<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Jason St-Cyr</title>
    <description>The latest articles on DEV Community by Jason St-Cyr (@jasonstcyr).</description>
    <link>https://dev.to/jasonstcyr</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F183204%2Fa798216f-9f66-40cd-9bed-b5193e9afe08.jpg</url>
      <title>DEV Community: Jason St-Cyr</title>
      <link>https://dev.to/jasonstcyr</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/jasonstcyr"/>
    <language>en</language>
    <item>
      <title>RHEL 10 support now available in Puppet SCE for Linux</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Thu, 18 Jun 2026 16:16:41 +0000</pubDate>
      <link>https://dev.to/puppet/rhel-10-support-now-available-in-puppet-sce-for-linux-4opi</link>
      <guid>https://dev.to/puppet/rhel-10-support-now-available-in-puppet-sce-for-linux-4opi</guid>
      <description>&lt;p&gt;Version 2.7.0 of Security Compliance Enforcement (SCE) for Linux is now &lt;a href="https://forge.puppet.com/modules/puppetlabs/sce_linux/readme" rel="noopener noreferrer"&gt;available for download from the Forge&lt;/a&gt;!&lt;/p&gt;

&lt;h2&gt;
  
  
  Support for the RHEL 10 family
&lt;/h2&gt;

&lt;p&gt;This release adds Red Hat Enterprise Linux (RHEL) 10 CIS benchmarks (v1.0.1, Server Levels 1 and 2). Teams adopting RHEL 10 or a compatible platform can bring those systems into compliance using the same trusted standards already in place across earlier RHEL versions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Other improvements
&lt;/h2&gt;

&lt;p&gt;Some other issues were also addressed, including logging issues with the rsyslog configuration file and intrusion detection on RHEL 9.&lt;/p&gt;

&lt;p&gt;For all the details, make sure to read the &lt;a href="https://help.puppet.com/sce/current/linux/scel_relnotes_270.htm" rel="noopener noreferrer"&gt;full release notes&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://forge.puppet.com/modules/puppetlabs/sce_linux/readme" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer"&gt;SCE Module on Puppet Forge&lt;/a&gt;
&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>security</category>
      <category>devops</category>
    </item>
    <item>
      <title>Security Compliance Management 3.8.0 Is Now Available</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Tue, 16 Jun 2026 13:31:38 +0000</pubDate>
      <link>https://dev.to/puppet/security-compliance-management-380-is-now-available-1o26</link>
      <guid>https://dev.to/puppet/security-compliance-management-380-is-now-available-1o26</guid>
      <description>&lt;p&gt;Security Compliance Management (SCM) 3.8.0 is here, with updates focused on keeping compliance scans running reliably with less manual intervention and &lt;strong&gt;an important license update&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;This release introduces automatic cleanup for stuck scans, improved control over scan behavior with configurable timeouts, extended CIS-CAT® Pro Assessor license support, and updated benchmark content. It also includes important security fixes across core components.&lt;/p&gt;

&lt;p&gt;⚠️ We recommend upgrading to SCM 3.8.0 before &lt;strong&gt;June 21, 2026&lt;/strong&gt; to avoid disruption, as the CIS-CAT Pro Assessor license included in SCM 3.7.1 expires on that date.&lt;/p&gt;




&lt;h2&gt;
  
  
  What’s changing in SCM 3.8.0
&lt;/h2&gt;

&lt;h3&gt;
  
  
  CIS-CAT Pro Assessor licensing and version
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;SCM 3.8.0 now contains CIS-CAT Pro Assessor v4.63.0&lt;/li&gt;
&lt;li&gt;The bundled &lt;strong&gt;CIS-CAT® Pro Assessor license&lt;/strong&gt; is now valid for &lt;strong&gt;one year&lt;/strong&gt;

&lt;ul&gt;
&lt;li&gt;The license shipped with SCM 3.8.0 is valid until &lt;strong&gt;June 2027&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;The license included in &lt;strong&gt;SCM 3.7.1 expires on June 21, 2026&lt;/strong&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can now also update the license without upgrading SCM:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;New &lt;code&gt;license_path&lt;/code&gt; parameter

&lt;ul&gt;
&lt;li&gt;Allows updating the CIS-CAT Pro Assessor license independently
&lt;/li&gt;
&lt;li&gt;Documentation: &lt;a href="https://help.puppet.com/scm/current/Content/UserGuide/SCM/update_assessor_license.htm" rel="noopener noreferrer"&gt;https://help.puppet.com/scm/current/Content/UserGuide/SCM/update_assessor_license.htm&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  Scan management, configuration, and reliability
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Added a &lt;strong&gt;background scan sweeper&lt;/strong&gt; to detect and cancel scans stuck in a "running" state&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Fixed a race condition where timed-out Puppet Enterprise job status polls could leave scans permanently stuck&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;New &lt;code&gt;assessor_scan_timeout&lt;/code&gt; option controls task timeout for &lt;strong&gt;Windows Server 2022 domain controllers&lt;/strong&gt; (Note: this isn't set by default)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Increased default &lt;strong&gt;Max GraphQL requests limit&lt;/strong&gt; to &lt;strong&gt;300 requests&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Benchmark coverage updates
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;New benchmarks added for Amazon Linux 2023 STIG, Microsoft Windows 11 STIG, Oracle Linux 9 STIG, RHEL 10 STIG, and SUSE 16&lt;/li&gt;
&lt;li&gt;Updated benchmarks for: Amazon Linux 2, macOS, Debian, Windows, and Ubuntu (see the release notes for specific benchmark updates)&lt;/li&gt;
&lt;li&gt;Removed benchmarks for:

&lt;ul&gt;
&lt;li&gt;Azure Compute Windows Server 2019 v1.0.1
&lt;/li&gt;
&lt;li&gt;Azure Compute Windows Server 2022 v1.0.0
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Security fixes
&lt;/h2&gt;

&lt;p&gt;This release includes updates to address 40 vulnerabilities across several components. The following components were updated to address the vulnerabilities:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Gorm.io&lt;/li&gt;
&lt;li&gt;Keycloak&lt;/li&gt;
&lt;li&gt;netty-codec&lt;/li&gt;
&lt;li&gt;netty-codec-http&lt;/li&gt;
&lt;li&gt;netty-codec-http2&lt;/li&gt;
&lt;li&gt;netty-codec-haproxy&lt;/li&gt;
&lt;li&gt;netty-handler&lt;/li&gt;
&lt;li&gt;Protobuf&lt;/li&gt;
&lt;li&gt;react-router&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Refer to the full release notes for the complete list of CVEs.&lt;/p&gt;




&lt;h2&gt;
  
  
  Upgrade guidance
&lt;/h2&gt;

&lt;p&gt;To avoid scan interruptions, upgrade to &lt;strong&gt;SCM 3.8.0 before June 21, 2026&lt;/strong&gt;. This ensures continued use of the CIS-CAT Pro Assessor, access to updated benchmark content, improved security posture, and improvements in scan processing.&lt;/p&gt;




&lt;h2&gt;
  
  
  Learn more
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Full release notes:
&lt;a href="https://help.puppet.com/scm/current/Content/UserGuide/SCM/Release_notes/release_notes.htm#SecurityComplianceManagement380" rel="noopener noreferrer"&gt;https://help.puppet.com/scm/current/Content/UserGuide/SCM/Release_notes/release_notes.htm#SecurityComplianceManagement380&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you have questions or need assistance upgrading, reach out to Puppet Support.&lt;/p&gt;

&lt;h2&gt;
  
  
  🤖 AI Disclosure
&lt;/h2&gt;

&lt;p&gt;This article was written and reviewed by the author, with the help of AI to assist in pulling together the details from multiple sources and general brand voice alignment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How did I do that?&lt;/strong&gt; For this particular article, I provided Microsoft 365 Copilot with the original release notes, my previous release announcement for 3.7.0, our company brand voice guidelines, and the official product release announcement that went out to customers. The LLM can then pull together the list of things that were updated and create a skeleton of an article. I then rewrite the content as needed to meet with my own tone of voice and get rid of the over-list-based approach that LLMs often take. It's also important to actually check back against the original release notes because sometimes the LLM will change certain words or remove words that change the meaning of what was in the release. I hope this helps if you are also writing with LLMs!&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>security</category>
      <category>devops</category>
      <category>infrastructureascode</category>
    </item>
    <item>
      <title>Remediating 18 OpenSSL CVEs at Scale with Puppet</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Mon, 15 Jun 2026 14:10:21 +0000</pubDate>
      <link>https://dev.to/puppet/remediating-18-openssl-cves-at-scale-with-puppet-1abo</link>
      <guid>https://dev.to/puppet/remediating-18-openssl-cves-at-scale-with-puppet-1abo</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Written by &lt;a href="https://www.puppet.com/author/paul-reed" rel="noopener noreferrer"&gt;Paul Reed&lt;/a&gt;.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The June 2026 OpenSSL advisory is a big one. &lt;a href="https://www.puppet.com/blog/openssl-cve-2026-45447-patching" rel="noopener noreferrer"&gt;18 vulnerabilities, one rated high severity&lt;/a&gt; with remote code execution potential, and a disclosure credited in part to &lt;a href="https://red.anthropic.com/2026/mythos-preview/" rel="noopener noreferrer"&gt;Anthropic's Mythos model&lt;/a&gt; working alongside researcher Alex Gaynor. Six of those CVEs trace back to that collaboration.&lt;/p&gt;

&lt;p&gt;When an advisory like the OpenSSL one lands, the first question is always the same: where are we exposed? If you run Puppet, you can answer that question across the entire fleet right now, patch it through one mechanism that handles every platform for you, and have it stay patched without anyone watching afterwards. The rest of this article is how.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Vulnerability: What CVE-2026-45447 Actually Does
&lt;/h2&gt;

&lt;p&gt;CVE-2026-45447 is a heap use-after-free in &lt;code&gt;PKCS7_verify()&lt;/code&gt;. The bug fires when OpenSSL processes a PKCS#7 or S/MIME signed message where the &lt;code&gt;SignedData.digestAlgorithms&lt;/code&gt; field is an empty ASN.1 SET.&lt;/p&gt;

&lt;p&gt;When OpenSSL encounters this condition, it frees a &lt;code&gt;BIO&lt;/code&gt; object that was passed in by the calling application and is still expected to be valid. The calling application then uses the freed pointer. Depending on heap layout, that results in heap corruption, a process crash, or, with a controlled heap grooming primitive, code execution.&lt;/p&gt;

&lt;p&gt;Affected ranges:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  OpenSSL 3.0.x through 3.3.x (patch to 3.5.1)&lt;/li&gt;
&lt;li&gt;  OpenSSL 1.1.1x (patch to corresponding 1.1.1 update)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The other 17 CVEs in the advisory cover authentication bypass via forged certificates (moderate, roughly a 1-in-256 success rate), ciphertext forgery, private key recovery, root CA replacement, and several DoS vectors. None are trivial in regulated environments.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 1: Query Your Actual Exposure
&lt;/h2&gt;

&lt;p&gt;Knowing where you're exposed is where Puppet earns its keep on day zero. There's no scanner to stand up and no spreadsheet to chase round the teams. The data is already sitting in PuppetDB.&lt;/p&gt;

&lt;p&gt;Package inventory is fed by Puppet's resource abstraction layer, the same machinery behind &lt;code&gt;puppet resource package&lt;/code&gt;. It enumerates every package provider Puppet Enterprise supports. This means package inventory sees well beyond the system package manager: OS packages across apt, dnf/yum and zypper, and language managers like gem and pip alongside them. One query, every node:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;puppet query &lt;span class="s1"&gt;'package_inventory[certname, package_name, version, provider] {
  package_name ~ "(?i)openssl|libssl|libcrypto"
  and
  version ~ "^(3\\.[0-3]\\.|1\\.[0-1]\\.)"
}'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run the query against a live environment to review the results. On one fleet:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  system libraries across multiple providers (&lt;code&gt;libopenssl3&lt;/code&gt;/&lt;code&gt;libopenssl1_1&lt;/code&gt; via zypper, &lt;code&gt;openssl&lt;/code&gt; and &lt;code&gt;openssl-libs&lt;/code&gt; via dnf/yum, &lt;code&gt;openssl&lt;/code&gt; via apt)&lt;/li&gt;
&lt;li&gt;  the Ruby &lt;code&gt;openssl&lt;/code&gt; gem at several versions&lt;/li&gt;
&lt;li&gt;  &lt;code&gt;openssl&lt;/code&gt; via &lt;code&gt;puppet_gem&lt;/code&gt; on every agent node, because Puppet's own Ruby ships it&lt;/li&gt;
&lt;li&gt;  &lt;code&gt;pyOpenSSL&lt;/code&gt; and &lt;code&gt;python3-openssl&lt;/code&gt; via pip and the OS package manager&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Most tools miss the bulk of that, because they only ever look at the system package manager. Here, anything a package manager put on the box is in scope, system libraries and language bindings together.&lt;/p&gt;

&lt;p&gt;Scope the query to an environment by filtering against the inventory endpoint:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;puppet query &lt;span class="s1"&gt;'package_inventory[certname, package_name, version, provider] {
  package_name ~ "(?i)openssl|libssl|libcrypto"
  and
  version ~ "^(3\\.[0-3]\\.|1\\.[0-1]\\.)"
  and
  certname in inventory[certname] { environment = "production" }
}'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Step 2: Patch It (recommended for the actual remediation)
&lt;/h2&gt;

&lt;p&gt;You don't hand-write a &lt;code&gt;package&lt;/code&gt; resource per platform, and you shouldn't. The package name varies (&lt;code&gt;openssl-libs&lt;/code&gt; on RHEL, &lt;code&gt;libssl3&lt;/code&gt; on Debian, &lt;code&gt;libopenssl3&lt;/code&gt; on SUSE), the versions differ again, and the &lt;code&gt;openssl&lt;/code&gt; CLI isn't even the vulnerable piece; the runtime library is. Let the tooling that already models your estate carry that.&lt;/p&gt;

