Features

Serverless Framework

• Added AWS Bedrock AgentCore integration for deploying and managing AI agents. Define agents, tools, memory, browsers, and code interpreters via a new ai top-level block in serverless.yml. The Framework compiles agent resources to CloudFormation with least-privilege IAM roles, builds and uploads Docker images to ECR, and supports both JavaScript and Python runtimes. New CLI commands include sls invoke -a <agent> (with JSON and SSE streaming), sls logs -a <agent>, and sls dev mode for agents with hot-reload. Includes 20+ example agents covering LangGraph, MCP servers, browser automation, code interpreters, and more. Read more in the AI Agents documentation. (#13353)

functions:
  calculatorFunction:
    handler: handlers/calculator.handler

ai:
  tools:
    calculator:
      function: calculatorFunction
      toolSchema:
        - name: calculate
          inputSchema:
            type: object
            properties:
              expression:
                type: string
            required:
              - expression

  agents:
    assistant:
      memory:
        expiration: 30

# Deploy the agent
sls deploy

# Invoke with streaming
sls invoke -a assistant -d "What is 2+2?"

# Tail agent logs
sls logs -a assistant --tail

• Dev mode now matches the shim runtime to your local Node.js version. Previously, dev mode always used nodejs20.x for the remote shim regardless of your local Node.js version. The Framework now automatically selects the matching AWS Lambda runtime (e.g., local Node.js 22 -> nodejs22.x), and falls back to nodejs20.x with a warning when the local version isn't supported by Lambda. (#13355, #13362)

• Added JSDoc descriptions to the configuration schema for TypeScript type generation. All JSON Schema properties across 30+ config schema files now include description, @see, @example, @default, @deprecated, and @since annotations. This enables auto-generated TypeScript type definitions (via serverless/typescript) with rich inline documentation, hover tooltips, and link-to-docs support in IDEs. (#13345)

Bug Fixes

Serverless Framework

• Fixed Python packaging with uv failing when the root project is included in requirements. Without --no-emit-project, uv export included the root project as an editable dependency (-e .) in the generated requirements.txt, causing uv pip install to fail inside Docker containers where pyproject.toml is not present. The Framework now passes --no-emit-project to exclude it. Read more in the Python support guide. (#13346, #13348)

Maintenance

• Upgraded minimatch from 5.1.6/9.0.5 to 10.2.1 to resolve a high-severity ReDoS vulnerability (GHSA-3ppc-4f35-3m26) in production dependencies (#13363)
• Upgraded @aws-sdk/* from 3.982.0 to 3.993.0 (#13357)
• Upgraded ajv from 8.17.1 to 8.18.0 (#13352)
• Upgraded @slack/web-api from 7.13.0 to 7.14.0 (#13359)
• Upgraded is-wsl from 3.1.0 to 3.1.1 (#13358)
• Upgraded golang.org/x/mod from 0.32.0 to 0.33.0 in binary-installer (#13356)

Features

Serverless Framework

• Added support for .NET 10 runtime (dotnet10). (#13330, #13331) - Thanks @mungojam!

provider:
  name: aws
  runtime: dotnet10

• Added --on-exit=remove option for Dev Mode. When exiting serverless dev with Ctrl+C, this option prompts to remove the deployed service stack, streamlining teardown after development. (#13342, #13321)

serverless dev --on-exit=remove

• Added accessMode configuration for API Gateway custom domains. You can now set the API Gateway endpoint access mode to basic or strict for REST API domains managed through API Gateway V1. (#13329, #13332, #13343)

custom:
  domain:
    name: api.example.com
    apiType: rest
    securityPolicy: SecurityPolicy_TLS13_2025_EDGE
    accessMode: strict

Note
The accessMode setting requires an enhanced securityPolicy (e.g., SecurityPolicy_TLS13_2025_EDGE) and is only supported for REST API domains. HTTP API and WebSocket domains use API Gateway V2, which does not support this setting.

