Chef Supermarket 5.0.41 Released!

We are delighted to announce the availability of version 5.0.41 of Chef Supermarket.

Upgrade Requirements

Database Upgrade

Supermarket 5 includes a large upgrade of the underlying PostgreSQL database. An automated upgrade must be run after the package is installed. See Upgrade Supermarket for details.

Allowed Host Attribute

In order to prevent potential host header attacks, users will need to specify the FQDN of the Supermarket with the node['supermarket']['allowed_host'] attribute. For example, the public supermarket at would set this value to
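The kind of check an allowed-host setting makes possible, shown as an added Ruby example that is not Supermarket's own code: the request's Host header is normalized and compared against the single configured FQDN before any URL is built from it. The FQDN `supermarket.example.com` and the names `ALLOWED_HOST`, `normalize_host`, `host_allowed?`, `HostGuard`, `ECHO_APP` and `status_for` are assumptions made for illustration.

```ruby
# Added example: Host header allow-list check (not Supermarket's own code).
# ALLOWED_HOST stands in for node['supermarket']['allowed_host'];
# "supermarket.example.com" is a constructed placeholder FQDN.
ALLOWED_HOST = 'supermarket.example.com'

# Reduce a raw Host header to a bare lowercase hostname, or nil if malformed.
def normalize_host(raw)
  return nil if raw.nil?

  host = raw.strip.downcase
  # Accept only hostname[.][:port]. Anything else (userinfo with "@", paths,
  # embedded whitespace or newlines, comma-joined duplicates) is rejected.
  m = /\A([a-z0-9](?:[a-z0-9\-.]*[a-z0-9])?)\.?(?::(\d{1,5}))?\z/.match(host)
  m && m[1]
end

# Exact match only: no suffix or prefix matching, so a name that merely
# contains the allowed FQDN does not pass.
def host_allowed?(raw, allowed = ALLOWED_HOST)
  normalize_host(raw) == allowed.downcase
end

# Minimal Rack-style middleware: refuse requests whose Host is not allowed,
# so downstream code never builds links from a client-chosen name.
class HostGuard
  def initialize(app, allowed = ALLOWED_HOST)
    @app = app
    @allowed = allowed
  end

  def call(env)
    return @app.call(env) if host_allowed?(env['HTTP_HOST'], @allowed)

    [400, { 'content-type' => 'text/plain' }, ["Invalid Host header\n"]]
  end
end

# Constructed downstream app that builds an absolute link from the Host header,
# which is the behaviour the guard protects.
ECHO_APP = ->(env) { [200, {}, ["https://#{env['HTTP_HOST']}/reset"]] }

# Helper for the sample requests: HTTP status returned for a given Host value.
def status_for(host)
  HostGuard.new(ECHO_APP).call('HTTP_HOST' => host).first
end
```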

Bug Fixes

  • Updated links to the Chef Blog to use the latest URL.
  • Updated links to the Chef Documentation to use the latest URL.
  • Removed unused attributes for New Relic monitoring.


PostgreSQL 13.4

The embedded PostgreSQL 9.3 installation used by Supermarket to store cookbook information has been upgraded to 13.4. This new release of PostgreSQL improves performance, includes new functionality that will be utilized in future Supermarket releases, and resolves multiple security vulnerabilities. See Upgrade Supermarket for more information on completing this upgrade.

Cookstyle Cookbook Quality Metrics

The Cookbook Quality Metrics evaluation in Supermarket now uses our Cookstyle engine to evaluate cookbook quality. This greatly improves the breadth of evaluation we provide with ~250 Cookstyle cops being used for each cookbook. This also aligns the quality metrics with the same tools used in local development and CI processes. Stay tuned for exciting new improvements to the Cookbook Quality Metrics using these new capabilities.

Log Directory Permissions

Users can now set the permissions of the Supermarket log directory with a new default['supermarket']['log_mode'] configuration option. This configuration option defaults to the previous directory default of 0700.

Versioned Universe API Endpoint

The universe API endpoint is now available under the v1 API endpoint. There are no current plans to introduce breaking changes to the existing universe API endpoint, but we highly recommend using the new versioned API endpoint for future compatibility.


HTTP Headers

Supermarket now includes a more secure Permissions-Policy HTTP header by default.

Puma 5.6.2

Puma has been upgraded from 5.6.1 to 5.6.2 to resolve CVE-2022-23633.

Sidekiq 6.4.1

The Sidekiq job processing system used by Supermarket has been updated from 6.3.1 to 6.4.1 to resolve CVE-2021-30151.

Ruby on Rails

The Ruby on Rails framework used by Supermarket has been updated from to to resolve CVE-2021-22904.

Get the Build

You can download binaries directly from
