[dev] Removes dependency lock on Psych

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --no-exclude-limit`
-# on 2026-04-22 15:46:09 UTC using RuboCop version 1.86.1.
+# on 2026-05-05 14:43:06 UTC using RuboCop version 1.86.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -301,12 +301,11 @@ Lint/UselessOr:
     - 'app/models/qcable/statemachine.rb'
     - 'app/models/ui_helper/summary.rb'
 
-# Offense count: 11
+# Offense count: 7
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes, Max.
 Metrics/AbcSize:
   Exclude:
     - 'app/controllers/api/v2/transfers_controller.rb'
-    - 'app/controllers/studies/information_controller.rb'
     - 'app/jobs/export_pool_xp_to_traction_job.rb'
     - 'app/models/accession_service/base_service.rb'
     - 'app/sample_manifest_excel/sample_manifest_excel/manifest_type_list.rb'
@@ -334,7 +333,7 @@ Metrics/CyclomaticComplexity:
     - 'app/models/accession_service/base_service.rb'
     - 'lib/limber/helper.rb'
 
-# Offense count: 19
+# Offense count: 18
 # Configuration parameters: CountComments, Max, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
   Exclude:
@@ -617,7 +616,7 @@ RSpec/BeforeAfterAll:
     - 'spec/sample_manifest_excel/worksheet_spec.rb'
     - 'spec/sequencescape_excel/worksheet_spec.rb'
 
-# Offense count: 342
+# Offense count: 330
 # Configuration parameters: Prefixes, AllowedPatterns.
 # Prefixes: when, with, without
 RSpec/ContextWording:
@@ -649,7 +648,6 @@ RSpec/ContextWording:
     - 'spec/models/barcode_spec.rb'
     - 'spec/models/broadcast_event/lab_event_spec.rb'
     - 'spec/models/broadcast_event/qc_assay_spec.rb'
-    - 'spec/models/bulk_submission_spec.rb'
     - 'spec/models/comment_spec.rb'
     - 'spec/models/illumina_htp/initial_stock_tube_purpose_spec.rb'
     - 'spec/models/location_report_form_spec.rb'
@@ -840,7 +838,7 @@ RSpec/ExampleWording:
     - 'spec/sequencescape_excel/validation_spec.rb'
     - 'spec/sequencescape_excel/worksheet_spec.rb'
 
-# Offense count: 27
+# Offense count: 26
 RSpec/ExpectInHook:
   Exclude:
     - 'spec/controllers/labwhere_receptions_controller_spec.rb'
@@ -1197,7 +1195,7 @@ RSpec/MultipleExpectations:
     - 'spec/views/labware/show_chromium_chip_spec.rb'
     - 'spec/views/samples/index_html_erb_spec.rb'
 
-# Offense count: 243
+# Offense count: 249
 # Configuration parameters: EnforcedStyle, IgnoreSharedExamples.
 # SupportedStyles: always, named_only
 RSpec/NamedSubject:

Gemfile

@@ -21,10 +21,6 @@ group :default do
   gem 'faraday-multipart'
   gem 'rest-client' # Deprecated, but still used in some places, replace with Faraday where possible
 
-  # Fix incompatibility with between Ruby 3.1 and Psych 4 (used for yaml)
-  # see https://stackoverflow.com/a/71192990
-  gem 'psych', '< 4'
-
   # State machine
   gem 'aasm'
   gem 'after_commit_everywhere', '~> 1.0' # Required by AASM
@@ -34,7 +30,7 @@ group :default do
 
   # Provides bulk insert capabilities
   gem 'activerecord-import'
-  gem 'record_loader', git: 'https://github.com/sanger/record_loader'
+  gem 'record_loader', git: 'https://github.com/sanger/record_loader', branch: 'sh51/psych-5'
 
   gem 'mysql2', platforms: :mri
   gem 'will_paginate'

Gemfile.lock

@@ -16,9 +16,11 @@ GIT
 
 GIT
   remote: https://github.com/sanger/record_loader
-  revision: 9e7481f4d2342f042ab13465962e5d6689863198
+  revision: cbd59574d1090a0a81a770478a6b4042fa882f6a
+  branch: sh51/psych-5
   specs:
-    record_loader (0.3.0)
+    record_loader (1.0.0)
+      psych (~> 5.0)
 