Bug Fixes

Serverless Framework

• Fixed Dev Mode connection breakage from large MQTT payloads. Requests or responses exceeding AWS IoT Core's 128 KB MQTT payload limit would silently break the connection, leaving the CLI in a zombie state where it appeared connected but all subsequent invocations failed. The Framework now checks payload sizes proactively and returns clear error messages instead of breaking the connection. (#13313)
• Fixed S3 upload failure when deploying symlinked artifacts. AWS SDK v3 uses lstatSync to determine file size for multipart uploads, which returns the symlink size instead of the target file size. This caused "Expected N part(s) but uploaded M part(s)" errors when plugins like serverless-python-requirements cache artifacts as symlinks. The Framework now passes an explicit ContentLength to S3. (#13317)

Maintenance

• Upgraded AWS SDK v3 from 3.968.0 to 3.982.0 (#13303, #13314, #13334)
• Upgraded @modelcontextprotocol/sdk from 1.25.3 to 1.26.0 — security fix for cross-client response data leak (#13323)
• Upgraded mongodb from 7.0.0 to 7.1.0 (#13337)
• Upgraded jackson-core, jackson-databind, jackson-annotations, and jackson-datatype-joda to 2.21.0 in Java invoke-local wrapper (#13340)
• Upgraded fast-xml-parser to 5.3.4 (#13311)
• Upgraded esbuild from 0.27.2 to 0.27.3 (#13336)
• Upgraded axios from 1.13.3 to 1.13.5 (#13319, #13336)
• Upgraded zod from 4.3.5 to 4.3.6 (#13305)
• Upgraded semver from 7.7.3 to 7.7.4 (#13336)
• Upgraded dotenv from 17.2.3 to 17.2.4 (#13336)
• Upgraded prettier from 3.8.0 to 3.8.1 (#13304)
• Upgraded globals from 17.0.0 to 17.3.0 (#13318, #13335)
• Upgraded aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 (#13333)
• Upgraded actions/checkout from 6.0.1 to 6.0.2, actions/setup-python from 6.1.0 to 6.2.0 (#13302)
• Pinned @axiomhq/js below v1.4.0 to maintain Node.js 18 compatibility (#13324)

Bug Fixes

Serverless Container Framework

• Fixed Zod validation error when deploying Fargate containers. Resolved a TypeError: Cannot read properties of undefined (reading '_zod') that occurred when deploying container services with [email protected] deployment type. The error was caused by an incomplete Zod v4 migration where z.record() required two arguments instead of one. (#13297, #13298)

Features

Serverless Framework

• Added custom User-Agent header for AWS SDK requests. The framework now includes serverless-framework/<version> in the User-Agent header for all AWS SDK v3 API calls, improving request identification and diagnostics. (#13279, #13245)

Bug Fixes

Serverless Framework

• Fixed Lambda destinations error with per-function IAM roles. Resolved a TypeError that occurred when using Lambda destinations (onSuccess/onFailure) while provider.iam.role.mode: perFunction was enabled. The framework now correctly applies the required destination permissions to each function's individual IAM role. (#13293, #13292)
• Fixed custom domain security policy validation. Improved support for enhanced AWS security policies, specifically enabling TLS 1.3 policies like SecurityPolicy_TLS13_2025_EDGE. Legacy shorthand values (tls_1_0, tls_1_2) remain supported, while invalid tls_1_3 was removed. (#13294, #13290)
• Fixed file watching issues on macOS. Enabled polling mode in chokidar to prevent EMFILE: too many open files errors encountered on large projects after the recent chokidar v4 upgrade. (#13281, #13268)

Maintenance

• Updated multiple dependencies:
  • Upgraded eslint to v9 (#13258)
  • Bumped the AWS SDK group with 31 updates (#13287)
  • Upgraded lodash to v4.17.23 (#13288, #13289)
  • Updated the uv package group with 2 updates (#13277)
  • Updated actions/setup-node in the actions group (#13286)
  • Upgraded zod to v4 (#13274)

Features

Serverless Framework

• Integrated serverless-prune-plugin functionality. Lambda version and layer pruning is now built directly into the Serverless Framework. Use the sls prune command to manually remove old function versions, or enable automatic pruning after deployments via the custom.prune configuration. Read more in our docs. (#13244)

  Thanks to @claygregory for creating the original plugin and to all contributors!

  custom:
    prune:
      automatic: true
      number: 3           # Keep 3 most recent versions
      includeLayers: true # Also prune layer versions

  # Manual pruning
  sls prune -n 3

• Added support for AWS Asia Pacific (Taipei) region ap-east-2. (#13260, #13257)

  provider:
    name: aws
    region: ap-east-2

Bug Fixes

Serverless Framework

• Fixed esbuild sourcemap configuration error. Setting build.esbuild.sourcemap.setNodeOptions: false no longer throws "sourcemap" must be a string or a boolean. The framework now correctly defaults to sourcemap: true when only setNodeOptions is specified. (#13246)

