Shell Dep Version 46 Hot [RECOMMENDED]

The most critical dependency for GNOME Shell 46 is Mutter 46 (the window manager). Version 46 brought a major refactor of the renderer and input handling.

Execute your usual build or test suite. Monitor for the new hot cache logs (they appear in green with a 🔥 emoji).

This means the binary’s signature is older than the max_sig_age (default 30 days). It still works, but you’ll see a warning. To silence it, increase the age limit in .shell-dep.toml:

[hot]
max_sig_age_days = 60

Version 46 was quietly rolled into the Windows 11 24H2 preview channel and Windows Server 2025 Cumulative Update 3. According to the release notes (KB5049876—later marked as "covert engineering change"), the major shifts include:

The "hot" designation explicitly means: This version supports live, in-memory patching of the DEP policy without rebooting or restarting shell processes. In previous versions (44, 45), updating DEP rules required a full system restart or, at minimum, an sfc /scannow followed by a shell restart.

With Version 46 Hot, Microsoft claims zero-downtime reconfiguration of DEP rules for running process trees.


Upgrading is straightforward, but because of the cache and lockfile changes, do not do this on a Friday afternoon without testing.

The "hot" capability sounds like a benefit—and in many ways it is. Datacenter operators can update shell-level memory protections during peak hours. However, three major issues have emerged:

Because the patch is applied in-memory, a rollback to Version 45 requires a full reboot anyway. "Hot" is a one-way street. Several admins on r/sysadmin have termed it a "hot mess" version.

The real-time shell call tracing in Version 46 Hot triggers behavioral detections in CrowdStrike, SentinelOne, and Defender for Endpoint (before tuning). Specifically, sdepsvc.exe accessing the token of lsass.exe via a hot patch is flagged as T1003.001 (LSASS credential dumping). It’s a false positive—but one that can automatically quarantine a domain controller if not whitelisted.