Today, I’m proud to announce Homebrew 6.0.0. The most significant changes since 5.1.0 are a new tap trust security mechanism, the new faster, smaller, default internal Homebrew JSON API, sandboxing on Linux, better defaults informed by our user survey, many brew bundle improvements, improved performance and initial support for macOS 27 (Golden Gate).

✨ Highlights since 5.1.0

🔐 Tap trust

Homebrew 6.0.0 introduces tap trust. A third-party tap can contain arbitrary, unsandboxed Ruby that runs on your machine, so Homebrew now requires taps (and tap-qualified formulae and casks) to be explicitly trusted before their code is evaluated or run. This reduces the risk from malicious or compromised taps while leaving the official Homebrew taps trusted by default. See the new Tap-Trust documentation for details.

• Homebrew enforces initial tap trust so untrusted taps are flagged before their code runs, trusts qualified tap items before install, stops auto-tapping untrusted taps, pins tap allow, forbid and trust lists to remotes and uses tap trust when evaluating all formulae and casks.
• brew tap gains commands for managing tap trust, can trust a tap by its remote URL, brew trust adds a --json=v1 flag and brew tap-info adds a trusted field.
• brew bundle honours the trusted: option and brew bundle dump records trusted bundle entries, marking custom-remote taps as trusted.
• docs.brew.sh has new pages, including Tap-Trust, explaining Homebrew’s new tap trust model, and Homebrew trusts taps in test-bot.

⚡ Default internal JSON API

The internal JSON API is now the default, advancing the smaller API that Homebrew re-enabled and turned on for developers recently. It combines all Homebrew’s metadata into a single download, so brew updates faster and talks to the network less. It was opt-in via HOMEBREW_USE_INTERNAL_API since 5.0.0; that variable is now deprecated (see below).

🐧 Linux sandbox

The Linux Bubblewrap sandbox aligns Linux with macOS, where build, test and postinstall phases already run sandboxed. It is on by default for developers, Homebrew moved its macOS sandbox logic to share code, improved Linux sandbox behaviour (with Homebrew/homebrew-core setting the sandbox env in CI), hardened sandboxed install phases, sandboxed cask executable hooks, allowed logs in the build sandbox, installed Bubblewrap on hosted Ubuntu and skips sandbox setup for syntax-only jobs.

⚙️ Better defaults

📦 brew bundle

• brew bundle gains many improvements, most notably parallel formula installation that now runs jobs automatically by default, plus npm and krew extensions, wider cleanup support and, on Windows, winget support.
• Homebrew adds cleanup support to npm, cargo, go and uv extensions and asks before removing during cleanup.
• Homebrew runs brew bundle krew via kubectl-krew directly, respects CARGO_HOME and friends for cargo, adds a --describe flag to brew bundle add and tries mas install before falling back to mas get.
• Homebrew adds bundle type disable flags, improves check guidance and checks formula link status.
• Homebrew serialises formula locks, makes non-core DSLs a single file, removes description comments from brew bundle/remover and avoids parsing the output of brew services list.
• brew bundle performs npm installs more securely.

🏎️ Performance

Homebrew is faster across the board, with startup performance tweaks, a ~30% faster brew leaves, parallelised bottle tab fetching on upgrade and less work loading Ruby libraries at startup.

🍎 macOS 27 (Golden Gate)

Homebrew adds initial support for macOS 27 (Golden Gate).

🔮 Upcoming changes

🔒 Security

🚨 Security advisories

Homebrew published three security advisories:

🛡️ Other security improvements

🗑️ Deprecations

🎁 Features

🖥️ Casks

💻 Operating system support

🚰 Taps

ℹ️ brew info and brew tap-info

🆕 New commands, flags and output

🧊 Cooldowns, livecheck and bumping

⬇️ Downloads and fetching

🛎️ Services

🧪 Formulae and packaging

🪜 Install steps framework

• The install steps framework expresses common postinstall, preflight and postflight behaviour as ordered, literal-only DSL data that is exposed through the JSON APIs. Where a formula or cask only does simple file preparation, it no longer needs to download and evaluate a Ruby file at install time. Homebrew adds formula install steps, cask install steps, an audit for formula install steps, install step rebuild actions, rebuild step methods, rebuild step RuboCop checks and an audit of cask flight step conversions; homebrew/core and homebrew/cask adopt the new DSLs (post_install_steps, postinstall and flight steps). In homebrew/core and homebrew/cask this covers a large share of post_install and *flight blocks (creating directories, touching markers, moving and symlinking files), with more operation types planned.

🔀 Other changes

🧹 Internals, typing and refactors

🛠️ Continuous integration and developer tooling

📚 Documentation

Finally:

• Homebrew is a non-profit project run entirely by volunteers, not employees. We need your funds to pay for software, hardware and hosting around continuous integration and future improvements to the project. Every donation will be spent on making Homebrew better for our users. Please consider a regular donation through GitHub Sponsors, OpenCollective and Patreon.
• Homebrew/brew has no open issues at the time of writing 🎉.
• Homebrew has a brand new brew.sh homepage style.
• BrewUI is Homebrew’s upcoming official graphical interface. It’s not ready for general use yet.
• The brew-rs experiment in moving parts of Homebrew’s Ruby frontend to Rust has concluded: benchmarks showed Homebrew’s Rust frontend only ahead on narrow, already-cached bottle fetches, not on representative full installs (pouring bottles, linking, writing metadata and health checks), so the performance focus has moved back to Ruby and to starting useful network and disk I/O sooner. We’ve added an FAQ entry explaining all of this. Our numbers come from honest, fully-compatible comparisons. Not all unofficial Homebrew frontends seem to apply the same rigor to their benchmarks, compatability or security: your mileage with those may vary.
• Homebrew is increasingly a “package manager for everywhere”: Homebrew is recommended in Microsoft’s Windows Developer Config for WSL comfort, works well on Bazzite and now supports winget in brew bundle as a Windows-only feature.
• The Homebrew team is aware of the supply-side security issues with other package managers. We’ve taken various steps to mitigate these risks for our users, some existing (e.g. macOS sandboxing, human review on all changes, environment filtering, all package maintainers are Homebrew maintainers), some new (e.g. Linux sandboxing, sandboxing reads of sensitive locations, cooldown from riskier ecosystems). We will continue to monitor the supply-side security landscape and take further steps as needed. See the new Supply Chain Security documentation we’ve added for details.
• Homebrew has documented the principles behind our AI and LLM usage rules in a new Responsible AI Usage page.
• Homebrew has joined the Open Source Resistance and you should too.

Thanks to all our hard-working volunteer maintainers, contributors, sponsors and supporters for getting us this far.