Puppet release notes

These are the new features, resolved issues, and deprecations in this version of Puppet.

Important: Security and vulnerability announcements are posted at Security: Puppet's Vulnerability Submission Process.
Important: Before you upgrade from Puppet 7 to Puppet 8, see Upgrading from Puppet 7 to Puppet 8.

Puppet 8.7.0

Released June 2024. This release introduces support for new operating systems.

GitHub releases

Additional details about release updates are available on GitHub. For more information, go to the following sites:



Puppet Agent

Puppet Runtime


New operating systems

You can now install Puppet agent on the following new operating systems:
  • Amazon Linux 2 (aarch64)
  • Fedora 40 (x86_64)
  • Red Hat Enterprise Linux 9 for Power (ppc64le)

Major version upgrade for curl

Curl is now upgraded in Puppet agent to Version 8.7.1. This version of curl is designed to enhance security and stability.



Upgraded to Ruby 3.2.4 to address CVE-2024-27282.


The Puppet team appreciates the Puppet Community members who contributed content for recent releases and extends special appreciation to these first-time contributors: anhpt37, Animeshz, garrettrowell, smokris, tlehman, and yakatz.

Puppet 8.6.0

Released April 2024.

GitHub Releases

More details about what has changed in this release are available on GitHub. Visit the following links for more information:



Puppet Agent

Puppet Runtime


Option to disable catalog messages

Added a boolean Puppet setting to disable "notice" level messages specifying which server the agent requests a catalog from and which server actually handles the request. Catalog messages are enabled by default. PUP-12023

package: pacman provider: Add purgeable feature

Added an option to the pacman provider to purge config files. This feature was contributed by community member bastelfreak.

Update core modules

Updated all core modules. In particular, this update includes:
  • Removal of concurrent-ruby as a dependency
  • Support for Amazon Linux

Resolved issues

Non-literal class parameter types need to be deprecated.

Previously, non-literal class parameters caused errors due to the different default values of the strict setting. puppet parser validate also returned non-zero exit codes. Now the issue is a language deprecation, so a warning is generated and puppet parser validate returns 0. All language deprecation warnings can be disabled by setting disable_warnings=deprecations in the main section of puppet.conf. PUP-12026

Package provider "pip" not fully functional with network urls on Ubuntu 22.04.

Puppet's pip package provider now supports installing python modules via network URLs, e.g. source => 'git+https://github.com/<org>/<repo>.git'. Fix contributed by community member smokris. PUP-12027

Provider dnfmodule prompts user to trust gpg key when performing module list.

Added assumeyes option to dnf module list. Fix contributed by community member loopiv.

Puppet resource returns zero if it fails to make changes

Added new --fail command line flag for Puppet resource.

Remove Accept-Encoding header on redirect

Previously, Puppet copied all request headers in an HTTP redirect, including Accept-Encoding. In some cases when HTTP compression was enabled, the response failed to decompress, then failed to parse and triggered a vague error. This change strips the Accept-Encoding headers on redirect, allowing Ruby's built-in Net::HTTP to both compress and decompress the traffic.

Accept UnaryMinusExpression as class parameter type

Previously, class parameters of the form Integer[-1] $param failed compilation, because the value -1 was lexed as a UnaryMinusExpression containing a LiteralInteger. And since the LiteralEvaluator didn't implement theliteral_UnaryMinusExpression method, the visitor called literal_XXX for each ancestor class, until reaching literal_Object, which always raises.

This adds the literal_UnaryMinusExpression method and returns -1 times the expression it wraps.

If strict is off, the issue is ignored. If strict is warning, a warning is reported, but compilation continues. If strict is error, compilation fails.


Upgrade OpenSSL

Upgraded openssl to version 3.0.13 to address the following CVEs: CVE-2023-5678; CVE-2023-6129; CVE-2023-6237; CVE-2024-0727. PA-6131

Vulnerabilities in curl

Backported patches for CVE-2024-2004 and CVE-2024-2398 in curl 7.88.1. PA-6291

New Digicert code-signing cert

Windows MSI are now signed with a new certificate, valid until March 2027. The Issuing CA is "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1".

Puppet 8.5.1

Released March 2024.

