“`html

Homebrew 6.0.0: Tap Trust, Faster API, Linux Sandboxing, and macOS 27 Support

Key Takeaways:

The Tap Trust Security Mechanism

The headline security feature of Homebrew 6.0.0 is the tap trust mechanism, documented in full at docs.brew.sh/Tap-Trust. A third-party tap can contain arbitrary, unsandboxed Ruby code that executes on your machine during formula evaluation. Before 6.0.0, Homebrew would evaluate this code without asking whether you actually trusted the source. This created a supply-chain risk: a compromised or malicious tap could execute code during brew install or even brew tap.

Default Internal JSON API: Faster Updates, Less Network

Homebrew 6.0.0 makes the internal JSON API the default for all users. This API combines all of Homebrew’s metadata into a single download, so brew update completes faster and makes fewer network requests. It was opt-in via the HOMEBREW_USE_INTERNAL_API environment variable since version 5.0.0. That variable is now deprecated, and users who set it explicitly can safely remove it from their shell configuration.

The performance improvements are measurable and compound across common workflows. The brew leaves command runs approximately 30% faster, as confirmed by Homebrew team’s benchmarking. Bottle tab fetching during upgrade is now parallelized, meaning that when multiple bottles need to be fetched, downloads happen concurrently rather than sequentially. Ruby library loading at startup does less work, reducing the time before any brew command starts executing. Startup performance tweaks were applied across the board, including optimizations to how Homebrew loads its core libraries.

These improvements compound in practice. A typical brew update followed by brew upgrade feels noticeably faster, especially on machines with slower network connections. The single-download metadata approach reduces the number of HTTP requests during update from dozens to one, which matters for CI environments and developers on metered connections. The internal API was first introduced as an opt-in feature in Homebrew 5.0.0, then progressively improved and enabled for developers before becoming a universal default in 6.0.0.

Linux Sandboxing With Bubblewrap

Homebrew 6.0.0 introduces a Linux sandbox using Bubblewrap. This aligns Linux with macOS, where build, test, and postinstall phases already run sandboxed using Apple’s Seatbelt sandbox. The Linux sandbox is on by default for developers, matching macOS behavior where isolation is applied automatically.

Homebrew moved its macOS sandbox logic to shared code, so both platforms benefit from the same sandbox architecture. The Linux implementation covers several areas:

Cask executable hooks run sandboxed, preventing malicious cask installers from modifying system files.
Install phases are hardened with sandbox restrictions that limit filesystem and network access.
Logs are allowed within the build sandbox so debugging information is still accessible.
Bubblewrap is installed automatically on hosted Ubuntu CI runners, making the sandbox smooth in automated environments.
Homebrew skips sandbox setup for syntax-only jobs to avoid unnecessary overhead when no actual builds occur.

This is a meaningful change for Linux and WSL users who run Homebrew for development environments. Previously, a malicious formula could modify system files during the build phase on Linux. Now, builds run in an isolated environment with restricted filesystem and network access. For WSL users specifically, Homebrew 6.0.0 also labels WSL analytics separately and shows the Windows build version in brew config, providing better visibility into the environment.

The shared sandbox code between macOS and Linux means that improvements to sandboxing on one platform benefit the other. The Homebrew team invested in refactoring existing macOS sandbox logic into a shared module, then built the Linux Bubblewrap implementation on top of that foundation. This architectural decision reduces maintenance burden and ensures feature parity going forward.

Security Advisories and Patches in 6.0.0

Homebrew published three security advisories alongside the 6.0.0 release, each addressing a distinct vulnerability class. These advisories were coordinated with fixes that ship in the 6.0.0 release itself.

Advisory	GHSA ID	Vulnerability	Fix
Download redirect bypass	GHSA-7699-qf8c-q47m	The POST download strategy bypassed documented HTTPS-to-HTTP redirect protection by discarding the resolved URL.	Enforcing secure redirects so that HTTP-to-HTTPS downgrades are rejected.
Root code execution via Git hooks	GHSA-6689-q779-c33m	Root code execution was possible via Git hooks in the macOS .pkg postinstall script.	Cleaning Homebrew git state and replacing the installer git directory to remove any pre-existing hooks.
Installer plist hijack	GHSA-59v8-x8q4-px5c	The macOS installer package trusted a user-controlled /var/tmp plist and could assign Homebrew ownership to a local attacker.	Tweaking macOS .pkg package-user plist handling to validate the plist source.