&lt;p&gt;Use the patching framework: &lt;code&gt;pe_patch&lt;/code&gt; on Puppet Enterprise, &lt;code&gt;os_patching&lt;/code&gt; for open source and Bolt. Classify the class and each node reports its pending updates, including which are security updates. You patch through the PE console or a task, scoped to security updates only if you want the change tight.&lt;/p&gt;

&lt;p&gt;The OS package manager applies the vendor's security update, so the correct library package and version are chosen per platform without you encoding any of it. Reboots, update ordering, and patch and blackout windows are the framework's job. A box that can't be touched in business hours is a blackout window in config, not a workaround.&lt;/p&gt;

&lt;p&gt;The exposure query doubles as your target list. The orchestrator takes PQL directly with &lt;code&gt;-q&lt;/code&gt;, so there's no glue script to write. You hand the orchestrator the query and let it resolve the nodes:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;puppet task run pe_patch::patch_server &lt;span class="nt"&gt;-q&lt;/span&gt; &lt;span class="s1"&gt;'package_inventory[certname]{
  package_name ~ "(?i)openssl|libssl|libcrypto"
  and version ~ "^(3\\.[0-3]\\.|1\\.[0-1]\\.)"
}'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That's &lt;code&gt;pe_patch::patch_server&lt;/code&gt; on Puppet Enterprise, &lt;code&gt;os_patching::patch_server&lt;/code&gt; for open source and Bolt. The orchestration runs the task against exactly the nodes the query returned and nothing else. Add &lt;code&gt;security_only=true&lt;/code&gt; to keep the run tight, so a node that's already current is a no-op. If you'd rather not touch the command line, wire the same query into a node group in the PE console and drive it from there.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 3: Enforce It In Code
&lt;/h2&gt;

&lt;p&gt;If you'd rather declare the state and have Puppet hold the state on every run, use the &lt;code&gt;openssl&lt;/code&gt; module's class. The module knows the package names per platform:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight puppet"&gt;&lt;code&gt;&lt;span class="k"&gt;class&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="s1"&gt;'openssl'&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
  &lt;span class="py"&gt;package_ensure&lt;/span&gt;         &lt;span class="p"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;latest&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
  &lt;span class="py"&gt;ca_certificates_ensure&lt;/span&gt; &lt;span class="p"&gt;=&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;latest&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Using &lt;code&gt;latest&lt;/code&gt; keeps the library current; set &lt;code&gt;package_ensure&lt;/code&gt; to a specific version from Hiera if you want a pinned, auditable rollout.&lt;/p&gt;

&lt;p&gt;This enforcement step is something a one-off script and a scanner both miss. A patch run fixes the issue once; declaring the state is what makes it stay fixed. The agent runs on a schedule, every 30 minutes by default, and enforces desired state each time. So when a node drifts back to a vulnerable version, a VM reprovisioned off a stale image, say, or a change someone made by hand and forgot, the next run quietly puts the desired state back. A scanner would notice that regression on its next sweep and open you a ticket. Enforcement just doesn't let the gap stay open that long.&lt;/p&gt;

&lt;p&gt;The two paths aren't either/or. The patching framework is the quicker way to clear the initial backlog; enforcement is what keeps the backlog cleared. Run both and the framework does the first sweep while the module holds the line from then on.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 4: Restart Processes That Link the Library
&lt;/h2&gt;

&lt;p&gt;Patching the package is only half the job. A running process keeps the old &lt;code&gt;.so&lt;/code&gt; mapped until the process restarts, and a library swap under a live OpenSSL is exactly the case where that bites.&lt;/p&gt;

&lt;p&gt;If you patched with the framework, it already tracks this for you. &lt;code&gt;pe_patch&lt;/code&gt; reports the processes that require a restart in the node's fact, so you don't go hunting:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="nl"&gt;"reboots"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"app_restart_required"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"apps_needing_restart"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"1"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/usr/lib/systemd/systemd --switched-root --system --deserialize 31"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"586"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/usr/lib/systemd/systemd-journald"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"601"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/usr/lib/systemd/systemd-udevd"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"657"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/sbin/auditd"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"691"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"694"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -x namedpipe -x jitter -D daemon:daemon"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"696"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/usr/lib/systemd/systemd-logind"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"766"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/usr/sbin/NetworkManager --no-daemon"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"863"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"sshd: /usr/sbin/sshd -D [listener] 0 of 10-60 startups"&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"reboot_required"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="err"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;apps_needing_restart&lt;/code&gt; is the list of processes still mapping a file that's been replaced underneath them, and &lt;code&gt;reboot_required&lt;/code&gt; flags when a restart of individual services won't cut it. The patch run acts on these according to its reboot policy, so the same job that applies the update also clears the stale library, or tells you precisely which nodes still need a bounce. That's the manual &lt;code&gt;lsof&lt;/code&gt; check in the next section, done for the whole fleet as a fact.&lt;/p&gt;

&lt;p&gt;If you went the module route instead, chain the dependent services onto the class so they refresh when it changes the library:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight puppet"&gt;&lt;code&gt;&lt;span class="nc"&gt;Class&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'openssl'&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="p"&gt;~&amp;gt;&lt;/span&gt; &lt;span class="nc"&gt;Service&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'nginx'&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Chaining on the class rather than a &lt;code&gt;Package['...']&lt;/code&gt; title means you don't have to know the package name the module picks per platform. The refresh fires only when something actually changes, so steady-state runs leave your services alone.&lt;/p&gt;

&lt;p&gt;A note on the language-level copies inventory turned up. Where a gem or &lt;code&gt;pyOpenSSL&lt;/code&gt; links the system library, patching &lt;code&gt;libssl&lt;/code&gt;/&lt;code&gt;libcrypto&lt;/code&gt; fixes the underlying crypto and these processes will pick up the patch on restart. The few that statically bundle their own copy get updated through their own toolchain (&lt;code&gt;gem update&lt;/code&gt;, &lt;code&gt;pip&lt;/code&gt;). The OS-packaged bindings ride along with the patch run either way.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 5: Verify the Process Has Reloaded the Library
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;reboots&lt;/code&gt; fact above is your fleet-wide answer. When you want to confirm a single box by hand, or you're working somewhere the fact isn't available, &lt;code&gt;lsof&lt;/code&gt; against the actual PID tells you what that process has mapped:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;lsof &lt;span class="nt"&gt;-p&lt;/span&gt; &lt;span class="si"&gt;$(&lt;/span&gt;pgrep nginx | &lt;span class="nb"&gt;head&lt;/span&gt; &lt;span class="nt"&gt;-1&lt;/span&gt;&lt;span class="si"&gt;)&lt;/span&gt; | &lt;span class="nb"&gt;grep &lt;/span&gt;libssl
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If the &lt;code&gt;lsof&lt;/code&gt; query still shows the old path after the run, the restart didn't fire. Check the agent log or the patch run's reboot status. The &lt;code&gt;openssl&lt;/code&gt; CLI version won't help here, because it says nothing about what a long-running daemon has mapped.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 6: Confirm Convergence
&lt;/h2&gt;

&lt;p&gt;Re-run the inventory query to verify closure. This query doubles as audit evidence:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;puppet query &lt;span class="s1"&gt;'package_inventory[certname, package_name, version, provider] {
  package_name ~ "(?i)openssl|libssl|libcrypto"
}'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Anything still on an affected version, across any provider, is your remaining work. Puppet Enterprise users can pull the same data from the compliance dashboard for audit review.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Point Isn't OpenSSL
&lt;/h2&gt;

&lt;p&gt;OpenSSL is this month's fire drill. Next month it's something else, and the one after that hasn't been disclosed yet. None of the steps above were really about OpenSSL. They were about having a tool already in place that answers the questions every advisory asks, before the advisory lands.&lt;/p&gt;

&lt;p&gt;Look back at what each step actually was:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The exposure query was inventory: what have I got, and where, as of the last check-in. &lt;/li&gt;
&lt;li&gt;The patch task, scoped from that same query, was remediation. The &lt;code&gt;reboots&lt;/code&gt; fact was reporting, telling you what's still exposed and what needs a bounce. &lt;/li&gt;
&lt;li&gt;Enforcement was the bit that holds the line afterwards, so a reprovisioned box can't slip back in unnoticed. &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That's the whole vulnerability-response loop, and the worst time to start building it is the morning a CVE lands with the clock already running.&lt;/p&gt;

&lt;p&gt;That's the case for putting the capability in now, while nothing's on fire. The next disclosure becomes a query and a patch run instead of a fortnight of spreadsheets and change tickets. The same loop applies well beyond library upgrades, too. &lt;a href="https://dev.to/puppet/handling-dirty-frag-and-copy-fail-with-puppet-6ff"&gt;We recently showed how to deal with dirty frag and copy-fail with Puppet&lt;/a&gt;, which walks the same detect-mitigate-remediate pattern on a different class of problem.&lt;/p&gt;

&lt;p&gt;Using Puppet provides a consistent way to address OpenSSL vulnerabilities across environments. It'll still be set up and ready when the next vulnerability lands.&lt;/p&gt;

&lt;h2&gt;
  
  
  🤖 AI Disclosure
&lt;/h2&gt;

&lt;p&gt;This article has been reviewed by a human expert in the subject matter and all code samples have been reviewed by Puppet technical experts. Initial structural content has been generated by Claude AI tools to assist with editing for clarity, structure, grammar, and maintaining brand voice, and then passed through human review.&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>devops</category>
      <category>cybersecurity</category>
      <category>security</category>
    </item>
    <item>
      <title>What You Need to Know About the New puppetlabs-stdlib 10 in June 2026</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Thu, 11 Jun 2026 14:31:40 +0000</pubDate>
      <link>https://dev.to/puppet/what-you-need-to-know-about-the-new-puppetlabs-stdlib-10-in-june-2026-1jah</link>
      <guid>https://dev.to/puppet/what-you-need-to-know-about-the-new-puppetlabs-stdlib-10-in-june-2026-1jah</guid>
      <description>&lt;h2&gt;
  
  
  The TL;DR
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  We are releasing puppetlabs-stdlib 10.0.1 with a target date of June 30, 2026.&lt;/li&gt;
&lt;li&gt;  This is a major version bump because we are dropping support for Puppet 7 (which reached its end-of-life in February 2025) and requiring Ruby 3.1+.&lt;/li&gt;
&lt;li&gt;  If your modules pin stdlib to &amp;lt; 10.0.0, they will continue to work as-is on stdlib 9.x.&lt;/li&gt;
&lt;li&gt;  You do not need to take any immediate action, but we wanted to give the community advance notice so module owners have time to plan.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Why a Major Release?
&lt;/h2&gt;

&lt;p&gt;The &lt;a href="https://forge.puppet.com/modules/puppetlabs/stdlib/readme" rel="noopener noreferrer"&gt;puppetlabs-stdlib module&lt;/a&gt; is one of the most widely depended-upon open source modules in the Puppet ecosystem. Because of that, we take major version bumps seriously and want to be transparent about what is changing and why.&lt;/p&gt;

&lt;p&gt;The last release of stdlib (9.7.0) was published in December 2024. Since then, maintenance work has accumulated in the main branch: updates to Puppet Core tooling, CentOS 9 support, Rubocop alignment, CI and testing infrastructure updates, and various bug fixes and enhancements contributed by both Puppet engineers and community members.&lt;/p&gt;

&lt;p&gt;Among those accumulated changes is the &lt;strong&gt;removal of Puppet 7 from the supported platforms&lt;/strong&gt; in the module metadata. Since Puppet 7 reached end-of-life over a year ago, this is a natural and expected housekeeping step. However, because removing a previously supported Puppet version is a backwards-incompatible change under semver, it requires a major version bump. Making a major version release along with the removal of Puppet 7 support creates a clean delineation for any users still running Puppet 7.&lt;/p&gt;

&lt;p&gt;Additionally, the Rubocop and tooling updates in the branch enforce Ruby 3.1+ syntax standards (such as the shorthand hash syntax). While these are primarily code-style changes, they mean the module codebase is no longer guaranteed to run on Ruby versions older than 3.1, which further supports the decision to move to a new major version.&lt;/p&gt;

&lt;h2&gt;
  
  
  What’s Included in&amp;nbsp;stdlib&amp;nbsp;10&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;This release rolls up approximately 18 months of changes. The highlights include:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Puppet 7 support removed:&lt;/strong&gt;&amp;nbsp;The module metadata now requires Puppet 8.0.0 or later. Puppet 7 has been end-of-life since early 2025.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Ruby 3.1+&amp;nbsp;required:&lt;/strong&gt;&amp;nbsp;Rubocop&amp;nbsp;and code style enforcement now target Ruby 3.1 standards. Syntax that is incompatible with older Ruby versions has been adopted throughout the codebase.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;CentOS 9 support:&lt;/strong&gt;&amp;nbsp;The module metadata now&amp;nbsp;states&amp;nbsp;support for CentOS 9.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Bug fixes and enhancements:&lt;/strong&gt;&amp;nbsp;Multiple community-contributed fixes and improvements that have been pending release.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;CI and testing updates:&lt;/strong&gt;&amp;nbsp;Updated&amp;nbsp;testing infrastructure using Puppet Core tooling, updated nightly test matrices, and improved CI workflows.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A full changelog will&amp;nbsp;accompany&amp;nbsp;the release on the Puppet Forge and on GitHub.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;
  
  
  What This Means for Module Authors&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;If you&amp;nbsp;maintain&amp;nbsp;a Puppet module that depends on&amp;nbsp;puppetlabs-stdlib, here is what you need to know.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;
  
  
  If You Do Nothing&amp;nbsp;
&lt;/h3&gt;