Resolved issues

Using a negative value with the integer type assertion on a class causes a compilation error.

Previously, negative values caused a compilation errors when used with the integer type assertion on a class. This has been fixed. PUP-12024

Puppet 8.5.0

Released February 2024.


Debian 12 (x86_64) support

Added support for Debian 12 (x86_64). PA-5549

Debian 12 (ARM) support

Added support for Debian 12 (ARM). PA-5747
Note: Support for Amazon Linux 2023 (ARM, x86_64), Debian 11 (ARM) and macOS 14 (ARM, x86_64) was added in Puppet 8.4.0.

Resolved issues

Syntactically incorrect types cause nil types in Puppet::InfoService::ClassInformationService

Previously, when a type was incorrectly specified, Puppet’s class_information_service ignored the error and produced an empty type specification. Puppet now produces a warning and assigns a default type in the nil case. PUP-11981.

Puppet 8.4.0

Released January 2024.


Bump concurrent-ruby to 1.2.2

Bumped concurrent-ruby gem to 1.2.2. PA-5960

Add logging of server hostnames when requesting configuration

Puppet agents now log server hostnames when requesting catalogs. PUP-11899

Add logging of which Puppet Server handled catalog requests

Puppet agents now log the FQDN name of the server that compiled the catalog. This is useful when there are multiple compilers behind a load balancer. PUP-11900

Update package & service providers for Amazon Linux 2023

Updates Amazon Linux 2023's default package and service providers to DNF and SystemD, respectively. Contributed by GitHub user vchepkov. PUP-11976

Debian 11 (ARM) support

Added support for Debian 11 (ARM).

Amazon Linux 2023 support

Added support for Amazon Linux 2023.

MacOS 14 support

Added support for MacOS 14.

Resolved issues

puppet-agent-7.25: selinux Bindings broken on RHEL9.1

Fixed an issue introduced in 7.25.0 that prevented Puppet from managing selinux if the system libselinux libraries were previous to version 3.5. PA-5632

RHEL 8 FIPS agent fails to start after upgrade to Puppet 8

Fixed an issue that prevented the RHEL 8 FIPS agent from starting after upgrading to Puppet 8. PA-5786

/opt/puppetlabs/puppet/bin/openssl fails to load library dependencies on AIX

Set RPATH for openssl 1.1.1 to load dependencies from Puppetlabs libdir in order to ensure that /opt/puppetlabs/puppet/bin/opensslloads its library dependencies that were shipped in the puppet-agent package. PA-5925

Puppet agent on Solaris 11 x86 fails when updated to SRU >= 57

Fixed a regression that prevented the ffi gem's native extension from loading on newer versions of Solaris 11.4. PA-5929

Puppet chooses wrong service default provider on Gentoo if systemd is used

Systemd is now the default service provider on Gentoo. Fix contributed by community member bastelfreak. PUP-11593

Resources resource type should be marked as apply_to_all

Enables resources metatype compatibility with both hosts and devices. Contributed by GitHub user seanmil. PUP-11666

"Total number of facts" warning not counting array elements

Puppet incorrectly counted array elements and hash keys when determining if the number of facts exceeded the total fact count soft limit. This has been fixed. PUP-11685

Lazily deferred evaluation may not work if type implements autorequire, etc

The command parameter for an exec resource can now be deferred. PUP-11937

dnfmodule fails to enable module with ensure version and no default stream

Puppet can now manage dnfmodule packages with ensure values other than present such as ensure => '1.4'. Fix contributed by community member evgeni. PUP-11985


Upgrade OpenSSL

Upgraded OpenSSL to 3.0.12. PA-5864

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38546. PA-5861

Puppet 8.3.1

Released November 2023.


Ship FIPS compatible Java key store in fips agents

FIPS Puppet agent builds now include a FIPS-compatibile java keystore.

