ruby · hsbt · Feb 25, 2026 · Feb 25, 2026 · Feb 25, 2026 · Feb 25, 2026
diff --git a/Manifest.txt b/Manifest.txt
@@ -450,7 +450,6 @@ lib/rubygems/package/tar_writer.rb
 lib/rubygems/package_task.rb
 lib/rubygems/path_support.rb
 lib/rubygems/platform.rb
-lib/rubygems/psych_tree.rb
 lib/rubygems/query_utils.rb
 lib/rubygems/rdoc.rb
 lib/rubygems/remote_fetcher.rb

diff --git a/lib/rubygems.rb b/lib/rubygems.rb
@@ -647,9 +647,7 @@ def self.add_to_load_path(*paths)
   def self.load_yaml
     return if @yaml_loaded
 
-    require "psych"
-    require_relative "rubygems/psych_tree"
-
+    require_relative "rubygems/yaml_serializer"
     require_relative "rubygems/safe_yaml"
 
     @yaml_loaded = true

diff --git a/lib/rubygems/commands/specification_command.rb b/lib/rubygems/commands/specification_command.rb
@@ -147,7 +147,7 @@ def execute
       say case options[:format]
           when :ruby then s.to_ruby
           when :marshal then Marshal.dump s
-          else s.to_yaml
+          else Gem::YAMLSerializer.dump(s)
       end
 
       say "\n"

diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
@@ -563,7 +563,9 @@ def self.dump_with_rubygems_yaml(content)
   def self.load_with_rubygems_config_hash(yaml)
     require_relative "yaml_serializer"
 
-    content = Gem::YAMLSerializer.load(yaml)
+    content = Gem::YAMLSerializer.load(yaml, permitted_classes: [])
+    return {} unless content.is_a?(Hash)
+
     deep_transform_config_keys!(content)
   end
 
@@ -597,7 +599,7 @@ def self.deep_transform_config_keys!(config)
         else
           v
         end
-      elsif v.empty?
+      elsif v.respond_to?(:empty?) && v.empty?
         nil
       elsif v.is_a?(Hash)
         deep_transform_config_keys!(v)

diff --git a/lib/rubygems/ext/cargo_builder.rb b/lib/rubygems/ext/cargo_builder.rb
@@ -227,10 +227,9 @@ def cargo_crate_name(cargo_dir, manifest_path, results)
       raise Gem::InstallError, "cargo metadata failed#{exit_reason}"
     end
 
-    # cargo metadata output is specified as json, but with the
-    # --format-version 1 option the output is compatible with YAML, so we can
-    # avoid the json dependency
-    metadata = Gem::SafeYAML.safe_load(output)
+    # cargo metadata output is specified as json
+    require "json"
+    metadata = JSON.parse(output)
     package = metadata["packages"].find {|pkg| normalize_path(pkg["manifest_path"]) == manifest_path }
     unless package
       found = metadata["packages"].map {|md| "#{md["name"]} at #{md["manifest_path"]}" }

diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
@@ -232,7 +232,7 @@ def add_checksums(tar)
 
     tar.add_file_signed "checksums.yaml.gz", 0o444, @signer do |io|
       gzip_to io do |gz_io|
-        Psych.dump checksums_by_algorithm, gz_io
+        gz_io.write Gem::YAMLSerializer.dump(checksums_by_algorithm)
       end
     end
   end

diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
@@ -146,7 +146,7 @@ def spec
 
     begin
       @spec = Gem::Specification.from_yaml yaml
-    rescue Psych::SyntaxError
+    rescue StandardError
       raise Gem::Exception, "Failed to parse gem specification out of gem file"
     end
   rescue ArgumentError

diff --git a/lib/rubygems/psych_tree.rb b/lib/rubygems/psych_tree.rb
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
@@ -35,11 +35,19 @@ def self.aliases_enabled? # :nodoc:
     end
 
     def self.safe_load(input)
-      ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
+      Gem::YAMLSerializer.load(
+        input,
+        permitted_classes: PERMITTED_CLASSES,
+        permitted_symbols: PERMITTED_SYMBOLS,
+        aliases: aliases_enabled?
+      )
     end
 
     def self.load(input)
-      ::Psych.safe_load(input, permitted_classes: [::Symbol])
+      Gem::YAMLSerializer.load(
+        input,
+        permitted_classes: [::Symbol]
+      )
     end
   end
 end
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
@@ -2454,25 +2454,7 @@ def to_spec
 
   def to_yaml(opts = {}) # :nodoc:
     Gem.load_yaml
-
-    # Because the user can switch the YAML engine behind our
-    # back, we have to check again here to make sure that our
-    # psych code was properly loaded, and load it if not.
-    unless Gem.const_defined?(:NoAliasYAMLTree)
-      require_relative "psych_tree"
-    end
-
-    builder = Gem::NoAliasYAMLTree.create
-    builder << self
-    ast = builder.tree
-
-    require "stringio"
-    io = StringIO.new
-    io.set_encoding Encoding::UTF_8
-
-    Psych::Visitors::Emitter.new(io).accept(ast)
-
-    io.string.gsub(/ !!null \n/, " \n")
+    Gem::YAMLSerializer.dump(self)
   end
 
   ##