Jason St-Cyr for puppet

Puppet Core 8.19 and PDK 3.7: Security Updates, Dependency Changes, and Windows Fixes

Puppet Core 8.19.0 focuses largely on security hardening, with some dependency cleanup and a small but important fix for Windows user management.

If you already run Puppet Core 8, this release is primarily about keeping your runtime secure and predictable, rather than introducing new workflows or configuration changes.

➡️ Full details: Puppet Core 8.19.0 release notes

PDK 3.7.0 was also released to improve performance on Windows, update dependencies, and provide other updates for security and known issues.

➡️ Full details: PDK 3.7.0 release notes


CSV gem dependency removed

Puppet Core no longer depends on the CSV Ruby gem.

  • Removes an external dependency from the Puppet runtime
  • Reduces overall dependency surface area
  • Simplifies installation and long-term maintenance

This change does not alter Puppet DSL behavior or require configuration changes.


Security updates

Puppet Core 8.19.0 updates several bundled runtime components to address recently disclosed security vulnerabilities. These updates apply automatically when you upgrade.

  • Ruby updated to 3.2.11 (CVE-2026-27820)
  • OpenSSL updated to 3.0.20 (CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790)
  • libxml2 updated to 2.15.3 (CVE-2026-6732)
  • curl updated to 8.20.0 (CVE-2026-6253, CVE-2026-6276, CVE-2026-6429, CVE-2026-7009, CVE-2026-7168)
  • net-imap updated to 0.4.24 (CVE-2026-42245, CVE-2026-42246, CVE-2026-42256, CVE-2026-42257, CVE-2026-42258)
  • erb updated to 6.0.4 (CVE-2026-41316)

ℹ️ Important note for net-imap users

If you use net-imap directly in custom Ruby code, the updated version enforces stricter argument validation. See the release notes for details on how to manage this gem if you cannot use the upgraded version of net-imap.
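To confirm that an upgrade actually landed on every node, the versions in the list above can be checked against a component inventory. The following is an added example, not code from Puppet or from the release notes; the inventory format ("host component version" per line), the host names and the sample values are constructed for illustration. It compares versions segment by segment, because a plain string comparison ranks 3.0.9 above 3.0.20.

```ruby
require 'rubygems' # Gem::Version gives numeric, segment-wise comparison

# Fixed versions listed under "Security updates" for Puppet Core 8.19.0.
FIXED_VERSIONS = {
  'ruby' => '3.2.11', 'openssl' => '3.0.20', 'libxml2' => '2.15.3',
  'curl' => '8.20.0', 'net-imap' => '0.4.24', 'erb' => '6.0.4'
}.freeze

# Constructed sample inventory (assumed format: "<host> <component> <version>").
SAMPLE_INVENTORY = <<~INV
  # host component version
  web01 ruby 3.2.11
  web01 openssl 3.0.20
  web01 libxml2 2.15.3
  web01 curl 8.20.0
  web01 net-imap 0.4.24
  web01 erb 6.0.4
  db01 ruby 3.2.11
  db01 openssl 3.0.9
  db01 libxml2 2.15.3
  db01 curl 8.20.0
  db01 net-imap 0.4.24
INV

# Parse the inventory text into { host => { component => version } }.
def parse_inventory(text)
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |line, hosts|
    host, component, version = line.split
    next if host.nil? || host.start_with?('#') || component.nil?
    hosts[host][component] = version
  end
end

# Components that are missing, unparseable, or older than the fixed version.
def outdated(components)
  FIXED_VERSIONS.each_with_object({}) do |(name, fixed), gaps|
    found = components[name]
    current = found && Gem::Version.correct?(found) &&
              Gem::Version.new(found) >= Gem::Version.new(fixed)
    gaps[name] = { found: found, fixed: fixed } unless current
  end
end

# Hosts with at least one gap, mapped to their gaps.
def audit(text)
  parse_inventory(text).transform_values { |c| outdated(c) }
                       .reject { |_, gaps| gaps.empty? }
end

puts audit(SAMPLE_INVENTORY).inspect if __FILE__ == $PROGRAM_NAME
```

A component that is absent from a host's inventory is reported as a gap rather than silently passed, so an incomplete collection run shows up in the result.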


Windows user passwords now allow colons

When managing user resources on Windows, Puppet Core no longer rejects passwords containing colons (:).

  • Affects Windows platforms only
  • Behavior on other platforms is unchanged

This prevents unnecessary failures when managing Windows accounts with valid password formats.


Installation safeguards for Ruby versions

Puppet Core now prevents installation on unsupported Ruby versions.

  • Puppet Core 8 enforces a maximum supported Ruby version of 3.x
  • Prevents installation attempts using unsupported versions (such as Ruby 4)
  • Protects against installation failures such as "can't modify frozen Hash"

This applies when installing Puppet Core via bundler or gem commands.


PDK 3.7.0 changes

This version of PDK helps prevent security issues, reduces test failures, and makes macOS 15 downloads available.

  • Rexml updated to version 3.4.4 to address CVE-2025-58767
  • macOS 15 downloads now available
  • Windows performance has been improved
  • YAML file validation issues should be resolved
  • Several puppet_forge gems and dependencies were updated

Should you upgrade?

Upgrading to Puppet Core 8.19.0 is recommended for Puppet Core 8.x users if:

  • You want current security fixes for bundled runtime dependencies
  • You manage Windows users with complex passwords
  • You want to avoid accidental installation on unsupported Ruby versions

Want to get started? Here are the install/upgrade guides:

For full details and CVE listings, see the release notes:

➡️ Puppet Core 8.19.0 release notes
➡️ PDK 3.7.0 release notes
