[PoC] Imprement yaml parser written by pure ruby instead of Psych

[hsbt]

What was the end-user or developer problem that led to this PR?

We would like to allow users to freely specify the version, but the version of the libraries used internally like Psych cannot be specified.

Vendoring is workaround solution, But we can't vendor Psych because that is C extension.

What is your fix for the problem, implemented in this PR?

I tried to rewrite the minimum specification of YAML with Gemini.

Make sure the following tasks are checked

• Describe the problem / feature
• Write tests for features and bug fixes
• Write code to solve the problem
• Make sure you follow the current code style and write meaningful commit messages without tags

[Copilot]

Pull request overview

This PR replaces RubyGems' dependency on Psych (a C extension YAML library) with a pure Ruby YAML parser implementation to allow users to freely specify library versions without C extension constraints. The implementation provides a custom Gem::YAMLSerializer module that handles YAML serialization and deserialization for Gem specifications and related data structures.

Changes:

• Implemented a new pure Ruby YAML parser in lib/rubygems/yaml_serializer.rb with custom dump and load methods
• Removed dependency on Psych library and deleted lib/rubygems/psych_tree.rb
• Updated all YAML serialization/deserialization call sites to use the new YAMLSerializer API

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
lib/rubygems/yaml_serializer.rb	Complete rewrite from simple stub to full YAML parser with support for Gem objects, arrays, hashes, strings, and Ruby object tags
lib/rubygems.rb	Changed to load yaml_serializer instead of psych and psych_tree
lib/rubygems/safe_yaml.rb	Updated to use YAMLSerializer.load instead of Psych.safe_load
lib/rubygems/specification.rb	Simplified to_yaml method to use YAMLSerializer.dump directly
lib/rubygems/package.rb	Changed to use YAMLSerializer.dump for checksums
lib/rubygems/package/old.rb	Changed exception handling from Psych::SyntaxError to StandardError
lib/rubygems/commands/specification_command.rb	Updated to use YAMLSerializer.dump for spec output
lib/rubygems/config_file.rb	Added defensive check for respond_to?(:empty?)
lib/rubygems/ext/cargo_builder.rb	Correctly switched from YAML to JSON for parsing cargo metadata
test/rubygems/test_gem_safe_yaml.rb	Added pend statements for Psych-specific tests (logic appears inverted)
test/rubygems/test_gem_package.rb	Updated to use YAMLSerializer.dump in tests
test/rubygems/test_gem_commands_owner_command.rb	Changed expected exception from Psych::DisallowedClass to ArgumentError
test/rubygems/helper.rb	Updated load_yaml helper to use YAMLSerializer.load
lib/rubygems/psych_tree.rb	Deleted (no longer needed)
Manifest.txt	Removed psych_tree.rb entry

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The convert_any function handles Gem::Version, Gem::Platform, Gem::Requirement, and Gem::Dependency by reconstructing them from their serialized form, but it doesn't handle "Gem::Version::Requirement" consistently with other permitted classes. The code checks for both "!ruby/object:Gem::Requirement" and "!ruby/object:Gem::Version::Requirement" (line 299), but Gem::Version::Requirement is listed separately in PERMITTED_CLASSES. Verify that this is intentional and that the handling is correct for both cases.

[Copilot]

The condition obj.empty? on line 79 checks for empty strings to force quoting, but this check comes after checking for newlines. However, the order of checks matters - an empty string won't match the newline check, so this is fine. But consider that the regex /^[!*&:@%]/ and other special character checks might not cover all YAML special cases. For example, strings starting with ? or - followed by space might also need quoting depending on context.

Suggested change

	elsif quote || obj.empty? || obj =~ /^[!*&:@%]/ || obj =~ /^-?\d+(\.\d+)?$/ || obj =~ /^[<>=-]/ ||
	elsif quote || obj.empty? || obj =~ /^[!*&:@%]/ || obj =~ /^-?\d+(\.\d+)?$/ || obj =~ /^[<>=-]/ ||
	obj =~ /^\?/ || obj =~ /^-(\s|$)/ ||

[Copilot]

The inline array parsing logic val =~ /^\[(.*)\]$/ with val == "[]" ? [] : [$1.strip] is overly simplistic. It treats any non-empty bracketed content as a single-element array rather than properly parsing comma-separated values. For example, "[a, b, c]" would be parsed as a single-element array containing the string "a, b, c" instead of a three-element array. This doesn't match standard YAML inline array syntax.

