path: root/ext/psych/lib/psych
Age | Commit message | Author
2023-02-07 | [ruby/psych] Bump version to 5.1 for release | Charles Oliver Nutter
This version primarily updates the JRuby extension to use SnakeYAML Engine, a newer version of the SnakeYAML library, which also updates YAML support to 1.2. The JRuby extension now also exposes settings for the parser.
2023-01-31 | Initial move to SnakeYAML Engine | Charles Oliver Nutter
See jruby/jruby#7570 for some of the justification for this move. We only require the parser from SnakeYAML, but in the original form it is encumbered with Java object serialization code that keeps getting flagged as a CVE risk. We disagree with the assessment, at least as it pertains to JRuby (we do not use the code in question) but our inclusion of the library continues to get flagged by auditing tools. This commit starts the process of moving to the successor library, SnakeYAML Engine. The parser API is largely unchanged, except as seen in this commit. No Java exceptions are thrown, but a number of Psych tests fail (possibly due to Engine being YAML 1.2 only).
2023-01-23 | [ruby/psych] Fix RestrictedYAMLTree allowing the Symbol class should allow all symbols | Jean Boussier
Ref:
That's how it works for `safe_load`:
```ruby
>> YAML.safe_load(':foo', permitted_classes: [Symbol])
=> :foo
```
So `safe_dump` should mirror that.
2023-01-18 | [ruby/psych] Bump up 5.0.2 | Hiroshi SHIBATA
2023-01-17 | [ruby/psych] Bump up 5.0.2.pre1 for testing | Hiroshi SHIBATA
2023-01-11 | [ruby/psych] Get rid of anonymous eval calls | Jean Boussier
Things declared in anonymous eval are always annoying to locate.
2022-12-08 | [ruby/psych] Bump version to 5.0.1 | Hiroshi SHIBATA
2022-12-05 | [ruby/psych] Bump version to 5.0.0 | Hiroshi SHIBATA
2022-09-28 | [ruby/psych] Bump snakeyaml from 1.31 to 1.33 | Chad Wilson
2022-09-20 | [ruby/psych] Convert some of Parser#parse to Ruby | Aaron Patterson
This commit just converts some of the parse method to Ruby
2022-09-07 | [ruby/psych] Bump snakeyaml from 1.28 to 1.31 | Chad Wilson
Resolves CVE-2022-25857, among other fixes.
2022-09-07 | [ruby/psych] Dump Date/DateTime as proleptic Gregorian date as well as Time | Nobuyoshi Nakada
Fix ruby/psych#572
2022-08-09 | [ruby/psych] Raise specific error when an anchor isn't defined | Alexander Momchilov
2022-08-09 | [ruby/psych] Raise specific error when aliases are not enabled | Alexander Momchilov
2022-05-18 | [ruby/psych] Prepare to develop 5.0.0 | Hiroshi SHIBATA
2022-05-18 | [ruby/psych] [CI] Add/update 'rake install', update Psych version for Ruby 3.1 gem install | MSP-Greg
2022-05-10 | [ruby/psych] tr is typically 4 to 5 times faster than gsub | MSP-Greg
2022-01-22 | [ruby/psych] Add strict_integer option to parse numbers with commas as strings | Seth Boyles
Authored-by: Seth Boyles <>
2022-01-14 | [ruby/psych] Don't require `strscan` unnecessarily | David Rodríguez
It does not seem needed, and it's causing issues on Windows when uninstalling `strscan`, because strscan's shared library is being used when RubyGems tries to remove it (because it's loaded through Psych, which RubyGems uses for loading configuration).
2021-12-20 | [ruby/psych] Bump version to 4.0.3 | Hiroshi SHIBATA
2021-10-24 | [ruby/psych] Prefer `require_relative` for internal requires | David Rodríguez
2021-10-21 | [ruby/psych] Bump up psych version to 4.0.2 | Hiroshi SHIBATA
2021-08-31 | [ruby/psych] Replace A-Za-z with [:alpha:] | jory-graham
2021-08-31 | [ruby/psych] Add quotes to the strings "y" and "n" | Aaron Patterson
'y' and 'n' are kind of ambiguous. Syck treated y and n literals in YAML documents as strings. But this is not what the YAML 1.1 spec says. YAML 1.1 says they should be treated as booleans. When we're dumping documents, we know it's a string, so adding quotes will eliminate the "ambiguity" in the emitted document.
