puppet 7.26.0-universal-darwin → 7.28.0-universal-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf25e42634968757c424965508aa6fa26a66f57ee03868a2a4b0ddbd5503e7cf
-  data.tar.gz: b4194a13ab7e9f12eb46a82d5995e483b203ed578be64b9b39fd1d77e1f6199a
+  metadata.gz: 4ca69a6f361800e19a86c6b4a2178a6e039fbfc85ef05070b1e358b247993c8c
+  data.tar.gz: ed17551e5d149da2665c928587681b6f6477993c3c7b6c99f430620471009d50
 SHA512:
-  metadata.gz: bf6c5912116c3254330a96d5cc21d6d52807f613820967c1685c042eda64cf5bcb1ab8042b05adcaa936881940492c20d96a1a02640050fbf92140bdc8fc4450
-  data.tar.gz: 04ed925c840517e266cf62475897d32e6564f6bef383e3c57d0f144d89df13a584c21f4e95170f97d4fb8a71c6c7167f5e28dceb0591ba57c86771a84dae6da9
+  metadata.gz: b6520363aa19cded7818197cf5663c5abb2316db12e086d1984c59a586f6817982823934dec29e35cd82cc49d4883fa3c8e0c939ed47daa157f11ce58c38741b
+  data.tar.gz: 8c1c009cb4d877d6b74104e89bd4aa040bab6afa063dba78babd6372d472d0b33726a1d8c4dff907b15aa26afe4c511bd6291e3c5e54a6b11098c27d4195103d

data/Gemfile

@@ -35,7 +35,7 @@ group(:features) do
 end
 
 group(:test) do
-  gem "ffi", require: false
+  gem "ffi", '1.15.5', require: false
   gem "json-schema", "~> 2.0", require: false
   gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 13.0')
   gem "rspec", "~> 3.1", require: false

