High Vulnerability message from NPM

[whoiscarlo]

So I got this error report after install yahoo-finance for the first time and then running npm audit fix. Seems like something I should worry about no?

npm audit report

string Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/536 No fix available node_modules/string yahoo-finance Depends on vulnerable versions of string node_modules/yahoo-finance

2 high severity vulnerabilities

Some issues need review, and may require choosing a different dependency.

[gadicc]

Hey @whoiscarlo, thanks for reporting.

Unfortunately some of these warnings are often completely irrelevant - like in this case. Maybe that's why GitHub's dependabot didn't flag this one for us.

In short: it's warning on the danger of passing untrusted user input to two particular methods in the string package: underscore and unescapeHTML. We don't use either of these methods in this package. There's no "fixed" version of string to upgrade to, the advice is to simply not pass untrusted user input to these two methods. Which we didn't do in the first place. So the only way to remove this [completely irrelevant] warning is for us to stop using the package, which we rely on for legitimate needs.

PS If you've just installed the package for the first time, checkout out our v2 beta on the README, which uses the new API we'll be using moving forward.

[whoiscarlo]

@gadicc awesome thank you for the reply! I did try using the V2 but ran into issues with it while using Angular 11. I just submitted the issue.

Thank you for all of your work and effort. I'm still fairly new to web development, but if I can help out in anyway let me know!

[gadicc]

Hey @whoiscarlo, awesome, thanks for that. To be honest, just opening issues for things you notice is a big help since a lot of people just give up or struggle silently without us ever knowing. So keep it up :D (will respond to the other issue over there)