Fixes #443
2021-08-31 | [ruby/psych] Update lib/psych/scalar_scanner.rb | opak
Co-authored-by: Olle Jonsson <>
2021-08-31 | [ruby/psych] add more tests | Alexandr Opak
2021-08-31 | [ruby/psych] fix parsing integer values with '_' at the end | Alexandr Opak
2021-08-31 | [ruby/psych] Improve float scalar scanner | Tomer Brisker
Previously, `+.inf` was not handled correctly. Additionally, the regexp was checking for inf and NaN, even though these cases are handled earlier in the condition. Added a few tests to ensure handling some missing cases.
2021-06-07 | [ruby/psych] Bump version to 4.0.1 | Hiroshi SHIBATA
2021-06-07 | [ruby/psych] Implement YAML.safe_dump to make safe_load more usable. | Jean Boussier
In cases where Psych is used as a two-way serializer, e.g. to serialize some cache or config, it is preferable to have the same restrictions on both load and dump. Otherwise you might dump and persist some object payloads that you later won't be able to read.
2021-05-17 | [ruby/psych] Bump version | Aaron Patterson
2021-05-17 | [ruby/psych] Introduce `Psych.unsafe_load` | Aaron Patterson
In future versions of Psych, the `load` method will be mostly the same as the `safe_load` method. In other words, the `load` method won't allow arbitrary object deserialization (which can be used to escalate to an RCE). People that need to load *trusted* documents can use the `unsafe_load` method. This commit introduces the `unsafe_load` method so that people can incrementally upgrade. For example, if they try to upgrade to 4.0.0 and something breaks, they can downgrade, audit callsites, change to `safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0 smoothly.
2021-05-17 | [ruby/psych] Fix symbolize_name with non-string keys | Jean Boussier
2021-05-17 | [ruby/psych] feat: allow scalars and sequences to be styled when dumped | Jeremy Ebler
2021-05-10 | [ruby/psych] Fix some typos [ci skip] | Ryuta Kamizono
2021-05-10 | [ruby/psych] bump version | Aaron Patterson
2021-05-10 | [ruby/psych] Update to latest SnakeYAML | Charles Oliver Nutter
Fixes jruby/jruby#6365
2021-05-10 | [ruby/psych] Fix custom marshalization with symbolize_names: true | Jean Boussier
2021-05-10 | [ruby/psych] Cache dispatch cache in an instance variable | Jean Boussier
2021-05-10 | [ruby/psych] Cache access to Psych.load_tags in Visitor::ToRuby | Jean Boussier
2020-12-23 | [ruby/psych] Bump version to 3.3.0 | Hiroshi SHIBATA
2020-12-23 | [ruby/psych] Optimize cache with `compare_by_identity` | Marc-Andre Lafortune
Using `compare_by_identity` gives a 4x performance boost on cache hits. Benchmark in Notes: Merged:
2020-12-23 | [ruby/psych] Make Ractor-ready. | Marc-Andre Lafortune
Config is Ractor-local. Benchmarking reveals that using `Ractor.local_storage` for storing cache is similar to accessing a constant (~15% slower). Notes: Merged:
2020-12-23 | [ruby/psych] Avoid methods depending on bindings | Marc-Andre Lafortune
Improves Ractor-readiness. Notes: Merged:
2020-12-23 | [ruby/psych] Freeze constants. | Marc-Andre Lafortune
Improves Ractor-readiness. Notes: Merged:
2020-12-14 | Merge Psych-3.2.1 from ruby/psych | Hiroshi SHIBATA
2020-09-25 | [ruby/psych] Bump version to 3.2.0 | Hiroshi SHIBATA
2020-09-25 | [ruby/psych] Revert psych version | SzymonKowalczyk
2020-09-25 | [ruby/psych] Update SNAKEYAML CVE-2017-18640 | SzymonKowalczyk
to version 1.26
2020-09-25 | Remove private_iv_get | Charles Oliver Nutter
The only remaining use of this function was to get the internal message object from an exception's hidden `mesg` instance variable to allow it to be dumped without converting to a string. As discussed in #103, this exposes internal implementation details of CRuby, and ultimately does not provide any real utility to the user since they can't directly inspect this hidden variable. The test change here is to reflect CRuby behavior that denies equality if the internal message objects do not match, as is the case after the exception has been loaded and now has a simple String value. The impact to users is that exceptions with special hidden message objects will convert those objects to String during marshaling through YAML. I believe this only affects NameError and its descendants, since users can't set this field directly on their own exception types. Fixes #103.