ranaroussi · ValueRaider · Apr 16, 2026 · Feb 16, 2026 · Feb 16, 2026 · Jan 28, 2026
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -62,8 +62,14 @@ body:
   - type: textarea
     id: debug-log
     attributes:
-      label: "Debug log from yf.enable_debug_mode()"
-      description: "Run code with debug logging enabled - `yf.enable_debug_mode()` - and post the full output. Context: https://github.com/ranaroussi/yfinance/tree/main#logging"
+      label: "Debug log with debug logging enabled"
+      description: |
+        Enable debug logging, reproduce the issue, then paste the full output:
+
+            import yfinance as yf
+            yf.config.debug.logging = True
+
+        Context: https://ranaroussi.github.io/yfinance/advanced/logging.html
     validations:
       required: true
 

diff --git a/.github/workflows/auto_close_default_issues.yml b/.github/workflows/auto_close_default_issues.yml
@@ -6,9 +6,12 @@ on:
 jobs:
   check-template:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Check if issue uses custom template
-        uses: actions/github-script@v8
+        # Verify: curl -s "https://api.github.com/repos/actions/github-script/commits?sha=v8&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const issue = context.payload.issue;

diff --git a/.github/workflows/deploy_doc.yml b/.github/workflows/deploy_doc.yml
@@ -10,13 +10,19 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
 
     steps:
     - name: Check out the repository
-      uses: actions/checkout@v6
+      # Verify: curl -s "https://api.github.com/repos/actions/checkout/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      # Verify: curl -s "https://api.github.com/repos/actions/setup-python/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: '3.x'
 
@@ -35,7 +41,8 @@ jobs:
         ls -l -R doc/_build/html
 
     - name: Deploy to GitHub Pages
-      uses: peaceiris/actions-gh-pages@v4
+      # Verify: curl -s "https://api.github.com/repos/peaceiris/actions-gh-pages/commits?sha=v4&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_branch: documentation

diff --git a/.github/workflows/pyright.yml b/.github/workflows/pyright.yml
@@ -10,13 +10,19 @@ on:
 jobs:
   pyright:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v6
+      # Verify: curl -s "https://api.github.com/repos/actions/checkout/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      # Verify: curl -s "https://api.github.com/repos/actions/setup-python/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 
     - name: Install dependencies
       run: |

diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -9,13 +9,19 @@ on:
 
 jobs:
   deploy:
-
     runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: read
 
     steps:
-    - uses: actions/checkout@v6
+    # Verify: curl -s "https://api.github.com/repos/actions/checkout/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
     - name: Set up Python
-      uses: actions/setup-python@v6
+      # Verify: curl -s "https://api.github.com/repos/actions/setup-python/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: '3.x'
     - name: Install dependencies

diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
@@ -8,8 +8,14 @@ on:
 jobs:
   ruff:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
-      - uses: astral-sh/ruff-action@v3
+      # Verify: curl -s "https://api.github.com/repos/actions/checkout/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      # Verify: curl -s "https://api.github.com/repos/astral-sh/ruff-action/commits?sha=v3&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+      - uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6 # v3
         with:
           args: check --ignore E702 . --exclude yfinance/pricing_pb2.py
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: zizmor
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Checkout
+        # Verify: curl -s "https://api.github.com/repos/actions/checkout/commits?sha=v6&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        # Verify: curl -s "https://api.github.com/repos/zizmorcore/zizmor-action/commits?sha=v0.5.2&until=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ')&per_page=1" | jq -r '.[0].sha'
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,36 @@
 Change Log
 ===========
 
+1.2.2
+-----
+Forgot to merge in #2695 and #2718 for release 1.2.1
+
+Features:
+- Add Currency to Analysis Data #2739
+Fixes:
+- Fix TypeError in history() when API returns None/malformed #2703
+- Fix thread-safety in download() with mutex lock #2718
+- Fix/fill devidends #2695
+Maintenance:
+- Refactor QueryBase to use typed Operator #2731
+Docs:
+- Fix/history period docstring #2709
+- chore: minor doc fixes #2716
+- docs: fix dev branch install command #2733
+
+1.2.1
+-----
+Force curl_cffi>=0.15, because CVE #2743
+Preserve currency in dividends #2695
+Improve download() thread-safety #2718
+
+1.2.0
+-----
+Features:
+- update exchange maps for equities and mutual funds. #2685
+Fixes:
+- handle Pandas to_numpy() returning read-only #2697
+
 1.1.0
 -----
 Features:

diff --git a/doc/source/advanced/logging.rst b/doc/source/advanced/logging.rst
@@ -8,4 +8,4 @@ If debugging, you can switch to debug mode with custom formatting using:
 .. code-block:: python
 
    import yfinance as yf
-   yf.enable_debug_mode()
+   yf.config.debug.logging = True
diff --git a/doc/source/advanced/multi_level_columns.rst b/doc/source/advanced/multi_level_columns.rst
@@ -9,5 +9,5 @@ multi-level column names downloaded with yfinance? <https://stackoverflow.com/qu
 
