chore(deps): bump tar and serverless #80

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/multi-f4247ab391
@dependabot dependabot Bot commented on behalf of github May 7, 2026

Removes tar. It's no longer used after updating ancestor dependency serverless. These dependencies need to be updated together.

Removes tar

Updates serverless from 3.40.0 to 4.35.1

Release notes

Sourced from serverless's releases.

4.35.1

Bug Fixes

  • AppSync: @canonical, @hidden, and @renamed now work on field definitions. The bundled Merged API directive stubs only declared the OBJECT location, so applying these directives to fields failed packaging with errors like Directive "@canonical" may not be used on FIELD_DEFINITION.. They're now declared as OBJECT | FIELD_DEFINITION to match AWS's documented surface. (#13533, #13542). Thanks @​PatrykMilewski!
```graphql
type Query {
  getMessage(id: ID!): Message @renamed(to: "getChatMessage")
  internalField: String @hidden
}
```
  • Python: lambda layer is now built for layer-only services. Services that declared custom.pythonRequirements.layer with no functions: block silently produced an empty CloudFormation stack. The runtime guard now also activates when pythonRequirements.layer is set and the provider runtime starts with python, restoring parity with the standalone serverless-python-requirements plugin. Heads up: services that previously hit this bug will now actually invoke pip on serverless package, so set pythonBin or use dockerizePip if the matching pythonX.Y binary isn't available locally. (#13541)
```yaml
provider:
  runtime: python3.13
custom:
  pythonRequirements:
    layer: true
```
  • Python: zip entry paths are now normalized to forward slashes on Windows. globSync was preserving Windows backslashes in ZIP archive entries, which broke the ZIP spec and caused import mismatches at runtime. Entries are now written with POSIX-style / separators on every platform, and ci-python.yml also runs Python tests on Windows when Python paths change. (#13307, #13383, #13546). Thanks @​Tsingis!

Maintenance

  • Patched GHSA-w5hq-g745-h8pq (uuid v3/v5/v6 missing buffer bounds check) in the langgraph-* JavaScript example lockfiles under bedrock-agentcore/examples/javascript/ by bumping nested uuid from 13.0.0 to 13.0.2. Lockfile-only, and these examples aren't shipped in the published package. (#13545)
  • Bumped axios from 1.15.0 to 1.15.2 (transitive, lockfile-only) for upstream security-hardening patches. (#13544)

4.35.0

Features

  • Added uv dependency-group and optional-dependency controls for Python packaging. Four new custom.pythonRequirements options let you control which extras and groups are included in the deployment package, mirroring the existing Poetry group support. --no-dev is always passed to keep dev dependencies out of Lambda packages by default; opt in via uvWithGroups: [dev] if needed. Read more in the docs. (#13499, #13500) — Thanks @​jax-b!
```yaml
custom:
  pythonRequirements:
    uvOptionalDependencies: # → uv export --extra <name>
      - heavy
    uvWithGroups: # → uv export --group <name>
      - prod
    uvWithoutGroups: # → uv export --no-group <name>
      - test
    uvOnlyGroups: # → uv export --only-group <name>
      - lambda
```

Bug Fixes

  • Fixed sls deploy --package failure with the esbuild builder. Esbuild zip artifacts are now written to .serverless/<name>.zip instead of .serverless/build/<name>.zip, matching the path that extended-validate.js reconstructs. The two-process sls package + sls deploy --package .serverless flow no longer fails with MISSING_ARTIFACT_FILE. The .serverless/build/ directory remains the staging area for intermediate build artifacts (compiled JS, package.json, lockfiles, node_modules) — only the final zip moves up. (#12964, #13507)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.


Most Recent Ignore Conditions Applied to This Pull Request
| Dependency Name | Ignore Conditions |
| --- | --- |
| serverless | [>= 4.a, < 5] |

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 7, 2026
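
The two notices in the PR description above (a new publisher and a modified postinstall script) can be checked mechanically before accepting a bump like this one. The following is an added example, not part of the original PR or Dependabot's own code; it assumes version manifests shaped like npm registry metadata (`scripts`, `_npmUser`), and the sample manifests and all their values are constructed.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Compare two version manifests and return the changes a reviewer should
// inspect before upgrading: install-time scripts and the publishing account.
function reviewUpgrade(oldManifest, newManifest) {
  const findings = [];
  const oldScripts = oldManifest.scripts || {};
  const newScripts = newManifest.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    const before = oldScripts[hook];
    const after = newScripts[hook];
    if (before === after) continue; // unchanged or absent in both versions
    const kind =
      before === undefined ? "added" :
      after === undefined ? "removed" : "modified";
    findings.push({ check: "install-script", hook, kind, before, after });
  }

  const oldPublisher = oldManifest._npmUser && oldManifest._npmUser.name;
  const newPublisher = newManifest._npmUser && newManifest._npmUser.name;
  if (oldPublisher !== newPublisher) {
    findings.push({ check: "publisher", kind: "changed",
                    before: oldPublisher, after: newPublisher });
  }
  return findings;
}

// Constructed sample manifests (hypothetical package, NOT serverless metadata).
const SAMPLE_OLD = {
  version: "1.0.0",
  scripts: { test: "mocha", postinstall: "node ./scripts/postinstall.js" },
  _npmUser: { name: "maintainer-a" },
};
const SAMPLE_NEW = {
  version: "2.0.0",
  scripts: { test: "mocha", preinstall: "node ./bin/check.js",
             postinstall: "node ./bin/setup.js" },
  _npmUser: { name: "ci-publisher" },
};

console.log(JSON.stringify(reviewUpgrade(SAMPLE_OLD, SAMPLE_NEW), null, 2));
```

Any `install-script` finding means the referenced file in the new tarball should be read before the upgrade is installed; installing with npm's `--ignore-scripts` keeps hooks from running in the meantime.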
@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

Removes [tar](https://github.com/isaacs/node-tar). It's no longer used after updating ancestor dependency [serverless](https://github.com/serverless/serverless). These dependencies need to be updated together.


Removes `tar`

Updates `serverless` from 3.40.0 to 4.35.1
- [Release notes](https://github.com/serverless/serverless/releases)
- [Changelog](https://github.com/serverless/serverless/blob/main/RELEASE_PROCESS.md)
- [Commits](https://github.com/serverless/serverless/compare/v3.40.0...sf-core@4.35.1)

---
updated-dependencies:
- dependency-name: serverless
  dependency-version: 4.35.1
  dependency-type: direct:development
- dependency-name: tar
  dependency-version: 
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-f4247ab391 branch from 81618ab to 363563f Compare May 7, 2026 17:00
@khvn26 khvn26 closed this May 7, 2026
dependabot Bot commented on behalf of github May 7, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-f4247ab391 branch May 7, 2026 18:25