• Fixed AppSync schema empty on Windows. Resolved an issue where .graphql schema files using glob patterns (e.g., Schema/*.graphql) were not found on Windows due to path separator incompatibility with globby. (#13242, #13240)

• Fixed Windows CI/CD intermittent failures. Resolved EPERM: operation not permitted, rename errors on Windows by using the system temp directory for AJV cache and adding retry logic with exponential backoff for file operations. (#13243, #13264)

Maintenance

• Updated multiple dependencies:
  • Upgraded dotenv to v17.2.3 (#13259)
  • Upgraded chokidar to v4.0.3 (#13251)
  • Upgraded jest to v30.2.0 (#13250)
  • Upgraded globby to v14 (#13236)
  • Upgraded hono to v4.11.4 (#13247)
  • Upgraded luxon from v2.5.2 to v3.7.2 (#13235)
  • Upgraded terminal-link to v4.0.0 (#13232)
  • Upgraded ajv-formats to v3 (#13230)
  • Upgraded ws from v7.5.10 to v8.19.0 (#13226)
  • Upgraded express from v4 to v5 in @serverless/mcp (#13231)
  • Upgraded undici to v6.23.0 (#13252)
  • Upgraded @graphql-tools/merge from v8.4.2 to v9.1.7 (#13263)
  • Bumped AWS SDK group with 31 updates (#13253)

Features

• Serverless Framework

  • Added native AWS AppSync support directly in the Serverless Framework. This integration brings the functionality of the popular serverless-appsync-plugin into core, providing first-class support for deploying GraphQL APIs with AWS AppSync. Read more in our docs. (#13217)

    appSync:
      name: my-api
      schema: schema.graphql
      authentication:
        type: API_KEY
      dataSources:
        myTable:
          type: AMAZON_DYNAMODB
          config:
            tableName: !Ref MyTable
      resolvers:
        Query.getUser:
          dataSource: myTable

  • Added sls login aws sso command to authenticate with AWS using IAM Identity Center (SSO). Read more in our docs. (#13221)

    sls login aws sso --sso-session my-session

  • Added support for Ruby 3.4 runtime (ruby3.4). (#13215) - Thanks @dakatsuka!

Bug Fixes

• Serverless Framework

  • Fixed custom domain deployment failing when using --aws-profile credentials by migrating the domain plugin to AWS SDK v3 (#13109, #13178).
  • Fixed sls deploy failing with "Cannot find 'serverless-compose.yml|yaml'" for deeply nested service paths when using the esbuild plugin (#13201).
  • Fixed stale code deployment when using uv as the Python package installer by auto-reinstalling local packages based on their pyproject.toml name (#13169).
  • Fixed unhelpful "Stack with id does not exist" error when stack creation fails due to invalid Fn::ImportValue references. The framework now properly detects and reports the underlying CloudFormation error. Also fixed serverless deploy --verbose hanging when disableRollback: true is set (#13181).
  • Fixed regression in TypeScript type definitions where Resources only accepted Fn::Transform keys instead of arbitrary resource names (#13183).

• Serverless Container Framework

  • Fixed handling of multiple DNS validation records for ACM certificates in multi-domain configurations (#13206).

Maintenance

• Updated multiple dependencies including AWS SDK packages and upgraded @modelcontextprotocol/sdk to v1.25.2 which includes a security fix (#13216, CVE-2026-0621).

Bux Fixes

• Serverless MCP
  • Added validation for docs path in docs tool

Maintenance

• Updated multiple dependencies

Bux Fixes

• Serverless MCP
  • Added validation for workspaceDir in theproject-finder tool

Maintenance

• Updated multiple dependencies

Features

• Serverless Framework
  • Added sls login aws command. Learn more in the docs.

Bux Fixes

• Serverless Framework
  • Avoid adding unnecessary duplicate managed policies for durable functions

Maintenance

• Serverless Framework
  • Updated Java local invoke bridge dependencies

Features

• Serverless Framework
  • Added support for AWS Lambda Managed Instances. Learn more in the docs.
  • Added support for AWS Lambda durable functions. Learn more in the docs. (#13180)

Maintenance

• Upgrade aws-sdk-js-v3 to 3.943.0