Skip to content
Seafoam Labs

All versions since v2.3.2.1 Pride

All versions

v2.3.2.1 Pride

What’s Changed

  • Added a Pride Month Surprise

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.2.0...v2.3.2.1

v2.3.2.2

Shelly-ALPM v2.3.2.2

Release date: 2026-06-06

This release introduces drag-and-drop AppImage installation, CachyOS updater parity with downgrade support, a Shelly CLI implementation of pacman-key --populate used by going shelly-keys populate {keyring}, several UI/UX refinements, expanded translations (including new Japanese, German, and Hungarian locales), and important reliability fixes.

✨ New Features

  • Drag-and-drop AppImage installation — Added drag-and-drop functionality for installing AppImages. (#946 by @azdanov)
  • CachyOS updater parity — Brought the CachyOS updater path to feature parity. (#953 by @ZoeyErinBauer)
  • CachyOS archives downgrade command — Added a command to downgrade via CachyOS archives. This now automatically detects the repository of choice. (#954 by @azdanov)
  • shelly-keys populate CLI implementation — Created CLI support for populating gpg keyring. (#948 by @ZoeyErinBauer)
  • Selectable/copyable text in pop-ups — Made text in pop-ups select- and copy-able. (#909 by @VinnyQF)
  • Package size column sorting — Added sorting for package size columns. (#916 by @azdanov)
  • Arch news parsing — Parse Arch news from HTML to Markdown. (#942 by @azdanov)
  • --now flag support — Updated UnprivilegedOperationService to enable the --now flag for system operations. (#952 by @ZoeyErinBauer)
  • noConfirm handling — Handle the noConfirm flag in QuestionHandler to skip user input. (#956 by @ZoeyErinBauer)

🎨 UI / UX Improvements

  • Added loading state and improved the description box on the Recommend page. (#936 by @azdanov)
  • Improved the visual presentation of installed packages in the question dialog. (#933 by @azdanov)
  • Improved details expander box margins and alignment. (#935 by @azdanov)
  • Switched to Summary in ShellySearch for more compact rows. (#939 by @azdanov)
  • Fixed spacing and made the close button circular in GenericOverlay. (#924 by @azdanov)

🐛 Bug Fixes

  • Fixed failure of “upgrade all” with the upgrade list during partial failures. (#930 by @caroberrie)
  • Resolved downgrade issues. (#955 by @azdanov)
  • Changed db.lock to db.lck. (#922 by @utuhiro78)

🌐 Translations

  • Initial Japanese translation. (#912 by @utuhiro78)
  • Initial German (de_DE.po) translation. (#944, #950 by @Henry2o1o)
  • Added a Hungarian translation and updated a few older lines. (#923 by @Impostor0729)
  • Updated Polish translation. (#917 by @juliazero)
  • Updated Brazilian Portuguese (pt-BR) translations. (#910 by @VinnyQF)
  • Updated Catalan translation. (#932 by @dtalens)

🔧 Internal & Build

  • Refactored Program.cs to update the activation flow. (#914 by @azdanov)
  • Refactored the build job and added a CLI reference generation command. (#913 by @azdanov)
  • Bumped version to 2.3.2.2 across all projects and updated PKGBUILD files. (#957 by @ZoeyErinBauer)
  • Master mergebacks. (#904, #919 by @ZoeyErinBauer)

🎉 New Contributors

  • @utuhiro78 made their first contribution in #912

Full Changelog: v2.3.2.1...v2.3.2.2

More details available at the Shelly-ALPM changelog.

v2.3.2.3

What’s Changed

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.2.2...v2.3.2.3

v2.3.2.4

What’s Changed

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.2.3...v2.3.2.4

v2.3.2.5

What’s Changed

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.2.4...v2.3.2.5

v2.3.3.0 Imagine the AppImage

Release Notes v2.3.3.0

Highlights: Shelly grows more multilingual and more capable. This release adds three brand-new translations — Spanish, Chinese (Simplified), and an expanded Hungarian — alongside refreshed German and general localization updates. Under the hood, package management gets smarter with a new MarkCommand for setting install reasons, a PurifyPackages flag for clearing orphans, an AUR upgrade diff view in the UI, and a repository column in the upgrade summary. We also squashed a Wayland crash, fixed Flatpak addon installs, and refactored AppImage and AppStream handling.