Suggested change

	elsif val == "false"
	inner = $1.strip
	return [] if inner.empty?
	inner.split(/\s*,\s*/).reject(&:empty?).map { |element| unquote_simple(element) }

[Copilot]

In the hash parsing logic, when a value is empty and followed by an array, the code calls parse_any(lines, indent, ...) (line 205), but when followed by other content, it calls parse_any(lines, indent + 1, ...) (line 207). This inconsistency could lead to incorrect indentation handling. The logic should consistently determine the expected indentation level for nested content based on whether it's an array or hash, not based on arbitrary checks.

[Copilot]

This is a complete rewrite of the YAML parsing and serialization logic, replacing the battle-tested Psych library with a custom implementation. However, there appear to be no dedicated tests for the YAMLSerializer module itself. The existing tests (like test_to_yaml in test_gem_specification.rb) may provide some coverage, but a parser of this complexity requires comprehensive unit tests covering edge cases, error handling, various YAML constructs, and round-trip serialization. Consider adding a dedicated test file test_gem_yaml_serializer.rb with extensive test coverage.

[Copilot]

The Time dumping format uses %Y-%m-%d %H:%M:%S.%N Z which outputs nanoseconds with 9 digits. However, the parsing code in unquote_simple uses a simple regex /^\d{4}-\d{2}-\d{2}/ and Time.parse(val) which may not correctly handle the nanosecond precision. This could lead to loss of precision in round-trip serialization/deserialization. Consider using a more consistent format or ensuring the parser can handle the full precision.

Suggested change

	" #{obj.utc.strftime("%Y-%m-%d %H:%M:%S.%N Z")}\n"
	utc = obj.utc
	" #{utc.strftime("%Y-%m-%d %H:%M:%S")}.#{format("%06d", utc.usec)} Z\n"

[Copilot]

Symbol is listed in PERMITTED_CLASSES but there's no corresponding handler in convert_any for "!ruby/object:Symbol" tags. If a YAML document contains an explicitly tagged Symbol object, it will pass the security check (lines 227-228, 191-192, 152-153) but won't be properly converted to a Symbol object - it will be returned as a hash with a :tag key. Consider either removing Symbol from PERMITTED_CLASSES (since symbols are typically parsed directly from :symbol syntax) or adding proper Symbol conversion logic.

[Copilot]

The logic for this pend statement is inverted. The test should be skipped when YAMLSerializer IS loaded (since this PR replaces Psych with YAMLSerializer). Currently, the test is only skipped when YAMLSerializer is defined, but since it's now always loaded via Gem.load_yaml, this test will always be skipped. The condition should be checking if Psych is NOT loaded instead, or the entire pend line should be removed since YAMLSerializer is now the default.

Suggested change

	pend "Psych is not loaded" if defined?(Gem::YAMLSerializer)
	assert_predicate Gem::SafeYAML, :aliases_enabled?
	assert_equal({ "a" => "a", "b" => "a" }, Gem::SafeYAML.safe_load("a: &a a\nb: *a\n"))
	end
	def test_aliases_disabled
	pend "Psych is not loaded" if defined?(Gem::YAMLSerializer)
	pend "Psych is not loaded" unless defined?(Psych)
	assert_predicate Gem::SafeYAML, :aliases_enabled?
	assert_equal({ "a" => "a", "b" => "a" }, Gem::SafeYAML.safe_load("a: &a a\nb: *a\n"))
	end
	def test_aliases_disabled
	pend "Psych is not loaded" unless defined?(Psych)

[Copilot]

The infinite loop protection mechanism that shifts a line when no progress is made could silently swallow parse errors. If parse_any fails to consume any lines (returning nil or empty result), the loop shifts a line and continues, potentially losing data. Consider adding error logging or raising an exception when this fallback is triggered, or at minimum document why silent skipping is acceptable.

Suggested change

	if lines.size == before_count && lines.any?
	if lines.size == before_count && lines.any?
	warn "Gem::YAMLSerializer.load: skipping unparseable line #{lines.first.inspect} because it could not be parsed" if defined?(warn)

[Copilot]

The parse_block_scalar function only handles the "-" modifier (chomping) but YAML block scalars support other modifiers like "+" (keeping final newlines) and numeric indentation indicators (e.g., "|2"). The current implementation will treat "|+" or "|2" as unrecognized modifiers and won't apply the correct semantics, potentially leading to incorrect parsing of multiline strings. Consider implementing full block scalar modifier support or documenting the limitations.