After Recent AUR Security Scare, Yay 13.0 Adds New Review and Automation Features
Yay 13.0 adds Lua hooks, PKGBUILD age visibility, and new automation tools following recent concerns over AUR package security.
By Bobby Borisov, June 17, 2026
Yay 13.0 has been released as a major update to the popular AUR helper for Arch Linux, following a recent AUR security incident involving malicious packages.
Importantly, the update does not alter how the AUR functions or guarantee package safety. Instead, it provides users with additional tools to inspect, filter, and automate the review process before installing or upgrading packages.
A key addition is the display of PKGBUILD last-modification times. Yay now shows how recently an AUR package’s PKGBUILD was modified in search results, yogurt, and upgrade menus. While recent changes are not inherently suspicious and older ones are not necessarily safe, the timestamp offers users another factor to consider during review.
For example, yay now displays age markers, such as hours or days since the PKGBUILD was last updated, when searching or upgrading AUR packages. This is notably relevant given recent security concerns, as users are paying closer attention to package changes and maintainer activity.
Another major change in yay 13.0 is support for Lua configuration. Yay can now load an init.lua file from $XDG_CONFIG_HOME/yay/init.lua, typically ~/.config/yay/init.lua. Existing config.json files remain supported, but Lua configuration can override these settings. Command-line flags continue to take precedence.
Moreover, one new hook, UpgradeSelect, runs during yay -Syu after upgrades are calculated and before the package exclusion menu appears. It can automatically exclude specific packages from upgrades, such as AUR packages with recently modified PKGBUILDs.
Yay 13.0 also introduces AURPreInstall and AURPostDownload hooks. AURPreInstall runs after PKGBUILD repositories are fetched but before clean, diff, edit, or build steps, making it useful for checks based on PKGBUILD content. AURPostDownload runs after makepkg --verifysource, allowing hooks to access both the PKGBUILD repository and downloaded source files before installation proceeds.
The release also exposes additional package information to hooks, including AUR package maintainer data, and adds support for search-filter and post-install hooks. These features allow users to create custom checks for recently changed packages, maintainer changes, new submissions, source URLs, or other metadata.
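The kind of metadata check described above, as an added example that is not code from the yay project and does not use yay's Lua hook API. It assumes the AUR RPC v5 `info` response fields `Name`, `Maintainer`, `FirstSubmitted` and `LastModified`; the sample response, the maintainer baseline, the thresholds and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like an AUR RPC v5 "info" response (timestamps are Unix seconds).
SAMPLE_RESPONSE = json.loads("""
{"resultcount": 4, "results": [
 {"Name": "example-tool", "Maintainer": "alice", "FirstSubmitted": 1600000000, "LastModified": 1781600000},
 {"Name": "example-font", "Maintainer": "mallory", "FirstSubmitted": 1500000000, "LastModified": 1700000000},
 {"Name": "example-new", "Maintainer": "bob", "FirstSubmitted": 1781000000, "LastModified": 1781000000},
 {"Name": "example-stable", "Maintainer": "dave", "FirstSubmitted": 1400000000, "LastModified": 1750000000}
]}
""")

# Constructed baseline: maintainer recorded when each package was last reviewed and installed.
KNOWN_MAINTAINERS = {"example-tool": "alice", "example-font": "carol"}

DAY = 86400  # seconds

def review_flags(pkg, now, known_maintainers, cooldown_days=7, new_pkg_days=30):
    """Return the reasons to hold one package back for manual PKGBUILD review."""
    flags = []
    if now - pkg["LastModified"] < cooldown_days * DAY:
        flags.append("recently-modified")
    if now - pkg["FirstSubmitted"] < new_pkg_days * DAY:
        flags.append("new-submission")
    maintainer = pkg.get("Maintainer")  # null in the RPC when the package is orphaned
    if maintainer is None:
        flags.append("orphaned")
    previous = known_maintainers.get(pkg["Name"])
    if previous is not None and maintainer != previous:
        flags.append("maintainer-changed")
    return flags

def hold_list(response, now, known_maintainers, **thresholds):
    """Map package name -> flags for every package that raised at least one flag."""
    held = {}
    for pkg in response["results"]:
        flags = review_flags(pkg, now, known_maintainers, **thresholds)
        if flags:
            held[pkg["Name"]] = flags
    return held

if __name__ == "__main__":
    NOW = 1781700000  # constructed "current time" so the output is reproducible
    for name, flags in hold_list(SAMPLE_RESPONSE, NOW, KNOWN_MAINTAINERS).items():
        print(f"{name}: hold for review ({', '.join(flags)})")
```

A flag here only selects which PKGBUILDs to read first; a package with no flags has not been shown to be safe.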
The yay maintainer stated that the goal is to avoid “security theater,” noting that automated checks are helpful but should not replace human review of build files.
For additional details, see the changelog or the release announcement. Yay 13.0 is now available as an update in the AUR for Arch users.
3 Comments
kal
June 18, 2026 at 1:02 am
People who use aur deserve to be infested with malware.
Rick
June 18, 2026 at 1:00 am
I will never use aur since it will continue to be a major security concern and is not worth the risk. They need to get rid of it since there are much safer options.
Josef
June 17, 2026 at 11:43 pm
Great news