Security Update Rails (CVE-2022-32224)

Updating rails with the secrurity update CVE-2022-32224, "Possible RCE escalation bug with Serialized Columns in Active Record".
can cause troubles in rails projects. (I had several project that has issues with this fix).
https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017

The main change is that the YAML loader is using safe_load to parse the string. Most classes aren't supported anymore.
Several essential classes have been removed.

To support my Spree Commerce rails projects, I've had to add the following initializer.

ActiveRecord::Base.yaml_column_permitted_classes += [BigDecimal, Symbol]

Other projects requried the HasWithIndifferentAccess

ActiveRecord::Base.yaml_column_permitted_classes += [ ActiveSupport::HashWithIndifferentAccess]

Please try to keep the number of supported classes.
I personally prefer to use JSON for new projects. Because it's simple and clean.

Derailed benchmark not running on production environment

We're running a large rails application, with a lot of request.
Since our upgrade to FreeBSD 13 the live environment is leaking memory in our ruby on rails app.
(FreeBSD 12 version of the jail didn't leak)

This application uses an NFS mount to store (a lot) of client specific files.

Running derailed_benchmark live didn't work. (Pressing ctrl+t, I noticed there were a lof of NFS locks)

In the file
derailed_benchmarks-2.1.1/lib/derailed_benchmarks/load_tasks.rb

it adds '.' to the loadpath. Which causes the production environment to complete iterate over all directories. Which 'hangs', because we have a very big active-strorage directory.

Workaround is to remove the '.' file

#    %W{ . lib test config }.each do |file|
    %W{ lib test config }.each do |file|
      $LOAD_PATH << File.expand_path(file)
    end