Regression in v9.0.0? Config lines moved "for no reason"

[elofu17]

Just a question, maybe not an issue:

I just upgraded all my Puppet modules to new versions, including saz/sudo from v8.0.0 to v9.0.0.

Now if I do a puppet noop run on a Debian 11 server, it says it will change /etc/sudoers :

Info: Applying configuration version 'abbda11b'

Notice: /Stage[main]/Sudo/File[/etc/sudoers]/content:
--- /etc/sudoers        2022-03-03 16:03:57.126091434 +0100
+++ /tmp/puppet-file20250109-2624740-ibq2gx     2025-01-09 13:55:36.405628796 +0100
@@ -1,7 +1,5 @@
 # file managed by puppet (unless config_file_replace=false)
 #
-Defaults       env_reset
-Defaults       mail_badpass
 Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin"
 
 
@@ -16,4 +14,5 @@
 # See sudoers(5) for more information on "#include" directives:
 
 #includedir /etc/sudoers.d
-
+Defaults       env_reset
+Defaults       mail_badpass

Notice: /Stage[main]/Sudo/File[/etc/sudoers]/content: current_value '{sha256}16312b9d6e14211fc31a8553839e545a82cb81d275b1f1d0c8b6e911ca29153f', should be '{sha256}b9e9b651bc74ef24af41d825ee14691601cae09c0f8e56acc93a4426a69d2d18' (noop)
Notice: Class[Sudo]: Would have triggered 'refresh' from 1 event
Notice: Stage[main]: Would have triggered 'refresh' from 3 events
Notice: Applied catalog in 9.45 seconds

I haven't applied this yet (since the modules changes would affect many++ servers).
It looks like the two lines will be removed from the top of the file and then be added back at the bottom.
This is probably not an issue, but if that happens, the resulting file will look "uglier" than the original, having one Defaults line remain at the top while the other two now are moved to the bottom.
Is this intended and correct?
Ideally, a version bump should not update the file if not necessary -- i.e. keep all three Defaults lines grouped at the top as-is.

The original file looks like this:

# file managed by puppet (unless config_file_replace=false)
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin"




# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

The two relevant original lines contain no extra whitespace or simillar, and use one tab as separator.
The third Defaults line look exactly the same, but it is, for some reason, not affected.
Here's the exact original file:

cat -A /etc/sudoers
# file managed by puppet (unless config_file_replace=false)$
#$
Defaults^Ienv_reset$
Defaults^Imail_badpass$
Defaults^Isecure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin"$
$
$
$
$
# User privilege specification$
root^IALL=(ALL:ALL) ALL$
$
# Allow members of group sudo to execute any command$
%sudo^IALL=(ALL:ALL) ALL$
$
# See sudoers(5) for more information on "#include" directives:$
$
#includedir /etc/sudoers.d$
$