This commit was created on GitHub.com and signed with GitHub’s verified signature.
Security Fixes
Update Go version to address CVE-2025-22871, related to net/http in the Golang stdlib: We’ve reviewed the recent CVE, which generally affects the Go standard library in web servers and web-related functionalities. Since the Serverless Framework is a CLI tool that does not rely on running a web server or handling web requests, users are not affected by this vulnerability. The CLI uses a small amount of Go to handle updating to the version set in frameworkCore in serverless.yml. Our update process uses HTTPS with SSL/TLS to securely check for and install new versions, ensuring no risk of exploitation or malicious code injection. All dependencies have been audited, and no vulnerabilities were found. However, upgrading is always a best practice, and we recommend users upgrade to the latest version to ensure they’re on the most secure release. This can be done via the serverless upgrade command, which will update the installer.