Description of the false positive
Good news: YAML.load got safer 😉

Since Psych 4.0 no arbitrary Ruby classes are instantiated when YAML.load is used. There's now a method called YAML.unsafe_load to get the old behavior back.

This change in behavior affects the rb/unsafe-deserialization query.
Sidenote: Ruby 3.1 (released in December 2021) depends on Psych 4.0 by default. (Projects can still use older Psych versions by defining something like psych ~>3.0 in their Gemfiles.)
Following ideas:
- Add a note to unsafe deserialization results that concern YAML.load. E.g., "YAML.load is insecure in Psych versions before 4.0"
- Add a source for YAML.unsafe_load
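Added example (not from the issue or from CodeQL) showing the behaviour difference the report is about: on Psych 4.0+ YAML.load refuses a class-tagged document, YAML.safe_load refuses it on every version unless the class is explicitly permitted, and YAML.unsafe_load is the opt-in for the old instantiating behaviour. The AppConfig class and the sample document are constructed for the demonstration; the permitted_classes: keyword assumes Psych 3.1 or newer.

```ruby
require 'yaml'

# Stand-in class (constructed for this example) to see which loaders will
# instantiate an arbitrary tagged object from untrusted input.
class AppConfig
  attr_accessor :name
end

# Constructed sample document: a node tagged with a Ruby class, the kind of
# input that makes YAML.load dangerous on Psych < 4.0.
TAGGED_DOC = "--- !ruby/object:AppConfig\nname: demo\n".freeze

# Runs a loader and reports the outcome instead of letting the exception
# escape: :instantiated if a Ruby object came back, :blocked if Psych
# refused the tag, :plain_data otherwise.
def load_outcome
  obj = yield
  obj.is_a?(AppConfig) ? :instantiated : :plain_data
rescue Psych::DisallowedClass
  :blocked
end

# YAML.load: safe by default from Psych 4.0, arbitrary objects before that.
def default_load_outcome
  load_outcome { YAML.load(TAGGED_DOC) }
end

# YAML.safe_load: blocked on every version unless the class is permitted.
def safe_load_outcome(permitted = [])
  load_outcome { YAML.safe_load(TAGGED_DOC, permitted_classes: permitted) }
end

# YAML.unsafe_load: explicit opt-in for the legacy behaviour; report
# :unavailable on Psych versions that predate the method.
def unsafe_load_outcome
  return :unavailable unless YAML.respond_to?(:unsafe_load)
  load_outcome { YAML.unsafe_load(TAGGED_DOC) }
end

def psych_safe_by_default?
  Gem::Version.new(Psych::VERSION) >= Gem::Version.new('4.0')
end

if __FILE__ == $PROGRAM_NAME
  puts "Psych #{Psych::VERSION}: YAML.load -> #{default_load_outcome}"
  puts "YAML.safe_load -> #{safe_load_outcome}, permitted -> #{safe_load_outcome([AppConfig])}"
  puts "YAML.unsafe_load -> #{unsafe_load_outcome}"
end
```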