Maan, I waarned you. But you had to do it.
Hope just it’s not your Thinkpad 
There is also mupdf within [extra] as well as mupdf-gl which just uses OpenGL as an backend, also in [extra]. No AUR needed and the list of dependencies isn’t that long. Also, no (outdated) GTK3 UI, no java-slothtime required.
Much lighter. But I’ve got the tendency to just use my browser instead of a dedidcated pdf viewer/editor.
Actually, it doesn’t look like there are any required AUR dependencies if I am reading that screenshot correctly.
When you see something like: “nss(nss-hgAUR)” it means it will use nss from the repos but also can be fulfilled by nss-hg from AUR.
Well the way I see it (could be totally wrong but anyway).
The package at hand has been submitted to the AUR at the end of april, some time before the whole “incident” toke place.
So let us assume the dependencies are only to be found in the AUR.
So the dependencies are from around the same date , or earlier, then the package.
It is possible one (or more) of this dependicies have been compromised, or even the package itself.
So wouldn’t this mean the problem is much bigger then just something like less then 2000 (as far as I know) malicious packages ?
The devil is in the details.
If you check that list of dependencies, there is only one Java-runtime listed as a dependency requirement. And there are plenty of different java-runtimes available that would fulfill that dependency, a huge number of alternative java-runtimes within the AUR. But also some within the official repositories.
In short, the java-runtime could be ( jre10AUR, OR one of the many different alternatives , OR jre8-openjdk ). You won’t need all of them. In doubt, jre-openjdk should be the latest release.
If you check the whole list, every dependency of JOPDF could be fulfilled by means of the official repositories.
Therefore, no worries. It’s only the package JOPDF itself which is within the AUR.
Last but not least:
You also should keep in mind that the malware campaign lastest from June 9th until June 12th. And mostly updates within that time are problematic, but the malware injections have been addressed appropriatel0y by rolling back the malicious commits, more or less directly after detection or shortly thereafter.
Personally, I’m already back to normal since yesterday. There hasn’t been a 3rd wave. I have cleaned up a little, checked my system numerous times, reduced the number of packages from the AUR with no traces of any infections. And now traur is installed and would report something suspicious.
Well yes I guess this was more or less the point I was trying to make, people tend to overreact when things like this are going on.
This thread is both a goldmine and very long
Is there any way of having a post or something with a list of apps that we can add too, what they do, and votes?
I know there are websites for this, but I never trust them not to have vested interests
Just a thought
Not sure if you mean sometthing like this (for the AUR)
Not really, I mean recommendations from this list, or from this forum users.
Some peoples junk is another persons gold. 
Don’t ignore the popularity and vote metrics of the AUR.
Unfortunately, only a portion of users that are using the AUR are even participating in those. Therefore you won’t find huge numbers there. But this is representative for the Users that have registered an AUR account.
In this specific forum, this thread is based on infrequent findings of regular users. Which may not address a portion of users in the slightest. It’s not really practical to compose an recommendation lists that is specific to this forum. Which is also only a portion of EndeavourOS users in the end. Depending on the choices of DE/WM flavour, there could be totally different recommendations. Some extend the scope of software by the addition of flatpaks, appimages or snaps. Some won’t touch them at all and are using only the official repositories and avoid the use of the AUR. Especially due to the recent malware campaign. Others do use the ChaoticAUR to avoid longer compile times.
Long story short, you’ll have to dig for yourself. Or you simply ask “I need this kind of software, offering this kind of features. what can you recommend.” And it’s up to you to make your own choice, based on the (hopefully) several recommendations.
But sure, If you really want the recommendations of predominantly male guys that are already past their mid-life crisis. Sure. I can definitely can give an definite answer to all of your questions with: “It depends.”
If that doesn’t satisfy your request. Check alternativeto.org for the commercial software solution you’ld like to use on linux. And if there is a linux variant among the results. You’ll only need to identify the one which does meet your requirements.
Use at your own risk. . . that’s the bottom line. It put’s the user in the driver’s seat.
Rich 
https://archlinux.org/packages/extra/x86_64/audacious/
Music player that can be set to look like WinAmp and uses WinAmp themes
I installed ClamAV (extras) and ClamUI from Flathub and it works great. The ClamUI dev only offers flatpak or compile from source as install options.
Just understand it hasn’t seen an update since 2024
True, yet, it’s only the GUI, the underlying program is clamav, last update is March 2026 and the signatures are rolling.
There’s also ClamUI, which was mentioned a few posts above here.
at AUR it’s mentioned - Licenses: LicenseRef-EULA, means proprietary?
Looks like their website is made with AI, why would anyone spam (9-times) with same jopdf-linux-amd64_setup.deb download link on single page 
I ended up using clamdscan with multiscan option targeted on critical directories. Made an alias with it.