🐚 Features

  • Show diff in the UI during AUR upgrade (#985, closes #907)
  • Add MarkCommand to set install reason for packages (explicit, depends) (#1005)
  • Implement PurifyPackages flag to remove orphaned packages (#1004)
  • Add repository column to UpgradeCommand package summary table (#967)
  • Add TryRenderWireFrame to decode and log structured wireframe events (#968)
  • Add Spanish translation (#999)
  • New Chinese (Simplified) translation (#838)
  • New text segments added to the Hungarian translation (#994)
  • Aur preventions for the post_install attack as well as a framework for handling further PKGBUILD review tool implementation (#996)

⚡ Improvements

  • Remove AppStream as an optional dependency, replaced by Shelly icon stream (#961)
  • Refactor AUR package management logic (#965)
  • Refactor BottomBarRegion for improved readability and add _asciiOn… (#966)
  • AppImage refactor (#984)
  • Improve Tray handling and prevent multiple instances of notifications (#987)
  • Set Homogeneous property to ensure consistent sizing (#974)
  • Flatpak permissions handling (#1006)
  • Update translations (l10n) (#1000)
  • Update de_DE.po German translation (#998)

🐞 Bug Fixes

  • Schedule Recommend UI updates on the GTK main thread to fix Wayland crash (#971)
  • Fix addons installation issue in FlatpakInstallCommand (#991)
  • Fix wrong references in rd.xml (#1007)

🔧 Maintenance

  • Bump version to 2.3.3.0 across all projects and update PKGBUILD files (#1008)
  • Dev merge back (#995)
  • Master merge back (#997)
  • Release 2.3.3.0 (#1009)

Changes since v2.3.2.5

This release brings 24 merged pull requests and three new contributors, with broad internationalization gains (Spanish, Chinese, Hungarian, German) and substantial package-management features in MarkCommand, PurifyPackages, the AUR upgrade diff view, and AppImage/AppStream refactors.

Full Changelog: v2.3.2.5…v2.3.3.0

Contributors

  • @azdanov
  • @caroberrie
  • @ZoeyErinBauer
  • @VinnyQF
  • @Impostor0729
  • @Henry2o1o
  • @juliazero
  • @artemkaVG (new)
  • @tigce2 (new)
  • @llmj-zts (new)

New Contributors 🎉

A warm welcome to our three first-time contributors:

  • @artemkaVG — Wayland crash fix for Recommend UI updates (#971)
  • @tigce2 — Spanish translation (#999)
  • @llmj-zts — Chinese (Simplified) translation (#838)

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.2.5…v2.3.3.0

v2.3.3.1

What’s Changed

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.3.0...v2.3.3.1

v2.3.3.2

What’s Changed

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.3.1...v2.3.3.2

v2.3.3.3

What’s Changed

  • Flatpak Download bug fix.
  • Appimage progress callback and appimage bug fixes.

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.3.2...v2.3.3.3

v2.3.3.4

The following changes have been made:

New Setup screen will give dialogue confirmation for AUR . AppImage cleanup of bad desktop entries on sync from updates. AppImage improved path handling for custom paths and logic flows. Flatpak updating filter patterns. Read and add hook dirs from pacman.conf to libalpm.

Thank you for the first contribution @moutazhaq

v2.4.0.0

Shelly-ALPM v2.4.0.0 Release Notes

This release centers on a major CLI refactor, maturing AppImage/Flatpak support, and a new layer of PKGBUILD security analysis.

On the safety side, Shelly now actively inspects install scriptlets for dynamic code execution and post_install risks — the new PostInstallValidator scans resolved scriptlets for risky network/code-fetching tools (npm, npx, bun, pip, curl, wget, etc.) and flags dynamic command construction that can’t be statically reviewed, including command substitution ($(...), backticks), eval, ${!var} indirection, and decode-into-shell pipelines (e.g. base64 -d | sh). It even performs lightweight de-obfuscation (collapsing tricks like b''u''n, cur\l, and n"p"m) so deliberately hidden tool names are caught and escalated to Critical as a sign of malicious intent. Complementing this, the new HomographValidator defends against homograph/IDN spoofing in attacker-controlled fields (package names, dependencies, URLs, and AUR metadata) by detecting zero-width/bidi/control characters, mixed-script tokens (e.g. Latin mixed with Cyrillic/Greek), fullwidth/compatibility forms, and confusable “skeletons” that map look-alike Unicode onto ASCII (e.g. Cyrillic аa). Findings surface through the same PkgbuildReviewDialog security-status path so users can review them before installing.

