Feature #19528

closed

`JSON.load` defaults are surprising (`create_additions: true`)

Added by byroot (Jean Boussier) about 1 year ago. Updated 4 days ago.

Status: Third Party's Issue
Assignee: -
Target version: -
[ruby-core:112866]

Description

I'm not sure if it was actually intended, but there's some tacit naming convention for serializers in Ruby to use `load` and `dump` as methods, likely inspired by Marshal and YAML.

Because of this it's extremely common to see code that uses JSON.load expecting a simple, no surprise, and safe JSON parsing.

However that's JSON.parse.

JSON.load has this very surprising behavior (albeit perfectly documented), of de-serializing more complex types:

```
>> JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
=> "Hello"
```

It's particularly weird because aside from the String extension that is eagerly defined, for other types you have to require "json/add/core".

Seasoned Ruby developers know about this of course, and it is banned by various linters, but it keeps popping up regularly in gem security releases and such.

Proposal

Assuming entirely removing this feature is not an option, I think json 2.x should warn when this feature is actually being used, and json 3.x should disable it by default and require users to explicitly use JSON.load(str, create_additions: true) to keep the old behavior.
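The difference the issue describes, as an added example that is not part of the original report or of the json gem's own code. It uses `JSON.parse` with an explicit `create_additions:` value on every call, because what `JSON.load` does by default depends on the installed json version; the `AuditedPoint` class, the sample document and the helper names are constructed for illustration.

```ruby
require "json"

# Hypothetical application class (not from the issue). Any class that responds
# to .json_create can be instantiated by a parser running with additions enabled.
class AuditedPoint
  attr_reader :x, :y

  def initialize(x, y)
    @x = x
    @y = y
  end

  def self.json_create(hash)
    new(hash["x"], hash["y"])
  end
end

# Constructed sample input, as it might arrive from an untrusted client.
UNTRUSTED = '{"id": 7, "pos": {"json_class": "AuditedPoint", "x": 1, "y": 2}}'

# Plain parsing: explicit create_additions: false, so the result holds only
# Hash, Array, String, Numeric, true, false and nil.
def parse_plain(source)
  JSON.parse(source, create_additions: false)
end

# Opt-in revival, spelled out at the call site as the proposal asks.
def parse_with_additions(source)
  JSON.parse(source, create_additions: true)
end

# Walk a plainly parsed document and return the path of every object that
# carries the create_id key ("json_class" by default), i.e. every place where
# an additions-enabled parser would have called SomeClass.json_create.
def addition_markers(node, path = "$", found = [])
  case node
  when Hash
    found << "#{path} -> #{node[JSON.create_id]}" if node.key?(JSON.create_id)
    node.each { |key, value| addition_markers(value, "#{path}.#{key}", found) }
  when Array
    node.each_with_index { |value, i| addition_markers(value, "#{path}[#{i}]", found) }
  end
  found
end
```

Running `addition_markers` over plainly parsed input is a cheap way to log or reject documents that would have triggered object revival before a code base is migrated away from `JSON.load`.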
