Skip to content

aur-scan 1.0.3

Choose a tag to compare

View all tags
@HxHippy HxHippy released this 13 Jun 23:01
· 69 commits to main since this release
v1.0.3
This tag was signed with the committer’s verified signature.
HxHippy HxHippy
GPG key ID: 1132BF893C33FB51
Verified
Learn about vigilant mode.
7aae5c0
This commit was signed with the committer’s verified signature.
HxHippy HxHippy
GPG key ID: 1132BF893C33FB51
Verified
Learn about vigilant mode.

aur-scan 1.0.3

Fixed — false negative in aur-scan check (important)

The check command fetched each AUR package into a temporary directory, then
dropped the handle (deleting the clone) before scanning it. Every fetched
node errored with "IO error: No such file or directory" and the command reported
no findings — so packages with real issues looked clean. This affected the
default gate mode of the shell integration; the race-free install path and
the system audit were not affected.

Reproduced and verified: before the fix, check google-chrome reported clean;
after, it correctly surfaces its HIGH findings.

Thanks to Rafael Lucio (@Disklo) for the report and fix (#4).

Added — fish shell integration

install/integration.fish wraps paru/yay for fish users, matching the
bash/zsh behavior (gate + race-free install mode, scan-fail abort, bypass
shortcuts). Audited against the existing integrations for parity.

Verify

git verify-tag v1.0.3

Contributors

Disklo
Assets 2
Loading