chore: bump serverless from 3.40.0 to 4.33.3 in /examples/serverless-offline

[dependabot]

Bumps serverless from 3.40.0 to 4.33.3.

Release notes

Sourced from serverless's releases.

4.33.3

Bug Fixes

Serverless Framework

• Locked transitive dependencies in distributed packages to harden against supply chain attacks. Previously, the framework tarball and npm installer package shipped without a lockfile, allowing transitive dependencies to resolve fresh from the registry on each install. Both packages now include npm-shrinkwrap.json files that pin the entire dependency tree to exact versions. (#13453, #13458)

Maintenance

• Upgraded lodash to v4.18.1 with security fixes for prototype pollution via _.unset/_.omit (GHSA-f23m-r3pf-42rh) and code injection via _.template imports (GHSA-r5fr-rjxr-66jc, CVE-2026-4800) (#13469)
• Upgraded simple-git to v3.33.0 with enhanced input sanitization for git.clone/git.mirror and stricter git -c checks in the unsafe plugin (#13467)
• Upgraded @​modelcontextprotocol/sdk to v1.28.0 (#13474)
• Bumped the AWS SDK group with multiple updates (#13462, #13463, #13471, #13473)
• Bumped the patch-updates group with 3 updates (#13464)
• Bumped github.com/fatih/color to v1.19.0 in the binary installer (#13459)
• Bumped actions/setup-go to v6.4.0 (#13460)

4.33.2

Bug Fixes

Serverless Framework

• Pinned axios in the Framework runtime package. (#13453, #13454)

4.33.1

Bug Fixes

Serverless Framework

• Hardened installer against supply chain attacks. Replaced axios, axios-proxy-builder, and tunnel with Node.js built-in fetch() and undici.ProxyAgent for binary downloads. Removed unused xml2js dependency. Pinned remaining dependencies to exact versions and added min-release-age=3 to .npmrc to prevent npm from resolving to very recently published packages. Proxy support now works correctly for both postInstall and run entry points. (#13450)

• Fixed fast-xml-parser XML entity expansion vulnerability (GHSA-8gc5-j5rx-235r). Updated @aws-sdk/xml-builder to resolve fast-xml-parser from 5.4.1 to 5.5.8, patching a numeric entity expansion bypass that could circumvent all entity expansion limits. (#13412, #13421)

• Fixed Jackson vulnerability in Java invoke-local runtime. Bumped jackson-core, jackson-databind, and jackson-datatype-joda from 2.21.0 to 2.21.1 to fix an allocation of resources without limits vulnerability. Also corrected jackson-annotations version from 2.21.0 to 2.21 to match Maven Central's new versioning scheme starting from Jackson 2.20. (#13379, #13382)

• Patched vulnerable transitive dependencies. Refreshed lockfile resolutions across examples and the root workspace to fix express-rate-limit IPv4-mapped IPv6 bypass, fastify Content-Type validation bypass, and hono static file access and cookie injection vulnerabilities. (#13397)

Serverless Container Framework

• Fixed zlib vulnerabilities in dev-mode-proxy container. Upgraded Alpine packages and bumped the base image from node:20-alpine to node:24-alpine to patch critical zlib out-of-bounds write (CVE-2026-22184) and medium-severity input validation (CVE-2026-27171) vulnerabilities. (#13395, #13396)

Maintenance

• Updated multiple dependencies:
  • Bumped the AWS SDK group with 4 batch updates (#13387, #13405, #13414, #13446)
  • Updated the npm_and_yarn group across multiple directories (#13392, #13401, #13420, #13431, #13444)
  • Upgraded the dev-dependencies group (#13372, #13406, #13415, #13428, #13432, #13442)
  • Updated the patch-updates group (#13388, #13407, #13416, #13429)
  • Bumped the pip group across 14 directories (#13369)
  • Updated the uv group across 14 directories (#13435)

... (truncated)

Commits

• d21bb09 chore: release 4.33.3 (#13472)
• 987afbb chore(deps): bump the aws-sdk group with 30 updates (#13473)
• 8e7b077 chore(deps): bump the aws-sdk group (#13471)
• 362cc54 chore(deps): bump @​modelcontextprotocol/sdk from 1.27.1 to 1.28.0 (#13474)
• ed88ace chore(dependabot): add ignore rule for get-stdin v10 (#13470)
• 59450e5 chore(deps): bump simple-git from 3.32.3 to 3.33.0 (#13467)
• 5b0bb24 chore(deps): bump lodash (#13468)
• a2b5247 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#13469)
• 77d0b35 chore(deps): bump the aws-sdk group with 30 updates (#13463)
• 79af334 chore(deps): bump @​aws-sdk/client-cloudfront-keyvaluestore from 3.1015.0 to 3...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serverless since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)