PDK 3.6.0 is now available! Validate against Puppet or OpenVox and get loads of security patches in this release. You can download from the Forge: Download Puppet Development Kit
Here’s what you need to know:
Security First
Several updates in this release have been made to address known vulnerabilities:
- Curl upgraded to 8.16.0: Tackles CVE-2025-9086 and CVE-2025-10148.
- OpenSSL bumped to 3.0.18: Resolves CVE-2025-9230 and CVE-2025-9232.
- libxslt removed, nokogiri replaced with libxml-ruby on macOS: Eliminates CVE-2025-7424 and CVE-2025-7425.
- net-imap updated to 0.3.9: Fixes CVE-2025-43857.
New Features, Enhancements, and Changes
Outside of security updates, there are a few other changes you might be interested to learn about:
- Flexible Validation for puppet or openvox values: Thank you to community member cocker-cc for the contribution that makes it easier to use PDK with different types of agents and installations by adding support for the pdk validate command to accept either openvox or puppet as a metadata requirement.
- License Update: The PDK license file now reflects the latest Puppet Core license, which included changes related to Puppet Edge.
- Dependency changes: Bolt is now a dependency, and Rubocop dependencies updated for rubocop (1.73.0), rubocop-performance (1.24.0), and rubocop-spec (3.5.0).
For a full official list of changes, please refer to the PDK 3.6.0 Release Notes.
Thank you for using PDK! For more details, installation instructions, or help getting started with Puppet Core, please visit the PDK docs site.