Skip to content
Seafoam Labs

All versions since v2.3.3.4

All versions

v2.3.3.4

The following changes have been made:

New Setup screen will give dialogue confirmation for AUR . AppImage cleanup of bad desktop entries on sync from updates. AppImage improved path handling for custom paths and logic flows. Flatpak updating filter patterns. Read and add hook dirs from pacman.conf to libalpm.

Thank you for the first contribution @moutazhaq

v2.4.0.0

Shelly-ALPM v2.4.0.0 Release Notes

This release centers on a major CLI refactor, maturing AppImage/Flatpak support, and a new layer of PKGBUILD security analysis.

On the safety side, Shelly now actively inspects install scriptlets for dynamic code execution and post_install risks — the new PostInstallValidator scans resolved scriptlets for risky network/code-fetching tools (npm, npx, bun, pip, curl, wget, etc.) and flags dynamic command construction that can’t be statically reviewed, including command substitution ($(...), backticks), eval, ${!var} indirection, and decode-into-shell pipelines (e.g. base64 -d | sh). It even performs lightweight de-obfuscation (collapsing tricks like b''u''n, cur\l, and n"p"m) so deliberately hidden tool names are caught and escalated to Critical as a sign of malicious intent. Complementing this, the new HomographValidator defends against homograph/IDN spoofing in attacker-controlled fields (package names, dependencies, URLs, and AUR metadata) by detecting zero-width/bidi/control characters, mixed-script tokens (e.g. Latin mixed with Cyrillic/Greek), fullwidth/compatibility forms, and confusable “skeletons” that map look-alike Unicode onto ASCII (e.g. Cyrillic аa). Findings surface through the same PkgbuildReviewDialog security-status path so users can review them before installing.

Rounding out the CLI work, this release ships a pacman-style shortcode interface: a compact -<Type><Action><modifiers> syntax that translates familiar single-letter operations into Shelly’s full command surface, making the CLI feel native to anyone coming from pacman/yay.

🔑 Shortcode Examples

The first argument may be a shortcode of the form -<Type><Action>[modifiers], where the Type selects a domain (S = system/repo, A = AUR, F = Flatpak, I = AppImage, C = config, K = keyring, U = utility) and the Action/modifiers map to a verb and flags:

Terminal window
shelly -SIu firefox     # install firefox -u   (sync install, with upgrade)
shelly -SQad            # query -a -d          (query available, fetch details of exact match)
shelly -SRcr pkg        # remove pkg -c -r     (cascade + config removal) : The equivalent of `sudo pacman -Rns pkg`
shelly -AS ripgrep      # aur search zen-browser-bin
shelly -AI yay-bin      # aur install zen-browser-bin
shelly -FR org.app.Id   # flatpak uninstall org.app.Id
shelly -KV ABCD1234     # keyring recv ABCD1234
shelly -UC              # cache-clean

Invalid combinations are rejected with helpful errors (e.g. an unknown action lists valid actions for that type, and an unknown modifier lists the allowed modifiers), and in shortcode mode --ui-mode is used in place of -U.

✨ Highlights

  • New CLI Release with a substantial refactor and modernized command surface (#1059, #1103).
  • AppImage support maturing: updates now shown in the UI, eventing improvements, and fixes to desktop-entry handling (#1053, #1058, #1075, #1087, #1092).
  • Security additions: PKGBUILD review now shows security status, flags dynamic/post_install code execution, and detects potential homograph spoofing (#1099, #1100).
  • doas support added as an alternative privilege-elevation backend (#1078).

🚀 Features

  • Add doas support (#1078)
  • Add manual language selection in settings (#1056) — thanks @nyx1d
  • Add docs command, with printed command options and default cascade enabled (#1084, #1097)
  • Add Zsh completions for the Shelly CLI (#1090)
  • Show AppImage updates in the UI (#1058)
  • Add new version column to AUR update view (#1047)
  • Add maintainer and last-updated columns to AUR search output (#1071)
  • Add security status to PkgbuildReviewDialog (#1099)
  • Add HomographValidator to flag homograph spoofing in PKGBUILDs (#1100)

🛠 Improvements & Refactors

  • CLI refactor (#1059) and new CLI release (#1103)
  • Refactor CredentialManager and add ProcessExecutor service (#1066)
  • Convert PerformDownload to async and refactor call sites (#1079)
  • Skip provider selection when only one distinct option is available (#1070)
  • Replace --elevated flag in UpgradeAll with a UserIdentity-based approach (#1093, #1094)
  • Refactor question handling to remove obsolete ALPM-specific protocols (#1091)
  • Update file-size display to Megabytes and refactor progress-bar logic (#1082)
  • Simplify query (#1076) and remove the explore alias from query (#1085)
  • AppImage eventing and CLI output updates from the manager (#1087, #1092)
  • Flatpak output and UI element updates (#1049, #1080)
  • General small UI adjustments (#1046)
  • Remove unused config options and delete unused/unwanted code (#1081, #1086)

🐞 Bug Fixes

  • Fix AppImages creating an additional desktop entry (#1053)
  • Fix Flatpak upgrade bug and remote selection (#1054)
  • Fix Flatpak scrolling issue (#1061)
  • Various AppImage fixes (#1075)

