phamleduy04 / yahoo-stock-api Goto Github PK
View Code? Open in Web Editor NEW💰 NPM package to get stock and historical price from finance.yahoo.com
Home Page: https://www.npmjs.com/package/yahoo-stock-api
License: MIT License
💰 NPM package to get stock and historical price from finance.yahoo.com
Home Page: https://www.npmjs.com/package/yahoo-stock-api
License: MIT License
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-35948 | High | 9.8 | undici-5.8.0.tgz | Direct | 5.8.2 | ❌ |
CVE-2022-35949 | High | 9.8 | undici-5.8.0.tgz | Direct | undici - 5.8.2 | ❌ |
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
undici is an HTTP/1.1 client, written from scratch for Node.js.=< [email protected]
users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type
header. Example: import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, })
The above snippet will perform two requests in a single request
API call: 1) http://localhost:3000/
2) http://localhost:3000/foo2
This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.
Publish Date: 2022-08-15
URL: CVE-2022-35948
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35948
Release Date: 2022-08-15
Fix Resolution: 5.8.2
Step up your Open Source Security Game with Mend here
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.8.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
undici is an HTTP/1.1 client, written from scratch for Node.js.undici
is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname
option of undici.request
. If a user specifies a URL such as http://127.0.0.1
or //127.0.0.1
js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})
Instead of processing the request as http://example.org//127.0.0.1
(or http://example.org/http://127.0.0.1
when http://127.0.0.1 is used
), it actually processes the request as http://127.0.0.1/
and sends it to http://127.0.0.1
. If a developer passes in user input into path
parameter of undici.request
, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in [email protected]
. The best workaround is to validate user input before passing it to the undici.request
call.
Publish Date: 2022-08-12
URL: CVE-2022-35949
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35949
Release Date: 2022-08-12
Fix Resolution: undici - 5.8.2
Step up your Open Source Security Game with Mend here
With version 2.2.0 I get this error.
Version 2.1.3 works fine.
Error: Cannot find module '/Users/manu/Coding/Typescript/stocks_scripts/node_modules/yahoo-stock-api/dist/index.js'. Please verify that the package.json has a valid "main" entry
at tryPackage (node:internal/modules/cjs/loader:415:19)
at Function.Module._findPath (node:internal/modules/cjs/loader:665:18)
at Function.Module._resolveFilename (node:internal/modules/cjs/loader:1034:27)
at Function.Module._resolveFilename.sharedData.moduleResolveFilenameHook.installedValue [as _resolveFilename] (/Users/manu/Coding/Typescript/stocks_scripts/node_modules/@cspotcode/source-map-support/source-map-support.js:811:30)
at Function.Module._load (node:internal/modules/cjs/loader:901:27)
at Module.require (node:internal/modules/cjs/loader:1115:19)
at require (node:internal/modules/helpers:130:18)
at Object.<anonymous> (/Users/manu/Coding/Typescript/stocks_scripts/src/repo.ts:1:23)
at Module._compile (node:internal/modules/cjs/loader:1233:14)
at Module.m._compile (/Users/manu/Coding/Typescript/stocks_scripts/node_modules/ts-node/src/index.ts:1618:23) {
code: 'MODULE_NOT_FOUND',
path: '/Users/manu/Coding/Typescript/stocks_scripts/node_modules/yahoo-stock-api/package.json',
requestPath: 'yahoo-stock-api'
}
error Command failed with exit code 1.
For add contributors xD
Response value in getSymbol()
function should be return number instead of string on some field like bid
, ask
, dayRange
, ...
Fix marketCap
field, should be a big number instead of a float.
Response:
{
error: false,
currency: 'USD',
response: {
updated: 1664826582407,
previousClose: 138.2,
open: 138.21,
bid: '142.84 x 900',
ask: '142.85 x 1000',
dayRange: '137.68 - 143.07',
fiftyTwoWeekRange: '129.04 - 182.94',
volume: 96040272,
avgVolume: 78897638,
marketCap: 2.293,
beta: 1.23,
peRatio: 23.59,
eps: 6.05,
earningsDate: 'Oct 26, 2022 - Oct 31, 2022',
forwardDividendYield: '0.92 (0.67%)',
exDividendDate: 'Aug 05, 2022',
oneYearTargetEst: 183.5
}
}
New response:
{
error: false,
currency: 'USD',
response: {
updated: 1664826526353,
previousClose: 138.2,
open: 138.21,
bid: { value: 142.8, shares: 900 },
ask: { value: 142.81, shares: 1000 },
dayRange: { low: 137.68, high: 143.07 },
fiftyTwoWeekRange: { low: 129.04, high: 182.94 },
volume: 95821008,
avgVolume: 78897638,
marketCap: 2293000000000,
beta: 1.23,
peRatio: 23.59,
eps: 6.05,
earningsDate: { start: 1666760400, end: 1667192400 },
forwardDividend: 0.92,
forwardYield: 0.67,
exDividendDate: 1659675600,
oneYearTargetEst: 183.5
}
}
Hi,
Is it also possible to load ratios like P/FCF, P/E, current ratio, quick ratio... or self-define ratios ?