&lt;p&gt;Your module will continue to work. Most modules pin their stdlib&amp;nbsp;dependency with an upper bound like &lt;code&gt;"puppetlabs/stdlib": "&amp;gt;= 4.0.0 &amp;lt; 10.0.0"&lt;/code&gt;. The Puppet module resolver will keep you on the latest 9.x release. Nothing breaks, nothing changes.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;If your module did not specify an upper bound, your module will be able to start using version 10 without any changes.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;
  
  
  If You Want to Adopt&amp;nbsp;stdlib&amp;nbsp;10&amp;nbsp;
&lt;/h3&gt;

&lt;p&gt;When you are ready, update the upper bound of your&amp;nbsp;stdlib&amp;nbsp;dependency in your&amp;nbsp;&lt;code&gt;metadata.json&lt;/code&gt;:&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;"puppetlabs/stdlib": "&amp;gt;= 4.0.0 &amp;lt; 11.0.0"&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;This will allow your module to resolve either&amp;nbsp;stdlib&amp;nbsp;9.x or 10.x, giving your users flexibility. You should also confirm that your module no longer requires Puppet 7 support and that&amp;nbsp;your&amp;nbsp;testing and CI pipelines use Ruby 3.1 or later.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;
  
  
  Timing Is Up to You&amp;nbsp;
&lt;/h3&gt;

&lt;p&gt;There is no urgency to adopt&amp;nbsp;stdlib&amp;nbsp;10 on day one. The 9.x line will remain available on the Forge. We encourage module owners to update at their own pace, and we are providing this advance notice specifically so you can plan that work into your roadmap rather than being caught off-guard.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;
  
  
  What&amp;nbsp;Perforce&amp;nbsp;Puppet Is Doing to Prepare&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;We recognize that&amp;nbsp;stdlib&amp;nbsp;touches a huge&amp;nbsp;portion&amp;nbsp;of the module ecosystem. There are approximately&amp;nbsp;34&amp;nbsp;puppetlabs&amp;nbsp;modules&amp;nbsp;that depend on&amp;nbsp;stdlib. Between now and the release date, we will be updating&amp;nbsp;all of&amp;nbsp;those modules to expand their dependency bounds to accept&amp;nbsp;stdlib&amp;nbsp;10.x. These updated modules will be released to the Forge ahead of or alongside the&amp;nbsp;stdlib&amp;nbsp;10 release so that the transition is as smooth as possible.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Our goal is that by the time&amp;nbsp;stdlib&amp;nbsp;10 lands on the Forge, the&amp;nbsp;puppetlabs&amp;nbsp;module ecosystem will already be ready for it.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;
  
  
  Timeline&amp;nbsp;
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;Milestone&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Now&lt;/td&gt;
&lt;td&gt;This announcement. Community has advance notice.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;June 18–30&lt;/td&gt;
&lt;td&gt;Perforce will release updated dependency bounds across puppetlabs modules.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;June 30, 2026&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;Target release date for puppetlabs-stdlib 10 on the Puppet Forge.&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  A Note on Communication&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;We want to acknowledge that an earlier attempt to release&amp;nbsp;stdlib&amp;nbsp;10.0.0 was made without sufficient advance communication to the community. We heard the feedback, rolled that release back, and are now doing this the right way: giving you notice, giving you time, and coordinating the broader module ecosystem before the release lands.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Major&amp;nbsp;stdlib&amp;nbsp;releases have historically been disruptive because of how deeply the module is embedded across the ecosystem. We are committed to making this transition as smooth as possible, and your feedback during this notice period is welcome and appreciated.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Prepare&amp;nbsp;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Review your dependency bounds:&lt;/strong&gt;&amp;nbsp;Check your&amp;nbsp;metadata.json&amp;nbsp;for your&amp;nbsp;stdlib&amp;nbsp;version constraint.&amp;nbsp; &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Check your Puppet version support:&lt;/strong&gt;&amp;nbsp;If your module still claims Puppet 7 support, consider whether that is still necessary given Puppet 7 is end-of-life.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Check your Ruby version:&lt;/strong&gt;&amp;nbsp;Ensure your testing and CI environments use Ruby 3.1 or later.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Test against the main branch:&lt;/strong&gt;&amp;nbsp;If you want to verify compatibility ahead of the release, you can test your module against the main branch of&amp;nbsp;puppetlabs-stdlib&amp;nbsp;on GitHub.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Questions and Feedback&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;We want to hear from you. If you have questions, concerns, or feedback about this upcoming release, please reach out through any of the following channels:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Community Slack:&lt;/strong&gt;&amp;nbsp;The &lt;a href="https://slack.puppet.com" rel="noopener noreferrer"&gt;Puppet community Slack workspace&lt;/a&gt;, particularly the &lt;code&gt;#forge-modules&lt;/code&gt; channel where we have already had some discussion on this upcoming change.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Comments on this post:&lt;/strong&gt;&amp;nbsp;We will be&amp;nbsp;monitoring&amp;nbsp;and responding to comments here on dev.to.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Perforce Forums:&lt;/strong&gt; Join the discussion on the&amp;nbsp;&lt;a href="https://portal.perforce.com/s/group/0F9PA000000085d0AA/puppet-product-discussion" rel="noopener noreferrer"&gt;Perforce Puppet forums&lt;/a&gt;, part of the official Perforce Portal.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Thank you for being part of the Puppet community!&amp;nbsp;We appreciate your&amp;nbsp;collaboration&amp;nbsp;and your contributions, and we are looking forward to getting&amp;nbsp;this release&amp;nbsp;into your hands.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://forge.puppet.com/modules/puppetlabs/stdlib/readme" class="crayons-btn crayons-btn--primary" rel="noopener noreferrer"&gt;stdlib Forge Module&lt;/a&gt;
&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>opensource</category>
      <category>devops</category>
    </item>
    <item>
      <title>Puppetlabs Modules Roundup – May 2026</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Wed, 03 Jun 2026 21:48:48 +0000</pubDate>
      <link>https://dev.to/puppet/puppetlabs-modules-roundup-may-2026-2gp2</link>
      <guid>https://dev.to/puppet/puppetlabs-modules-roundup-may-2026-2gp2</guid>
      <description>&lt;p&gt;This time around we look back at May 2026 and the 11 Puppetlabs module releases on the Forge, with an emphasis on the changes most likely to matter in active environments.&lt;/p&gt;

&lt;h2&gt;
  
  
  Highlighted Updates
&lt;/h2&gt;

&lt;h3&gt;
  
  
  New Windows audit policy module released!
&lt;/h3&gt;

&lt;p&gt;The new &lt;a href="https://forge.puppet.com/modules/puppetlabs/audit_policy/readme" rel="noopener noreferrer"&gt;audit_policy module&lt;/a&gt; has been released by Perforce as a Ruby replacement for the generated &lt;a href="https://forge.puppet.com/modules/dsc/auditpolicydsc/readme" rel="noopener noreferrer"&gt;DSC community auditpolicydsc module&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This module uses the Puppet Resources API to manage Windows audit policy through &lt;code&gt;auditpol.exe&lt;/code&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  ruby_task_helper Dependency Bound Update
&lt;/h3&gt;

&lt;p&gt;Five Bolt-adjacent modules all bumped the ruby_task_helper upper bound to &amp;lt; 2.0.0 in a coordinated maintenance pass, which helps avoid dependency resolution failures when using Bolt 5.x.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Affected modules: vault, terraform, http_request, gcloud_inventory, azure_inventory.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  CentOS 9 Support
&lt;/h3&gt;

&lt;p&gt;Multiple modules added explicit CentOS 9 compatibility, expanding the Linux platform coverage in line with the broader Puppet ecosystem push.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Affected modules: concat, inifile.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What Updates Happened to Puppetlabs Modules in May 2026?
&lt;/h2&gt;

&lt;p&gt;The following is an alphabetical listing of modules which received updates in May 2026. If a module had multiple versions released, the updates are collected together, numbered with the "latest" version available.&lt;/p&gt;




&lt;h3&gt;
  
  
  apt 11.3.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-19 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/apt" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release introduced an explicit hash value syntax while also adding a param to support purging keyrings and other community contributions.&lt;/p&gt;

&lt;p&gt;Includes monthly releases: 11.3.1 (2026-05-19), 11.3.0 (2026-05-18).&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use explicit hash value syntax instead of shorthand &lt;a href="https://github.com/puppetlabs/puppetlabs-apt/pull/1285" rel="noopener noreferrer"&gt;#1285&lt;/a&gt; (&lt;a href="https://github.com/SugatD" rel="noopener noreferrer"&gt;SugatD&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Add param for purging keyrings &lt;a href="https://github.com/puppetlabs/puppetlabs-apt/pull/1266" rel="noopener noreferrer"&gt;#1266&lt;/a&gt; (&lt;a href="https://github.com/bwitt" rel="noopener noreferrer"&gt;bwitt&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Include components when suite does not end with slash &lt;a href="https://github.com/puppetlabs/puppetlabs-apt/pull/1259" rel="noopener noreferrer"&gt;#1259&lt;/a&gt; (&lt;a href="https://github.com/bwitt" rel="noopener noreferrer"&gt;bwitt&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Bugfix - sources format and ensure =&amp;gt; absent fails &lt;a href="https://github.com/puppetlabs/puppetlabs-apt/pull/1243" rel="noopener noreferrer"&gt;#1243&lt;/a&gt; (&lt;a href="https://github.com/traylenator" rel="noopener noreferrer"&gt;traylenator&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;fix: allow plus signs in ppa &lt;a href="https://github.com/puppetlabs/puppetlabs-apt/pull/1222" rel="noopener noreferrer"&gt;#1222&lt;/a&gt; (&lt;a href="https://github.com/moritz-makandra" rel="noopener noreferrer"&gt;moritz-makandra&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Fix and improve DEB822-style template &lt;a href="https://github.com/puppetlabs/puppetlabs-apt/pull/1212" rel="noopener noreferrer"&gt;#1212&lt;/a&gt; (&lt;a href="https://github.com/smortex" rel="noopener noreferrer"&gt;smortex&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  audit_policy 1.0.0
&lt;/h3&gt;

&lt;p&gt;🌟 &lt;strong&gt;&lt;em&gt;New Module:&lt;/em&gt;&lt;/strong&gt; 2026-05-29 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/audit_policy" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This new module allows you to manage Windows audit policy with auditpol.exe as a replacement for the generated DSC community module. Initial release contains:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;audit_policy_subcategory: manage Windows audit policy subcategories by display name using auditpol.exe&lt;/li&gt;
&lt;li&gt;audit_policy_guid: manage Windows audit policy subcategories by GUID using auditpol.exe&lt;/li&gt;
&lt;li&gt;audit_policy_option: manage global Windows audit policy options (CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects, AuditBaseDirectories)&lt;/li&gt;
&lt;li&gt;audit_policy_csv: manage Windows audit policy by importing settings from an auditpol /backup CSV file&lt;/li&gt;
&lt;li&gt;Support for Windows Server 2016, 2019, 2022, and 2025&lt;/li&gt;
&lt;li&gt;Pure Ruby implementation — no PowerShell dependency; replaces the dsc-auditpolicydsc community module&lt;/li&gt;
&lt;li&gt;Puppet requirement pinned to &amp;gt;= 8.0.0 &amp;lt; 9.0.0&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  azure_inventory 0.5.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-14 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/azure_inventory" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release bumped the ruby_task_helper upper bound to &lt;strong&gt;&amp;lt; 2.0.0&lt;/strong&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bump ruby_task_helper upper bound to &amp;lt; 2.0.0 (&lt;a href="https://github.com/puppetlabs/puppetlabs-azure_inventory/pull/16" rel="noopener noreferrer"&gt;#16&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  cd4peadm 5.15.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-07 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/cd4peadm" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;A few highlights from this release:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Fixed an issue where SAML logins were failing.&lt;/li&gt;
&lt;li&gt;Fixed an issue where CD would not use the configured HTTP timeouts when making calls to the Azure DevOps API, resulting in unexpected timeout failures.&lt;/li&gt;
&lt;li&gt;Fixed an issue where GitLab merge request updates that do not involve code changes would trigger CD pipelines.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-42198.&lt;/strong&gt; Updated to address this vulnerability.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check the official &lt;a href="https://help.puppet.com/cdpe/current/Content/UserGuide/CDPE/ReleaseNotes/cd_release_notes.htm#Version5151" rel="noopener noreferrer"&gt;release notes for cd4peadm 5.15.1&lt;/a&gt; for the full details.&lt;/p&gt;