The following Certificate Authorities were also added and removed:
  • create Atos_TrustedRoot_Root_CA_ECC_TLS_2021:
  • create Atos_TrustedRoot_Root_CA_RSA_TLS_2021:
  • create BJCA_Global_Root_CA1:
  • create BJCA_Global_Root_CA2:
  • create Certainly_Root_E1:
  • create Certainly_Root_R1:
  • create DigiCert_TLS_ECC_P384_Root_G5:
  • create DigiCert_TLS_RSA4096_Root_G5:
  • delete E-Tugra_Certification_Authority:
  • delete EC-ACC:
  • delete Hellenic_Academic_and_Research_Institutions_RootCA_2011:2.1.0.crt
  • delete Hongkong_Post_Root_CA_1:
  • delete Network_Solutions_Certificate_Authority:
  • create SSL.com_TLS_ECC_Root_CA_2022:
  • create SSL.com_TLS_RSA_Root_CA_2022:
  • create Sectigo_Public_Server_Authentication_Root_E46:
  • create Sectigo_Public_Server_Authentication_Root_R46:
  • create Security_Communication_ECC_RootCA1:
  • create Security_Communication_RootCA3:
  • delete Staat_der_Nederlanden_EV_Root_CA:


Bump augeas to 1.14.1

Updated the augeas component of Puppet agent to from 1.13.0 to 1.14.1. PA-4938
CAUTION: This update changes the PubkeyAcceptedAlgorithms setting in /etc/ssh/sshd_config from a string to a list.
Example: the line 'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa' in the following code block:
augeas { 'sshd_allow_rsa':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  context => '/files/etc/ssh/sshd_config/Match/',
  changes => [
    'set Condition/Address',
    'set Condition/User user',
    'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
must be changed to 'set Settings/PubkeyAcceptedAlgorithms/seq::*[.="ssh-rsa"] ssh-rsa' following this update.

Add RHEL 9 (ARM64) support

Puppet now supports RHEL 9 (ARM64). PA-4998

Add Ubuntu 22.04 (ARM64) support

Puppet now supports Ubuntu 22.04 (ARM64). PA-5050

Make split() sensitive aware

The split function now accepts sensitive values and returns a Sensitive[Array]. This change was contributed by community user cocker-cc. PUP-11429

Freeze string literals

String literals are now frozen or immutable by default. PUP-11841

Log openssl version and fips mode

Puppet agent now logs the openssl version along with ruby and Puppet versions when running in debug mode. PUP-11930

Monkey patch {File,Dir}.exists?

Added a monkey patch in Ruby for Puppet code using older Ruby language exists? method. PUP-11945

Resolved issues

puppet ssl clean <REMOTE CERT> clears local private key and local certificate

puppet ssl clean <argument> now prints an error that <argument> is unexpected instead of deleting the local certificate and private key. PUP-11895

100% usage of a CPU core when an exec command sends EOF

Previously, Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed. Fix contributed by community user bugfood. PUP-11897

string.new generates strings with unexpected encoding

A regression was introduced in Puppet 8.0.0 which caused the epp and inline_epp functions to return a binary string. If the value was assigned to the parameter of an exported resource, then the parameter's value was converted to base64 in PuppetDB. Any agents that collected the resource then received the base64 encoded value. This release fixes the regression so the functions return a UTF-8 string. PUP-11932

puppet/lib/puppet/pops/time/timespan.rb:637: warning: passing a block to String#codepoints is deprecated

Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934

Correct inaccurate comment in find_file() function

Updated find_file function documentation. This fix was contributed by community member pillarsdotnet. PUP-11940

epp and inline_epp functions return binary strings

Fixed a regression that caused the epp and inline_epp functions to return binary strings instead of UTF-8 encoded strings. This resulted in exported resources being stored as base64 in puppetdb, breaking any node that collected those resources. Fix contributed by community member smortex. PUP-11943

Update host_autorenewal_interval Puppet setting documentation

Previously documentation implied that host_autorenewal_interval refreshes in 30 days regardless of when it expires by default. Documentation was updated to better reflect actual behavior where implementation only attempts to renew its client cert if the cert expires within N days from now. PUP-11944

Error when using {File,Dir}.exists? in Ruby

Added a patch for some Puppet code using older Ruby language exists? method.


Upgrade OpenSSL

Upgraded OpenSSL to 3.0.11 to address CVE-2023-4807. PA-5783

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38545. PA-5848

Deprecations and removals

Remove TrustCor CA certs

The following CA certs were removed:
  • TrustCor_ECA-1:
  • TrustCor_RootCert_CA-1:
  • TrustCor_RootCert_CA-2:

Puppet 8.3.0

This version was never released.

