After Recent AUR Security Scare, Yay 13.0 Adds New Review and Automation Features

Yay 13.0 adds Lua hooks, PKGBUILD age visibility, and new automation tools following recent concerns over AUR package security.

Yay 13.0 has been released as a major update to the popular AUR helper for Arch Linux, following a recent AUR security incident involving malicious packages.

Importantly, the update does not alter how the AUR functions or guarantee package safety. Instead, it provides users with additional tools to inspect, filter, and automate the review process before installing or upgrading packages.

A key addition is the display of PKGBUILD last-modification times. Yay now shows how recently an AUR package’s PKGBUILD was modified in search results, yogurt, and upgrade menus. While recent changes are not inherently suspicious and older ones are not necessarily safe, the timestamp offers users another factor to consider during review.

For example, yay now displays age markers, such as hours or days since the PKGBUILD was last updated, when searching or upgrading AUR packages. This is a notably relevant feature given recent security concerns, as users are paying closer attention to package changes and maintainer activity.

Yay 13.0 AUR Helper

Another major change in yay 13.0 is support for Lua configuration. Yay can now load an init.lua file from $XDG_CONFIG_HOME/yay/init.lua, typically ~/.config/yay/init.lua. Existing config.json files remain supported, but Lua configuration can override these settings. Command-line flags continue to take precedence.

Moreover, one new hook, UpgradeSelect, runs during yay -Syu after upgrades are calculated and before the package exclusion menu appears. It can automatically exclude specific packages from upgrades, such as AUR packages with recently modified PKGBUILDs.

Yay 13.0 also introduces AURPreInstall and AURPostDownload hooks. AURPreInstall runs after PKGBUILD repositories are fetched but before clean, diff, edit, or build steps, making it useful for checks based on PKGBUILD content. AURPostDownload runs after makepkg --verifysource, allowing hooks to access both the PKGBUILD repository and downloaded source files before installation proceeds.

The release also exposes additional package information to hooks, including AUR package maintainer data, and adds support for search-filter and post-install hooks. These features allow users to create custom checks for recently changed packages, maintainer changes, new submissions, source URLs, or other metadata.
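As an added illustration of the kind of check the UpgradeSelect hook makes possible, here is an init.lua that holds back AUR upgrades whose PKGBUILD changed within the last few days or whose package is orphaned. This is example code, not from the yay project: the hook registration (`yay.hooks.UpgradeSelect`), the field names on each upgrade entry (`name`, `source`, `last_modified`, `maintainer`) and the return convention are assumptions to be checked against yay's Lua hook documentation.

```lua
-- Added example for ~/.config/yay/init.lua (not from the yay project).
-- ASSUMPTIONS (not on the page; verify against yay's Lua hook docs):
--   * a hook is registered by assigning a function to yay.hooks.UpgradeSelect
--   * the hook receives a list of candidate upgrades; each entry is a table with
--     `name` (string), `source` ("aur" or a repo name), `last_modified` (Unix
--     epoch of the PKGBUILD's last change) and `maintainer` (string, or nil if orphaned)
--   * returning a list of package names excludes them from this upgrade run
local MAX_AGE_DAYS = 3            -- PKGBUILDs changed within this window are "fresh"
local SECONDS_PER_DAY = 24 * 60 * 60

-- Pure decision logic, kept separate from the hook so it can be run with plain Lua.
-- Returns the names to exclude and a human-readable reason per name.
local function select_excludes(upgrades, now)
  local excluded, reasons = {}, {}
  for _, pkg in ipairs(upgrades) do
    if pkg.source == "aur" then
      local reason
      if pkg.maintainer == nil then
        reason = "orphaned: no maintainer"
      elseif pkg.last_modified
          and (now - pkg.last_modified) < MAX_AGE_DAYS * SECONDS_PER_DAY then
        local hours = math.floor((now - pkg.last_modified) / 3600)
        reason = string.format("PKGBUILD changed %dh ago (< %d days)", hours, MAX_AGE_DAYS)
      end
      if reason then
        excluded[#excluded + 1] = pkg.name
        reasons[pkg.name] = reason
      end
    end
  end
  return excluded, reasons
end

-- Hook wiring (assumed API shape, see above). Held-back packages stay at their
-- installed version; the user can inspect the PKGBUILD diff and upgrade them later.
yay = yay or {}
yay.hooks = yay.hooks or {}
yay.hooks.UpgradeSelect = function(upgrades)
  local excluded, reasons = select_excludes(upgrades, os.time())
  for _, name in ipairs(excluded) do
    io.stderr:write(string.format("[init.lua] holding back %s: %s\n", name, reasons[name]))
  end
  return excluded
end
```

The age threshold is a review aid, not a safety guarantee: a freshly changed PKGBUILD still needs to be read before the held-back package is upgraded.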

Yay's maintainer stated that the goal is to avoid “security theater,” noting that automated checks are helpful but should not replace human review of build files.

For additional details, see the changelog or the release announcement. Yay 13.0 is now available as an update in the AUR for Arch users.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

One comment

  1. Josef

    Great news
