Feature #19528
closed
`JSON.load` defaults are surprising (`create_additions: true`)
Description
I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use `load` and `dump` as methods, likely inspired by `Marshal` and `YAML`.
Because of this it's extremely common to see code that uses `JSON.load` expecting a simple, no surprise, and safe JSON parsing.
However that's `JSON.parse`.
`JSON.load` has this very surprising behavior (albeit perfectly documented), of de-serializing more complex types:
```
>> JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
=> "Hello"
```
It's particularly weird because aside from the `String` extension that is eagerly defined, for other types you have to `require "json/add/core"`.
Seasoned Ruby developers know about this of course, and it is banned by various linters, but it keeps popping up regularly in gems' security releases and such.
Proposal
Assuming entirely removing this feature is not an option, I think `json 2.x` should warn when this feature is actually being used, and `json 3.x` should disable it by default and require users to explicitly use `JSON.load(str, create_additions: true)` to keep the old behavior.
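The difference between the calls discussed above, as an added example that is not part of the original issue or of the json gem: it contrasts plain parsing, `JSON.load` with the feature switched off, and explicit opt-in. The class `AuditProbe`, the constant `UNTRUSTED` and the helper names are hypothetical, and the input is constructed.

```ruby
require "json"

# Constructed stand-in for any application class that opts in to JSON additions.
class AuditProbe
  attr_reader :fields

  def initialize(fields)
    @fields = fields
  end

  # Hook the json gem calls when create_additions is enabled.
  def self.json_create(object)
    new(object["fields"])
  end
end

# Constructed input: untrusted JSON that names a class via "json_class".
UNTRUSTED = '{ "json_class": "AuditProbe", "fields": { "role": "admin" } }'

# Preferred for untrusted input: plain parsing, never instantiates classes.
def parse_untrusted(str)
  JSON.parse(str, create_additions: false)
end

# JSON.load with the feature switched off. The documented signature is
# JSON.load(source, proc = nil, options), so the options go in third position.
def load_untrusted(str)
  JSON.load(str, nil, create_additions: false)
end

# Explicit opt-in, for trusted data only.
def load_trusted(str)
  JSON.parse(str, create_additions: true)
end

# Reports whether the installed json gem still instantiates classes when
# JSON.load is called with its defaults; the answer depends on the gem version.
def additions_by_default?
  JSON.load(UNTRUSTED).is_a?(AuditProbe)
end

if $PROGRAM_NAME == __FILE__
  puts "json #{JSON::VERSION}"
  puts "parse_untrusted: #{parse_untrusted(UNTRUSTED).class}"
  puts "load_untrusted:  #{load_untrusted(UNTRUSTED).class}"
  puts "load_trusted:    #{load_trusted(UNTRUSTED).class}"
  puts "JSON.load default instantiates classes: #{additions_by_default?}"
end
```

Running `additions_by_default?` against a project's pinned json version shows whether bare `JSON.load` calls in that code base still need the explicit `create_additions: false`.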