Puppet 8.2.0

Released August 2023.


macOS 13 support

Added support for macOS 13. PA-4772

Upgrade hiera-eyaml to 3.4+

Upgraded the hiera-eyaml component to 3.4. PA-5633

Add agent renew REST implementation

Added a method to send a client certificate renewal request to puppetserver. PUP-11854

Add Puppet setting to configure renewal interval

Added a setting for how often a node attempts to automatically renew its client certificate. PUP-11855

Retry failed CA & CRL refreshes sooner than the next interval

Puppet now attempts to refresh its CA and CRL sooner if initial attempts fail. PUP-11869

Send auto-renew attribute in CSR

Puppet now has an auto-renew attribute. If the agent supports auto-renewal, this attribute is added to the CSR (Certificate Signing Request) when it is generated and is used by Puppet Server to determine if auto-renewal TTL needs to be enabled for a given agent.

Agents that either do not have the hostcert_renewal_interval setting or have it set to 0 do not support auto-renewal and do not have the auto-renew attribute. PUP-11896

Resolved issues

ffi and nokogiri gem use the wrong architecture when cross compiling

Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666

certname with .pp in the middle doesn't pick up its own manifest

Fixed an issue where manifests with .pp in their file names were not imported. PUP-11788

The --no-preprocess_deferred option breaks deferring of Sensitive file content

It is now possible to specify the content property for file resources as containing a Deferred function that returns a Sensitive value when lazily evaluating deferred values (the default behavior in 8.x or when setting Puppet[:preprocess_deferred] false in 7.x). For example: content => Deferred('new', [Sensitive, "password"]). PUP-11846

"Sleeping" agents raise "attempt to read body out of block (IOError)"

Previously, the agent erroneously tried to read a response body after closing the connection when a Puppet server requested the agent retry. Now when the agent is told to retry, the agent waits the specified sleep duration and does not error trying to read the request body after closing the connection. PUP-11853

puppet-resource_api bug with ruby 3.2 and integer munging

Updated puppet-resource_api to enable Ruby 3.2 compatibility. PA-5641

CRL authorityKeyIdentifier is not printed in Puppet 8

Fixed a regression in Puppet 8.x which caused the agent to omit the authorityKeyIdentifier extension for its CRL. PUP-11849


Upgrade OpenSSL

Upgraded OpenSSL to address various vulnerabilities (CVE-2023-3817, CVE-2023-3446, CVE-2023-2975, CVE-2023-0464). PA-5699

Bump Ruby URI component for CVE-2023-36617

Patched Ruby to address a vulnerability in the URI gem (CVE-2023-36617). PA-5638

Puppet 8.1.0

Released June 2023.


Refresh cached Puppet CA on Puppet client

Puppet agents will now attempt to refresh their CA certificate(s) once per day. The frequency is controlled by a new Puppet setting: ca_refresh_interval. PUP-10639

Resolved issues

Removed dependency on private class Concurrent::RubyThreadLocalVar

The Puppet::ThreadLocal class no longer relies on concurrent-ruby's private Concurrent::RubyThreadLocalVar class and instead uses Concurrent::ThreadLocalVar. PUP-11723

Yumrepo target attribute does not work

Using the yumrepo resource, enables the target parameter to set the filepath for a Yum repository to an arbitrary filepath or to an existing repository file. Thank you to community member nabertrand for this contribution. PA-5187


Bump curl to 7.88.1

Upgraded the curl component from 7.86 to 7.88.1 to address several security vulnerabilities. PA-5393

Puppet 8.0.0

Released April 2023.


Freeze string literals

String literals are now immutable by default. PUP-11841

Strict mode enabled by default

For Puppet 8, strict mode is on by default, meaning strict defaults to error and strict_variables defaults to true. With strict set to error, extra validation & checks are performed and fail as an error. This change could be a breaking change if your code does not conform to strict mode.