data/Gemfile.lock

@@ -1,6 +1,6 @@
 GIT
   remote: https://github.com/puppetlabs/packaging
-  revision: affecba5dfacc5862fc7199895ccf11b69153570
+  revision: 6c91ebc40b07f2041aa39b21becde6a06684e1b9
   branch: 1.0.x
   specs:
     packaging (0)
@@ -15,7 +15,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (7.26.0)
+    puppet (7.28.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -31,27 +31,29 @@ GEM
   remote: https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
   specs:
     CFPropertyList (2.3.6)
-    addressable (2.8.5)
+    addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     apt_stage_artifacts (0.11.0)
       docopt
     artifactory (3.0.15)
     ast (2.4.2)
+    base64 (0.2.0)
     coderay (1.1.3)
     concurrent-ruby (1.2.2)
     crack (0.4.5)
       rexml
-    csv (3.2.7)
+    csv (3.2.8)
     declarative (0.0.20)
     deep_merge (1.2.2)
     diff-lcs (1.5.0)
     digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
     docopt (0.6.1)
-    facter (4.4.2)
+    facter (4.5.1)
       hocon (~> 1.3)
       thor (>= 1.0.1, < 2.0)
-    faraday (2.7.10)
+    faraday (2.8.1)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
@@ -64,7 +66,7 @@ GEM
       fast_gettext (~> 1.1.0)
       gettext (>= 3.0.2, < 3.3.0)
       locale
-    google-apis-core (0.11.1)
+    google-apis-core (0.11.2)
       addressable (~> 2.5, >= 2.5.1)
       googleauth (>= 0.16.2, < 2.a)
       httpclient (>= 2.8.1, < 3.a)
@@ -75,30 +77,30 @@ GEM
       webrick
     google-apis-iamcredentials_v1 (0.17.0)
       google-apis-core (>= 0.11.0, < 2.a)
-    google-apis-storage_v1 (0.19.0)
-      google-apis-core (>= 0.9.0, < 2.a)
-    google-cloud-core (1.6.0)
-      google-cloud-env (~> 1.0)
+    google-apis-storage_v1 (0.31.0)
+      google-apis-core (>= 0.11.0, < 2.a)
+    google-cloud-core (1.6.1)
+      google-cloud-env (>= 1.0, < 3.a)
       google-cloud-errors (~> 1.0)
-    google-cloud-env (1.6.0)
-      faraday (>= 0.17.3, < 3.0)
+    google-cloud-env (2.1.0)
+      faraday (>= 1.0, < 3.a)
     google-cloud-errors (1.3.1)
-    google-cloud-storage (1.44.0)
+    google-cloud-storage (1.47.0)
       addressable (~> 2.8)
       digest-crc (~> 0.4)
       google-apis-iamcredentials_v1 (~> 0.1)
-      google-apis-storage_v1 (~> 0.19.0)
+      google-apis-storage_v1 (~> 0.31.0)
       google-cloud-core (~> 1.6)
       googleauth (>= 0.16.2, < 2.a)
       mini_mime (~> 1.0)
-    googleauth (1.7.0)
-      faraday (>= 0.17.3, < 3.a)
+    googleauth (1.9.1)
+      faraday (>= 1.0, < 3.a)
+      google-cloud-env (~> 2.1)
       jwt (>= 1.4, < 3.0)
-      memoist (~> 0.16)
       multi_json (~> 1.11)
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
-    hashdiff (1.0.1)
+    hashdiff (1.1.0)
     hiera (3.12.0)
     hiera-eyaml (3.4.0)
       highline
@@ -111,7 +113,6 @@ GEM
       addressable (>= 2.4)
     jwt (2.7.1)
     locale (2.1.3)
-    memoist (0.16.2)
     memory_profiler (1.0.1)
     method_source (1.0.0)
     mini_mime (1.1.5)
@@ -121,24 +122,24 @@ GEM
     mustache (1.1.1)
     optimist (3.1.0)
     os (1.1.4)
-    parallel (1.23.0)
-    parser (3.2.2.3)
+    parallel (1.24.0)
+    parser (3.3.0.4)
       ast (~> 2.4.1)
       racc
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.3)
+    public_suffix (5.0.4)
     puppet-resource_api (1.9.0)
       hocon (>= 1.0)
     puppetserver-ca (2.6.0)
       facter (>= 2.0.1, < 5)
     racc (1.5.2)
     rainbow (3.1.1)
-    rake (13.0.6)
-    rdiscount (2.2.7.1)
+    rake (13.1.0)
+    rdiscount (2.2.7.3)
     rdoc (6.3.3)
-    regexp_parser (2.8.1)
+    regexp_parser (2.9.0)
     release-metrics (1.1.0)
       csv
       docopt
@@ -177,7 +178,7 @@ GEM
       rubocop-ast (>= 1.17.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.29.0)
+    rubocop-ast (1.30.0)
       parser (>= 3.2.1.0)
     rubocop-i18n (3.0.0)
       rubocop (~> 1.0)
@@ -186,18 +187,18 @@ GEM
     ruby2_keywords (0.0.5)
     scanf (1.0.0)
     semantic_puppet (1.1.0)
-    signet (0.17.0)
+    signet (0.18.0)
       addressable (~> 2.8)
       faraday (>= 0.17.5, < 3.a)
       jwt (>= 1.5, < 3.0)
       multi_json (~> 1.10)
     text (1.3.1)
-    thor (1.2.2)
+    thor (1.3.0)
     trailblazer-option (0.1.2)
     uber (0.1.0)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
     vcr (5.1.0)
-    webmock (3.18.1)
+    webmock (3.19.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -209,7 +210,7 @@ PLATFORMS
 
 DEPENDENCIES
   diff-lcs (~> 1.3)
-  ffi
+  ffi (= 1.15.5)
   gettext-setup (~> 0.28)
   hiera-eyaml
   hocon (~> 1.0)
@@ -238,4 +239,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.4.12
+   2.4.20

data/Rakefile

@@ -58,33 +58,6 @@ task(:rubocop) do
   raise "RuboCop detected offenses" if exit_code != 0
 end
 
