Puppet Continuous Delivery 5.15.0 is now available

#puppet #cicd

Puppet Continuous Delivery (CD) version 5.15.0 is now available, with updates focused on stability, security, and day‑to‑day usability for teams running Puppet automation pipelines at scale.

If you’re already on CD 5.x, this is a straightforward upgrade that continues the work of refining the platform while keeping it aligned with current Puppet Enterprise releases and supported tooling.

The detailed release notes are linked below, but here’s a quick breakdown of what this release delivers and why you may want to upgrade.

What’s included in CD 5.15.0

CD 5.15.0 delivers targeted updates across webhook configuration, Pipelines as Code, Impact Analysis, VCS integrations, and platform security. The changes below focus on specific features and integrations rather than broad platform behavior.

Webhooks, sessions, and configuration

Added a new Hiera configuration option, external_webhook_url, which allows you to explicitly set the webhook URL that Continuous Delivery sends to your VCS provider. This is intended for deployments where CD is running behind a proxy.
Added an idle session timeout to the CD console. Users are logged out after 30 minutes of inactivity by default, configurable using the web_session_idle_timeout_mins Hiera option.

Pipelines as Code and Impact Analysis

Added the skip_empty_catalogs parameter to the Impact Analysis settings in the Pipelines as Code schema. When enabled, nodes with no catalog resources in PuppetDB are excluded from Impact Analysis results.
Fixed an issue where the browser would stop polling for Impact Analysis results when an IA run finished or when navigating away from the IA details view.

VCS integrations (Azure DevOps and GitLab)

Updated the Pipeline Summary view so the by field now displays the initiating user’s display name for Azure DevOps pipelines, instead of the user ID.
Changed how Continuous Delivery sends commit status updates to GitLab. When native GitLab pipelines are present, all CD commit status updates are now attached to the same branch pipeline, avoiding fragmented status reporting.

Data visibility and usability fixes

Fixed an issue where package_updates for pe_patch data did not appear in the fact picker. The query service was updated so this data now displays correctly.

Security and authorization hardening

Added CSRF protection to the DeleteUserAccount and SetSuperUser endpoints by restricting them to POST requests and validating CSRF tokens issued at login and expired on logout.
Fixed an issue where any authenticated user could enumerate user accounts and email addresses. Access to the GET /v1/users endpoint is now properly restricted to root and superusers.
Fixed an authorization bypass on the GraphQL /query endpoint where permission checks could be skipped when using workspace variables or omitting the id field. Authorization is now enforced consistently.

Platform and runtime updates

Added Amazon Linux 2023 as a supported platform for Docker‑based installs.
Updated the Postgres base image to postgres:17-trixie.

Security dependency updates

This release includes dependency updates to address reported vulnerabilities, including updates to:

lodash
diffjs
plexus-utils
glibc
undici
jackson
Jetty (updated to version 12)
golang.org/x/crypto
quartz
logrus
log4j2
bouncy-castle

Refer to the release notes for the full list of CVEs addressed in this release.

Why this release matters

For most users, CD sits in the middle of multiple systems: source control, CI tooling, Puppet Enterprise, and infrastructure targets. Small issues can quickly turn into pipeline friction.

CD 5.15.0 continues the effort to: