Yay 13.0 adds Lua hooks, PKGBUILD age visibility, and new automation tools following recent concerns over AUR package security.<\/h5>\n\n\n\n
By Bobby Borisov<\/p>\n\n\n\n Yay 13.0 has been released as a major update to the popular AUR helper for Arch Linux, following a recent AUR security incident<\/a> involving malicious packages.<\/p>\n\n\n\n Importantly, the update does not alter how the AUR functions or guarantee package safety. Instead, it provides users with additional tools to inspect, filter, and automate the review process before installing or upgrading packages.<\/p>\n\n\n\n A key addition is the display of For example, yay now displays age markers, such as hours or days since the PKGBUILD was last updated, when searching or upgrading AUR packages. A notably relevant feature, given recent security concerns, as users are paying closer attention to package changes and maintainer activity.<\/p>\n\n\n\n Another major change in yay 13.0 is support for Lua configuration. Yay can now load an Moreover, one new hook, Yay 13.0 also introduces The release also exposes additional package information to hooks, including AUR package maintainer data, and adds support for search-filter and post-install hooks. These features allow users to create custom checks for recently changed packages, maintainer changes, new submissions, source URLs, or other metadata.<\/p>\n\n\n\n Yay maintainer stated the goal is to avoid \u201csecurity theater,\u201d noting that automated checks are helpful but should not replace human review of build files.<\/p>\n\n\n\n For additional details, see the changelog<\/a> or the release announcement<\/a>. Yay 13.0 is now available<\/a> as an update in the AUR for Arch users.<\/p>\n","protected":false},"excerpt":{"rendered":" Yay update which allows you to update regular repo files and packages from the Arch User Repository, AUR. I’ve taken to looking up the packages and manually reviewing the diffs of the pkgbuild files. https:\/\/linuxiac.com\/yay-13-0-adds-new-review-and-automation-features\/ Yay 13.0 adds Lua hooks, PKGBUILD age visibility, and new automation tools following recent concerns over AUR package security. By […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-17606","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=17606"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17606\/revisions"}],"predecessor-version":[{"id":17607,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/17606\/revisions\/17607"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=17606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=17606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=17606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"After](\"https:\/\/cdn.shortpixel.ai\/spai\/q_lossy+ret_img+to_auto\/linuxiac.com\/wp-content\/uploads\/2026\/06\/yay13-1024x576.jpg\")
<\/figure>\n\n\n\nPKGBUILD<\/code> last-modification times. Yay now shows how recently an AUR package\u2019s PKGBUILD<\/code> was modified in search results, yogurt, and upgrade menus. While recent changes are not inherently suspicious and older ones are not necessarily safe, the timestamp offers users another factor to consider during review.<\/p>\n\n\n\n![\"Yay](\"https:\/\/cdn.shortpixel.ai\/spai\/q_lossy+ret_img+to_auto\/linuxiac.com\/wp-content\/uploads\/2026\/06\/yay13-app.jpg\")
<\/a>init.lua<\/code> file from $XDG_CONFIG_HOME\/yay\/init.lua<\/code>, typically ~\/.config\/yay\/init.lua<\/code>. Existing config.json<\/code> files remain supported, but Lua configuration can override these settings. Command-line flags continue to take precedence.<\/p>\n\n\n\nUpgradeSelect<\/code>, runs during yay -Syu<\/code> after upgrades are calculated and before the package exclusion menu appears. It can automatically exclude specific packages from upgrades, such as AUR packages with recently modified PKGBUILDs.<\/p>\n\n\n\nAURPreInstall<\/code> and AURPostDownload<\/code> hooks. AURPreInstall<\/code> runs after PKGBUILD<\/code> repositories are fetched but before clean, diff, edit, or build steps, making it useful for checks based on PKGBUILD<\/code> content. AURPostDownload<\/code> runs after makepkg --verifysource<\/code>, allowing hooks to access both the PKGBUILD<\/code> repository and downloaded source files before installation proceeds.<\/p>\n\n\n\n