Examples of code that does not conform to strict mode:
  • Accessing a variable without first defining it: notice($myvar)

  • Accessing a legacy fact: notice($facts['osfamily'])

  • Coercing a string into a numeric: "1" + 1

To return to the previous behavior, set, strict to warning and strict_variables to false. PUP-11725

Change default value of exclude_unchanged_resources

Puppet reports no longer contain detailed information about resources already matching their desired state. Doing so reduces the amount of data stored in PuppetDB in the most common case when nothing has changed. The previous behavior can be enabled by setting exclude_unchanged_resources=false in puppet.conf on each agent. PUP-11684

Drop Hiera 3 Requirement

Hiera 3 is no longer a hard dependency for Puppet. PUP-11621

Change default crl_refresh_interval to 1 day

Puppet agent now defaults to refreshing its certificate revocation list (CRL) once every 24 hours. PUP-11602

Evaluate deferred functions lazily by default

Deferred functions follow normal resource relationships and ordering, so it is now possible to install a dependency for a deferred function and call the deferred function in a single agent run. The previous behavior can be enabled by setting preprocess_deferred=false in puppet.conf on each agent. PUP-11526

Exclude legacy facts by default

Legacy facts are no longer collected on Puppet agent or sent to Puppet server. This saves network bandwidth and reduces Puppetserver's memory footprint when using templates.

Since legacy facts are not available during compilation, they cannot be referenced in Puppet code, ERB/EPP templates or Hiera configuration. The legacy_facts puppet-lint plugin can help identify and automatically correct legacy fact usage in Puppet code. For more information visit https://github.com/puppetlabs/puppet-lint/blob/main/lib/puppet-lint/plugins/legacy_facts/legacy_facts.rb.

Legacy facts can be re-enabled by setting include_legacy_facts=true in puppet.conf on each agent. PUP-11430

Replace c_rehash script with native openssl implementation

Puppet agent 8 no longer bundles the c_rehash binary. Instead, users must rely on the bundled openssl binary's subcommand rehash. Example: /opt/puppetlabs/puppet/bin/openssl rehash. PA-4265

MRI Ruby 3.2

Puppet agent vendors Ruby 3.2. Ruby 3.2 has several notable breaking changes that may affect Puppet extensions, such as functions, custom facts, types & providers, report processors, etc. For a complete list visit: https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#ruby-32-compatibility

If Puppet is installed as a gem, then it requires Ruby 3.1 or greater.

OpenSSL 3.0

Puppet agent vendors OpenSSL 3.0. If an application compiles against Puppet's openssl, then the application must be recompiled. For more information visit https://www.openssl.org/docs/man3.0/man7/migration_guide.html

Resolved issues

selinux: undefining the allocator of T_DATA class swig_runtime_data

Patch selinux ruby native extension for Ruby 3.2 compatibility. PA-4844

ruby-shadow failing in Ruby 3.2

Patch shadow ruby native extension for Ruby 3.2. PA-4843

Deprecations and removals

Remove Windows ENV patches on Ruby 3

The Puppet::Util methods for getting, setting, clearing and merging environment variables are still available, but are deprecated and will be removed in the next major release. Puppet 8 now uses Ruby's built-in ENV class to manage environment variables on Windows. PUP-11348

Remove extra cli option

The extra CLI option, which was previously hidden, has been entirely removed. PUP-11119

Drop openssl man pages and html docs

OpenSSL man pages and html docs are no longer included in Puppet agent. PA-4908

Drop Hiera 3 Component

This is a breaking change. The Hiera 3 gem is no longer vendored in puppet-agent packages, but may be installed separately.

If you rely on a Hiera 3 backend (a class that extends Hiera::Backend), you must convert your backend to Hiera 5 using the steps found at https://www.puppet.com/docs/puppet/latest/hiera_migrate.html, or manually install the Hiera 3 gem on all Puppet Server hosts. This change does not affect Hiera 5, puppet lookup or the hiera_include, hiera_hash, etc set of functions. PA-4646

Drop PSON support

Support for the PSON (Pure JSON) serialization format has been removed. Puppet agents may fail if binary data is accidentally added to the catalog without using the Binary data type or binary_file function. For more information visit https://www.puppet.com/docs/puppet/latest/lang_data_binary.html.

It is possible, but not recommended, to reenable PSON support by installing the puppet-pson gem on all agents and server hosts and setting preferred_serialization_format=pson in puppet.conf on each agent.