without the deadlock. (#13574, #13581)

• Fixed esbuild version conflicts with the serverless-esbuild plugin. Projects that pinned an esbuild version different from the framework's hit Cannot start service: Host version "X.Y.Z" does not match binary version "A.B.C" errors when running commands like serverless invoke local. Each esbuild instance now resolves its own platform binary independently, so both versions can coexist in the same project. (#13580, #13581)

Maintenance

• Bumped the AWS SDK group with 30 updates (#13575)
• Upgraded protobufjs from 7.5.5 to 7.5.7 (#13573)
• Bumped langsmith across bedrock-agentcore JavaScript examples (#13579)

4.36.0

Features

• Faster, more reliable installs. The Serverless Framework installer no longer needs to download dependencies from the npm registry at install time — everything required is pulled in a single download. Fresh installs also use less disk space (~42 MB saved per framework version). Existing projects work without changes. (#13514)

  Note: Existing users on an older installer will automatically pick up this faster install path the next time they update or fetch a new framework version. To also get the disk-space savings, update the installer with serverless update, or reinstall the serverless npm package.

Bug Fixes

• Patched urllib3 decompression-bomb vulnerability in Python test fixtures. Bumped urllib3 from 2.6.3 to 2.7.0 across all Python lockfiles (poetry, pipenv, pip, uv variants) to resolve GHSA-mf9v-mfxr-j63j. Affects only the test-suite Python environments — no impact on user deployments. (#13568)

• Patched a net/http infinite-loop CVE in the installer runtime. Picks up the upstream fix for CVE-2026-33814 (HTTP/2 CONTINUATION-frame infinite loop when SETTINGS_MAX_FRAME_SIZE=0). All released installers are rebuilt against the patched toolchain. (#13560)

Maintenance

• Patched additional moderate-severity dependency vulnerabilities:
  • Upgraded hono 4.12.14 → 4.12.18, fast-uri 3.0.6 → 3.1.2, fast-xml-builder 1.1.5 → 1.2.0, ip-address 10.1.0 → 10.2.0, and express-rate-limit 8.3.1 → 8.5.1 (#13564)
  • Bumped fast-uri across all 13 bedrock-agentcore JavaScript examples (#13561)
  • Bumped fast-xml-builder (along with two transitives) across all 13 bedrock-agentcore JavaScript examples (#13559)
• Bumped the AWS SDK group with 31 updates from 3.1035.0 to 3.1041.0 (#13565)
• Upgraded mongodb from 7.1.1 to 7.2.0 — adds support for MongoDB's Intelligent Workload Management (#13553)
• Upgraded simple-git from 3.33.0 to 3.36.0 (#13555)
• Bumped the patch-updates group: @slack/web-api 7.15.1 → 7.15.2, fs-extra, and uuid (#13567)
• Bumped dev-dependencies group: eslint 10.2.1 → 10.3.0 and globals (#13566)
• Bumped Jackson Java dependencies in invoke-local runtime wrappers: jackson-core, jackson-databind, jackson-datatype-joda (#13548, #13549, #13550)
• Bumped aws-actions/configure-aws-credentials from v6.1.0 to v6.1.1 in CI workflows (#13563)
• Added toml v4+ to the Dependabot ignore list to preserve Node.js 18 support (#13562)

4.35.1

Bug Fixes

• AppSync: @canonical, @hidden, and @renamed now work on field definitions. The bundled Merged API directive stubs only declared the OBJECT location, so applying these directives to fields failed packaging with errors like Directive "@canonical" may not be used on FIELD_DEFINITION.. They're now declared as OBJECT | FIELD_DEFINITION to match AWS's documented surface. (#13533, #13542). Thanks @​PatrykMilewski!

type Query {
  getMessage(id: ID!): Message @renamed(to: "getChatMessage")
  internalField: String @hidden
</tr></table> 

... (truncated)

Commits

• 8eb17c5 chore: release 4.36.1 (#13585)
• 2ef7705 fix: externalize esbuild from the bundle (#13581)
• df606ca chore(deps): bump the aws-sdk group across 1 directory with 30 updates (#13575)
• b752a23 chore(deps): bump the npm_and_yarn group across 11 directories with 1 update ...
• 9e185a3 chore(deps): update protobufjs to 7.5.7 (#13573)
• 1e18918 chore: release 4.36.0 (#13571)
• 2294877 feat: eliminate runtime npm install from binary installer (#13514)
• 06f1b1b fix(deps): bump urllib3 to 2.7.0 to patch decompression-bomb vuln (#13568)
• b176ad0 chore(deps): bump aws-actions/configure-aws-credentials (#13563)
• b707be4 chore(deps): bump the patch-updates group across 1 directory with 3 updates (...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.