Show HN: Homebrew 6.0.0

Today, I’m proud to announce Homebrew 6.0.0. The most significant changes since 5.1.0 are a new tap trust security mechanism, the new faster, smaller, default internal Homebrew JSON API, sandboxing on Linux, better defaults informed by our user survey, many brew bundle improvements, improved performance and initial support for macOS 27 (Golden Gate).

✨ Highlights since 5.1.0

🔐 Tap trust

Homebrew 6.0.0 introduces tap trust. A third-party tap can contain arbitrary, unsandboxed Ruby that runs on your machine, so Homebrew now requires taps (and tap-qualified formulae and casks) to be explicitly trusted before their code is evaluated or run. This reduces the risk from malicious or compromised taps while leaving the official Homebrew taps trusted by default. See the new Tap-Trust documentation for details.

• Homebrew enforces initial tap trust so untrusted taps are flagged before their code runs, trusts qualified tap items before install, stops auto-tapping untrusted taps, pins tap allow, forbid and trust lists to remotes and uses tap trust when evaluating all formulae and casks.
• brew tap gains commands for managing tap trust, can trust a tap by its remote URL, brew trust adds a --json=v1 flag and brew tap-info adds a trusted field.
• brew bundle honours the trusted: option and brew bundle dump records trusted bundle entries, marking custom-remote taps as trusted.
• docs.brew.sh has new pages, including Tap-Trust, explaining Homebrew’s new tap trust model, and Homebrew trusts taps in test-bot.

⚡ Default internal JSON API

The internal JSON API is now the default, advancing the smaller API that Homebrew re-enabled and turned on for developers recently. It combines all Homebrew’s metadata into a single download, so brew updates faster and talks to the network less. It was opt-in via HOMEBREW_USE_INTERNAL_API since 5.0.0; that variable is now deprecated (see below).

🐧 Linux sandbox

The Linux Bubblewrap sandbox aligns Linux with macOS, where build, test and postinstall phases already run sandboxed. It is on by default for developers, Homebrew moved its macOS sandbox logic to share code, improved Linux sandbox behaviour (with Homebrew/homebrew-core setting the sandbox env in CI), hardened sandboxed install phases, sandboxed cask executable hooks, allowed logs in the build sandbox, installed Bubblewrap on hosted Ubuntu and skips sandbox setup for syntax-only jobs.

⚙️ Better defaults

• Following our Homebrew user survey, we have made many changes based on the results. The most notable is making ask mode the default for developers, so brew install and brew upgrade show a dependency summary and confirmation prompt before making changes.
• Homebrew adds ask dependency plans and cask support, accepts one-key ask confirmations and aligns ask dry-run prompts.
• Homebrew fetches ask upgrades together, prints the ask upgrade summary sooner, skips the upgrade ask prompt when empty, adds a final brew upgrade summary and explains the upgrade metadata fetch.

📦 brew bundle

• brew bundle gains many improvements, most notably parallel formula installation that now runs jobs automatically by default, plus npm and krew extensions, wider cleanup support and, on Windows, winget support.
• Homebrew adds cleanup support to npm, cargo, go and uv extensions and asks before removing during cleanup.
• Homebrew runs brew bundle krew via kubectl-krew directly, respects CARGO_HOME and friends for cargo, adds a --describe flag to brew bundle add and tries mas install before falling back to mas get.
• Homebrew adds bundle type disable flags, improves check guidance and checks formula link status.
• Homebrew serialises formula locks, makes non-core DSLs a single file, removes description comments from brew bundle/remover and avoids parsing the output of brew services list.
• brew bundle performs npm installs more securely.

🏎️ Performance

Homebrew is faster across the board, with startup performance tweaks, a ~30% faster brew leaves, parallelised bottle tab fetching on upgrade and less work loading Ruby libraries at startup.

🍎 macOS 27 (Golden Gate)

Homebrew adds initial support for macOS 27 (Golden Gate).

🔮 Upcoming changes

• macOS 27 (Golden Gate) drops Intel support, so per our Support Tiers: in September 2026, macOS Intel x86_64 moves to Tier 3 with no CI support and no new bottles (binary packages) built for macOS Intel; in September 2027, macOS Intel x86_64 will be unsupported entirely and all related code deleted.
• The master to main migration begun in 4.6.0 continues: more repositories no longer update master, GitHub Actions warn @master users to migrate to @main and the sync-default-branches workflows are removed from Homebrew/homebrew-cask and Homebrew/homebrew-core.
• Casks that fail macOS Gatekeeper checks, deprecated in 5.0.0, remain on track to be disabled in September 2026.

🔒 Security

🚨 Security advisories

Homebrew published three security advisories:

• The POST download strategy bypassed the documented HTTPS-to-HTTP redirect protection by discarding the resolved URL (GHSA-7699-qf8c-q47m), fixed by enforcing secure redirects.
• Root code execution was possible via Git hooks in the macOS .pkg postinstall (GHSA-6689-q779-c33m), fixed by cleaning Homebrew git state and replacing the installer git directory.
• The macOS installer package trusted a user-controlled /var/tmp plist and could assign Homebrew ownership to a local attacker (GHSA-59v8-x8q4-px5c), fixed by tweaking the macOS .pkg package-user plist handling.