-desc "verify that commit messages match CONTRIBUTING.md requirements"
-task(:commits) do
-  # This rake task looks at the summary from every commit from this branch not
-  # in the branch targeted for a PR.
-  commit_range = 'HEAD^..HEAD'
-  puts "Checking commits #{commit_range}"
-  %x{git log --no-merges --pretty=%s #{commit_range}}.each_line do |commit_summary|
-    # This regex tests for the currently supported commit summary tokens: maint, doc, packaging, or pup-<number>.
-    # The exception tries to explain it in more full.
-    if /^\((maint|doc|docs|packaging|l10n|pup-\d+)\)|revert/i.match(commit_summary).nil?
-      raise "\n\n\n\tThis commit summary didn't match CONTRIBUTING.md guidelines:\n" \
-        "\n\t\t#{commit_summary}\n" \
-        "\tThe commit summary (i.e. the first line of the commit message) should start with one of:\n"  \
-        "\t\t(PUP-<digits>) # this is most common and should be a ticket at tickets.puppet.com\n" \
-        "\t\t(docs)\n" \
-        "\t\t(docs)(DOCUMENT-<digits>)\n" \
-        "\t\t(maint)\n" \
-        "\t\t(packaging)\n" \
-        "\t\t(L10n)\n" \
-        "\n\tThis test for the commit summary is case-insensitive.\n\n\n"
-    else
-      puts "#{commit_summary}"
-    end
-    puts "...passed"
-  end
-end
-
 desc "verify that changed files are clean of Ruby warnings"
 task(:warnings) do
   # This rake task looks at all files modified in this branch.

data/examples/enc/regexp_nodes/regexp_nodes.rb

@@ -133,7 +133,7 @@ class ExternalNode
     patternlist = []
 
     begin
-      open(filepath).each do |l|
+      File.open(filepath).each do |l|
         l.chomp!
 
         next if l =~ /^$/

data/ext/project_data.yaml

@@ -40,11 +40,11 @@ gem_platform_dependencies:
       CFPropertyList: '~> 2.2'
   x86-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
   x64-mingw32:
     gem_runtime_dependencies:
-      ffi: ['> 1.9.24', '< 2']
+      ffi: '1.15.5'
       minitar: '~> 0.9'
 bundle_platforms:
   universal-darwin: all

data/lib/puppet/application/ssl.rb

@@ -59,6 +59,11 @@ ACTIONS
   the CSR. Otherwise a new key pair will be generated. If a CSR has already
   been submitted with the given `certname`, then the operation will fail.
 
+* generate_request:
+  Generate a certificate signing request (CSR). If
+  a private and public key pair already exist, they will be used to generate
+  the CSR. Otherwise a new key pair will be generated.
+
 * download_cert:
   Download a certificate for this host. If the current private key matches
   the downloaded certificate, then the certificate will be saved and used
@@ -136,9 +141,21 @@ HELP
       unless cert
         raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: certname }
       end
+    when 'generate_request'
+      generate_request(certname)
     when 'verify'
       verify(certname)
     when 'clean'
+      possible_extra_args = command_line.args.drop(1)
+      unless possible_extra_args.empty?
+        raise Puppet::Error, _(<<END) % { args: possible_extra_args.join(' ')}
+Extra arguments detected: %{args}
+Did you mean to run:
+  puppetserver ca clean --certname <name>
+Or:
+  puppet ssl clean --target <name>
+END
+      end
       clean(certname)
     when 'bootstrap'
       if !Puppet::Util::Log.sendlevel?(:info)
@@ -162,13 +179,7 @@ HELP
   def submit_request(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
     unless key
-      if Puppet[:key_type] == 'ec'
-        Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: Puppet[:certname], curve: Puppet[:named_curve] }
-        key = OpenSSL::PKey::EC.generate(Puppet[:named_curve])
-      else
-        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
-        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
-      end
+      key = create_key(Puppet[:certname])
       @cert_provider.save_private_key(Puppet[:certname], key)
     end
 