Rounding out the CLI work, this release ships a pacman-style shortcode interface: a compact -<Type><Action><modifiers> syntax that translates familiar single-letter operations into Shelly’s full command surface, making the CLI feel native to anyone coming from pacman/yay.

🔑 Shortcode Examples

The first argument may be a shortcode of the form -<Type><Action>[modifiers], where the Type selects a domain (S = system/repo, A = AUR, F = Flatpak, I = AppImage, C = config, K = keyring, U = utility) and the Action/modifiers map to a verb and flags:

Terminal window
shelly -SIu firefox     # install firefox -u   (sync install, with upgrade)
shelly -SQad            # query -a -d          (query available, fetch details of exact match)
shelly -SRcr pkg        # remove pkg -c -r     (cascade + config removal) : The equivalent of `sudo pacman -Rns pkg`
shelly -AS ripgrep      # aur search zen-browser-bin
shelly -AI yay-bin      # aur install zen-browser-bin
shelly -FR org.app.Id   # flatpak uninstall org.app.Id
shelly -KV ABCD1234     # keyring recv ABCD1234
shelly -UC              # cache-clean

Invalid combinations are rejected with helpful errors (e.g. an unknown action lists valid actions for that type, and an unknown modifier lists the allowed modifiers), and in shortcode mode --ui-mode is used in place of -U.

✨ Highlights

  • New CLI Release with a substantial refactor and modernized command surface (#1059, #1103).
  • AppImage support maturing: updates now shown in the UI, eventing improvements, and fixes to desktop-entry handling (#1053, #1058, #1075, #1087, #1092).
  • Security additions: PKGBUILD review now shows security status, flags dynamic/post_install code execution, and detects potential homograph spoofing (#1099, #1100).
  • doas support added as an alternative privilege-elevation backend (#1078).

🚀 Features

  • Add doas support (#1078)
  • Add manual language selection in settings (#1056) — thanks @nyx1d
  • Add docs command, with printed command options and default cascade enabled (#1084, #1097)
  • Add Zsh completions for the Shelly CLI (#1090)
  • Show AppImage updates in the UI (#1058)
  • Add new version column to AUR update view (#1047)
  • Add maintainer and last-updated columns to AUR search output (#1071)
  • Add security status to PkgbuildReviewDialog (#1099)
  • Add HomographValidator to flag homograph spoofing in PKGBUILDs (#1100)

🛠 Improvements & Refactors

  • CLI refactor (#1059) and new CLI release (#1103)
  • Refactor CredentialManager and add ProcessExecutor service (#1066)
  • Convert PerformDownload to async and refactor call sites (#1079)
  • Skip provider selection when only one distinct option is available (#1070)
  • Replace --elevated flag in UpgradeAll with a UserIdentity-based approach (#1093, #1094)
  • Refactor question handling to remove obsolete ALPM-specific protocols (#1091)
  • Update file-size display to Megabytes and refactor progress-bar logic (#1082)
  • Simplify query (#1076) and remove the explore alias from query (#1085)
  • AppImage eventing and CLI output updates from the manager (#1087, #1092)
  • Flatpak output and UI element updates (#1049, #1080)
  • General small UI adjustments (#1046)
  • Remove unused config options and delete unused/unwanted code (#1081, #1086)

🐞 Bug Fixes

  • Fix AppImages creating an additional desktop entry (#1053)
  • Fix Flatpak upgrade bug and remote selection (#1054)
  • Fix Flatpak scrolling issue (#1061)
  • Various AppImage fixes (#1075)

🌐 Localization

  • Update de-DE.po (#1089) — thanks @Henry2o1o

📦 Maintenance / Versioning

  • Merge Dev into master and master back-merge (#1040, #1041)
  • Update UI elements in Flatpak (#1049)
  • Bump version to 2.3.3.5 across all projects and PKGBUILD files (#1101)
  • Bump version to 2.4.0.0 across all projects and PKGBUILD files (#1102)

Contributors to Shelly-ALPM v2.4.0.0

  • @caroberrie — #1040, #1041, #1046, #1049, #1053, #1054, #1058, #1061, #1075, #1080, #1081, #1086, #1087, #1092
  • @ZoeyErinBauer — #1059, #1070, #1071, #1076, #1078, #1079, #1082, #1090, #1091, #1093, #1094, #1100, #1101, #1102, #1103
  • @azdanov — #1066, #1084, #1085, #1097, #1099
  • @Terrabade — #1047
  • @nyx1d — #1056 (first contribution 🎉)
  • @Henry2o1o — #1089