🌐 Localization

  • Update de-DE.po (#1089) — thanks @Henry2o1o

📦 Maintenance / Versioning

  • Merge Dev into master and master back-merge (#1040, #1041)
  • Update UI elements in Flatpak (#1049)
  • Bump version to 2.3.3.5 across all projects and PKGBUILD files (#1101)
  • Bump version to 2.4.0.0 across all projects and PKGBUILD files (#1102)

Contributors to Shelly-ALPM v2.4.0.0

  • @caroberrie — #1040, #1041, #1046, #1049, #1053, #1054, #1058, #1061, #1075, #1080, #1081, #1086, #1087, #1092
  • @ZoeyErinBauer — #1059, #1070, #1071, #1076, #1078, #1079, #1082, #1090, #1091, #1093, #1094, #1100, #1101, #1102, #1103
  • @azdanov — #1066, #1084, #1085, #1097, #1099
  • @Terrabade — #1047
  • @nyx1d — #1056 (first contribution 🎉)
  • @Henry2o1o — #1089

👋 New Contributors

  • @nyx1d made their first contribution in #1056

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.3.4...v2.4.0.0

v2.4.0.1

Bug Fix

  • –no-confirm now works as intended on upgrade all

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.0...v2.4.0.1

v2.4.0.2

Bug Fixes

  • Oopsie we forgot to update the tray service

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.1...v2.4.0.2

v2.4.0.3

What’s Changed

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.2...v2.4.0.3

v2.4.0.4

What’s Changed

  • Correct Version selection pop up
  • Fix install + upgrade UI path

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.3...v2.4.0.4

v2.4.1.0 Latest

Shelly-ALPM v2.4.1.0 Release Notes

This release builds directly on the 2.4.0 line, hardening how Shelly talks to the network and to the system, deepening dependency resolution, and continuing the CLI refactor that began in 2.4.0.0. It also bundles a large batch of community translations and a steady stream of UI polish across the AppImage, Flatpak, and grid views.

🌐 Networking — Happy Eyeballs

Shelly’s HTTP stack now uses a Happy Eyeballs-style connection strategy in OptimizedClient. Instead of waiting on a single resolved address, Shelly resolves every address for a host, prefers IPv4 first so a missing IPv6 route can never block a working connection, and races the candidates with a fast 3-second per-address fallback. Critically, it waits for the first connection to succeed rather than the first to complete, so a quick “network is unreachable” failure on one path no longer aborts a request that a slower path would have served. Address-connection fallback in OptimizedClient was further tuned for reliability on mixed IPv4/IPv6 hosts.

🔒 Security — More risky tools, smarter privileges

The PostInstallValidator scriptlet scanner was expanded well beyond the original list. It now recognizes risky network- and code-fetching tooling across a wide range of ecosystems — JavaScript/Node (npm, npx, yarn, pnpm, bun, deno), Python (pip, pipx, uv, poetry, conda/mamba), Ruby, Rust, Go, PHP, Perl, Haskell, Lua, Nim, OCaml, Elixir/Erlang, C/C++ (conan, vcpkg), JVM build tools, .NET, Swift, Julia, R — alongside downloaders (curl, wget, aria2c, lftp, rsync, scp/sftp), container/orchestration tools (docker, podman, kubectl, helm, snap, flatpak), and version managers (nvm, pyenv, asdf, and friends). These findings continue to surface through the existing PKGBUILD security-review path so you can review them before installing.

On the privilege side, command execution in the privileged and unprivileged services was reworked, with Polkit detection added throughout ProcessExecutor, XdgPaths, and AurPackageManager. Package searches and lookups now run as unprivileged operations wherever possible, and a dedicated Polkit policy was added for privileged Shelly CLI execution (with refined icon and prompt messaging).

📦 Package management — Providers & group queries

Shelly can now resolve virtual dependencies via providers, presenting a provider selection when more than one package satisfies a dependency. The query command gained a --group / -g option for searching package groups (it defaults to searching available packages), making it easier to discover and inspect grouped packages from the CLI.

🐚 CLI refactor continues

Console creation across the CLI now flows through a single ShellyConsoleFactory, and RunShellyCommand and related execution paths in ProcessExecutor were refactored for clarity and consistency. PKGBUILD parsing learned to surface local source files, and Shelly now correctly reports when pacman hooks have run during an operation.

🖥️ UI, AppImage & Flatpak

  • New grid layouts for the update and manage views, with reworked grid-selection logic.
  • An alternate install view and an animated intro page.
  • Continued Flatpak UI improvements and better handling of Flatpak progress callbacks.
  • AppImage fixes, including corrected Forgejo-hosted AppImage updates.
  • Fixed the updates count not appearing in the UI.
  • Desktop cache ownership fix and refined lockout-service behavior.
  • Removed the obsolete fingerprint warning and related UI elements.

🌍 Translations

This release ships a large localization update: refreshed Japanese, French (fr_FR), Turkish (tr_TR), German (de_DE) translations, a new Italian translation, and additional automated localization passes.

What’s Changed

Contributors

A huge thank you to everyone who contributed to this release — 10 unique contributors, 2 of them brand new to the project:

  • @ZoeyErinBauer
  • @caroberrie
  • @azdanov
  • @utuhiro78
  • @Landeli7
  • @Renari 🆕
  • @celonfix
  • @juliazero
  • @Mattyan89 🆕
  • @Henry2o1o

New Contributors

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.4.0.4...v2.4.1.0

© 2026 Seafoam LabsShelly Chel