yay v13 and the AURpocalypse
Summary
The article presents the main changes in yay (the Arch Linux AUR helper) v13: the emphasis moves from "adding features and security checks" to "extensibility and scripting", introducing Lua configuration (init.lua) and a hooks mechanism for inserting logic at points such as upgrade selection and before/after AUR installs. It also adds a PKGBUILD last-modified-time indicator to help users judge whether a package changed recently, as an aid to review. The author discusses the community's demand for automatic detection and security scanning against the backdrop of the so-called "AURpocalypse", but stresses avoiding "security theater", holding that automatic checks should complement rather than replace human review. Configuration loading priority is CLI > init.lua > config.json. The overall goal is to make yay easier to extend from UI tools and scripts while keeping the core install flow lean.
Why read it
When designing tools or workflow systems, the structure used here (a stable core flow plus Lua hooks at key points that inject filtering and decision logic) is worth borrowing: it separates extension capability from the main system and supports composable automation and rule customization without adding complexity to the core.
Original article
Wednesday, June 17, 2026
yay v13 and the AURpocalypse
Author: Jo Guerreiro
In yay-v12, I did mention it might have been the biggest update in the last five years. It was the biggest update to yay's core, architecture and code. But this v13 release might be the biggest change in your experience with yay.
For a long time, I've wanted yay to become more extensible, easier to wrap around for UI projects, more friendly towards the people that I love, the tinkerers, the ricers, those that look at something and feel the opportunity for missing beauty.
This comes with great friction against the wish to keep yay lean, unadorned and maintainable. Although every configuration option brings value, each also introduces a new surface for bugs, a new surface for edge cases and a new surface for maintenance.
So we come to extensible hooks. Not only the fire-and-forget type but ones that can have a real change in experience. A lot of the changes in yay v12 related to pluggable interfaces and generic abstractions over AUR and repo packages had a singular goal in mind: gRPC plugins. A known pattern in the Go space, used in vault, terraform, grafana... But they're cumbersome to set up, yay's own binary size also increased a lot from it, and when implemented they're usually big extensions, small monoliths shipped next to a big monolith, not small addons that can be shared and reused.
If there is one thing I've seen these past few days, it is that we have a community that wants to script. I've lost track of the bash scripts I've reviewed following the AURpocalypse. Turns out for these types of automations we already have a great language and framework of thinking around it: Lua and neovim. What yay v13 brings are small extensible hooks in a language that is very pleasant (and I miss awesomewm, which was configurable in Lua).
AURpocalypse
It is not the AURpocalypse. The AUR is working within its established trust model. Changes can be made to submission, popularity calculation and orphaned package adoption, but the Arch User Repository is a source of community-produced content, like GitHub or the latest AI coding harness that asks you to curl | sh something off their domain.
To all of the archlinux crew, thank you for taking time off your personal lives to mitigate the impact of this incident, your work is much appreciated and valued.
There have been many feature requests in yay's issue tracker since, asking for package scanning (for things like npm install yyy in build files), delayed updates, maintainer change tracking...
The next wave of malware will be in another form, another delivery method, with all detection scanning fed into its generation cycle as "iterate until it is not detected".
Because yay releases need to be well tested, go through some community validation and keep the core "I can install a package" path minimal and intact, the release process will never be fast enough to keep up with that cycle.
I want to avoid security theater: checks can help, but they should complement, not replace, build file review. That does not mean that we should not do anything against the threats we do know or that we shouldn't make reviews easier.
This release is very motivated by attempting to make it easier to review packages, and to automate some of the checks that can be done without human intervention.
Display PKGBUILD Last Modification Time
yay will now display how long ago the last modification of the PKGBUILD occurred. A package which has been recently modified is not a reason to avoid it, but it is a reason to be more careful and review the PKGBUILD before installing. Likewise, a package that has not been modified in a long time is not a reason to trust it, but it is a reason to be more confident that it has been reviewed by the community. Thank you @rebelonion for this contribution.
yay -Ss brave
aur/pi-skill-brave-search-git r24.75d32a3-1 (+0 0.00) [18d13h]
Pi coding agent skill for Brave Search web search and content extraction
aur/suave 2.0-1 (+1 0.00) [2805d5h]
Sport Utility Assault Vehicle Extreme. Drive very small, but very brave tank.
aur/brave-extension-bitwarden-git 2026.2.0.r21100.g0f113e2-1 (+1 0.00) [94d22h]
Bitwarden browser extension for Brave
aur/brave-beta-bin 1.92.120-1 (+55 0.44) [4d14h]
Web browser that blocks ads and trackers by default (beta binary release).
aur/brave-origin-beta-bin 1.92.120-1 (+14 8.77) [4d15h]
The minimalist browser from the makers of Brave (beta binary release).
aur/brave-nightly-bin 1.93.67-1 (+42 1.10) [6h17m]
Web browser that blocks ads and trackers by default (nightly binary release).
aur/brave-origin-nightly-bin 1.93.67-1 (+20 10.69) [6h39m]
The minimalist browser from the makers of Brave (nightly binary release).
aur/brave-origin-bin 1:1.91.172-1 (+20 17.41) [3d5h]
The minimalist browser from the makers of Brave (binary release).
aur/brave-bin 1:1.91.172-1 (+1010 23.90) [3d5h]
Web browser that blocks ads and trackers by default (binary release)
extra/python-adblock 0.6.0-5 (1.3 MiB 6.8 MiB)
Brave's adblock library in Python
Last modification tags will display on search, yogurt and upgrade menus.
:: Synchronizing package databases...
core downloading...
extra downloading...
:: Searching AUR for updates...
:: Searching databases for updates...
:: 14 packages to upgrade/install.
5 core/procps-ng 4.0.6-1 -> 4.0.6-2
4 extra/git-delta 0.19.2-1 -> 0.19.2-2
3 extra/github-cli 2.93.0-1 -> 2.94.0-1
2 extra/python-tqdm 4.68.1-1 -> 4.68.2-1
1 aur/yay 12.5.7-1 -> 12.6.0-1 [8d4h]
==> Packages to exclude: (eg: "1 2 3", "1-3", "^4" or repo name)
-> Excluding packages may cause partial upgrades and break systems
==>
Lua configuration support
yay can now load configuration and hooks from init.lua, which makes it much easier to automate checks and package-flow decisions. If no init.lua file exists, no lua is executed.
config.json will still be loaded, but init.lua can override any option. CLI flags still take priority over both init.lua and config.json.
init.lua will be loaded from $XDG_CONFIG_HOME/yay/init.lua (typically ~/.config/yay/init.lua).
Options can be set through yay.opt:
yay.opt.bottom_up = true
yay.opt.sort_by = ""
Lua hook support
Lua hooks can be registered for different events in the yay flow. The Lua API documentation will be kept up to date at https://jguer.github.io/yay/lua.html.
Here are some examples of hooks that can be registered:
Upgrade selection hook (UpgradeSelect)
This runs during yay -Syu, after upgrades are computed and before the native exclude menu. Hooks can return package names to exclude.
As an example, we're using the hook to skip recently modified AUR PKGBUILDs.
yay.create_autocmd("UpgradeSelect", {
  desc = "skip recently modified AUR upgrades",
  callback = function(event)
    local exclude = {}
    -- anything modified within the last three days is excluded from this upgrade
    local recent_cutoff = os.time() - (3 * 24 * 60 * 60)
    for _, pkg in ipairs(event.data.upgrades) do
      if pkg.repository == "aur" and pkg.last_modified >= recent_cutoff then
        table.insert(exclude, pkg.name)
      end
    end
    return { exclude = exclude, skip_menu = false }
  end,
})
A more complete example with logging is available here.
Multiple hooks can be registered for the same event. In this case, exclude lists are unioned across hooks. If any hook returns skip_menu = true, yay skips the native package selection menu.
AUR pre-install and post-download hooks
AURPreInstall and AURPostDownload run once per package base, but at different moments in the AUR install flow.
AURPreInstall: runs right after PKGBUILD repos are fetched, before clean/diff/edit menus or any build work.
AURPostDownload: runs later, after makepkg --verifysource, meaning it has access to both the PKGBUILD repo and source files. It still runs before compatibility checks, PGP import prompts, and install.
Use AURPreInstall to stop early based on PKGBUILD content, and use AURPostDownload when your decision depends on verified/downloaded sources.
yay.create_autocmd("AURPreInstall", {
  desc = "block forbidden sources",
  callback = function(event)
    -- event.data.pkgbuild holds the PKGBUILD text; event.match is the package base
    if event.data.pkgbuild:match("forbidden.example") then
      yay.abort(event.match .. ": forbidden source URL")
    end
  end,
})
AURPostDownload receives the same payload shape as AURPreInstall, with event = "AURPostDownload".
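The "stop early based on PKGBUILD content" idea above, worked into a fuller AURPreInstall hook as an added example (this is not yay's own code). It assumes only the payload shown on this page (event.match is the package base, event.data.pkgbuild is the PKGBUILD text), yay.abort, and the standard Lua string library; the patterns are review heuristics chosen here, not anything yay ships.

```lua
-- Added example for ~/.config/yay/init.lua; not part of yay. Relies only on the
-- AURPreInstall payload shown above (event.match = package base,
-- event.data.pkgbuild = PKGBUILD text), yay.abort, and standard Lua.

-- Text-level heuristics a reviewer would want to look at before building.
-- They are not a bash parser and will miss variants; treat a hit as
-- "read this line", not as a verdict. Commented-out lines are skipped below.
local CHECKS = {
  { desc = "plain-http source URL (no transport integrity)",
    pattern = "http://" },
  { desc = "curl download piped straight into a shell",
    pattern = "curl[^\n|]*|%s*b?a?sh%f[%W]" },
  { desc = "wget download piped straight into a shell",
    pattern = "wget[^\n|]*|%s*b?a?sh%f[%W]" },
  { desc = "base64 decoded at build time (possible obfuscation)",
    pattern = "base64%s+%-%-?d" },
}

-- Returns a list of findings ("line N: description") for one PKGBUILD string.
local function review_pkgbuild(pkgbuild)
  local findings, lineno = {}, 0
  for line in (pkgbuild .. "\n"):gmatch("(.-)\n") do
    lineno = lineno + 1
    if not line:match("^%s*#") then          -- a commented-out curl never runs
      for _, check in ipairs(CHECKS) do
        if line:find(check.pattern) then
          findings[#findings + 1] = string.format("line %d: %s", lineno, check.desc)
        end
      end
    end
  end
  return findings
end

-- Stop before the clean/diff/edit menus when anything is flagged. The abort
-- message lists the lines so the reviewer can open the PKGBUILD and read them.
yay.create_autocmd("AURPreInstall", {
  desc = "abort on PKGBUILD patterns that need manual review",
  callback = function(event)
    local findings = review_pkgbuild(event.data.pkgbuild)
    if #findings > 0 then
      yay.abort(event.match .. " needs review:\n  " .. table.concat(findings, "\n  "))
    end
  end,
})
```

Because AURPostDownload receives the same payload shape, the same review_pkgbuild helper can be registered there too if you prefer to decide after makepkg --verifysource has run.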
Summary
yay v13 introduces PKGBUILD last-update visibility in search and upgrade menus, and Lua-based hooks which allow you to change how yay filters and presents packages.
Information on the new Lua APIs is available at https://jguer.github.io/yay/lua.html. A ready-to-copy template lives in the yay repository docs at doc/init.lua.
Other hook examples are available in the yay repository such as basic install logging, skipping recently modified AUR packages, checking for maintainer changes, and hiding newly submitted AUR packages from search.
Please share your feedback and ideas on GitHub on the APIs, and integrations you'd like to build but can't.
Now get out there and build, build, build.