Shelly-ALPM v2.4.1.0 Release Notes
This release builds directly on the 2.4.0 line, hardening how Shelly talks to the
network and to the system, deepening dependency resolution, and continuing the CLI
refactor that began in 2.4.0.0. It also bundles a large batch of community
translations and a steady stream of UI polish across the AppImage, Flatpak, and grid
views.
🌐 Networking — Happy Eyeballs
Shelly's HTTP stack now uses a Happy Eyeballs-style connection strategy in
OptimizedClient. Instead of waiting on a single resolved address, Shelly resolves
every address for a host, prefers IPv4 first so a missing IPv6 route can never block a
working connection, and races the candidates with a fast 3-second per-address
fallback. Critically, it waits for the first connection to succeed rather than the
first to complete, so a quick "network is unreachable" failure on one path no longer
aborts a request that a slower path would have served. Address-connection fallback in
OptimizedClient was further tuned for reliability on mixed IPv4/IPv6 hosts.
🔒 Security — More risky tools, smarter privileges
The PostInstallValidator scriptlet scanner was expanded well beyond the original
list. It now recognizes risky network- and code-fetching tooling across a wide range
of ecosystems — JavaScript/Node (npm, npx, yarn, pnpm, bun, deno), Python
(pip, pipx, uv, poetry, conda/mamba), Ruby, Rust, Go, PHP, Perl, Haskell,
Lua, Nim, OCaml, Elixir/Erlang, C/C++ (conan, vcpkg), JVM build tools, .NET,
Swift, Julia, R — alongside downloaders (curl, wget, aria2c, lftp, rsync,
scp/sftp), container/orchestration tools (docker, podman, kubectl, helm,
snap, flatpak), and version managers (nvm, pyenv, asdf, and friends). These
findings continue to surface through the existing PKGBUILD security-review path so you
can review them before installing.
On the privilege side, command execution in the privileged and unprivileged
services was reworked, with Polkit detection added throughout ProcessExecutor,
XdgPaths, and AurPackageManager. Package searches and lookups now run as
unprivileged operations wherever possible, and a dedicated Polkit policy was
added for privileged Shelly CLI execution (with refined icon and prompt messaging).
📦 Package management — Providers & group queries
Shelly can now resolve virtual dependencies via providers, presenting a provider
selection when more than one package satisfies a dependency. The query command
gained a --group / -g option for searching package groups (it defaults to
searching available packages), making it easier to discover and inspect grouped
packages from the CLI.
🐚 CLI refactor continues
Console creation across the CLI now flows through a single ShellyConsoleFactory,
and RunShellyCommand and related execution paths in ProcessExecutor were
refactored for clarity and consistency. PKGBUILD parsing learned to surface local
source files, and Shelly now correctly reports when pacman hooks have run during
an operation.
🖥️ UI, AppImage & Flatpak
- New grid layouts for the update and manage views, with reworked grid-selection logic.
- An alternate install view and an animated intro page.
- Continued Flatpak UI improvements and better handling of Flatpak progress callbacks.
- AppImage fixes, including corrected Forgejo-hosted AppImage updates.
- Fixed the updates count not appearing in the UI.
- Desktop cache ownership fix and refined lockout-service behavior.
- Removed the obsolete fingerprint warning and related UI elements.
🌍 Translations
This release ships a large localization update: refreshed Japanese, French
(fr_FR), Turkish (tr_TR), German (de_DE) translations, a new Italian
translation, and additional automated localization passes.
What's Changed
- Master by @ZoeyErinBauer in #1118
- Merge Back by @caroberrie in #1122
- Alternate install view by @caroberrie in #1123
- Improve command execution in Privileged and Unprivileged services by @azdanov in #1131
- ownership of desktop cache fix. by @caroberrie in #1128
- adding grid for update and manage by @caroberrie in #1133
- Fix updates count not showing in UI by @azdanov in #1136
- Add Polkit detection in ProcessExecutor by @azdanov in #1137
- Refactor RunShellyCommand and related methods in ProcessExecutor by @azdanov in #1140
- Refactor package management to utilize unprivileged operations for package searches and retrievals by @azdanov in #1141
- Handle polkit in XdgPaths and AurPackageManager by @azdanov in #1143
- Appimage bug fix by @caroberrie in #1144
- Master backmerge by @caroberrie in #1146
- Flatpak updates by @caroberrie in #1145
- Bump version to 2.4.0.5 across all projects and PKGBUILD files. by @ZoeyErinBauer in #1147
- Update Japanese translation by @utuhiro78 in #1142
- Updating French (fr_FR) translations to Shelly GTK by @Landeli7 in #1129
- Fix Forgejo AppImage updates by @Renari in #1138
- Update tr_TR.po by @celonfix in #1050
- Add Polkit policy for privileged Shelly CLI execution by @azdanov in #1153
- Update icon_name in Polkit policies by @azdanov in #1155
- Update Polkit message for privileged Shelly CLI execution by @azdanov in #1156
- Refactor getuid in XdgPaths to use
LibraryImportby @azdanov in #1157 - Updating Flatpak ui by @caroberrie in #1149
- Update UI elements packages by @caroberrie in #1159
- Enhance CLI and UI with new features and documentation updates by @azdanov in #1161
- Remove fingerprint warning and related UI elements by @azdanov in #1162
- updating lockout service functionality to work without a prime from t… by @caroberrie in #1163
- updating logic around gridview selections by @caroberrie in #1165
- Add deployment step for Seafoam Labs website by @azdanov in #1168
- Happy eyeballs by @ZoeyErinBauer in #1169
- chore(l10n): update translations by @juliazero in #1024
- Refactor
Settings.csfor improved readability and maintainability by @ZoeyErinBauer in #1170 - Improve address connection fallback in
OptimizedClientand adjust ports by @ZoeyErinBauer in #1171 - i18n: Add Italian translation by @Mattyan89 in #1044
- Update de_DE.po by @Henry2o1o in #1088
- adding animation to the intro page. by @caroberrie in #1174
- updating flatpak ui elements by @caroberrie in #1175
- 1108 bug shelly does not show that pacman hooks have been ran by @ZoeyErinBauer in #1177
- Fix by @Henry2o1o in #1096
- Add support for parsing and displaying local source files in PKGBUILD by @ZoeyErinBauer in #1178
- fixing how enums are saved by @caroberrie in #1179
- updating how progress callbacks are handled in flatpak manager by @caroberrie in #1180
- Add
--groupoption toQuerycommand for package group searches by @ZoeyErinBauer in #1182 - Refactor to use
ShellyConsoleFactoryfor console creation by @ZoeyErinBauer in #1183 - Expand
restrictedCommandslist inPostInstallValidatorby @ZoeyErinBauer in #1184 - Add additional risky tools to
PostInstallValidatorby @azdanov in #1185 - Add support for resolving virtual dependencies via providers by @ZoeyErinBauer in #1191
- chore(l10n): update translations by @juliazero in #1186
- Bump version to 2.4.1.0 across all modules and update corresponding PKGBUILD files by @ZoeyErinBauer in #1192
- 2.4.1.0 Release by @ZoeyErinBauer in #1193
Contributors
A huge thank you to everyone who contributed to this release — 10 unique
contributors, 2 of them brand new to the project:
- @ZoeyErinBauer
- @caroberrie
- @azdanov
- @utuhiro78
- @Landeli7
- @Renari 🆕
- @celonfix
- @juliazero
- @Mattyan89 🆕
- @Henry2o1o
New Contributors
- @Renari made their first contribution in #1138
- @Mattyan89 made their first contribution in #1044
Full Changelog: v2.4.0.4...v2.4.1.0