Disabling auto-updates

[Tsingis]

I want to use only npm managed version with package.json and package-lock.json.

I'm getting this in CI every serverless package and serverless deploy commands

Updating Serverless Framework...
✔ Installed Serverless Framework v4.31.2
Disable auto-updates by adding "frameworkVersion" to your serverless.yml (frameworkVersion: ~4.31.2)

Is there a way to toggle off this feature completely without specifying the version?

[sunnypatell]

@Tsingis short answer: there's no env var or config flag to disable auto-updates in v4 without frameworkVersion. the v3 SLS_DISABLE_AUTO_UPDATE env var was removed.

the reason your npm lockfile doesn't help: in v4, the npm serverless package is just a thin bootstrapper that downloads a Go binary to ~/.serverless/binaries/. that Go binary fetches versions.json from install.serverless.com every 24 hours and downloads the latest framework release to ~/.serverless/releases/<version>/. your package.json version only controls the bootstrapper, not the actual framework. this is tracked in #12886.

for CI, the cleanest workaround without touching serverless.yml is to keep the metadata timestamp fresh so the 24h check never triggers:

# before serverless commands in CI
METADATA="$HOME/.serverless/binaries/metadata.json"
if [ -f "$METADATA" ]; then
  python3 -c "
import json, datetime
m = json.load(open('$METADATA'))
m['updateLastChecked'] = datetime.datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%S.000Z')
json.dump(m, open('$METADATA', 'w'))
"
fi

this tricks the binary into thinking it just checked, skipping the network call entirely.

if you just want it pinned, the least-maintenance option in serverless.yml is a tilde range:

frameworkVersion: '~4.31'

this locks to 4.31.x and lets patch bumps through.

ref: issue #12886 (npm version ignored) | issue #12866 (update specs) | source: binary-installer/main.go

[Tsingis]

What if tools like dependabot or renovate update the npm version? Is there a good way to sync frameworkVersion then?``

[sunnypatell]

@Tsingis good question. a few options depending on your setup:

renovate has custom managers (formerly regexManagers) that can match patterns in any file. you can add something like this to your renovate.json:

{
  "customManagers": [
    {
      "customType": "regex",
      "fileMatch": ["serverless\\.yml$"],
      "matchStrings": ["frameworkVersion:\\s*['\"~^]*(?<currentValue>[0-9.]+)"],
      "depNameTemplate": "serverless",
      "datasourceTemplate": "npm"
    }
  ]
}

this tells renovate to find the version in frameworkVersion, treat it as the serverless npm package, and bump it alongside package.json. works well in practice.

dependabot doesn't support custom file patterns natively. your best bet there is a small github action that runs after dependabot PRs and patches serverless.yml to match. something like:

- run: |
    VER=$(node -p "require('./package.json').devDependencies.serverless")
    sed -i "s/frameworkVersion: .*/frameworkVersion: '~${VER}'/" serverless.yml

or if you don't need exact pinning, just set frameworkVersion: '4' in serverless.yml and let it float on all 4.x releases. then the bot bumps in package.json are irrelevant since frameworkVersion already allows the range. least maintenance by far.

[throrin19]

Is it not possible to just disable it if necessary? In our case, we are doing an npm CI and we want to ensure that everything runs in the desired versions and not have an uncontrolled update throughout.

Similarly, the auto update call requires an internet connection, which is not always possible.

Having to put the current full version in serverless.yml poses a problem for updating via renovate or other tools as well, because after updating package.json, we have to remember to duplicate it in our serverless.yml (the correct ts corresponding to this part).

In short, for many people, auto update is completely useless and should be completely disableable.

[sunnypatell]

@throrin19 yeah, the auto-update behavior in v4 is frustrating for CI. a few things that can help:

pin without duplication pain

you mentioned the renovate/package.json sync issue. the earlier thread above covers using renovate's customManagers to auto-bump frameworkVersion in serverless.yml when the npm package updates. that way you only manage it in one place (renovate handles the rest). a tilde range like ~4.31 in serverless.yml also reduces churn since it accepts patch bumps automatically.

skip the network call in CI

there's no SLS_DISABLE_AUTO_UPDATE env var in v4 (the v3 one was removed). but the update check is time-gated: the Go binary only phones home if 24h have passed since updateLastChecked in ~/.serverless/binaries/metadata.json. in CI you can bump that timestamp before running serverless commands to prevent the check entirely:

METADATA="$HOME/.serverless/binaries/metadata.json"
[ -f "$METADATA" ] && python3 -c "
import json, datetime
m = json.load(open('$METADATA'))
m['updateLastChecked'] = datetime.datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%S.000Z')
json.dump(m, open('$METADATA', 'w'))
"

for fully offline/air-gapped environments

if your CI runners have no internet at all, you'd need to pre-populate ~/.serverless/releases/<version>/ with the correct binary and set frameworkVersion to that exact version. the bootstrapper will skip the download if the release dir already exists for the pinned version.

related issues: #12866 (update specs) | #12692 (version pinning)