 The answer discusses:
 
-- How to correctly read the the multi-level columns after saving the dataframe to a csv with `pandas.DataFrame.to_csv`
+- How to correctly read the multi-level columns after saving the dataframe to a csv with `pandas.DataFrame.to_csv`
 - How to download single or multiple tickers into a singledataframe with single level column names and a ticker column
diff --git a/doc/source/reference/index.rst b/doc/source/reference/index.rst
@@ -27,7 +27,7 @@ The following are the publicly available classes, and functions exposed by the `
 - :attr:`EquityQuery <yfinance.EquityQuery>`: Class to build equity query filters.
 - :attr:`FundQuery <yfinance.FundQuery>`: Class to build fund query filters.
 - :attr:`screen <yfinance.screen>`: Run equity/fund queries.
-- :attr:`enable_debug_mode <yfinance.enable_debug_mode>`: Function to enable debug mode for logging.
+- :attr:`config.debug.logging <yfinance.config>`: Enable verbose debug logging (``yf.config.debug.logging = True``).
 - :attr:`set_tz_cache_location <yfinance.set_tz_cache_location>`: Function to set the timezone cache location.
 
 .. toctree::

diff --git a/meta.yaml b/meta.yaml
@@ -1,5 +1,5 @@
 {% set name = "yfinance" %}
-{% set version = "1.1.0" %}
+{% set version = "1.2.2" %}
 
 package:
   name: "{{ name|lower }}"
@@ -15,7 +15,7 @@ build:
   script: "{{ PYTHON }} -m pip install . --no-deps --ignore-installed -vv "
 
 requirements:
-  # curl_cffi 0.14 has major problems, see their Github
+  # curl_cffi < 0.15 has a CVE
   host:
     - pandas >=1.3.0
     - numpy >=1.16.5
@@ -27,7 +27,7 @@ requirements:
     - frozendict >=2.3.4
     - beautifulsoup4 >=4.11.1
     - html5lib >=1.1
-    - curl_cffi >=0.7,<0.14
+    - curl_cffi >=0.15
     - peewee >=3.16.2
     - pip
     - python
@@ -43,7 +43,7 @@ requirements:
     - frozendict >=2.3.4
     - beautifulsoup4 >=4.11.1
     - html5lib >=1.1
-    - curl_cffi >=0.7,<0.14
+    - curl_cffi >=0.15
     - peewee >=3.16.2
     - python
 

diff --git a/requirements.txt b/requirements.txt
@@ -10,7 +10,7 @@ peewee>=3.16.2
 requests_cache>=1.0
 requests_ratelimiter>=0.3.1
 scipy>=1.6.3
-# curl_cffi 0.14 has major problems, see their Github
-curl_cffi>=0.7,<0.14
+# curl_cffi < 0.15 has a CVE
+curl_cffi>=0.15
 protobuf>=3.19.0
 websockets>=13.0
diff --git a/setup.py b/setup.py
@@ -59,12 +59,11 @@
     platforms=['any'],
     keywords='pandas, yahoo finance, pandas datareader',
     packages=find_packages(exclude=['contrib', 'docs', 'tests', 'examples']),
-    # curl_cffi 0.14 has major problems, see their Github
     install_requires=['pandas>=1.3.0', 'numpy>=1.16.5',
                       'requests>=2.31', 'multitasking>=0.0.7',
                       'platformdirs>=2.0.0', 'pytz>=2022.5',
                       'frozendict>=2.3.4', 'peewee>=3.16.2',
-                      'beautifulsoup4>=4.11.1', 'curl_cffi>=0.7,<0.14',
+                      'beautifulsoup4>=4.11.1', 'curl_cffi>=0.15',
                       'protobuf>=3.19.0', 'websockets>=13.0'],
     extras_require={
         'nospam': ['requests_cache>=1.0', 'requests_ratelimiter>=0.3.1'],

diff --git a/yfinance/version.py b/yfinance/version.py
@@ -1 +1 @@
-version = "1.1.0"
+version = "1.2.2"