@@ -187,6 +198,20 @@ HELP
     raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
   end
 
+  def generate_request(certname)
+    key = @cert_provider.load_private_key(certname)
+    unless key
+      key = create_key(certname)
+      @cert_provider.save_private_key(certname, key)
+    end
+
+    csr = @cert_provider.create_request(certname, key)
+    @cert_provider.save_request(certname, csr)
+    Puppet.notice _("Generated certificate request in '%{path}'") % { path: @cert_provider.to_path(Puppet[:requestdir], certname) }
+  rescue => e
+    raise Puppet::Error.new(_("Failed to generate certificate request: %{message}") % { message: e.message }, e)
+  end
+
   def download_cert(ssl_context)
     key = @cert_provider.load_private_key(Puppet[:certname])
 
@@ -285,4 +310,14 @@ END
   def create_route(ssl_context)
     @session.route_to(:ca, ssl_context: ssl_context)
   end
+
+  def create_key(certname)
+    if Puppet[:key_type] == 'ec'
+      Puppet.info _("Creating a new EC SSL key for %{name} using curve %{curve}") % { name: certname, curve: Puppet[:named_curve] }
+      OpenSSL::PKey::EC.generate(Puppet[:named_curve])
+    else
+      Puppet.info _("Creating a new SSL key for %{name}") % { name: certname }
+      OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+    end
+  end
 end

data/lib/puppet/application.rb

@@ -503,8 +503,12 @@ class Application
     runtime_info = {
       'puppet_version' => Puppet.version,
       'ruby_version'   => RUBY_VERSION,
-      'run_mode'       => self.class.run_mode.name,
+      'run_mode'       => self.class.run_mode.name
     }
+    unless Puppet::Util::Platform.jruby_fips?
+      runtime_info['openssl_version'] = "'#{OpenSSL::OPENSSL_VERSION}'"
+      runtime_info['openssl_fips'] = OpenSSL::OPENSSL_FIPS
+    end
     runtime_info['default_encoding'] = Encoding.default_external
     runtime_info.merge!(extra_info) unless extra_info.nil?
 

data/lib/puppet/configurer.rb

@@ -194,7 +194,6 @@ class Puppet::Configurer
         path.push(key)
         parse_fact_name_and_value_limits(value, path)
         path.pop
-        @number_of_facts += 1
       end
     when Array
       object.each_with_index do |e, idx|
@@ -205,6 +204,7 @@ class Puppet::Configurer
     else
       check_fact_name_length(path.join(), path.size)
       check_fact_values_length(object)
+      @number_of_facts += 1
     end
   end
 

data/lib/puppet/file_system/file_impl.rb

@@ -150,7 +150,7 @@ class Puppet::FileSystem::FileImpl
   end
 
   def compare_stream(path, stream)
-    open(path, 0, 'rb') { |this| FileUtils.compare_stream(this, stream) }
+    ::File.open(path, 0, 'rb') { |this| FileUtils.compare_stream(this, stream) }
   end
 
   def chmod(mode, path)

data/lib/puppet/file_system/posix.rb

@@ -10,7 +10,7 @@ class Puppet::FileSystem::Posix < Puppet::FileSystem::FileImpl
   # issue this method reimplements the faster 2.0 version that will correctly
   # compare binary File and StringIO streams.
   def compare_stream(path, stream)
-    open(path, 0, 'rb') do |this|
+    ::File.open(path, 'rb') do |this|
       bsize = stream_blksize(this, stream)
       sa = "".force_encoding('ASCII-8BIT')
       sb = "".force_encoding('ASCII-8BIT')

data/lib/puppet/functions/split.rb

@@ -35,6 +35,21 @@ Puppet::Functions.create_function(:split) do
     param 'Type[Regexp]', :pattern
   end
 
