PDK 3.6.0 is out with security patches and more!

Published: December 16, 2025 at 02:44 PM EST
Source: Dev.to

PDK 3.6.0 is now available! Validate against Puppet or OpenVox and get loads of security patches in this release. You can download it from the Forge: Download Puppet Development Kit.

Security Updates

  • cURL upgraded to 8.16.0 – addresses CVE‑2025‑9086 and CVE‑2025‑10148.
  • OpenSSL bumped to 3.0.18 – resolves CVE‑2025‑9230 and CVE‑2025‑9232.
  • libxslt removed; nokogiri replaced with libxml‑ruby on macOS – eliminates CVE‑2025‑7424 and CVE‑2025‑7425.
  • net‑imap updated to 0.3.9 – fixes CVE‑2025‑43857.

Other Changes

  • Flexible Validation for Puppet or OpenVox values: the pdk validate command now accepts either openvox or puppet as a metadata requirement. Thanks to community member cocker‑cc for adding this support.
  • License Update: the PDK license file now reflects the latest Puppet Core license, including changes related to Puppet Edge.
  • Dependency Changes:
    • Bolt is now a dependency.
    • RuboCop dependencies updated:
      • rubocop → 1.73.0
      • rubocop-performance → 1.24.0
      • rubocop-rspec → 3.5.0

For a full official list of changes, please refer to the PDK 3.6.0 Release Notes.

Thank you for using PDK! For more details, installation instructions, or help getting started with Puppet Core, please visit the PDK docs site.