&lt;h3&gt;
  
  
  concat 10.0.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-19 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/concat" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release added support for CentOS 9 while also addressing runner images for Ubuntu 24.04.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Redact sensitive content &lt;a href="https://github.com/puppetlabs/puppetlabs-concat/pull/828" rel="noopener noreferrer"&gt;#828&lt;/a&gt; (&lt;a href="https://github.com/smortex" rel="noopener noreferrer"&gt;smortex&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(CAT-2296) Update github runner image to ubuntu-24.04 &lt;a href="https://github.com/puppetlabs/puppetlabs-concat/pull/823" rel="noopener noreferrer"&gt;#823&lt;/a&gt; (&lt;a href="https://github.com/shubhamshinde360" rel="noopener noreferrer"&gt;shubhamshinde360&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(CAT-2152) Add support for CentOS 9 &lt;a href="https://github.com/puppetlabs/puppetlabs-concat/pull/818" rel="noopener noreferrer"&gt;#818&lt;/a&gt; (&lt;a href="https://github.com/skyamgarp" rel="noopener noreferrer"&gt;skyamgarp&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Allow user defined tag or list of tags &lt;a href="https://github.com/puppetlabs/puppetlabs-concat/pull/790" rel="noopener noreferrer"&gt;#790&lt;/a&gt; (&lt;a href="https://github.com/Lightning-" rel="noopener noreferrer"&gt;Lightning-&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Use explicit hash value syntax instead of shorthand &lt;a href="https://github.com/puppetlabs/puppetlabs-concat/pull/835" rel="noopener noreferrer"&gt;#835&lt;/a&gt; (&lt;a href="https://github.com/SugatD" rel="noopener noreferrer"&gt;SugatD&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  gcloud_inventory 0.3.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-14 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/gcloud_inventory" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release bumped the ruby_task_helper upper bound to &lt;strong&gt;&amp;lt; 2.0.0&lt;/strong&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bump ruby_task_helper upper bound to &amp;lt; 2.0.0 (&lt;a href="https://github.com/puppetlabs/puppetlabs-gcloud_inventory/pull/14" rel="noopener noreferrer"&gt;#14&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  http_request 0.3.2
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-14 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/http_request" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release bumped the ruby_task_helper upper bound to &lt;strong&gt;&amp;lt; 2.0.0&lt;/strong&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bump ruby_task_helper upper bound to &amp;lt; 2.0.0 (&lt;a href="https://github.com/puppetlabs/puppetlabs-http_request/pull/18" rel="noopener noreferrer"&gt;#18&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  inifile 6.4.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-19 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/inifile" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;The inifile module now supports multiple values per key while also adding support for CentOS 9.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Add support for multiple values per key &lt;a href="https://github.com/puppetlabs/puppetlabs-inifile/pull/555" rel="noopener noreferrer"&gt;#555&lt;/a&gt; (&lt;a href="https://github.com/bwitt" rel="noopener noreferrer"&gt;bwitt&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(CAT-2152) Add support for CentOS 9 &lt;a href="https://github.com/puppetlabs/puppetlabs-inifile/pull/549" rel="noopener noreferrer"&gt;#549&lt;/a&gt; (&lt;a href="https://github.com/skyamgarp" rel="noopener noreferrer"&gt;skyamgarp&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  puppet_agent 4.28.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-07 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/puppet_agent" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release updates to new tooling (Bolt, PDK Templates), adds support for macOS 26, and includes some pre-work for the upcoming Puppet Core 9.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;(PA-7824) Use newest Bolt &lt;a href="https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/829" rel="noopener noreferrer"&gt;#829&lt;/a&gt; (&lt;a href="https://github.com/mhashizume" rel="noopener noreferrer"&gt;mhashizume&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PA-7897) Update to pdk-templates 3.6.1.1 &lt;a href="https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/825" rel="noopener noreferrer"&gt;#825&lt;/a&gt; (&lt;a href="https://github.com/joshcooper" rel="noopener noreferrer"&gt;joshcooper&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PA-8250) Allow installation of puppetcore9-nightly packages &lt;a href="https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/822" rel="noopener noreferrer"&gt;#822&lt;/a&gt; (&lt;a href="https://github.com/joshcooper" rel="noopener noreferrer"&gt;joshcooper&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PA-8238) Add support for MacOS 26 in install_shell.sh &lt;a href="https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/821" rel="noopener noreferrer"&gt;#821&lt;/a&gt; (&lt;a href="https://github.com/shubhamshinde360" rel="noopener noreferrer"&gt;shubhamshinde360&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PA-8250) Restore windows command to check puppet service &lt;a href="https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/826" rel="noopener noreferrer"&gt;#826&lt;/a&gt; (&lt;a href="https://github.com/joshcooper" rel="noopener noreferrer"&gt;joshcooper&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PA-8041) Fix puppetcore8-nightly installs on rpm and mac &lt;a href="https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/824" rel="noopener noreferrer"&gt;#824&lt;/a&gt; (&lt;a href="https://github.com/joshcooper" rel="noopener noreferrer"&gt;joshcooper&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PA-8247) Add guard against other ruby process when installing &lt;a href="https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/823" rel="noopener noreferrer"&gt;#823&lt;/a&gt; (&lt;a href="https://github.com/AriaXLi" rel="noopener noreferrer"&gt;AriaXLi&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  terraform 0.7.2
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-14 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/terraform" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release bumped the ruby_task_helper upper bound to &lt;strong&gt;&amp;lt; 2.0.0&lt;/strong&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bump ruby_task_helper upper bound to &amp;lt; 2.0.0 (&lt;a href="https://github.com/puppetlabs/puppetlabs-terraform/pull/37" rel="noopener noreferrer"&gt;#37&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  vault 0.4.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-05-14 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/vault" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release bumped the ruby_task_helper upper bound to &lt;strong&gt;&amp;lt; 2.0.0&lt;/strong&gt;.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bump ruby_task_helper upper bound to &amp;lt; 2.0.0 (&lt;a href="https://github.com/puppetlabs/puppetlabs-vault/pull/19" rel="noopener noreferrer"&gt;#19&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Until Next Time!
&lt;/h2&gt;

&lt;p&gt;That closes out the May 2026 update set. For deeper implementation detail, the linked module pages and release notes remain the best source of truth.&lt;/p&gt;

&lt;p&gt;If you have feedback on the roundup format or want a deeper look at a specific module area, the Perforce Community Slack is still the best place to continue the conversation.&lt;/p&gt;

&lt;p&gt;See you next month with a roundup for June releases!&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>infrastructureascode</category>
    </item>
    <item>
      <title>Puppet Core 8.19 and PDK 3.7: Security Updates, Dependency Changes, and Windows Fixes</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Thu, 21 May 2026 16:17:55 +0000</pubDate>
      <link>https://dev.to/puppet/puppet-core-819-and-pdk-37-security-updates-dependency-changes-and-windows-fixes-1j6n</link>
      <guid>https://dev.to/puppet/puppet-core-819-and-pdk-37-security-updates-dependency-changes-and-windows-fixes-1j6n</guid>
      <description>&lt;p&gt;Puppet Core &lt;strong&gt;8.19.0&lt;/strong&gt; focuses largely on security hardening, with some dependency cleanup and a small but important fix for Windows user management.&lt;/p&gt;

&lt;p&gt;If you already run Puppet Core 8, this release is primarily about &lt;strong&gt;keeping your runtime secure and predictable&lt;/strong&gt;, rather than introducing new workflows or configuration changes.&lt;/p&gt;

&lt;p&gt;➡️ Full details: &lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/PuppetReleaseNotes/release_notes_puppet_x-8-19-0.htm" rel="noopener noreferrer"&gt;Puppet Core 8.19.0 release notes&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;PDK 3.7.0 was also released to improve performance on Windows, update dependencies, and provide other updates for security and known issues.&lt;/p&gt;

&lt;p&gt;➡️ Full details: &lt;a href="https://help.puppet.com/pdk/current/topics/release_notes_pdk.htm#PDK370" rel="noopener noreferrer"&gt;PDK 3.7.0 release notes&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  CSV gem dependency removed
&lt;/h2&gt;

&lt;p&gt;Puppet Core no longer depends on the &lt;strong&gt;CSV&lt;/strong&gt; Ruby gem.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Removes an external dependency from the Puppet runtime&lt;/li&gt;
&lt;li&gt;Reduces overall dependency surface area&lt;/li&gt;
&lt;li&gt;Simplifies installation and long-term maintenance&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This change does not alter Puppet DSL behavior or require configuration changes.&lt;/p&gt;




&lt;h2&gt;
  
  
  Security updates
&lt;/h2&gt;

&lt;p&gt;Puppet Core 8.19.0 updates several bundled runtime components to address recently disclosed security vulnerabilities. These updates apply automatically when you upgrade.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Ruby&lt;/strong&gt; updated to &lt;strong&gt;3.2.11&lt;/strong&gt; (CVE-2026-27820)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;OpenSSL&lt;/strong&gt; updated to &lt;strong&gt;3.0.20&lt;/strong&gt; (CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;libxml2&lt;/strong&gt; updated to &lt;strong&gt;2.15.3&lt;/strong&gt; (CVE-2026-6732)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;curl&lt;/strong&gt; updated to &lt;strong&gt;8.20.0&lt;/strong&gt; (CVE-2026-6253, CVE-2026-6276, CVE-2026-6429, CVE-2026-7009, CVE-2026-7168)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;net-imap&lt;/strong&gt; updated to &lt;strong&gt;0.4.24&lt;/strong&gt; (CVE-2026-42245, CVE-2026-42246, CVE-2026-42256, CVE-2026-42257, CVE-2026-42258)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;erb&lt;/strong&gt; updated to &lt;strong&gt;6.0.4&lt;/strong&gt; (CVE-2026-41316)&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  ℹ️ Important note for net-imap users
&lt;/h3&gt;

&lt;p&gt;If you use net-imap directly in custom Ruby code, the updated version enforces stricter argument validation. &lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/PuppetReleaseNotes/release_notes_puppet_x-8-19-0.htm" rel="noopener noreferrer"&gt;Check the release notes&lt;/a&gt; for some details on how to manage this gem if you cannot use the upgraded version of net-imap.&lt;/p&gt;




&lt;h2&gt;
  
  
  Windows user passwords now allow colons
&lt;/h2&gt;

&lt;p&gt;When managing &lt;strong&gt;user resources on Windows&lt;/strong&gt;, Puppet Core no longer rejects passwords containing colons (&lt;code&gt;:&lt;/code&gt;).&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Affects Windows platforms only&lt;/li&gt;
&lt;li&gt;Behavior on other platforms is unchanged&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This prevents unnecessary failures when managing Windows accounts with valid password formats.&lt;/p&gt;




&lt;h2&gt;
  
  
  Installation safeguards for Ruby versions
&lt;/h2&gt;

&lt;p&gt;Puppet Core now prevents installation on unsupported Ruby versions.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Puppet Core 8 enforces a &lt;strong&gt;maximum supported Ruby version of 3.x&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Prevents installation attempts using unsupported versions (such as Ruby 4)&lt;/li&gt;
&lt;li&gt;Protects against installation failures like &lt;code&gt;can't modify frozen Hash&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This applies when installing Puppet Core via &lt;strong&gt;bundler or gem commands&lt;/strong&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  PDK 3.7.0 changes
&lt;/h2&gt;

&lt;p&gt;This version of PDK was updated to help prevent security issues and reduce test failures, and it makes macOS 15 downloads available.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Rexml updated to version 3.4.4 to address CVE-2025-58767&lt;/li&gt;
&lt;li&gt;macOS 15 downloads now available&lt;/li&gt;
&lt;li&gt;Windows performance has been improved&lt;/li&gt;
&lt;li&gt;YAML file validation issues should be resolved&lt;/li&gt;
&lt;li&gt;Several &lt;code&gt;puppet_forge&lt;/code&gt; gems and dependencies were updated&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Should you upgrade?
&lt;/h2&gt;

&lt;p&gt;Upgrading to Puppet Core &lt;strong&gt;8.19.0&lt;/strong&gt; is recommended for Puppet Core 8.x users if:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You want current security fixes for bundled runtime dependencies&lt;/li&gt;
&lt;li&gt;You manage Windows users with complex passwords&lt;/li&gt;
&lt;li&gt;You want to avoid accidental installation on unsupported Ruby versions&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Want to get started? Here are the install/upgrade guides:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/installing_and_upgrading.htm" rel="noopener noreferrer"&gt;Install docs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/upgrade.htm" rel="noopener noreferrer"&gt;Upgrade docs&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For full details and CVE listings, see the release notes:&lt;/p&gt;

&lt;p&gt;➡️ &lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/PuppetReleaseNotes/release_notes_puppet_x-8-19-0.htm" rel="noopener noreferrer"&gt;Puppet Core 8.19.0 release notes&lt;/a&gt;&lt;br&gt;
➡️ &lt;a href="https://help.puppet.com/pdk/current/topics/release_notes_pdk.htm#PDK370" rel="noopener noreferrer"&gt;PDK 3.7.0 release notes&lt;/a&gt;&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>devops</category>
      <category>infrastructureascode</category>
    </item>
    <item>
      <title>Puppetlabs Modules Roundup – April 2026</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Thu, 07 May 2026 16:31:43 +0000</pubDate>
      <link>https://dev.to/puppet/puppetlabs-modules-roundup-april-2026-358</link>
      <guid>https://dev.to/puppet/puppetlabs-modules-roundup-april-2026-358</guid>
      <description>&lt;p&gt;In April 2026, there were 8 Puppetlabs module releases, with the most notable updates collected here for a quick review.&lt;/p&gt;

&lt;p&gt;The overall pattern in these releases was event forwarding enhancements and security and compliance platform updates, which makes this month’s roundup a useful quick scan for teams planning upgrades or routine maintenance.&lt;/p&gt;

&lt;h2&gt;
  
  
  Highlighted Updates
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Event Forwarding Enhancements
&lt;/h3&gt;

&lt;p&gt;Coordinated updates to the Splunk HEC and PE Event Forwarding modules add support for the orchestrator_plan event type, improving visibility into Puppet orchestrator activities with enhanced filtering and integration capabilities.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Affected modules: splunk_hec, pe_event_forwarding.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Security and Compliance Platform Updates
&lt;/h3&gt;

&lt;p&gt;Comply and Comply Admin modules received coordinated releases, advancing the Security Compliance Management platform capabilities.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Affected modules: comply, complyadm.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What Updates Happened to Puppetlabs Modules in April 2026?
&lt;/h2&gt;

&lt;p&gt;The following is an alphabetical listing of modules which received updates in April 2026. If a module had multiple versions released, the updates are collected together, numbered with the "latest" version available.&lt;/p&gt;




&lt;h3&gt;
  
  
  cd4peadm 5.15.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-28 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/cd4peadm" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;A few highlights from this release:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Added a Hiera configuration option, external_webhook_url, that allows you to set the webhook URL that Continuous Delivery sends to your VCS provider. This is useful if you are using a proxy between your VCS and CD.&lt;/li&gt;
&lt;li&gt;Added an idle timeout to the CD console that logs users out after 30 minutes. Configure this using the Hiera option, web_session_idle_timeout_mins.&lt;/li&gt;
&lt;li&gt;Added CSRF protection to the DeleteUserAccount and SetSuperUser endpoints by restricting them to POST requests and validating CSRF tokens issued at login and expired on logout.&lt;/li&gt;
&lt;li&gt;20 CVEs addressed.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check the official &lt;a href="https://help.puppet.com/cdpe/current/Content/UserGuide/CDPE/ReleaseNotes/cd_release_notes.htm#Version5150" rel="noopener noreferrer"&gt;release notes for cd4peadm 5.15.0&lt;/a&gt; for the full details.&lt;/p&gt;