+  dispatch :split_String_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'String', :pattern
+  end
+
+  dispatch :split_Regexp_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Regexp', :pattern
+  end
+
+  dispatch :split_RegexpType_sensitive do
+    param 'Sensitive[String]', :sensitive
+    param 'Type[Regexp]', :pattern
+  end
+
   def split_String(str, pattern)
     str.split(Regexp.compile(pattern))
   end
@@ -46,4 +61,16 @@ Puppet::Functions.create_function(:split) do
   def split_RegexpType(str, pattern)
     str.split(pattern.regexp)
   end
-end
+
+  def split_String_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_String(sensitive.unwrap, pattern))
+  end
+
+  def split_Regexp_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_Regexp(sensitive.unwrap, pattern))
+  end
+
+  def split_RegexpType_sensitive(sensitive, pattern)
+    Puppet::Pops::Types::PSensitiveType::Sensitive.new(split_RegexpType(sensitive.unwrap, pattern))
+  end
+end

data/lib/puppet/functions/versioncmp.rb

@@ -4,7 +4,7 @@ require_relative '../../puppet/util/package'
 #
 # Prototype:
 #
-#     \$result = versioncmp(a, b)
+#     $result = versioncmp(a, b)
 #
 # Where a and b are arbitrary version strings.
 #

data/lib/puppet/http/service/compiler.rb

@@ -119,6 +119,10 @@ class Puppet::HTTP::Service::Compiler < Puppet::HTTP::Service
       params: { environment: environment },
     )
 
+    if (compiler = response['X-Puppet-Compiler-Name'])
+      Puppet.notice("Catalog compiled by #{compiler}")
+    end
+
     process_response(response)
 
     [response, deserialize(response, Puppet::Resource::Catalog)]

data/lib/puppet/indirector/catalog/compiler.rb

@@ -53,12 +53,20 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
     node.trusted_data = Puppet.lookup(:trusted_information) { Puppet::Context::TrustedInformation.local(node) }.to_h
 
     if node.environment
-      # If the requested environment doesn't match the server specified environment,
-      # as determined by the node terminus, and the request wants us to check for an
+      # If the requested environment name doesn't match the server specified environment
+      # name, as determined by the node terminus, and the request wants us to check for an
       # environment mismatch, then return an empty catalog with the server-specified
       # enviroment.
-      if request.remote? && request.options[:check_environment] && node.environment != request.environment
-        return Puppet::Resource::Catalog.new(node.name, node.environment)
+      if request.remote? && request.options[:check_environment]
+        # The "environment" may be same while environment objects differ. This
+        # is most likely because the environment cache was flushed between the request
+        # processing and node lookup. Environment overrides `==` but requires the
+        # name and modulepath to be the same. When using versioned environment dirs the
+        # same "environment" can have different modulepaths so simply compare names here.
+        if node.environment.name != request.environment.name
+          Puppet.warning _("Requested environment '%{request_env}' did not match server specified environment '%{server_env}'") % {request_env: request.environment.name, server_env: node.environment.name}
+          return Puppet::Resource::Catalog.new(node.name, node.environment)
+        end
       end
 
       node.environment.with_text_domain do

data/lib/puppet/indirector/catalog/rest.rb

@@ -13,6 +13,14 @@ class Puppet::Resource::Catalog::Rest < Puppet::Indirector::REST
 
     session = Puppet.lookup(:http_session)
     api = session.route_to(:puppet)
+
+    ip_address = begin
+      " (#{Resolv.getaddress(api.url.host)})"
+    rescue Resolv::ResolvError
+      nil
+    end
+    Puppet.notice("Requesting catalog from #{api.url.host}:#{api.url.port}#{ip_address}")
+
     _, catalog = api.post_catalog(
       request.key,
       facts: request.options[:facts_for_catalog],