 GIT
   remote: https://github.com/sanger/sanger_barcode_format.git
@@ -377,7 +379,9 @@ GEM
       pry (>= 0.13, < 0.17)
     pry-rails (0.3.11)
       pry (>= 0.13.0)
-    psych (3.3.4)
+    psych (5.3.1)
+      date
+      stringio
     public_suffix (7.0.5)
     puma (7.2.0)
       nio4r (~> 2.0)
@@ -588,6 +592,7 @@ GEM
       rbtree
       set (~> 1.0)
     ssrf_filter (1.2.0)
+    stringio (3.2.0)
     syntax_tree (6.3.0)
       prettier_print (>= 1.2.0)
     syntax_tree-haml (4.0.3)
@@ -715,7 +720,6 @@ DEPENDENCIES
   prettier_print
   pry-byebug
   pry-rails
-  psych (< 4)
   puma
   rack-acceptable
   rack-cors

app/models/broadcast_event.rb

@@ -19,7 +19,7 @@ class BroadcastEvent < ApplicationRecord
   # https://api.rubyonrails.org/classes/ActiveRecord/Inheritance/ClassMethods.html
   validates :sti_type, presence: true
 
-  serialize :properties, coder: YAML
+  serialize :properties, coder: YAML, yaml: { permitted_classes: [ActionController::Parameters] }
   self.inheritance_column = 'sti_type'
 
   broadcast_with_warren

app/models/request_type/validator.rb

@@ -104,7 +104,14 @@ def valid_options
 
   belongs_to :request_type, optional: false
   validates :request_option, :valid_options, presence: true
-  serialize :valid_options, coder: YAML
+  serialize :valid_options, coder: YAML, yaml: {
+    permitted_classes: [
+      Range,
+      RequestType::Validator::ArrayWithDefault,
+      RequestType::Validator::FlowcellTypeValidator,
+      RequestType::Validator::LibraryTypeValidator
+    ]
+  }
 
   delegate :include?, to: :valid_options
 

app/models/submission/request_options_behaviour.rb

@@ -7,7 +7,14 @@ class HashWrapper
     def self.load(hash_yaml)
       return hash_yaml if hash_yaml.nil?
 
-      YAML.load(hash_yaml)
+      YAML.safe_load(hash_yaml,
+                     aliases: true,
+                     permitted_classes: [
+                       ActiveSupport::HashWithIndifferentAccess,
+                       ActiveSupport::TimeWithZone,
+                       ActiveSupport::TimeZone,
+                       Time
+                     ])
     end
 
     def self.dump(hash)
@@ -28,22 +35,20 @@ def request_options=(options)
     super
   end
 
+  private
+
   def check_request_options
     check_multipliers_are_valid
   end
-  private :check_request_options
 
-  # rubocop:todo Metrics/PerceivedComplexity, Metrics/AbcSize
-  def check_multipliers_are_valid # rubocop:todo Metrics/CyclomaticComplexity
+  def check_multipliers_are_valid # rubocop:disable Metrics/CyclomaticComplexity
     multipliers = request_options.try(:[], :multiplier)
     return if multipliers.blank? # We're ok with nothing being specified!
 
     # TODO[xxx]: should probably error if they've specified a request type that isn't being used
-    errors.add(:request_options, 'negative multiplier supplied') if multipliers.values.map(&:to_i).any?(&:negative?)
-    errors.add(:request_options, 'zero multiplier supplied') if multipliers.values.map(&:to_i).any?(&:zero?)
+    multiplier_values = multipliers.values.map(&:to_i)
+    errors.add(:request_options, 'negative multiplier supplied') if multiplier_values.any?(&:negative?)
+    errors.add(:request_options, 'zero multiplier supplied') if multiplier_values.any?(&:zero?)
     false unless errors.empty?
   end
-
-  # rubocop:enable Metrics/AbcSize, Metrics/PerceivedComplexity
-  private :check_multipliers_are_valid
 end

app/sequencescape_excel/sequencescape_excel/helpers.rb

@@ -5,7 +5,8 @@ module SequencescapeExcel
   # Helpers
   module Helpers
     def load_file(folder, filename)
-      YAML.load_file(Rails.root.join(folder, "#{filename}.yml")).with_indifferent_access
+      file_path = Rails.root.join(folder, "#{filename}.yml")
+      YAML.safe_load_file(file_path, permitted_classes: [Symbol], aliases: true).with_indifferent_access
     end
   end
 end

config/default_records/asset_shapes/default_records.yml

@@ -62,8 +62,8 @@ Fluidigm192:
   sizes: [192]
 