&lt;h3&gt;
  
  
  comply 3.7.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-28 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/comply" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;A few highlights from this release:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Fixed a stale image which resulted in checksum and benchmark issues upon install.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-33815, CVE-2026-33816.&lt;/strong&gt; Updated gorm.io to v5.9.2 to address these vulnerabilities.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check the official &lt;a href="https://help.puppet.com/scm/current/Content/UserGuide/SCM/Release_notes/release_notes.htm#SecurityComplianceManagement371" rel="noopener noreferrer"&gt;release notes for comply 3.7.1&lt;/a&gt; for the full details.&lt;/p&gt;




&lt;h3&gt;
  
  
  complyadm 3.7.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-28 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/complyadm" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;A few highlights from this release:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Fixed a stale image which resulted in checksum and benchmark issues upon install.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;CVE-2026-33815, CVE-2026-33816.&lt;/strong&gt; Updated gorm.io to v5.9.2 to address these vulnerabilities.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check the official &lt;a href="https://help.puppet.com/scm/current/Content/UserGuide/SCM/Release_notes/release_notes.htm#SecurityComplianceManagement371" rel="noopener noreferrer"&gt;release notes for complyadm 3.7.1&lt;/a&gt; for the full details.&lt;/p&gt;




&lt;h3&gt;
  
  
  lvm 4.0.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-30 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/lvm" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release addresses two bug fixes. A race condition where &lt;code&gt;lvcreate&lt;/code&gt; returns before udev finishes processing device-add events could cause a subsequent &lt;code&gt;filesystem&lt;/code&gt; resource targeting the same logical volume to fail with "device or resource busy" — the fix calls &lt;code&gt;udevadm settle&lt;/code&gt; after a successful &lt;code&gt;lvcreate&lt;/code&gt;. The release also corrects an AIX-specific issue where boolean filesystem parameters such as &lt;code&gt;isnapshot&lt;/code&gt; were passed to &lt;code&gt;crfs&lt;/code&gt; as &lt;code&gt;true&lt;/code&gt;/&lt;code&gt;false&lt;/code&gt; instead of the required &lt;code&gt;yes&lt;/code&gt;/&lt;code&gt;no&lt;/code&gt;, causing the command to reject them outright.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;(MODULES-11756) Wait for udev to settle after lvcreate &lt;a href="https://github.com/puppetlabs/puppetlabs-lvm/pull/380" rel="noopener noreferrer"&gt;#380&lt;/a&gt; (&lt;a href="https://github.com/imaqsood" rel="noopener noreferrer"&gt;imaqsood&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(MODULES-11788) Pass converted boolean parameter &lt;a href="https://github.com/puppetlabs/puppetlabs-lvm/pull/379" rel="noopener noreferrer"&gt;#379&lt;/a&gt; (&lt;a href="https://github.com/joshcooper" rel="noopener noreferrer"&gt;joshcooper&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  pe_event_forwarding 2.3.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-09 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/pe_event_forwarding" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release adds orchestrator plan-job collection controls and fixes duplicate forwarding behavior in job collection.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Added plan job data collection from the &lt;code&gt;orchestrator/v1/plan_jobs&lt;/code&gt; API, with progress tracked in a dedicated &lt;code&gt;pe_event_forwarding_plan_index.yaml&lt;/code&gt; state file.&lt;/li&gt;
&lt;li&gt;Added the &lt;code&gt;pe_event_forwarding::skip_plans&lt;/code&gt; parameter to disable plan job collection when needed.&lt;/li&gt;
&lt;li&gt;Fixed &lt;code&gt;get_jobs&lt;/code&gt; behavior where the first page could return more records than newly available jobs, which could cause duplicate forwarded data.&lt;/li&gt;
&lt;li&gt;Source attribution: &lt;a href="https://github.com/puppetlabs/puppetlabs-pe_event_forwarding/pull/137" rel="noopener noreferrer"&gt;(PIE-1683) Add support for collecting plan data #137&lt;/a&gt; (&lt;a href="https://github.com/coreymbe" rel="noopener noreferrer"&gt;coreymbe&lt;/a&gt;).&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  peadm 3.37.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-01 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/peadm" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release is a small change to add support for Puppet Enterprise 2025.10.0.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;(PE-43654) Add support for PE 2025.10.0 &lt;a href="https://github.com/puppetlabs/puppetlabs-peadm/pull/661" rel="noopener noreferrer"&gt;#661&lt;/a&gt; (&lt;a href="https://github.com/davidmalloncares" rel="noopener noreferrer"&gt;davidmalloncares&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  sce_linux 2.6.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-06 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/sce_linux" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;A few highlights from this release:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Error message:&lt;/strong&gt; comparison of NilClass with  failed. Some users saw this error message and experienced catalog compilation failures when attempting to manage mounted file system options with SCE for Linux. The issue was caused by /etc/fstab files that did not have at least one comment line or blank line. The internal parser was updated to avoid the issue and help prevent compilation errors.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;sce_mount_info fact does not resolve to a value.&lt;/strong&gt; This issue is related to the Linux findmnt command, which is used to list all mounted file systems. The command, which supports different options depending on operating system, was failing on specific systems, resulting in a failure of the sce_mount_info fact. Now, if the findmnt command fails, warnings will be logged, and the /etc/fstab file will be parsed directly for mount information.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Error messages related to rsyslog.&lt;/strong&gt; Because the version of the rsyslog logging service used on Red Hat Enterprise Linux (RHEL) 9 differs from earlier versions, users of RHEL 9 sometimes see error messages like this: &lt;code&gt;imjournal: open() failed for path: '/var/lib/rsyslog/imjournal.state.tmp': Operation not permitted&lt;/code&gt;. These messages indicate a failure to load the rsyslog imjournal module. To accommodate the changes in rsyslog and avoid this error, the module loading syntax was updated in SCE for Linux.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Check the official &lt;a href="https://help.puppet.com/sce/current/linux/scel_relnotes_261.htm" rel="noopener noreferrer"&gt;release notes for sce_linux 2.6.1&lt;/a&gt; for the full details.&lt;/p&gt;




&lt;h3&gt;
  
  
  splunk_hec 2.2.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-04-09 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/splunk_hec" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release focuses on support for the &lt;code&gt;orchestrator_plan&lt;/code&gt; event type from the &lt;strong&gt;puppetlabs-pe_event_forwarding&lt;/strong&gt; module while also adding &lt;code&gt;orchestrator_plan&lt;/code&gt; to the index mappings in the util_splunk_hec template.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Added support for the &lt;code&gt;orchestrator_plan&lt;/code&gt; event type from the &lt;strong&gt;puppetlabs-pe_event_forwarding&lt;/strong&gt; module.&lt;/li&gt;
&lt;li&gt;Added &lt;code&gt;orchestrator_plan&lt;/code&gt; to index mappings in util_splunk_hec template.&lt;/li&gt;
&lt;li&gt;New PE Event Forwarding filter &lt;code&gt;orchestrator_plan_data_filter&lt;/code&gt; to allow filtering orchestrator plan event payloads.&lt;/li&gt;
&lt;li&gt;Module dependency updated to ensure &lt;code&gt;pe_event_forwarding&lt;/code&gt; v2.3.0+ is installed.&lt;/li&gt;
&lt;li&gt;Removed support for Debian platform and EOL operating system versions.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Until Next Time!
&lt;/h2&gt;

&lt;p&gt;That’s the full pass through the 8 Puppetlabs module releases from April 2026. The Forge links above are the quickest path to the underlying release details.&lt;/p&gt;

&lt;p&gt;If there is a part of the Puppetlabs ecosystem that would benefit from more context in future roundups, that feedback is worth sending along.&lt;/p&gt;

&lt;p&gt;Catch you in the next roundup for May 2026.&lt;/p&gt;

</description>
      <category>puppet</category>
    </item>
    <item>
      <title>Puppet Continuous Delivery 5.15.0 is now available</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Wed, 29 Apr 2026 16:20:25 +0000</pubDate>
      <link>https://dev.to/puppet/puppet-continuous-delivery-5150-is-now-available-5990</link>
      <guid>https://dev.to/puppet/puppet-continuous-delivery-5150-is-now-available-5990</guid>
      <description>&lt;p&gt;Puppet Continuous Delivery (CD) &lt;strong&gt;version 5.15.0&lt;/strong&gt; is now available, with updates focused on stability, security, and day‑to‑day usability for teams running Puppet automation pipelines at scale.&lt;/p&gt;

&lt;p&gt;If you’re already on CD 5.x, this is a straightforward upgrade that continues the work of refining the platform while keeping it aligned with current Puppet Enterprise releases and supported tooling.&lt;/p&gt;

&lt;p&gt;The detailed release notes are linked below, but here’s a quick breakdown of what this release delivers and why you may want to upgrade.&lt;/p&gt;

&lt;h2&gt;
  
  
  What’s included in CD 5.15.0
&lt;/h2&gt;

&lt;p&gt;CD 5.15.0 delivers targeted updates across webhook configuration, Pipelines as Code, Impact Analysis, VCS integrations, and platform security. The changes below focus on specific features and integrations rather than broad platform behavior.&lt;/p&gt;

&lt;h3&gt;
  
  
  Webhooks, sessions, and configuration
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Added a new Hiera configuration option, &lt;code&gt;external_webhook_url&lt;/code&gt;, which allows you to explicitly set the webhook URL that Continuous Delivery sends to your VCS provider. This is intended for deployments where CD is running behind a proxy.&lt;/li&gt;
&lt;li&gt;Added an idle session timeout to the CD console. Users are logged out after 30 minutes of inactivity by default, configurable using the &lt;code&gt;web_session_idle_timeout_mins&lt;/code&gt; Hiera option.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Pipelines as Code and Impact Analysis
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Added the &lt;code&gt;skip_empty_catalogs&lt;/code&gt; parameter to the Impact Analysis settings in the Pipelines as Code schema. When enabled, nodes with no catalog resources in PuppetDB are excluded from Impact Analysis results.&lt;/li&gt;
&lt;li&gt;Fixed an issue where the browser would stop polling for Impact Analysis results when an IA run finished or when navigating away from the IA details view.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  VCS integrations (Azure DevOps and GitLab)
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Updated the &lt;strong&gt;Pipeline Summary&lt;/strong&gt; view so the &lt;code&gt;by&lt;/code&gt; field now displays the initiating user’s &lt;strong&gt;display name&lt;/strong&gt; for Azure DevOps pipelines, instead of the user ID.&lt;/li&gt;
&lt;li&gt;Changed how Continuous Delivery sends commit status updates to &lt;strong&gt;GitLab&lt;/strong&gt;. When native GitLab pipelines are present, all CD commit status updates are now attached to the same branch pipeline, avoiding fragmented status reporting.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Data visibility and usability fixes
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Fixed an issue where &lt;code&gt;package_updates&lt;/code&gt; for &lt;code&gt;pe_patch&lt;/code&gt; data did not appear in the fact picker. The query service was updated so this data now displays correctly.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Security and authorization hardening
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Added CSRF protection to the &lt;code&gt;DeleteUserAccount&lt;/code&gt; and &lt;code&gt;SetSuperUser&lt;/code&gt; endpoints by restricting them to POST requests and validating CSRF tokens issued at login and expired on logout.&lt;/li&gt;
&lt;li&gt;Fixed an issue where any authenticated user could enumerate user accounts and email addresses. Access to the &lt;code&gt;GET /v1/users&lt;/code&gt; endpoint is now properly restricted to root and superusers.&lt;/li&gt;
&lt;li&gt;Fixed an authorization bypass on the GraphQL &lt;code&gt;/query&lt;/code&gt; endpoint where permission checks could be skipped when using workspace variables or omitting the &lt;code&gt;id&lt;/code&gt; field. Authorization is now enforced consistently.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Platform and runtime updates
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Added &lt;strong&gt;Amazon Linux 2023&lt;/strong&gt; as a supported platform for Docker‑based installs.&lt;/li&gt;
&lt;li&gt;Updated the Postgres base image to &lt;code&gt;postgres:17-trixie&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Security dependency updates
&lt;/h3&gt;

&lt;p&gt;This release includes dependency updates to address reported vulnerabilities, including updates to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;lodash&lt;/li&gt;
&lt;li&gt;diffjs&lt;/li&gt;
&lt;li&gt;plexus-utils&lt;/li&gt;
&lt;li&gt;glibc&lt;/li&gt;
&lt;li&gt;undici&lt;/li&gt;
&lt;li&gt;jackson&lt;/li&gt;
&lt;li&gt;Jetty (updated to version 12)&lt;/li&gt;
&lt;li&gt;golang.org/x/crypto&lt;/li&gt;
&lt;li&gt;quartz&lt;/li&gt;
&lt;li&gt;logrus&lt;/li&gt;
&lt;li&gt;log4j2&lt;/li&gt;
&lt;li&gt;bouncy-castle&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Refer to &lt;a href="https://help.puppet.com/cdpe/current/Content/UserGuide/CDPE/ReleaseNotes/cd_release_notes.htm#Version5150" rel="noopener noreferrer"&gt;the release notes&lt;/a&gt; for the full list of CVEs addressed in this release.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this release matters
&lt;/h2&gt;

&lt;p&gt;For most users, CD sits in the middle of multiple systems: source control, CI tooling, Puppet Enterprise, and infrastructure targets. Small issues can quickly turn into pipeline friction.&lt;/p&gt;

