Bug 2459200 - YAML::Syck produces corrupted YAML since 1.38
Summary: YAML::Syck produces corrupted YAML since 1.38
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-YAML-Syck
Version: 43
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/cpan-authors/YAML-...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-17 13:24 UTC by Yaroslav Fedevych
Modified: 2026-05-06 16:46 UTC (History)
3 users (show)

Fixed In Version: perl-YAML-Syck-1.45-1.fc45 perl-YAML-Syck-1.45-1.fc43
Clone Of:
Environment:
Last Closed: 2026-04-27 12:29:54 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Yaroslav Fedevych 2026-04-17 13:24:06 UTC
When producing a dump of a Perl hashref containing blessed references, in particular ones produced by the JSON family of modules, the YAML output is broken.


Actual output:

Source: {"a": true, "b": true, "c": 12143}

Decoded JSON: $VAR1 = {
          'b' => bless( do{\(my $o = 1)}, 'JSON::PP::Boolean' ),
          'a' => $VAR1->{'b'},
          'c' => 12143
        };

Dumped as YAML:
---
a: &1 !!perl/scalar:JSON::PP::Boolean 1
b: *1
!!perl/scalar:JSON::PP::Boolean c: 12143

Loaded from this YAML: $VAR1 = {
          'a' => \'1',
          'b' => $VAR1->{'a'},
          'SCALAR(0xaaaac865b678)' => '12143'
        };

I would expect YAML to look like:

---
a: &1 !!perl/scalar:JSON::PP::Boolean 1
b: *1
c: 12143


As you can see, these versions of YAML::Syck fail at round-trip consistency.

Reproducible: Always

Steps to Reproduce:
Install perl, perl-YAML-Syck, perl-Data-Dumper, perl-JSON-XS.

Run this and observe:

perl -MJSON::XS -MYAML::Syck -MData::Dumper -E 'my $s = '"'"'{"a": true, "b": true, "c": 12143}'"'"'; say "Source: $s"; my $x = decode_json($s); say "\nDecoded JSON: ", Dumper($x); my $y = Dump($x); say "Dumped as YAML:\n$y"; my $z = Load($y); say "Loaded from this YAML: ", Dumper($z);'

Actual Results:
---
a: &1 !!perl/scalar:JSON::PP::Boolean 1
b: *1
!!perl/scalar:JSON::PP::Boolean c: 12143

Loaded from this YAML: $VAR1 = {
          'a' => \'1',
          'b' => $VAR1->{'a'},
          'SCALAR(0xaaaac865b678)' => '12143'
        };


Expected Results:
---
a: &1 !!perl/scalar:JSON::PP::Boolean 1
b: *1
c: 12143

Additional Information:
The reason for this bug is merging of this pull request: https://github.com/cpan-authors/YAML-Syck/pull/131

One should note that YAML::Syck has seen lots of activity in the last months, but practically all of that activity was LLM-generated, and that includes tests.

This also affects EPEL 9.

Comment 1 Fedora Update System 2026-04-27 12:25:50 UTC
FEDORA-2026-ad036b0bd2 (perl-YAML-Syck-1.45-1.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-ad036b0bd2

Comment 2 Fedora Update System 2026-04-27 12:29:54 UTC
FEDORA-2026-ad036b0bd2 (perl-YAML-Syck-1.45-1.fc45) has been pushed to the Fedora 45 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2026-04-27 13:31:44 UTC
FEDORA-2026-c63661a8df (perl-YAML-Syck-1.45-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c63661a8df

Comment 4 Fedora Update System 2026-04-28 02:52:29 UTC
FEDORA-2026-c63661a8df has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-c63661a8df`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-c63661a8df

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2026-05-06 16:46:20 UTC
FEDORA-2026-c63661a8df (perl-YAML-Syck-1.45-1.fc43) has been pushed to the Fedora 43 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.