 StripTubeColumn:
-  horizontal_ratio: 1,
-  vertical_ratio: 8,
+  horizontal_ratio: 1
+  vertical_ratio: 8
   description_strategy: Sequential
   sizes: [8]
 

config/initializers/accession.rb

@@ -9,5 +9,5 @@
 end
 
 # add ena requirement fields here
-ena_requirement_fields = YAML.load_file('config/ena_requirement_fields.yml')
+ena_requirement_fields = YAML.safe_load_file('config/ena_requirement_fields.yml')
 Rails.application.config.ena_requirement_fields = ena_requirement_fields.with_indifferent_access

config/initializers/failure_reasons.rb

@@ -1,2 +1,2 @@
 # frozen_string_literal: true
-FAILURE_REASONS = YAML.load(File.open("#{Rails.root}/config/failure_reasons.yml"))
+FAILURE_REASONS = YAML.safe_load_file("#{Rails.root}/config/failure_reasons.yml")

config/initializers/flipper.rb

@@ -2,7 +2,7 @@
 require 'yaml'
 require 'flipper/adapters/active_record'
 
-FLIPPER_FEATURES = YAML.load_file('./config/feature_flags.yml')
+FLIPPER_FEATURES = YAML.safe_load_file('./config/feature_flags.yml')
 
 Rails.application.configure do
   ## Memoization ensures that only one adapter call is made per feature per request.

config/initializers/phi_x.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 
-phi_x_config = YAML.load_file('config/phi_x.yml')
+phi_x_config = YAML.safe_load_file('config/phi_x.yml')
 Rails.application.config.phi_x = phi_x_config.with_indifferent_access

config/initializers/process_locale_files_with_erb.rb

@@ -4,7 +4,7 @@ module I18n
   module Backend
     module Base
       def load_yml(filename)
-        YAML.load(ERB.new(File.read(filename)).result)
+        YAML.unsafe_load(ERB.new(File.read(filename)).result)
       end
     end
   end

config/initializers/psych.rb

@@ -1,22 +1,6 @@
 # frozen_string_literal: true
 
 Rails.application.configure do
-  # Fix for Psych::DisallowedClass: Tried to load unspecified class
-  config.active_record.yaml_column_permitted_classes =
-    Array(config.active_record.yaml_column_permitted_classes) +
-    %w[
-      Symbol
-      ActiveSupport::HashWithIndifferentAccess
-      ActiveSupport::TimeWithZone
-      ActiveSupport::TimeZone
-      HashWithIndifferentAccess
-      RequestType::Validator::ArrayWithDefault
-      RequestType::Validator::LibraryTypeValidator
-      RequestType::Validator::FlowcellTypeValidator
-      ActionController::Parameters
-      Set
-      Range
-      FieldInfo
-      Time
-    ]
+  # Allow YAML columns to contain HashWithIndifferentAccess objects by default
+  ActiveRecord.yaml_column_permitted_classes += [ActiveSupport::HashWithIndifferentAccess]
 end

db/seeds/0001_snp_plate_purposes.rb

@@ -51,7 +51,7 @@
 EOS
 
 YAML
-  .load(plate_purposes)
+  .unsafe_load(plate_purposes)
   .each do |plate_purpose|
     attributes =
       plate_purpose.reverse_merge(

lib/accession.rb

@@ -24,7 +24,8 @@ module Accession
   # @see ftp://ftp.sra.ebi.ac.uk/meta/xsd/ Schema definitions
   module Helpers
     def load_file(folder, filename)
-      YAML.load_file(Rails.root.join(folder, "#{filename}.yml")).with_indifferent_access
+      file_path = Rails.root.join(folder, "#{filename}.yml")
+      YAML.safe_load_file(file_path, permitted_classes: [Symbol]).with_indifferent_access
     end
   end