&lt;p&gt;CD 5.15.0 continues the effort to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Reduce pipeline noise caused by edge‑case failures&lt;/li&gt;
&lt;li&gt;Improve the quality of feedback when something goes wrong&lt;/li&gt;
&lt;li&gt;Keep security posture current without forcing disruptive changes&lt;/li&gt;
&lt;li&gt;Make upgrades between minor versions low‑risk&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you’re standardizing on CD 5.x, staying current helps ensure you’re getting fixes before they turn into operational problems.&lt;/p&gt;

&lt;h2&gt;
  
  
  Installation and upgrade notes
&lt;/h2&gt;

&lt;p&gt;If you’re new to Puppet Continuous Delivery, start with the official install documentation:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://help.puppet.com/cdpe/current/Content/UserGuide/CDPE/Installation/install_set_up.htm" rel="noopener noreferrer"&gt;Puppet CD installation docs&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you’re already running CD 5.x, upgrading to 5.15.0 should follow the standard upgrade path described in the documentation:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://help.puppet.com/cdpe/current/Content/UserGuide/CDPE/Upgrade/upgrading.htm" rel="noopener noreferrer"&gt;Puppet CD upgrade docs&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As always, review the release notes before upgrading, especially if you rely on specific integrations or custom pipeline behavior.&lt;/p&gt;

&lt;h2&gt;
  
  
  Read the full details
&lt;/h2&gt;

&lt;p&gt;For the complete list of fixes, security updates, and known issues, check the official release notes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://help.puppet.com/cdpe/current/Content/UserGuide/CDPE/ReleaseNotes/cd_release_notes.htm#Version5150" rel="noopener noreferrer"&gt;Continuous Delivery 5.15.0 release notes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you have feedback or run into issues after upgrading, the Puppet community channels are always a good place to share what you’re seeing.&lt;/p&gt;




&lt;p&gt;Happy automating!&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>cicd</category>
    </item>
    <item>
      <title>Security Compliance Management 3.7.0 Is Now Available</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Wed, 15 Apr 2026 14:56:44 +0000</pubDate>
      <link>https://dev.to/puppet/security-compliance-management-370-is-now-available-1i47</link>
      <guid>https://dev.to/puppet/security-compliance-management-370-is-now-available-1i47</guid>
      <description>&lt;p&gt;Security Compliance Management (SCM) 3.7.0 helps teams assess systems against recognized security benchmarks. This release supports evolving baselines and improves audit readiness, operational reliability, and overall governance by giving administrators tighter control over platform performance, user access, and API security within the Puppet Enterprise platform.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's new in this release
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Expanded benchmark coverage for evolving environments
&lt;/h3&gt;

&lt;p&gt;SCM 3.7.0 updates CIS-CAT Pro Assessor benchmark coverage to support newer operating systems and standards. This helps ensure compliance reporting remains current as teams adopt new platforms.&lt;/p&gt;

&lt;p&gt;Highlights include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;New CIS benchmarks for numerous Linux distributions and macOS.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;An updated benchmark for Microsoft Windows 11 Enterprise.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  More predictable performance during compliance scans
&lt;/h3&gt;

&lt;p&gt;Administrators can now control JVM memory allocation for the CIS Assessor, allowing performance tuning based on environment size and available resources. This results in more reliable scans and fewer disruptions during compliance assessments.&lt;/p&gt;

&lt;h3&gt;
  
  
  Greater control over user access and session behavior
&lt;/h3&gt;

&lt;p&gt;New centralized session management options allow administrators to better align SCM authentication behavior with corporate security and identity policies. The outcome is reduced risk from long-lived sessions and improved governance.&lt;/p&gt;

&lt;h3&gt;
  
  
  Improved API governance and security posture
&lt;/h3&gt;

&lt;p&gt;Additional GraphQL controls help limit exposure and enforce request limits in regulated or security-sensitive environments. The smaller API attack surface provides stronger API governance.&lt;/p&gt;

&lt;h3&gt;
  
  
  Security fixes and dependency updates
&lt;/h3&gt;

&lt;p&gt;This release addresses multiple known vulnerabilities across core dependencies, helping reduce inherited risk and support ongoing vulnerability management.&lt;/p&gt;

&lt;p&gt;For a complete list of addressed CVEs and detailed configuration guidance, see the release notes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Upgrade to SCM 3.7.0
&lt;/h2&gt;

&lt;p&gt;Organizations should consider upgrading to SCM 3.7.0 to reduce compliance gaps, stabilize large-scale assessments, and strengthen security controls as environments grow more complex.&lt;/p&gt;

&lt;p&gt;With this release, teams can:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Maintain audit readiness as new operating systems and benchmarks are adopted.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Improve scan reliability and performance in large-scale environments managed through Puppet Enterprise.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Centralize and standardize user session and API behavior across the platform.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Reduce exposure to known vulnerabilities through updated dependencies and security fixes.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Next Steps
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Review the&amp;nbsp;&lt;a href="https://help.puppet.com/scm/current/Content/UserGuide/SCM/Release_notes/release_notes.htm#SecurityComplianceManagement370" rel="noopener noreferrer"&gt;release notes&lt;/a&gt;&amp;nbsp;for technical details and configuration information.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Upgrade to SCM 3.7.0 to take advantage of expanded coverage and new governance controls.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>puppet</category>
      <category>security</category>
    </item>
    <item>
      <title>Generate a Puppet Module Using GitHub Copilot and VS Code</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Mon, 13 Apr 2026 13:23:29 +0000</pubDate>
      <link>https://dev.to/puppet/generate-a-puppet-module-using-github-copilot-and-vs-code-50mm</link>
      <guid>https://dev.to/puppet/generate-a-puppet-module-using-github-copilot-and-vs-code-50mm</guid>
      <description>&lt;p&gt;This tutorial shows how to use GitHub Copilot with the Puppet Model Context Protocol (MCP) server to generate, validate, and refine a Puppet module—even if you’re new to Puppet development.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;
  
  
  What You’ll Learn&amp;nbsp;
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;  How to configure GitHub Copilot with the Puppet MCP server&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  How AI agents can use the Puppet Development Kit (PDK) to generate Puppet modules&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  How AI agents can use the PDK to validate and iterate on generated Puppet code&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The Challenge: Overcoming the Puppet Module Learning Curve&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;When you start automating infrastructure with Puppet, you might face an initial learning curve. You will begin to learn Puppet syntax, best practices around module structure and Puppet Domain-Specific Language (DSL), and even what tools are available to you.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;To help DevOps practitioners get started, Puppet first released an MCP server to&amp;nbsp;&lt;a href="https://help.puppet.com/pe/current/topics/infra-assistant-code-assist.htm" rel="noopener noreferrer"&gt;accelerate development&lt;/a&gt;&amp;nbsp;when using the new Puppet EdgeOps module for&amp;nbsp;&lt;a href="https://www.puppet.com/blog/puppet-edge-code-assist" rel="noopener noreferrer"&gt;working with network devices&lt;/a&gt;. Starting with Puppet Enterprise Advanced 2025.7, tools are available to provide even more guidance and information for working with agents on Puppet code in control repos, tasks, and modules. Traditional module development demanded deep domain expertise that teams often lack, but using modern AI-assisted development flows can help you bridge the knowledge gap.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Puppet's MCP server can be used with your favorite Integrated Development Environment (IDE) and code assist agent so that you can describe your requirements in natural language and work with your agent to get validated Puppet code and architecture. This tutorial demonstrates the use of Visual Studio (VS) Code and GitHub Copilot to generate a Puppet module with minimal Puppet expertise, helping you get started faster!&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;⚠️&amp;nbsp;&lt;strong&gt;Important:&lt;/strong&gt;&amp;nbsp;AI tools make mistakes, just like people. For this reason, your process should always involve review and testing as part of the end-to-end process. Use these tools to augment yourself and the team, but make those tools earn your trust.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Time to get started!&lt;/p&gt;

&lt;h2&gt;
  
  
  Tech Stack Overview: VS Code, GitHub Copilot, and Puppet MCP&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.puppet.com/sites/default/files/inline-images/1.png" rel="noopener noreferrer"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz63dnnmh3aa53llhhw7.png" alt="Flow chart depicting VS Code, GitHub, and MCP Server" width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For this tutorial, the Puppet development workflow will combine three key technologies:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://code.visualstudio.com/download" rel="noopener noreferrer"&gt;&lt;strong&gt;Visual Studio Code&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt;&amp;nbsp;Serves as the IDE where all coding (and code generation) happens. &amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://code.visualstudio.com/docs/copilot/overview" rel="noopener noreferrer"&gt;&lt;strong&gt;GitHub Copilot&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt;&amp;nbsp;Acts as the AI coding assistant that provides intelligent code suggestions and executes autonomous tasks.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/infra-assistant-code-assist.htm" rel="noopener noreferrer"&gt;&lt;strong&gt;Puppet MCP server&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;:&lt;/strong&gt;&amp;nbsp;Exposes Puppet-specific intelligence through MCP, enabling GitHub Copilot to better generate Puppet solutions.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The MCP server provides&amp;nbsp;&lt;a href="https://help.puppet.com/pe/current/topics/available-mcp-tools-for-code-assist.htm" rel="noopener noreferrer"&gt;several tools&lt;/a&gt;&amp;nbsp;to provide Puppet language guides, information about Puppet environment entities, Puppet documentation, and networking info. This integration eliminates context switching between documentation, terminal windows, and code editors and provides the information required by AI agents to support smooth transitions from one step to the next.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Authentication to the Puppet MCP server happens via Puppet Enterprise (PE) API keys with&amp;nbsp;&lt;a href="https://help.puppet.com/pe/current/topics/adding-an-mcp-server.htm" rel="noopener noreferrer"&gt;secure token storage in VS Code&lt;/a&gt;. The MCP architecture follows a client-server model where VS Code instantiates client connections to the Puppet MCP server running in your Puppet Enterprise environment.&lt;/p&gt;

&lt;h2&gt;
  
  
  Prerequisites and Required Software Installation&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;This brief tutorial is based on the assumption that you have met several prerequisites. Plan time to go through this checklist before starting:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Obtain your authentication credentials to download Perforce Puppet applications. The credentials are either your Forge API key or your&amp;nbsp;&lt;a href="https://help.puppet.com/pe/current/topics/verify_installed_licenses_and_active_nodes.htm?Highlight=%22license%20id%22" rel="noopener noreferrer"&gt;Puppet Enterprise license ID&lt;/a&gt;.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/installing.htm" rel="noopener noreferrer"&gt;Install Puppet Enterprise Advanced 2025.7+&lt;/a&gt;.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/enabling-the-infra-assistant.htm" rel="noopener noreferrer"&gt;Enable the Infra Assistant feature on your PE server&lt;/a&gt;. You do not have to configure the Infra Assistant OpenAI settings, but the Infra Assistant must be turned on in order for the MCP server to accept requests from your agent.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/rbac-token-auth-generate-token-console.htm" rel="noopener noreferrer"&gt;Generate a valid Puppet Enterprise API key&lt;/a&gt;&amp;nbsp;from the console for a user with the&amp;nbsp;&lt;code&gt;infrastructure_assistant:use&lt;/code&gt;&amp;nbsp;permission. (The API key is sometimes called a token.)&lt;/li&gt;
&lt;li&gt;  Install&amp;nbsp;&lt;a href="https://code.visualstudio.com/download" rel="noopener noreferrer"&gt;Visual Studio Code&lt;/a&gt;&amp;nbsp;on your development machine and complete configuration tasks:
&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://code.visualstudio.com/docs/copilot/overview#_getting-started" rel="noopener noreferrer"&gt;Configure the GitHub Copilot extension&lt;/a&gt;&amp;nbsp;in Visual Studio Code.&lt;/li&gt;
&lt;li&gt;  Configure GitHub Copilot to&amp;nbsp;&lt;a href="https://code.visualstudio.com/docs/copilot/customization/mcp-servers" rel="noopener noreferrer"&gt;use MCP servers in VS Code&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;  Ensure that your developer machine has network access to the PE console host.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  Verify that your developer machine&amp;nbsp;&lt;a href="https://portal.perforce.com/s/article/8078496522135?utm_medium=social&amp;amp;utm_source=youtube&amp;amp;utm_campaign=2025-puppet-forge&amp;amp;utm_content=puppet-forge" rel="noopener noreferrer"&gt;trusts the PE console CA certificate&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Tutorial Walkthrough: From Empty Repository to Generated Module&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;These steps walk through how you can take a completely empty repository to a validated Puppet module by using an AI-assisted flow in Visual Studio Code with a code assistant. Remember to meet the previously listed prerequisites! The following steps use GitHub Copilot, but if you happen to use a different stack (like Claude Code or Cursor), the process is mostly the same.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tip:&lt;/strong&gt;&amp;nbsp;In this tutorial, “agent chat” refers to the GitHub Copilot Agent chat window in Visual Studio Code.&amp;nbsp;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; Using your favorite source control tool, create a blank repository to begin working.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Clone the repository and open it in Visual Studio Code.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; To support the use of Puppet tools, install GitHub Copilot instructions in your solution. Sample instructions are&amp;nbsp;&lt;a href="https://github.com/jst-cyr/puppet-copilot-instructions-example" rel="noopener noreferrer"&gt;available on GitHub&lt;/a&gt;.&amp;nbsp;
&lt;strong&gt;Tip:&lt;/strong&gt;&amp;nbsp;Some models cannot easily find instructions in subfolders and search only in the root directory. Some models look only for the&amp;nbsp;&lt;code&gt;copilot-instructions.md&lt;/code&gt;&amp;nbsp;file. The example provides a&amp;nbsp;&lt;code&gt;README.md&lt;/code&gt;&amp;nbsp;and a&amp;nbsp;&lt;code&gt;copilot-instructions.md&lt;/code&gt;&amp;nbsp;file that help lead the model toward the custom Puppet instructions file.&lt;/li&gt;
&lt;li&gt; &lt;a href="https://help.puppet.com/pe/current/topics/adding-an-mcp-server.htm" rel="noopener noreferrer"&gt;Add the Puppet MCP server&lt;/a&gt;&amp;nbsp;to your&amp;nbsp;&lt;code&gt;mcp.json&lt;/code&gt;&amp;nbsp;file.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Start the Puppet MCP server, either by clicking&amp;nbsp;&lt;strong&gt;Start&lt;/strong&gt;&amp;nbsp;in your&amp;nbsp;&lt;code&gt;mcp.json&lt;/code&gt;&amp;nbsp;file or through the&amp;nbsp;&lt;strong&gt;MCP Servers – Installed&lt;/strong&gt;&amp;nbsp;list in the&amp;nbsp;&lt;strong&gt;Extensions&lt;/strong&gt;&amp;nbsp;view.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Open an agent chat window for GitHub Copilot.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Run a prompt to generate a new module. For example: “I want to create a new Puppet module to automate the provisioning of new AWS VMs. Please follow best practices for Puppet module creation.”&amp;nbsp;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Note that this is a simple prompt example. To follow context engineering best practices, you would provide much more detail to get your desired output. For tutorial purposes, the prompt is intentionally lightweight. By using a simple prompt, you can recognize the extra context and benefits provided by Puppet tools to accelerate your progress.&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/F25NUANJT04"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;