Library home page: https://registry.npmjs.org/undici/-/undici-5.23.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in (undici version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2024-30260 | Low | 3.9 | undici-5.23.0.tgz | Direct | undici - 5.28.4,6.11.1 | ❌ |
CVE-2024-24758 | Low | 3.9 | undici-5.23.0.tgz | Direct | 5.28.3 | ❌ |
CVE-2023-45143 | Low | 3.5 | undici-5.23.0.tgz | Direct | 5.26.2 | ❌ |
CVE-2024-30261 | Low | 2.6 | undici-5.23.0.tgz | Direct | undici - 5.28.4,6.11.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Library home page: https://registry.npmjs.org/undici/-/undici-5.23.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch()
, but did not clear them for undici.request()
. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Publish Date: 2024-04-04
URL: CVE-2024-30260
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m4v8-wqvr-p9f7
Release Date: 2024-04-04
Fix Resolution: undici - 5.28.4,6.11.1
Step up your Open Source Security Game with Mend here
Library home page: https://registry.npmjs.org/undici/-/undici-5.23.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication
headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-02-16
URL: CVE-2024-24758
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-24758
Release Date: 2024-02-16
Fix Resolution: 5.28.3
Step up your Open Source Security Game with Mend here
Library home page: https://registry.npmjs.org/undici/-/undici-5.23.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie
headers. By design, cookie
headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds.
Publish Date: 2023-10-12
URL: CVE-2023-45143
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wqq4-5wpv-mx2g
Release Date: 2023-10-12
Fix Resolution: 5.26.2
Step up your Open Source Security Game with Mend here
Library home page: https://registry.npmjs.org/undici/-/undici-5.23.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity
option passed to fetch()
, allowing fetch()
to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Publish Date: 2024-04-04
URL: CVE-2024-30261
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9qxr-qj54-h672
Release Date: 2024-04-04
Fix Resolution: undici - 5.28.4,6.11.1
Step up your Open Source Security Game with Mend here
Ông có link document của yahoo finance ko cho tôi xin với. Tôi đang cần để viết Java
Hi, thanks for work.
Please add a little documentation or better readme.
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-32210 | High | 7.7 | undici-5.0.0.tgz | Direct | 5.5.1 | ❌ |
An HTTP/1.1 client, written from scratch for Node.js
Library home page: https://registry.npmjs.org/undici/-/undici-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/undici/package.json
Dependency Hierarchy:
Found in base branch: master
undici 4.8.2 before 5.5.1 is vulnerable to MITM. Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.
Publish Date: 2022-06-02
URL: CVE-2022-32210
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-pgw7-wx7w-2w33
Release Date: 2022-06-02
Fix Resolution: 5.5.1
Step up your Open Source Security Game with Mend here
Library home page: https://registry.npmjs.org/undici/-/undici-5.15.0.tgz
CVE | Severity | CVSS | Dependency | Type | Fixed in (undici version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-24807 | High | 7.5 | undici-5.15.0.tgz | Direct | undici - 5.19.1 | ❌ |
CVE-2023-23936 | Medium | 6.5 | undici-5.15.0.tgz | Direct | undici - 5.19.1 | ❌ |
Library home page: https://registry.npmjs.org/undici/-/undici-5.15.0.tgz
Dependency Hierarchy:
Found in base branch: master
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set()
and Headers.append()
methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize()
utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Publish Date: 2023-02-16
URL: CVE-2023-24807
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r6ch-mqf9-qc9w
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
Library home page: https://registry.npmjs.org/undici/-/undici-5.15.0.tgz
Dependency Hierarchy:
Found in base branch: master
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host
HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host
string before passing to undici.
Publish Date: 2023-02-16
URL: CVE-2023-23936
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5r9g-qh6m-jxff
Release Date: 2023-02-16
Fix Resolution: undici - 5.19.1
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.