Comments on Ruby 3.1’s incompatible changes to its YAML module (Psych 4)

Saito

While not exactly "news", I agree with your conclusion. Psych should have printed deprecation warnings some months before making this change. I must have fixed this in over a hundred places since January. Good blog and thanks!

It seems that the "Psych::DisallowedClass" error message still uses a black color even when the preferred `color-scheme` is dark, resulting in the message being unreadable unless selected when reading in dark mode. Just a note about a possible CSS misconfiguration. Still, great article with useful advice!

fastryan

A deprecation error message calling attention to the fact that something is unsafe against malicious payloads is not necessarily great, either. If that stderr is redirected somewhere visible to a would-be attacker, that could be an open invitation.

I don’t see that as a big problem, fastryan. It wouldn’t reveal any more information to attackers than what is already public, and it would encourage developers to update their code to be more secure.