🛡️ Other security improvements

• Homebrew filters sensitive environment variables during Ruby evaluations and defers HOMEBREW_* environment secrets to download time.
• Homebrew runs forbidden checks for casks and formulae before download and lets you require checksums for casks with HOMEBREW_CASK_OPTS_REQUIRE_SHA.
• Homebrew links to a shared security policy.

🗑️ Deprecations

• Homebrew deprecates default opt-ins.
• Homebrew deprecates now-default bundle and internal API environment variables such as HOMEBREW_BUNDLE_NO_SECRETS and HOMEBREW_USE_INTERNAL_API.
• Homebrew marks unused options for deprecation.
• Various other Homebrew 6.0.0 deprecations.
• Homebrew’s SBOM support is now opt-in with HOMEBREW_SBOM.

🎁 Features

🖥️ Casks

• Homebrew can pin casks and supports casks in brew missing.
• Homebrew adds AppImage support for Linux and implements a Linux freedesktop trash for casks.
• Homebrew improves cask upgrades by sharing upgrade download queues, moving upgrade summaries before fetch, adding a quit opt-out and reopening closed apps during upgrade.
• Homebrew improves auto_updates casks: improving how they update, refining the behaviour further, gating auto-updates behind opt-in and upgrading them when the bundle version is stale.
• cask adds a generate_completions_from_executable DSL artifact and includes resolved artifact targets in JSON output.
• Homebrew shows a cask version transition in per-cask upgrade output, skips valid cached cask fetches, speeds up cask backup copies and has caskroom use the user’s primary group on Linux.
• brew doctor and brew cleanup handle corrupt Caskroom directories.

💻 Operating system support

• Homebrew makes Linux cask requirements explicit, aligns cask macOS dependencies, supports bare depends_on :macos in casks, tracks macOS support explicitly and emits Linux variations for casks with Linux checksums.
• Homebrew adds a maximum macOS for cask dependencies. Homebrew/homebrew-cask adopts the new depends_on maximum_macos: syntax and fixes its macOS dependencies in Homebrew/homebrew-cask and Homebrew/homebrew-core.
• Homebrew adds M5 and M5 Pro/Max CPU recognition and caps the OCLP tier when macOS is outdated.
• Homebrew labels WSL analytics, shows the Windows build on WSL in brew config and moves the wsl? boolean from OS::Linux up to the OS module.

🚰 Taps

• Homebrew recognises more equivalent tap remote forms, ignoring a .git suffix when matching GitHub remotes and consolidating tap remote normalisation. (and more)
• Homebrew handles formulae and casks more uniformly across commands, installs explicitly requested taps and stops implicit tap installation.
• Homebrew uses worktrees for local core taps and blocks worktree updates.
• Homebrew shares full-name parsing helpers and uses full-name helpers for split names.

ℹ️ brew info and brew tap-info

• brew info output is clearer: more consistent and helpful, with a Binaries section listing executables, a clearer recursive runtime dependencies line, clearer same-named conflicts and shadowed formulae and a list versions JSON output.
• brew info shows installed state better: the upgrade target for outdated @-versioned formulae, installed dependents with --verbose, deprecated and disabled packages in install status, installed formulae resolved from the receipt’s tap with a shadowing warning, the installed version and an upgrade hint on the headline, other installed versions and an installed info inventory.
• brew info and brew tap-info skip the uninstalled marker when not a problem, show more tap info for packages and brew tap-info lists formulae and casks.
• brew which-formula shows install status and Homebrew shows quarantine script usage.

🆕 New commands, flags and output

• brew exec is a new command, like npx, that supports formulae environments.
• brew as-console-user is a new command for running Homebrew as the right user under MDM/root environments and brew update <formula> is aliased to upgrade.
• Homebrew tidies help and completions: omitting aliases from completions, hiding HOMEBREW_CASK_OPTS_* from help, hiding maintainer commands and hiding hide_from_man_page commands from brew commands.
• Homebrew avoids install warning annotations and warns when formula executables are shadowed on PATH.

🧊 Cooldowns, livecheck and bumping

• Homebrew adds download cooldowns for Bundler, RubyGems livecheck, npm and pip defaults, PyPI resource resolution and npm and PyPI in bump to avoid upstream supply-side security risks.
• Homebrew prints bump skip status, messages and errors and checks RubyGems licences.
• Homebrew respects livecheck throttle days in audit, adds livecheck throttling by days and speeds up the formula throttle days check.

⬇️ Downloads and fetching

• brew fetch --all-platforms fetches every variant, Homebrew prints download error details when using concurrency, preserves partial downloads on network errors, avoids cached manifest downloads and hints when a download is HTML, not a binary.
• Homebrew avoids redundant Caskroom chgrp.