data/lib/puppet/interface/action.rb

@@ -264,12 +264,14 @@ def #{@name}(#{decl.join(", ")})
 end
 WRAPPER
 
+    # It should be possible to rewrite this code to use `define_method`
+    # instead of `class/instance_eval` since Ruby 1.8 is long dead.
     if @face.is_a?(Class)
-      @face.class_eval do eval wrapper, nil, file, line end
+      @face.class_eval do eval wrapper, nil, file, line end # rubocop:disable Security/Eval
       @face.send(:define_method, internal_name, &block)
       @when_invoked = @face.instance_method(name)
     else
-      @face.instance_eval do eval wrapper, nil, file, line end
+      @face.instance_eval do eval wrapper, nil, file, line end # rubocop:disable Security/Eval
       @face.meta_def(internal_name, &block)
       @when_invoked = @face.method(name).unbind
     end

data/lib/puppet/interface/action_builder.rb

@@ -4,6 +4,8 @@
 # within the context of a new instance of this class.
 # @api public
 class Puppet::Interface::ActionBuilder
+  extend Forwardable
+
   # The action under construction
   # @return [Puppet::Interface::Action]
   # @api private
@@ -141,15 +143,8 @@ class Puppet::Interface::ActionBuilder
     property = setter.to_s.chomp('=')
 
     unless method_defined? property
-      # Using eval because the argument handling semantics are less awful than
-      # when we use the define_method/block version.  The later warns on older
-      # Ruby versions if you pass the wrong number of arguments, but carries
-      # on, which is totally not what we want. --daniel 2011-04-18
-      eval <<-METHOD
-        def #{property}(value)
-          @action.#{property} = value
-        end
-      METHOD
+      # ActionBuilder#<property> delegates to Action#<setter>
+      def_delegator :@action, setter, property
     end
   end
 

data/lib/puppet/node/environment.rb

@@ -591,10 +591,12 @@ class Puppet::Node::Environment
       if file == NO_MANIFEST
         empty_parse_result
       elsif File.directory?(file)
-        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*.pp')).glob.sort.map do | file_to_parse |
-          parser.file = file_to_parse
-          parser.parse
-          end
+        # JRuby does not properly perform Dir.glob operations with wildcards, (see PUP-11788 and https://github.com/jruby/jruby/issues/7836).
+        # We sort the results because Dir.glob order is inconsistent in Ruby < 3 (see PUP-10115).
+        parse_results = Puppet::FileSystem::PathPattern.absolute(File.join(file, '**/*')).glob.select {|globbed_file| globbed_file.end_with?('.pp')}.sort.map do | file_to_parse |
+                          parser.file = file_to_parse
+                          parser.parse
+                        end
         # Use a parser type specific merger to concatenate the results
         Puppet::Parser::AST::Hostclass.new('', :code => Puppet::Parser::ParserFactory.code_merger.concatenate(parse_results))
       else

data/lib/puppet/pops/loader/ruby_data_type_instantiator.rb

@@ -19,7 +19,7 @@ class Puppet::Pops::Loader::RubyDataTypeInstantiator
     # make the private loader available in a binding to allow it to be passed on
     loader_for_type = loader.private_loader
     here = get_binding(loader_for_type)
-    created = eval(ruby_code_string, here, source_ref, 1)
+    created = eval(ruby_code_string, here, source_ref, 1) # rubocop:disable Security/Eval
     unless created.is_a?(Puppet::Pops::Types::PAnyType)
       raise ArgumentError, _("The code loaded from %{source_ref} did not produce a data type when evaluated. Got '%{klass}'") % { source_ref: source_ref, klass: created.class }
     end

