github Seafoam-Labs/Shelly-ALPM v2.4.0.0

4 hours ago

Shelly-ALPM v2.4.0.0 Release Notes

This release centers on a major CLI refactor, maturing AppImage/Flatpak support, and a new layer of PKGBUILD security analysis.

On the safety side, Shelly now inspects install scriptlets for dynamic code execution and post_install risks. The new PostInstallValidator scans resolved scriptlets for risky network/code-fetching tools (npm, npx, bun, pip, curl, wget, etc.) and flags dynamic command construction that can't be statically reviewed, including command substitution ($(...), backticks), eval, ${!var} indirection, and decode-into-shell pipelines (e.g. base64 -d | sh). It also performs lightweight de-obfuscation (collapsing tricks like b''u''n, cur\l, and n"p"m), so deliberately hidden tool names are caught and escalated to Critical as a sign of malicious intent.

Complementing this, the new HomographValidator defends against homograph/IDN spoofing in attacker-controlled fields (package names, dependencies, URLs, and AUR metadata) by detecting zero-width/bidi/control characters, mixed-script tokens (e.g. Latin mixed with Cyrillic/Greek), fullwidth/compatibility forms, and confusable "skeletons" that map look-alike Unicode onto ASCII (e.g. Cyrillic а → a). Findings surface through the same PkgbuildReviewDialog security-status path so users can review them before installing.
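The scriptlet checks attributed to PostInstallValidator above can be sketched as follows. This is an added illustration, not Shelly's code: the function name, rule names and the "Warning" label are assumptions (only "Critical" for hidden tool names comes from the notes), and the sample scriptlet is constructed.

```python
import re

# Tools named in the release notes (the notes' "etc." is not expanded here).
RISKY_TOOLS = {"npm", "npx", "bun", "pip", "curl", "wget"}

# Constructs the notes list as dynamic command construction.
DYNAMIC = {
    "command-substitution": re.compile(r"\$\([^)]*\)|`[^`]*`"),
    "eval": re.compile(r"(?<![\w-])eval(?![\w-])"),
    "indirect-expansion": re.compile(r"\$\{![A-Za-z_]"),
    "decode-into-shell": re.compile(
        r"base64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba|da|z)?sh\b"),
}
WORD_SPLIT = re.compile(r"[\s;|&(){}<>`$=]+")

def scan_scriptlet(text):
    """Return (line, severity, rule) tuples for one scriptlet body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment, nothing executes
        for rule, rx in DYNAMIC.items():
            if rx.search(line):
                findings.append((lineno, "Warning", rule))
        for word in WORD_SPLIT.split(line):
            # De-obfuscate: drop quotes and backslashes, keep the basename.
            plain = re.sub(r"['\"\\]", "", word).rsplit("/", 1)[-1]
            if plain in RISKY_TOOLS:
                # The name only appears after collapsing: treat as hidden.
                hidden = plain not in word
                findings.append((lineno, "Critical" if hidden else "Warning",
                                 ("hidden-tool:" if hidden else "tool:") + plain))
    return findings

# Constructed sample scriptlet; host and package names are placeholders.
SAMPLE = r"""post_install() {
    gtk-update-icon-cache -q /usr/share/icons/hicolor
    curl -fsSL https://example.invalid/setup.sh -o /tmp/setup.sh
    b''u''n x some-helper
    ver=$(n"p"m view some-helper version)
    eval "$PAYLOAD"
    echo "$BLOB" | base64 -d | sh
    "${!target}" --init
}"""

if __name__ == "__main__":
    for finding in scan_scriptlet(SAMPLE):
        print(finding)
```

A plainly written tool name is reported at the lower level, while the same name reached only through quote or backslash collapsing is reported as Critical, which is the escalation the notes describe.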

Rounding out the CLI work, this release ships a pacman-style shortcode interface: a compact -<Type><Action><modifiers> syntax that translates familiar single-letter operations into Shelly's full command surface, making the CLI feel native to anyone coming from pacman/yay.

🔑 Shortcode Examples

The first argument may be a shortcode of the form -<Type><Action>[modifiers], where the Type selects a domain (S = system/repo, A = AUR, F = Flatpak, I = AppImage, C = config, K = keyring, U = utility) and the Action/modifiers map to a verb and flags:

shelly -SIu firefox     # install firefox -u   (sync install, with upgrade)
shelly -SQad            # query -a -d          (query available, fetch details of exact match)
shelly -SRcr pkg        # remove pkg -c -r     (cascade + config removal); the equivalent of `sudo pacman -Rns pkg`
shelly -AS ripgrep      # aur search ripgrep
shelly -AI yay-bin      # aur install yay-bin
shelly -FR org.app.Id   # flatpak uninstall org.app.Id
shelly -KV ABCD1234     # keyring recv ABCD1234
shelly -UC              # cache-clean

Invalid combinations are rejected with helpful errors (e.g. an unknown action lists valid actions for that type, and an unknown modifier lists the allowed modifiers), and in shortcode mode --ui-mode is used in place of -U.

✨ Highlights

  • New CLI Release with a substantial refactor and modernized command surface (#1059, #1103).
  • AppImage support maturing: updates now shown in the UI, eventing improvements, and fixes to desktop-entry handling (#1053, #1058, #1075, #1087, #1092).
  • Security additions: PKGBUILD review now shows security status, flags dynamic/post_install code execution, and detects potential homograph spoofing (#1099, #1100).
  • doas support added as an alternative privilege-elevation backend (#1078).

🚀 Features

  • Add doas support (#1078)
  • Add manual language selection in settings (#1056) — thanks @nyx1d
  • Add docs command, with printed command options and default cascade enabled (#1084, #1097)
  • Add Zsh completions for the Shelly CLI (#1090)
  • Show AppImage updates in the UI (#1058)
  • Add new version column to AUR update view (#1047)
  • Add maintainer and last-updated columns to AUR search output (#1071)
  • Add security status to PkgbuildReviewDialog (#1099)
  • Add HomographValidator to flag homograph spoofing in PKGBUILDs (#1100)
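
The four kinds of check the release summary attributes to HomographValidator, sketched with Python's standard library. This is an added illustration, not Shelly's code: the function names and finding labels are assumptions, the confusables table is a small constructed subset (Unicode publishes the full data with UTS #39), and the sample field values are constructed.

```python
import re
import unicodedata

# Small constructed subset of Cyrillic/Greek look-alikes mapped to ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}

def script_of(ch):
    """Coarse script taken from the character name (stdlib has no Script property)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None

def check_field(value):
    """Return sorted finding labels for one attacker-controlled field."""
    findings = set()
    # Zero-width and bidi controls are category Cf, other controls are Cc.
    if any(unicodedata.category(c) in ("Cf", "Cc") for c in value):
        findings.add("invisible-or-control")
    # Fullwidth/compatibility forms change under NFKC but not under NFC.
    nfkc = unicodedata.normalize("NFKC", value)
    if nfkc != unicodedata.normalize("NFC", value):
        findings.add("compatibility-form")
    # Mixed script is judged per token, so "latin-кириллица" is not flagged.
    for token in re.findall(r"\w+", value):
        if len({s for s in map(script_of, token) if s}) > 1:
            findings.add("mixed-script")
    # Skeleton: fold look-alikes to ASCII and report what the field imitates.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in nfkc)
    if skeleton != value and skeleton.isascii():
        findings.add("confusable:" + skeleton)
    return sorted(findings)

# Constructed sample values for a package-name field.
SAMPLES = {
    "plain": "firefox",
    "cyrillic_a": "p\u0430ckage-query",      # Cyrillic a inside a Latin name
    "zero_width": "yay\u200b-bin",           # zero-width space before the hyphen
    "fullwidth": "\uff43\uff55\uff52\uff4c", # fullwidth "curl"
    "all_cyrillic": "\u0440\u043e\u0440",    # renders like "pop", single script
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, check_field(value))
```

The all-Cyrillic sample passes the mixed-script check and is caught only by the skeleton comparison, which is why the two checks are listed separately.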

🛠 Improvements & Refactors

  • CLI refactor (#1059) and new CLI release (#1103)
  • Refactor CredentialManager and add ProcessExecutor service (#1066)
  • Convert PerformDownload to async and refactor call sites (#1079)
  • Skip provider selection when only one distinct option is available (#1070)
  • Replace --elevated flag in UpgradeAll with a UserIdentity-based approach (#1093, #1094)
  • Refactor question handling to remove obsolete ALPM-specific protocols (#1091)
  • Update file-size display to Megabytes and refactor progress-bar logic (#1082)
  • Simplify query (#1076) and remove the explore alias from query (#1085)
  • AppImage eventing and CLI output updates from the manager (#1087, #1092)
  • Flatpak output and UI element updates (#1049, #1080)
  • General small UI adjustments (#1046)
  • Remove unused config options and delete unused/unwanted code (#1081, #1086)

🐞 Bug Fixes

  • Fix AppImages creating an additional desktop entry (#1053)
  • Fix Flatpak upgrade bug and remote selection (#1054)
  • Fix Flatpak scrolling issue (#1061)
  • Various AppImage fixes (#1075)

🌐 Localization

📦 Maintenance / Versioning

  • Merge Dev into master and master back-merge (#1040, #1041)
  • Update UI elements in Flatpak (#1049)
  • Bump version to 2.3.3.5 across all projects and PKGBUILD files (#1101)
  • Bump version to 2.4.0.0 across all projects and PKGBUILD files (#1102)

Contributors to Shelly-ALPM v2.4.0.0

👋 New Contributors

Full Changelog: v2.3.3.4...v2.4.0.0