&lt;h2&gt;
  
  
  Installing Puppet Development Kit (PDK)&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;At this point, your agent should be running and attempting to solve the problem. The agent will quickly detect the need for additional information from the&amp;nbsp;&lt;strong&gt;Puppet MCP server.&lt;/strong&gt;&amp;nbsp;In addition, the agent will determine that the&amp;nbsp;&lt;strong&gt;Puppet Development Kit (PDK)&lt;/strong&gt;&amp;nbsp;must be used to create modules. In my model testing, the GitHub Copilot agent undertook the following tasks, which required minimal input from the user:&amp;nbsp;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; Processed the provided Puppet instructions and determined that the Puppet MCP server should be connected to retrieve guidelines.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Attempted to connect to the Puppet MCP server for the&amp;nbsp;&lt;code&gt;get_puppet_guide&lt;/code&gt;&amp;nbsp;tool and augmented the context with information from the Puppet MCP server.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Recognized that the PDK is required and attempted to check whether PDK was installed (by running&amp;nbsp;&lt;code&gt;pdk --version&lt;/code&gt;).&amp;nbsp;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;If PDK was not detected, attempted to fetch the PDK installation instructions.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tip:&lt;/strong&gt;&amp;nbsp;The agent may use different URLs to search for the PDK installation instructions. Eventually, the agent will find the correct installation instructions for the operating system.&amp;nbsp;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;&lt;p&gt;After the agent discovered the installation instructions, the agent determined that authentication credentials are required to download the software. At this point, the user would be prompted for Forge credentials or Puppet Enterprise credentials. At the prompt, you will specify the type of credentials. For example: “Here is my license ID: abcdefghizjklmnopzrstuvwxyz1”. This sample prompt informs the agent to use a Puppet Enterprise license ID, instead of a Forge API key, as the authentication method.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Submit the prompt and the agent will begin to download and install the PDK.&amp;nbsp;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The agent typically installs the PDK as part of its setup routine. In practice, the agent might run incorrect commands or fail to use elevated privileges on the first attempt. When that happens, allow the agent to iterate until the installation succeeds.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;💡&amp;nbsp;&lt;strong&gt;Tip:&lt;/strong&gt;&amp;nbsp;This is a huge boost for new users because the agent can search for instructions and quickly iterate through installation failures, while you focus on reviewing the results.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;After the agent successfully completes the PDK download and installation on your behalf, the agent continues with module generation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Generating the Module&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;With the PDK installed, it’s time to create the first steps of a module that will accomplish your goals. Only minimal context is provided in the tutorial example for provisioning new AWS VMs. The models will attempt to create the functionality you require based on their training data, the context from the Puppet MCP server, and the context you provide. The better your prompting, the more accurate the output will be. For this tutorial, however, assume that you are not trying to generate the module in one step and will follow up with further prompting to refine the module. During this tutorial step, the agent will generate the basics of the module.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;At this stage, GitHub Copilot typically performs the following actions without requiring additional prompts:&amp;nbsp;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; After completing installation, validates the installation by running&amp;nbsp;&lt;code&gt;pdk --version&lt;/code&gt;.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; If successful, creates a module with a PDK command like&amp;nbsp;&lt;code&gt;pdk new module aws_provisioning --skip-interview&lt;/code&gt;.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; After the PDK module creation logic completes processing, creates profile classes for AWS VM provisioning. This command might be&amp;nbsp;&lt;code&gt;pdk new class aws_provisioning&lt;/code&gt;&amp;nbsp;or similar.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Creates additional supporting classes. In my testing, the agent ran these additional commands:&amp;nbsp;

&lt;ol&gt;
&lt;li&gt; &lt;code&gt;pdk new class aws_provisioning::config&lt;/code&gt;&amp;nbsp;&lt;/li&gt;
&lt;li&gt; &lt;code&gt;pdk new class aws_provisioning::instance&lt;/code&gt;&amp;nbsp;&lt;/li&gt;
&lt;/ol&gt;


&lt;/li&gt;

&lt;li&gt; After the basic structure of the classes is in place, begins implementing Puppet code for the classes. The actions resemble typical code generation steps, creating and editing a variety of files and patching them with new implementation logic.&amp;nbsp;&lt;/li&gt;

&lt;li&gt; When the initial code generation is completed on top of the PDK skeleton implementations, updates documentation such as the&amp;nbsp;&lt;code&gt;metadata.json&lt;/code&gt;&amp;nbsp;file and the README file to match the needs of the generated code.&amp;nbsp;&lt;/li&gt;

&lt;/ol&gt;

&lt;p&gt;When documentation updates are completed, a typical agent might stop without validating further. However, by setting the context for the agent with knowledge of PDK and its capabilities as well as the best practices from the Puppet MCP server, the agent knows that validation of modules is an important next step.&lt;/p&gt;

&lt;h2&gt;
  
  
  Validating the Module&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;PDK supports validation of a module to ensure that it meets specific standards. Even with the best practices and instructions that were provided to the agent, along with its training, agents can make mistakes. With validation, you can catch some of these mistakes up front. Augmenting with tools is a key strategy for agentic workflows. Using the agent as an automation process to leverage the tools you have is a great way to take advantage of more deterministic capabilities along with the non-deterministic nature of the agentic automation.&amp;nbsp;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; For validation, the agent should attempt to use the PDK:&amp;nbsp;&lt;code&gt;pdk validate&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt; PDK should find issues, even if they are only indentation issues in YAML files. The agent should then attempt to correct the issues with code assist using the output of the PDK validation.&amp;nbsp;&lt;/li&gt;
&lt;li&gt; When the patch edits are complete, the agent should run PDK validation again (&lt;code&gt;pdk validate&lt;/code&gt;).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If more issues are found, the agent should circle back and try to resolve them, looping until no more issues are found, but typically the first run of validation should find all issues.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;You can now continue your own testing and building out the module with a solid base that follows Puppet best practices! This workflow compresses the traditional learning curve and gets you to the interesting bits of your development much faster.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key Benefits of Agent-Assisted Module Creation&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;This AI-assisted approach offers several key advantages over manual development:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Agent-led requirements detection and installation help you get started so that your system achieves a correct state.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  Autonomous error detection and correction reduce debugging time significantly.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  The agent's ability to reference the Puppet MCP server and official Puppet documentation helps to ensure that generated code follows best practices and coding standards.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  Integration with PDK tooling provides deterministic automation and continuous quality checks throughout the development process.&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  Structured instruction files create a consistent and repeatable development experience across different projects and team members.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By building your AI-assisted flow on top of solid DevOps tools and practices, you’ll be equipped to avoid the typical challenges faced by generic coding models.&amp;nbsp;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;“DevOps is not dying. It is becoming the economic and operational foundation for AI at scale.&lt;/strong&gt;&lt;/em&gt;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;&lt;strong&gt;The data shows the same pattern across every domain: AI succeeds when delivery systems are standardized, centralized, automated, and measurable. Where those foundations are weak, AI magnifies existing gaps in coordination, governance, auditability, cost, and outcomes.”&lt;/strong&gt;&lt;/em&gt;&amp;nbsp;&lt;br&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;-&lt;/strong&gt;&lt;/em&gt;&amp;nbsp;&lt;a href="https://www.perforce.com/resources/state-of-devops/conclusion?utm_medium=social&amp;amp;utm_source=youtube&amp;amp;utm_campaign=2025-puppet-forge&amp;amp;utm_content=puppet-forge" rel="noopener noreferrer"&gt;&lt;em&gt;&lt;strong&gt;State of DevOps Report 2026&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Challenges and Solutions in AI-Assisted Puppet Development&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;You might encounter a few common challenges when using AI agents for Puppet module generation:&amp;nbsp;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; According to a&amp;nbsp;&lt;a href="https://vercel.com/blog/agents-md-outperforms-skills-in-our-agent-evals" rel="noopener noreferrer"&gt;recent evaluation by Vercel&lt;/a&gt;, coding agents&amp;nbsp;&lt;strong&gt;ignore available skills in 56% of cases,&lt;/strong&gt;&amp;nbsp;choosing not to invoke skills even when relevant documentation exists. The solution involves using instruction files that force context loading rather than relying on agent decisions. In the evaluation, Vercel found that directly embedding a compressed 8 KB docs index into an&amp;nbsp;&lt;code&gt;AGENTS.md&lt;/code&gt;&amp;nbsp;file helped coding agents achieve 100% pass rates compared to 79% with skills combined with explicit instructions. In my own tests with GitHub Copilot, references from the README.md file to other instruction files helped the agent, with less sophisticated models, to find the correct instructions and load them.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Agents sometimes refuse to use PDK or read proper installation instructions&lt;/strong&gt;, requiring iterative prompt refinement. The solution involves adding explicit installation commands, troubleshooting steps, and URL references to your&amp;nbsp;&lt;code&gt;copilot-instructions.md&lt;/code&gt;&amp;nbsp;file. Ensure that you follow&amp;nbsp;&lt;a href="https://vercel.com/blog/agents-md-outperforms-skills-in-our-agent-evals" rel="noopener noreferrer"&gt;best practices for instructions files to keep them lean&lt;/a&gt;. Getting GitHub Copilot to consistently read instruction files requires understanding that passive context (always-loaded files) outperforms active retrieval (on-demand skills). Instruction files should be concise (fewer than 1,000 lines), structured with headings and bullet points, and use imperative rules rather than long paragraphs. &amp;nbsp;&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;AI agents can get stuck in validation and fixing loops.&lt;/strong&gt;&amp;nbsp;For linting and validation errors that agents struggle to fix, adding error-specific guidance to instruction files helps GitHub Copilot learn from mistakes. The goal is to eliminate decision points by providing persistent context rather than making agents decide when to look up information.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Table 1: Common challenges in AI-assisted Puppet module development and recommended solutions&amp;nbsp;
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Challenge&amp;nbsp;&lt;/th&gt;
&lt;th&gt;Impact&amp;nbsp;&lt;/th&gt;
&lt;th&gt;Solution&amp;nbsp;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Agents ignore MCP tools (56% of cases)&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Skills documentation not invoked when needed&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Use .github/copilot-instructions.md for passive context loading (achieves 100% pass rate versus 79% with on-demand skills).&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;PDK installation issues&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Agents fail to use PDK or read installation instructions&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Add explicit installation commands and troubleshooting steps to copilot-instructions.md.&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Inconsistent reading of instruction files&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Agent decisions create unpredictable behavior&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Provide persistent context (always-loaded files) rather than relying on agent retrieval decisions.&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Incorrect Puppet code or missing namespaces or invalid spacing&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Generated configurations fail validation&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Include specific vendor configuration examples in instruction files and use PDK validation for testing modules.&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Validation errors agents can't fix&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Repeated mistakes across generations&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Document error-specific guidance in instruction files so agents learn from past failures.&amp;nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;File structure guidelines&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Keep instruction files concise (fewer than 1,000 lines) with clear structure&amp;nbsp;&lt;/td&gt;
&lt;td&gt;Use headings, bullet points, and imperative rules instead of long paragraphs.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Should You Use Agent Skills or Instructions?&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;Vercel's research on AI agent instruction approaches provides compelling evidence to show why instruction files are essential for effective AI-assisted development. Their evaluation tested Next.js 16 API generation using four configurations:&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; No documentation: 53% pass rate&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Skills with default behavior: 53% pass rate, same as no documentation&amp;nbsp;&lt;/li&gt;
&lt;li&gt; Skills with explicit trigger instructions: 79% pass rate&amp;nbsp;&lt;/li&gt;
&lt;li&gt; A compressed 8 KB docs index in AGENTS.md: 100% pass rate&amp;nbsp;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The static markdown file outperformed sophisticated retrieval systems because the file eliminated decision points where agents must choose whether to invoke tools. In 56% of eval cases, skills were never invoked despite being available, producing no improvement over the baseline.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;a href="https://www.puppet.com/sites/default/files/inline-images/2_0.png" rel="noopener noreferrer"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa7z7h9xf8dwzhnxwauiq.png" alt="AI Agent Performance: Instruction Approach comparison" width="800" height="450"&gt;&lt;/a&gt;
&lt;/h3&gt;

&lt;p&gt;Although these findings were focused on web development frameworks like Next.js, similar issues occur with agents across language frameworks and IDEs. For Puppet development, my testing found that combining instructions, PDK tooling, and the Puppet MCP server gave agents the best chance to have the correct context information. &amp;nbsp;&lt;/p&gt;