data/lib/puppet/pops/loader/ruby_function_instantiator.rb

@@ -19,7 +19,7 @@ class Puppet::Pops::Loader::RubyFunctionInstantiator
     # make the private loader available in a binding to allow it to be passed on
     loader_for_function = loader.private_loader
     here = get_binding(loader_for_function)
-    created = eval(ruby_code_string, here, source_ref, 1)
+    created = eval(ruby_code_string, here, source_ref, 1) # rubocop:disable Security/Eval
     unless created.is_a?(Class)
       raise ArgumentError, _("The code loaded from %{source_ref} did not produce a Function class when evaluated. Got '%{klass}'") % { source_ref: source_ref, klass: created.class }
     end

data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb

@@ -37,7 +37,7 @@ class Puppet::Pops::Loader::RubyLegacyFunctionInstantiator
       # This will do the 3x loading and define the "function_<name>" and "real_function_<name>" methods
       # in the anonymous module used to hold function definitions.
       #
-      func_info = eval(ruby_code_string, here, source_ref, 1)
+      func_info = eval(ruby_code_string, here, source_ref, 1) # rubocop:disable Security/Eval
 
       # Validate what was loaded
       unless func_info.is_a?(Hash)

data/lib/puppet/pops/time/timespan.rb

@@ -633,7 +633,7 @@ module Time
         position = -1
         fstart = 0
 
-        str.codepoints do |codepoint|
+        str.each_codepoint do |codepoint|
           position += 1
           if state == STATE_LITERAL
             if codepoint == 0x25 # '%'

data/lib/puppet/provider/package/appdmg.rb

@@ -66,7 +66,7 @@ Puppet::Type.type(:package).provide(:appdmg, :parent => Puppet::Provider::Packag
         end
       end
 
-      open(cached_source) do |dmg|
+      File.open(cached_source) do |dmg|
         xml_str = hdiutil "mount", "-plist", "-nobrowse", "-readonly", "-mountrandom", "/tmp", dmg.path
           ptable = Puppet::Util::Plist::parse_plist(xml_str)
           # JJM Filter out all mount-paths into a single array, discard the rest.

data/lib/puppet/provider/package/apt.rb

@@ -12,7 +12,7 @@ Puppet::Type.type(:package).provide :apt, :parent => :dpkg, :source => :dpkg do
     These options should be specified as an array where each element is either a
      string or a hash."
 
-  has_feature :versionable, :install_options, :virtual_packages
+  has_feature :versionable, :install_options, :virtual_packages, :version_ranges
 
   commands :aptget => "/usr/bin/apt-get"
   commands :aptcache => "/usr/bin/apt-cache"

data/lib/puppet/provider/package/dnf.rb

@@ -9,7 +9,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
   These options should be specified as an array where each element is either
    a string or a hash."
 
-  has_feature :install_options, :versionable, :virtual_packages, :install_only
+  has_feature :install_options, :versionable, :virtual_packages, :install_only, :version_ranges
 
   commands :cmd => "dnf", :rpm => "rpm"
 
@@ -32,6 +32,7 @@ Puppet::Type.type(:package).provide :dnf, :parent => :yum do
   notdefaultfor :operatingsystem => :fedora, :operatingsystemmajrelease => (19..21).to_a
   defaultfor :osfamily => :redhat
   notdefaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
+  defaultfor :operatingsystem => :amazon, :operatingsystemmajrelease => ["2023"]
 
   def self.update_command
     # In DNF, update is deprecated for upgrade

data/lib/puppet/provider/package/dnfmodule.rb

@@ -93,7 +93,7 @@ Puppet::Type.type(:package).provide :dnfmodule, :parent => :dnf do
         # module has no default profile and no profile was requested, so just enable the stream
         # DNF versions prior to 4.2.8 do not need this workaround
         # see https://bugzilla.redhat.com/show_bug.cgi?id=1669527
-        if @resource[:flavor] == nil && e.message =~ /^(?:missing|broken) groups or modules: #{Regexp.quote(@resource[:name])}$/
+        if @resource[:flavor] == nil && e.message =~ /^(?:missing|broken) groups or modules: #{Regexp.quote(args)}$/
           enable(args)
         else
           raise