Comments on Ruby 3.1’s incompatible changes to its YAML module (Psych 4)

Be civil and read the entire article first. This is not a support forum. Comments from new contributors are moderated. English only.

Leave a comment

Required. Optional. E.g. your homepage, Twitter. or Email required unless anonymous. Not published or shared. Reuse to be recognized as the same commenter.
Plain-text only. Begin lines with a > character to quote.

Saito

While not exactly "news", I agree with your conclusion. Psych should have printed deprecation warnings some months before making this change. I must have fixed this in over a hundred places since January. Good blog and thanks!

Nekonull

It seems that the "Psych::DisallowedClass" error message still uses a black color even when the preferred `color-scheme` is dark, resulting the message unreadable unless selected when reading in dark mode. Just a note about a possible CSS misconfiguration. Still, great article with useful advice!

fastryan

A deprecation error message calling attention to the fact that something is unsafe against malicious payloads is not necessarily great, either. If that stderr is redirected somewhere visible to a would-be attacker, that could be an open invitation.

Daniel Aleksandersen

I don’t see that as a big problem, fastryan. It wouldn’t reveal any more information to attackers than what is already public, and it would encourage developers to update their code to be more secure.

Discussions also happens elsewhere! Read and participate in 2 external discussions (17 comments).