🛎️ Services

• Homebrew starts systemd timers for services, creates service path directories automatically (with Homebrew/homebrew-core adopting the new service path creation logic) and audits redundant service path setup.
• brew services no longer fails to load with --sudo-service-user.

🧪 Formulae and packaging

• Homebrew adds the VCS revision as scm_revision in the tab, supports in-repository patch files, supports CPS metadata directories and includes patches in formula to_hash.
• Homebrew respects installed dependents during autoremove and cross-checks autoremove candidates against formula definitions.

🪜 Install steps framework

• The install steps framework expresses common postinstall, preflight and postflight behaviour as ordered, literal-only DSL data that is exposed through the JSON APIs. Where a formula or cask only does simple file preparation, it no longer needs to download and evaluate a Ruby file at install time. Homebrew adds formula install steps, cask install steps, an audit for formula install steps, install step rebuild actions, rebuild step methods, rebuild step RuboCop checks and an audit of cask flight step conversions; homebrew/core and homebrew/cask adopt the new DSLs (post_install_steps, postinstall and flight steps). In homebrew/core and homebrew/cask this covers a large share of post_install and *flight blocks (creating directories, touching markers, moving and symlinking files), with more operation types planned.

🔀 Other changes

• brew vulns is a new Homebrew tap and subcommand that checks installed packages for known vulnerabilities 🔒.
• Homebrew warns for Nix-managed Homebrew.

🧹 Internals, typing and refactors

• Homebrew replaces brew which-update, uses an AST for source rewrites and enforces public API visibility and docs.
• Homebrew reworks command parsing: parser subcommand scaffolding, converting the bundle, services and remaining subcommands, scoping subcommand option constraints and usage help, and no longer restricting global options to subcommands.
• Homebrew limits Sorbet runtime defaults and limits recursive Sorbet in test-bot.

🛠️ Continuous integration and developer tooling

• The Ubuntu 24.04 CI migration flagged in 5.1.0 for 6.0.0 has now landed, raising the Linux baseline.
• Homebrew annotates test-bot dependency impact, closes API-created issues that do not match a template and closes incomplete PRs.
• Homebrew’s setup-homebrew GitHub Action defaults to the stable tag and trusts taps on non-stable brew.
• brew lgtm covers tap audits and formula tests and Homebrew works around a non-writable cache for lgtm commands in brew.sh.
• workflows/docker builds Ubuntu 26.04 images and test disables return false handling.

📚 Documentation

• Homebrew’s documentation improves: the Rosetta cask support policy, unsupported multi-user setups, notability requirements, -full formula guidance, upstream expectations and lifecycle requests, the new auto_updates behaviour and a consolidated deprecation policy.
• Homebrew clarifies compatibility_version guidance and Homebrew/homebrew-core backfills compatibility_version 1. This will help reduce the number of formulae that need upgraded by brew upgrade over time.

Finally:

• Homebrew is a non-profit project run entirely by volunteers, not employees. We need your funds to pay for software, hardware and hosting around continuous integration and future improvements to the project. Every donation will be spent on making Homebrew better for our users. Please consider a regular donation through GitHub Sponsors, OpenCollective and Patreon.
• Homebrew/brew has no open issues at the time of writing 🎉.
• Homebrew has a brand new brew.sh homepage style.
• BrewUI is Homebrew’s upcoming official graphical interface. It’s not ready for general use yet.
• The brew-rs experiment in moving parts of Homebrew’s Ruby frontend to Rust has concluded: benchmarks showed Homebrew’s Rust frontend only ahead on narrow, already-cached bottle fetches, not on representative full installs (pouring bottles, linking, writing metadata and health checks), so the performance focus has moved back to Ruby and to starting useful network and disk I/O sooner. We’ve added an FAQ entry explaining all of this. Our numbers come from honest, fully-compatible comparisons. Not all unofficial Homebrew frontends seem to apply the same rigor to their benchmarks, compatability or security: your mileage with those may vary.
• Homebrew is increasingly a “package manager for everywhere”: Homebrew is recommended in Microsoft’s Windows Developer Config for WSL comfort, works well on Bazzite and now supports winget in brew bundle as a Windows-only feature.
• The Homebrew team is aware of the supply-side security issues with other package managers. We’ve taken various steps to mitigate these risks for our users, some existing (e.g. macOS sandboxing, human review on all changes, environment filtering, all package maintainers are Homebrew maintainers), some new (e.g. Linux sandboxing, sandboxing reads of sensitive locations, cooldown from riskier ecosystems). We will continue to monitor the supply-side security landscape and take further steps as needed. See the new Supply Chain Security documentation we’ve added for details.
• Homebrew has documented the principles behind our AI and LLM usage rules in a new Responsible AI Usage page.
• Homebrew has joined the Open Source Resistance and you should too.

Thanks to all our hard-working volunteer maintainers, contributors, sponsors and supporters for getting us this far.