In principle, I think this is a good idea. However, in order to pull this off without making assumptions of the underlying YAML parser, wouldn’t you need to do something along the lines of multi_json to detect/load the desired YAML library, and then inject a different patch accordingly? (Or is this targeting psych only?) That would seem a bit heavy to be part of Rails core IMO, but perhaps it would be acceptable as a dependency gem?

Maybe you could release a new security bulletin without any actual new release just asking people using Psych to add the safe_yaml to the Gemfile. Maybe you could even release a new version of Rails that would generate new Rails apps with that gem in the Gemfile.