{% extends "base.html" %} {% block title %}About - garuda-pilot{% endblock %} {% block content %}
Upgrade management dashboard for Garuda Linux
garuda-pilot is a local web dashboard that helps you understand and manage system upgrades on Garuda Linux (and other Arch-based distros). It runs as a local web server on your machine — no data leaves your system, no accounts needed.
Start it with poetry run garuda-pilot and open http://127.0.0.1:8471 in your browser. There is no systemd service — you run it when you want to review upgrades.
See all pending updates before upgrading, sorted by risk score. Each package gets a 0-100 risk score based on category (kernel, graphics, system), news mentions, security advisories, hardware context, and version bump magnitude.
checkupdates (from pacman-contrib) and queries pacman -Si for package details.
Each pending package is scored 0-100 with multiple factors combined additively:
| Factor | Points |
|---|---|
| Kernel package | +40 |
| Graphics (nvidia, vulkan, etc.) | +30 |
| System (systemd, glibc, etc.) | +25 |
| Mesa | +20 |
| Xorg / Wayland | +15 |
| Critical CVE (security.archlinux.org) | +35 |
| High CVE | +25 |
| Medium CVE | +15 |
| NVIDIA module loaded + kernel update | +30 |
| Mentioned in Arch news | +20 |
| Mentioned in Garuda news | +15 |
| Major version bump (e.g. 1.x → 2.x) | +15 |
| Flagged out-of-date on archlinux.org | +10 |
| High reverse dependency count (>10) | +10 |
| Trivial package (docs, fonts, themes) | capped at 5 |
| Patch-only update (same base version) | capped at 10 |
Labels: low 0-19, medium 20-39, high 40-59, critical 60-100
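
The additive scoring in the table above, as an added example that is not garuda-pilot's own code. The weights, caps and label bands come from this page; the factor key names, counting only the most severe open CVE, and applying caps after summing are assumptions.

```python
# Added example: weights, caps and label bands are taken from the table above.
# How garuda-pilot combines them internally is an assumption (see comments).
WEIGHTS = {
    "kernel": 40, "graphics": 30, "system": 25, "mesa": 20, "xorg_wayland": 15,
    "nvidia_loaded_kernel_update": 30,
    "arch_news": 20, "garuda_news": 15,
    "major_bump": 15, "flagged_out_of_date": 10, "many_reverse_deps": 10,
}
CVE_WEIGHTS = {"critical": 35, "high": 25, "medium": 15}
CAPS = {"trivial": 5, "patch_only": 10}
LABELS = [(60, "critical"), (40, "high"), (20, "medium"), (0, "low")]


def risk_score(factors, cve_severities=()):
    """Return (score, label) for one pending package.

    factors: set of keys from WEIGHTS and/or CAPS (hypothetical key names).
    cve_severities: severities of open advisories for the package.
    """
    unknown = set(factors) - set(WEIGHTS) - set(CAPS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    score = sum(WEIGHTS[f] for f in factors if f in WEIGHTS)
    # Assumption: only the most severe open CVE contributes, not one per CVE.
    score += max((CVE_WEIGHTS.get(s.lower(), 0) for s in cve_severities), default=0)
    # Assumption: caps apply after summing, and the lowest applicable cap wins.
    for f in factors:
        if f in CAPS:
            score = min(score, CAPS[f])
    score = max(0, min(score, 100))  # the page states a 0-100 range
    label = next(name for floor, name in LABELS if score >= floor)
    return score, label


# Constructed sample packages (not real checkupdates output).
SAMPLES = {
    "linux-zen": ({"kernel", "nvidia_loaded_kernel_update", "arch_news"}, ["High"]),
    "mesa": ({"mesa", "major_bump"}, []),
    "noto-fonts": ({"trivial", "arch_news"}, []),
    "glibc": ({"system", "patch_only"}, ["critical"]),
}

if __name__ == "__main__":
    ranked = sorted(SAMPLES.items(), key=lambda kv: -risk_score(*kv[1])[0])
    for name, (factors, cves) in ranked:
        print(name, *risk_score(factors, cves))
```

Under this ordering, the constructed glibc sample (patch-only update with a critical CVE) ends at 10 and is labelled low. The page does not say whether caps are applied before or after the CVE weights, so check the preview against the Security page for capped packages.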
Every past pacman transaction is imported from /var/log/pacman.log and searchable. Drill into any transaction to see what was upgraded, installed, downgraded, or removed.
/var/log/pacman.log on first startup. Each transaction is stored in the local SQLite database.
Arch Linux and Garuda Linux news are fetched and displayed with automatic package name extraction. You can see which of your installed packages are mentioned in news articles, and "manual intervention" posts are prominently flagged.
Vulnerability advisories from the Arch Security Tracker, filterable by severity (Critical/High/Medium/Low) and status (Vulnerable/Fixed). Packages with active CVEs get security badges on the preview page.
Runs garuda-health (pre-installed on Garuda) to perform 25+ system checks: orphan packages, failed systemd services, pacnew files, disk space, and more. Results are stored as snapshots so you can track changes over time.
garuda-health locally and parses its text output. Checks are categorized by severity (critical, high, low, info). If fixable issues are found, a sudo garuda-health --fix command is suggested.
Detects your GPU vendor and loaded kernel modules at startup using lspci and /proc/modules. This is used to flag dangerous combinations — for example, a kernel update when the NVIDIA proprietary module is loaded.
lspci (from pciutils), /proc/modules, uname -r.
No. garuda-pilot is read-only — it shows you what would be upgraded and helps you assess the risk. You still run sudo pacman -Syu yourself.
It only fetches public data: Arch news RSS, Garuda forum RSS, Arch security advisories JSON, and Arch package metadata. It never uploads or sends any of your system information anywhere.
No. garuda-pilot is started manually when you want to review upgrades: poetry run garuda-pilot. You can stop it with Ctrl+C.
By default at ~/.local/share/garuda-pilot/garuda-pilot.db (SQLite). You can change this in ~/.config/garuda-pilot/config.toml.
News, security advisories, and Garuda forum posts are auto-refreshed when older than 2 hours. You can also click the Refresh button on each page to force a fetch. Package metadata from archlinux.org is fetched fresh on each preview refresh.
Yes — everything except the Health page (which requires garuda-health) works on any Arch-based distro. The health page will show "not checked" if the tool is missing.
Packages like documentation, fonts, themes, locales, and shell completions that are unlikely to cause issues when upgraded. These are capped at a risk score of 5.
| Component | Technology |
|---|---|
| Framework | Python 3.11+ / FastAPI (async) |
| Database | SQLite via aiosqlite (WAL mode) |
| Templates | Jinja2 with HTMX for dynamic updates |
| HTTP client | httpx (async, for RSS/JSON/API fetches) |
| Server | Uvicorn on 127.0.0.1:8471 (localhost only) |
| Dependencies | HTMX vendored locally — no CDN, works offline |
| Config | Optional TOML at ~/.config/garuda-pilot/config.toml |
Your upgrade history, news read states, health snapshots, and security data are stored in a local SQLite database. Use the button below to create a timestamped backup, or restore from a previous one.