&lt;p&gt;AI-assisted development is still evolving but is expected to become an important part of many DevOps team processes. The Model Context Protocol is establishing itself as an enterprise-wide standard enabling vendor interoperability, with companies like Figma, Notion, Linear, Atlassian, and MongoDB building MCP servers that work seamlessly together.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For infrastructure-as-code specifically, the shift toward “vibe coding” is opening up the opportunity for developers to express intentions in natural language rather than memorizing command-line syntax or the specifics of the Puppet Desired State Language (DSL). Given a solid base of DevOps tools across the lifecycle, from development to testing to operations, coding assistants are well positioned to take advantage of these tools, thus unlocking opportunities for more practitioners to achieve greater efficiency across the entire workflow.&lt;/p&gt;

&lt;h2&gt;
  
  
  References&amp;nbsp;
&lt;/h2&gt;

&lt;p&gt;Check out the following sources, some of which were referenced in the document, and some of which provide a deeper dive if this topic is of interest to you!&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://github.com/jst-cyr/puppet-copilot-instructions-example" rel="noopener noreferrer"&gt;Sample instructions for GitHub Copilot and Puppet MCP server&lt;/a&gt;&amp;nbsp;(github.com/jst-cyr)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/installing.htm" rel="noopener noreferrer"&gt;Installing Puppet Enterprise (PE)&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/infra-assistant-code-assist.htm" rel="noopener noreferrer"&gt;Infra Assistant: code assist&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/enabling-the-infra-assistant.htm" rel="noopener noreferrer"&gt;Infra Assistant: Enable the Infra Assistant&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/available-mcp-tools-for-code-assist.htm" rel="noopener noreferrer"&gt;Infra Assistant - code assist: Available MCP tools&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/configuring-your-client-to-use-the-mcp-server.htm" rel="noopener noreferrer"&gt;Infra Assistant - code assist: Configuring your client to use the MCP server&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/adding-an-mcp-server.htm" rel="noopener noreferrer"&gt;Infra Assistant - code assist: Add the Puppet MCP server&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/rbac-token-auth-generate-token-console.htm" rel="noopener noreferrer"&gt;SAML authentication: Generate a token in the console&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://help.puppet.com/pe/current/topics/verify_installed_licenses_and_active_nodes.htm" rel="noopener noreferrer"&gt;View your license details | Puppet Enterprise&lt;/a&gt;&amp;nbsp;(help.puppet.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://portal.perforce.com/s/article/8078496522135?utm_medium=social&amp;amp;utm_source=youtube&amp;amp;utm_campaign=2025-puppet-forge&amp;amp;utm_content=puppet-forge" rel="noopener noreferrer"&gt;Get the Puppet CA certificate chain in Puppet Enterprise&lt;/a&gt;&amp;nbsp;(portal.perforce.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.puppet.com/blog/puppet-edge-code-assist" rel="noopener noreferrer"&gt;Build Tasks for Network Devices Faster with Code Assistance and Puppet Edge&lt;/a&gt;&amp;nbsp;(puppet.com)&amp;nbsp;&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.perforce.com/resources/state-of-devops?utm_medium=social&amp;amp;utm_source=youtube&amp;amp;utm_campaign=2025-puppet-forge&amp;amp;utm_content=puppet-forge" rel="noopener noreferrer"&gt;The State of DevOps Report 2026&lt;/a&gt;&amp;nbsp;(perforce.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vercel.com/blog/agents-md-outperforms-skills-in-our-agent-evals" rel="noopener noreferrer"&gt;AGENTS.md outperforms skills in our agent evals&lt;/a&gt;&amp;nbsp;(vercel.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://code.visualstudio.com/docs/copilot/customization/mcp-servers" rel="noopener noreferrer"&gt;GitHub Copilot: Use MCP servers in VS Code&lt;/a&gt;&amp;nbsp;(code.visualstudio.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://code.visualstudio.com/docs/copilot/overview" rel="noopener noreferrer"&gt;GitHub Copilot in VS Code&lt;/a&gt;&amp;nbsp;(code.visualstudio.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.github.com/en/copilot/tutorials/use-custom-instructions" rel="noopener noreferrer"&gt;Using custom instructions to unlock the power of Copilot code review&lt;/a&gt;&amp;nbsp;(docs.github.com)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://dev.to/razvan_dim/bridging-the-gap-a-deep-dive-into-the-model-context-protocol-mcp-4e0p"&gt;Bridging the Gap: A Deep Dive into the Model Context Protocol (MCP)&lt;/a&gt;&amp;nbsp;(dev.to)&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>puppet</category>
      <category>githubcopilot</category>
      <category>vscode</category>
      <category>aiops</category>
    </item>
    <item>
      <title>Puppet Core 8.18.0 is out: macOS 15 support and key security updates</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Thu, 09 Apr 2026 12:06:38 +0000</pubDate>
      <link>https://dev.to/puppet/puppet-core-8180-is-out-macos-15-support-and-key-security-updates-2ng8</link>
      <guid>https://dev.to/puppet/puppet-core-8180-is-out-macos-15-support-and-key-security-updates-2ng8</guid>
      <description>&lt;p&gt;You can now download Puppet Core &lt;strong&gt;8.18.0&lt;/strong&gt;! This update adds support for macOS 15 and includes several important security updates to help keep your infrastructure protected.&lt;/p&gt;

&lt;p&gt;As always, Puppet Core releases focus on stability, platform support, and staying ahead of reported vulnerabilities.&lt;/p&gt;

&lt;p&gt;👉 &lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/PuppetReleaseNotes/release_notes_puppet_x-8-18-0.htm" rel="noopener noreferrer"&gt;Official Puppet Core 8.18 release notes&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  What’s new in Puppet Core 8.18.0
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Support for macOS 15&lt;/strong&gt;: Puppet Core now supports macOS 15 on both x86_64 and ARM architectures. This enables continued management of macOS systems using the same automation controls and policies you already rely on.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Security-focused dependency updates
&lt;/h2&gt;

&lt;p&gt;Security remains a top priority in every Puppet Core release. This release includes updates to several bundled components to address recently disclosed security vulnerabilities. Because these updates are delivered as part of hardened Puppet Core builds, you reduce dependency risk without tracking, validating, or rebuilding components independently.&lt;/p&gt;

&lt;h3&gt;
  
  
  🔐 libxml2 updated
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;libxml2&lt;/strong&gt; has been updated to &lt;strong&gt;version 2.15.2&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Addresses the following CVEs:

&lt;ul&gt;
&lt;li&gt;CVE-2026-0989&lt;/li&gt;
&lt;li&gt;CVE-2026-0990&lt;/li&gt;
&lt;li&gt;CVE-2026-0992&lt;/li&gt;
&lt;li&gt;CVE-2026-1757&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;h3&gt;
  
  
  🔐 zlib gem updated
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;zlib gem&lt;/strong&gt; updated to &lt;strong&gt;version 3.0.1&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Addresses:

&lt;ul&gt;
&lt;li&gt;CVE-2026-27820&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;h3&gt;
  
  
  🔐 curl updated
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;curl&lt;/strong&gt; updated to &lt;strong&gt;version 8.19.0&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Addresses:

&lt;ul&gt;
&lt;li&gt;CVE-2026-1965&lt;/li&gt;
&lt;li&gt;CVE-2026-3783&lt;/li&gt;
&lt;li&gt;CVE-2026-3784&lt;/li&gt;
&lt;li&gt;CVE-2026-3805&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;If you rely on Puppet Core in security‑sensitive or regulated environments, this release is strongly recommended.&lt;/p&gt;




&lt;h2&gt;
  
  
  Getting Puppet Core 8.18.0
&lt;/h2&gt;

&lt;p&gt;You can upgrade to Puppet Core 8.18.0 using your existing Puppet Core repositories and standard upgrade workflows. Upgrading to Puppet Core 8.18.0 helps you take advantage of the latest platform support, reduce exposure to dependency-related security risk, and rely on vendor-tested packages instead of managing updates yourself.&lt;/p&gt;

&lt;p&gt;As always:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Test upgrades in a staging environment first&lt;/li&gt;
&lt;li&gt;Review the full release notes for platform‑specific details&lt;/li&gt;
&lt;li&gt;Roll out broadly once validated&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;📄 &lt;strong&gt;Puppet Core Installation Docs:&lt;/strong&gt;  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/install_puppet.htm" rel="noopener noreferrer"&gt;Installing Puppet Core&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://help.puppet.com/core/current/Content/PuppetCore/upgrade.htm" rel="noopener noreferrer"&gt;Upgrading Puppet Core&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Let us know how it goes
&lt;/h2&gt;

&lt;p&gt;If you’re upgrading to 8.18.0, running Puppet Core on macOS 15, or have feedback on this release, let us know in the comments. Your input helps shape future updates.&lt;/p&gt;

&lt;p&gt;Happy puppeting!&lt;/p&gt;

</description>
      <category>puppet</category>
      <category>devops</category>
      <category>security</category>
      <category>automation</category>
    </item>
    <item>
      <title>Puppetlabs Modules Roundup – March 2026</title>
      <dc:creator>Jason St-Cyr</dc:creator>
      <pubDate>Mon, 06 Apr 2026 14:24:03 +0000</pubDate>
      <link>https://dev.to/puppet/puppetlabs-modules-roundup-march-2026-3bde</link>
      <guid>https://dev.to/puppet/puppetlabs-modules-roundup-march-2026-3bde</guid>
      <description>&lt;p&gt;March 2026 brought 4 Puppetlabs module releases in the Puppetlabs Forge catalog. Read along to see what changed this month!&lt;/p&gt;

&lt;p&gt;Across the month, the clearest themes were compatibility updates across Puppet Enterprise (PE), supported platforms, and operational hardening and troubleshooting improvements.&lt;/p&gt;

&lt;h2&gt;
  
  
  Highlighted Updates
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Compatibility updates across PE and supported platforms
&lt;/h3&gt;

&lt;p&gt;March releases leaned toward version-alignment work, with updates for newer Puppet Enterprise releases, Ubuntu 24.04 benchmark coverage, and dependency ranges that allow newer supporting modules.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Added support for PE 2023.8.9 and 2025.9.0.&lt;/li&gt;
&lt;li&gt;Added CIS Benchmark support for Ubuntu 24.04 Server Levels 1 and 2.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Operational hardening and troubleshooting improvements
&lt;/h3&gt;

&lt;p&gt;Several releases focused on making "Day Two" operations safer and easier to debug through better validation, more useful logging, and targeted runtime fixes.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Added installer untar checks and deduplicated hosts in the legacy compiler group.&lt;/li&gt;
&lt;li&gt;Moved most SCE-specific logging into the Puppet agent run log for easier debugging.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What Updates Happened to Puppetlabs Modules in March 2026?
&lt;/h2&gt;

&lt;p&gt;The following is an alphabetical listing of modules which received updates in March 2026. If a module had multiple versions released, the updates are collected together, numbered with the "latest" version available.&lt;/p&gt;




&lt;h3&gt;
  
  
  cd4pe 3.4.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-03-04 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/cd4pe" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release focuses on updating the puppetlabs-docker and puppetlabs-hocon dependencies to allow usage of newer versions, and also updates the module with PDK 3.6.1.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Updated puppetlabs-docker and puppetlabs-hocon dependencies to allow usage of newer versions&lt;/li&gt;
&lt;li&gt;Updated module with PDK 3.6.1&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  peadm 3.36.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-03-25 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/peadm" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release focuses on adding support for PE 2023.8.9 and 2025.9.0, while also deduplicating hosts in the legacy compiler group.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Adding support for PE 2023.8.9 and 2025.9.0 &lt;a href="https://github.com/puppetlabs/puppetlabs-peadm/pull/657" rel="noopener noreferrer"&gt;#657&lt;/a&gt; (&lt;a href="https://github.com/Jade2153" rel="noopener noreferrer"&gt;Jade2153&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PE-43572) deduplicate hosts in legacy compiler group &lt;a href="https://github.com/puppetlabs/puppetlabs-peadm/pull/658" rel="noopener noreferrer"&gt;#658&lt;/a&gt; (&lt;a href="https://github.com/davidmalloncares" rel="noopener noreferrer"&gt;davidmalloncares&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;(PE-42686) Add checks to installer untar command &lt;a href="https://github.com/puppetlabs/puppetlabs-peadm/pull/654" rel="noopener noreferrer"&gt;#654&lt;/a&gt; (&lt;a href="https://github.com/davidmalloncares" rel="noopener noreferrer"&gt;davidmalloncares&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  sce_linux 2.6.0
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-03-17 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/sce_linux" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;This release focuses on support for Ubuntu 24.04. You can use Security Compliance Enforcement (SCE) to enforce the Center for Internet Security (CIS) Benchmark for Ubuntu Linux 24.04, v1.0.0, Server Levels 1 and 2. The release also addresses support for Puppet module dependencies.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Check the official &lt;a href="https://help.puppet.com/sce/current/linux/scel_relnotes_260.htm" rel="noopener noreferrer"&gt;release notes for sce_linux 2.6.0&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  sqlserver 5.1.1
&lt;/h3&gt;

&lt;p&gt;📅 Latest release: 2026-03-04 (🌐 &lt;a href="https://forge.puppet.com/modules/puppetlabs/sqlserver" rel="noopener noreferrer"&gt;View on the Forge&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;Small change this month to ensure the permission variable is set.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;(MODULES-11613) Set permission variable in permission sql EPP &lt;a href="https://github.com/puppetlabs/puppetlabs-sqlserver/pull/500" rel="noopener noreferrer"&gt;#500&lt;/a&gt; (&lt;a href="https://github.com/shubhamshinde360" rel="noopener noreferrer"&gt;shubhamshinde360&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Until Next Time!
&lt;/h2&gt;

&lt;p&gt;That wraps up the March 2026 roundup. If any of the modules overlap with your environment, the linked Forge pages and release notes are worth a closer look.&lt;/p&gt;

&lt;p&gt;Feedback on the series is always useful, especially if there are module families or release-note patterns that deserve more attention in future editions.&lt;/p&gt;

&lt;p&gt;More updates coming next month when the April 2026 releases land.&lt;/p&gt;

</description>
      <category>puppet</category>
    </item>
  </channel>
</rss>
