Security News
MCP Community Begins Work on Official MCP Metaregistry
The MCP community is launching an official registry to standardize AI tool discovery and let agents dynamically find and install MCP servers.
By Sarah Gooding - May 09, 2025
🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
serverless-layers
Advanced tools
serverless-layers
[](http://www.serverless.com) [](https://github.com/agutoli/serverless-layers/issues) [
- It attaches automatically layers to the provider and for each function
- it will skip functions with no other layers as they will use the layer(s) we added to the provider
- It creates a new layer's version when
dependenciesis updated - If
dependenciesis not changed, it does not publish a new layer - It reduces drastically lambda size
- It reduces deployment time.
- You can share same layers (libraries) among all lambda functions
Options
Common requirements
- AWS only (sorry)
- Serverless >= 1.34.0 (layers support)
Install
npm install -D serverless-layers
or
serverless plugin install --name serverless-layers
Add the plugin to your serverless.yml file:
Single layer config
Example:
plugins:
- serverless-layers
custom:
serverless-layers:
functions: # optional
- my_func2
dependenciesPath: ./package.json
functions:
my_func1:
handler: handler.hello
my_func2:
handler: handler.hello
Multiple layers config
Example:
plugins:
- serverless-layers
custom:
serverless-layers:
# applies for all lambdas
- common:
dependenciesPath: ./my-folder/package.json
# apply for foo only
- foo:
functions:
- foo
dependenciesPath: my-folder/package-foo.json
- staticArn:
functions:
- foo
- bar
arn: arn:aws:lambda:us-east-1:<your_account>:layer:node-v13-11-0:5
functions:
foo:
handler: handler.hello
bar:
handler: handler.hello
| Option | Type | Default | Description |
|---|---|---|---|
| compileDir | string | .serverless | Compilation directory |
| layersDeploymentBucket | string | You can specify a bucket to upload lambda layers. Required if deploymentBucket is not defined. | |
| customInstallationCommand | string | It specify a custom command to install deps ex. MY_ENV=1 npm --proxy http://myproxy.com i -P | |
| customHash | string | Can specify custom string, that once changed will force a new build of the layer | |
| retainVersions | int | null | Number of layer versions to keep, the rest versions will be removed after deployments |
NodeJS
Requirements
- Node >= v6.10.3
- NPM >= 3.10.10
- A valid package.json file
Options
| Option | Type | Default | Description |
|---|---|---|---|
| packageManager | string | npm | Possible values: npm, yarn |
| packagePath | string | package.json | (DEPRECATED): Available for <= 1.5.0, for versions >= 2.x please use compatibleRuntimes |
| dependenciesPath | string | package.json | Note: >= 2.x versions. You can specify custom path for your package.json |
| compatibleRuntimes | array | ['nodejs'] | Possible values: nodejs, nodejs10.x, nodejs12.x |
| layerOptimization.cleanupPatterns | array | check | The pattern of files to cleanup in the layer artifact before uploading it. |
Ruby
Requirements
- Ruby >= 2.5
- A valid Gemfile file
Options
| Option | Type | Default | Description |
|---|---|---|---|
| packageManager | string | bundle | Possible values: bundle |
| dependenciesPath | string | Gemfile | Note: Available for >= 2.x versions. You can specify custom path for your requirements.txt |
| compatibleRuntimes | array | ['ruby'] | Possible values: ruby2.5, ruby2.7 |
| layerOptimization.cleanupPatterns | array | check | The pattern of files to cleanup in the layer artifact before uploading it. |
Python
Requirements
- Python >= 2.7
- A valid requirements.txt file
Options
| Option | Type | Default | Description |
|---|---|---|---|
| packageManager | string | pip | Possible values: pip |
| dependenciesPath | string | requirements.txt | Note: Available for >= 2.x versions. You can specify custom path for your requirements.txt |
| compatibleRuntimes | array | ['python'] | Possible values: python2.7, python3.x |
| layerOptimization.cleanupPatterns | array | check | The pattern of files to cleanup in the layer artifact before uploading it. |
Default Serverless Setup
This plugin will setup follow options automatically if not specified at serverless.yml.
| Option | Type | Default |
|---|---|---|
| package.individually | bool | false |
| package.patterns | array | ['node_modules/**'] |
| package.excludeDevDependencies | bool | false |
Mininal Policy permissions for CI/CD IAM users
serverless-layers-policy.json
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Effect":"Allow",
"Action":[
"cloudformation:DescribeStacks"
],
"Resource": "*"
},
{
"Effect":"Allow",
"Action":[
"lambda:PublishLayerVersion"
],
"Resource": "*"
}
]
}
License
MIT
Contributors
Yes, thank you! This plugin is community-driven, most of its features are from different authors. Please update the docs and tests and add your name to the package.json file. We try to follow Airbnb's JavaScript Style Guide.
Made with contributors-img.
FAQs
[](http://www.serverless.com) [](https://github.com/agutoli/serverless-layers/issues) [
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Security News
Malicious npm Packages Use Telegram to Exfiltrate BullX Credentials
Socket uncovers an npm Trojan stealing crypto wallets and BullX credentials via obfuscated code and Telegram exfiltration.
By Kush Pandya - May 08, 2025
Research
Security News
Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor access.
By Kirill Boychenko - May 07, 2025