The popular AUR helper yay released version 13 on June 18 with new tools to help users detect risky packages. The update follows multiple waves of malware that compromised over 1,500 packages in the Arch User Repository.
yay now displays a timestamp showing how recently each package's PKGBUILD was changed. This appears in search results, the yogurt prompt, and the upgrade menu.
Maintainer Jo Guerreiro said the timestamp serves only as an extra signal and does not indicate whether a package is safe or unsafe.
The release also introduces Lua-based hooks and configuration. Users can place a file at $XDG_CONFIG_HOME/yay/init.lua to script behaviors such as UpgradeSelect, AURPreInstall, and AURPostDownload.
These hooks allow automated checks before packages are installed. The update includes other fixes such as restored locale files and improved logging.
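An added example, not code from yay or its Lua hook API: a standalone Python check that computes the same kind of recency signal from the FirstSubmitted and LastModified Unix timestamps returned by the AUR RPC info endpoint. The sample response, package names, reference time and 7-day window are constructed, and it is an assumption that this data matches what yay displays.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an AUR RPC v5 "info" response (not real packages).
SAMPLE_RESPONSE = json.dumps({
    "version": 5,
    "type": "multiinfo",
    "resultcount": 3,
    "results": [
        {"Name": "example-browser-bin",
         "FirstSubmitted": 1600000000, "LastModified": 1750200000},
        {"Name": "example-fonts",
         "FirstSubmitted": 1500000000, "LastModified": 1700000000},
        {"Name": "example-new",
         "FirstSubmitted": 1750100000, "LastModified": 1750150000},
    ],
})

# Constructed reference time so the example is deterministic.
NOW = datetime.fromtimestamp(1750204800, tz=timezone.utc)


def recency_signals(rpc_json, now, recent_days=7):
    """Map each package name to a list of review hints.

    A hint means "read the PKGBUILD diff before building", not "unsafe";
    an empty list does not mean the package is safe.
    """
    window = timedelta(days=recent_days)
    report = {}
    for pkg in json.loads(rpc_json).get("results", []):
        modified = datetime.fromtimestamp(pkg["LastModified"], tz=timezone.utc)
        submitted = datetime.fromtimestamp(pkg["FirstSubmitted"], tz=timezone.utc)
        hints = []
        if now - modified <= window:
            hints.append("recently-modified")
        if now - submitted <= window:
            hints.append("newly-submitted")
        report[pkg["Name"]] = hints
    return report


if __name__ == "__main__":
    for name, hints in recency_signals(SAMPLE_RESPONSE, NOW).items():
        print(f"{name}: {', '.join(hints) or 'no recency hints'}")
```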