👋 New Contributors

  • @nyx1d made their first contribution in #1056

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.3.4...v2.4.0.0

v2.4.0.1

Bug Fix

  • –no-confirm now works as intended on upgrade all

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.0...v2.4.0.1

v2.4.0.2

Bug Fixes

  • Oopsie we forgot to update the tray service

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.1...v2.4.0.2

v2.4.0.3

What’s Changed

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.2...v2.4.0.3

v2.4.0.4

What’s Changed

  • Correct Version selection pop up
  • Fix install + upgrade UI path

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.3...v2.4.0.4

v2.4.1.0 Latest

Shelly-ALPM v2.4.1.0 Release Notes

This release builds directly on the 2.4.0 line, hardening how Shelly talks to the network and to the system, deepening dependency resolution, and continuing the CLI refactor that began in 2.4.0.0. It also bundles a large batch of community translations and a steady stream of UI polish across the AppImage, Flatpak, and grid views.

🌐 Networking — Happy Eyeballs

Shelly’s HTTP stack now uses a Happy Eyeballs-style connection strategy in OptimizedClient. Instead of waiting on a single resolved address, Shelly resolves every address for a host, prefers IPv4 first so a missing IPv6 route can never block a working connection, and races the candidates with a fast 3-second per-address fallback. Critically, it waits for the first connection to succeed rather than the first to complete, so a quick “network is unreachable” failure on one path no longer aborts a request that a slower path would have served. Address-connection fallback in OptimizedClient was further tuned for reliability on mixed IPv4/IPv6 hosts.

🔒 Security — More risky tools, smarter privileges

The PostInstallValidator scriptlet scanner was expanded well beyond the original list. It now recognizes risky network- and code-fetching tooling across a wide range of ecosystems — JavaScript/Node (npm, npx, yarn, pnpm, bun, deno), Python (pip, pipx, uv, poetry, conda/mamba), Ruby, Rust, Go, PHP, Perl, Haskell, Lua, Nim, OCaml, Elixir/Erlang, C/C++ (conan, vcpkg), JVM build tools, .NET, Swift, Julia, R — alongside downloaders (curl, wget, aria2c, lftp, rsync, scp/sftp), container/orchestration tools (docker, podman, kubectl, helm, snap, flatpak), and version managers (nvm, pyenv, asdf, and friends). These findings continue to surface through the existing PKGBUILD security-review path so you can review them before installing.

On the privilege side, command execution in the privileged and unprivileged services was reworked, with Polkit detection added throughout ProcessExecutor, XdgPaths, and AurPackageManager. Package searches and lookups now run as unprivileged operations wherever possible, and a dedicated Polkit policy was added for privileged Shelly CLI execution (with refined icon and prompt messaging).

📦 Package management — Providers & group queries

Shelly can now resolve virtual dependencies via providers, presenting a provider selection when more than one package satisfies a dependency. The query command gained a --group / -g option for searching package groups (it defaults to searching available packages), making it easier to discover and inspect grouped packages from the CLI.

🐚 CLI refactor continues

Console creation across the CLI now flows through a single ShellyConsoleFactory, and RunShellyCommand and related execution paths in ProcessExecutor were refactored for clarity and consistency. PKGBUILD parsing learned to surface local source files, and Shelly now correctly reports when pacman hooks have run during an operation.

🖥️ UI, AppImage & Flatpak

  • New grid layouts for the update and manage views, with reworked grid-selection logic.
  • An alternate install view and an animated intro page.
  • Continued Flatpak UI improvements and better handling of Flatpak progress callbacks.
  • AppImage fixes, including corrected Forgejo-hosted AppImage updates.
  • Fixed the updates count not appearing in the UI.
  • Desktop cache ownership fix and refined lockout-service behavior.
  • Removed the obsolete fingerprint warning and related UI elements.

🌍 Translations

This release ships a large localization update: refreshed Japanese, French (fr_FR), Turkish (tr_TR), German (de_DE) translations, a new Italian translation, and additional automated localization passes.

What’s Changed

Contributors

A huge thank you to everyone who contributed to this release — 10 unique contributors, 2 of them brand new to the project:

  • @ZoeyErinBauer
  • @caroberrie
  • @azdanov
  • @utuhiro78
  • @Landeli7
  • @Renari 🆕
  • @celonfix
  • @juliazero
  • @Mattyan89 🆕
  • @Henry2o1o

New Contributors

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.4...v2.4.1.0

© 2026 Seafoam LabsShelly Chel