Beyond these advisories, Homebrew 6.0.0 includes several additional security hardening measures. It filters sensitive environment variables during Ruby evaluations, preventing secrets from leaking through formula code. It defers HOMEBREW_* environment secrets to download time, reducing the window in which credentials are exposed in memory. It runs forbidden checks for casks and formulae before download, blocking known-bad packages before any network transfer occurs. And it lets users require checksums for casks with HOMEBREW_CASK_OPTS_REQUIRE_SHA, enforcing integrity verification on all cask downloads.

The redirect bypass advisory (GHSA-7699-qf8c-q47m) is particularly notable. Homebrew’s POST download strategy had documented protection against HTTPS-to-HTTP redirect downgrades, but the implementation discarded the resolved URL during redirect handling, effectively bypassing the protection. An attacker who could intercept or redirect the download connection could force a downgrade to unencrypted HTTP, enabling man-in-the-middle attacks on downloaded binaries. The fix enforces secure redirect checking at every hop.

The Git hooks advisory (GHSA-6689-q779-c33m) affected the macOS installer package. During postinstall, the .pkg script would run with root privileges, and if a malicious Git hook was present in Homebrew’s repository state, that hook would execute as root. The fix involves cleaning Homebrew’s git state and replacing the installer git directory entirely, ensuring no pre-existing hooks can execute during installation.

brew Bundle Improvements and Ask Mode

Homebrew 6.0.0 ships substantial improvements to brew bundle, the declarative dependency management feature. The most impactful change is parallel formula installation, which now runs jobs automatically by default. This means brew bundle installs multiple formulae concurrently rather than sequentially, significantly reducing total installation time for projects with many dependencies.

The bundle system also gains new extensions. brew bundle now supports npm for JavaScript project dependencies and krew for Kubernetes plugin management. On Windows, winget support was added, making Homebrew’s bundle system more useful in mixed-platform environments. Cleanup support was extended to npm, cargo, go, and uv extensions, so unused dependencies can be pruned across multiple package ecosystems from a single command.

A major usability change is ask mode becoming the default for developers. Following results from a Homebrew user survey, brew install and brew upgrade now show a dependency summary and confirmation prompt before making changes. Ask mode supports one-key confirmations (press a single key to approve), aligned dry-run prompts that show what would change without actually making changes, and fetches upgrades together for batch processing rather than one at a time.

Other notable bundle improvements include a --describe flag for brew bundle add that lets users annotate why each dependency was added, bundle type disable flags for excluding certain package types during restore, improved check guidance that gives clearer output when the bundle state does not match the Brewfile, and more secure npm installs that avoid running lifecycle scripts from untrusted packages.

macOS 27 Golden Gate Support and Intel Phase-Out

Homebrew 6.0.0 adds initial support for macOS 27 (Golden Gate). More significantly, it formalizes the end-of-life timeline for Intel Mac support within Homebrew.

macOS 27 drops Intel support entirely, and Homebrew’s support tiers reflect this transition. The timeline is definitive:

Date	Change	Impact
September 2026	macOS Intel x86_64 moves to Tier 3	No CI support, no new bottles (binary packages) built for macOS Intel.
September 2027	macOS Intel x86_64 becomes unsupported	All related Intel code deleted from Homebrew repositories.

This phase-out has practical implications for developers still on Intel Macs. After September 2026, new formula versions will not have pre-built binary bottles for Intel, meaning every install or upgrade will require compilation from source. This increases installation time and requires that build dependencies be present on the system. After September 2027, Homebrew will not run on Intel Macs at all, and all Intel-specific code paths will be removed from the codebase.

Casks that fail macOS Gatekeeper checks remain on track to be disabled in September 2026, continuing the deprecation path begun in Homebrew 5.0.0. The master-to-main migration that started in 4.6.0 also continues: more repositories no longer update the master branch, and GitHub Actions now warn users of @master references to migrate to @main. The sync-default-branches workflows have been removed from core and cask repositories.

Homebrew 6.0.0 also adds recognition for Apple’s M5 and M5 Pro/Max CPUs, ensuring accurate hardware detection on the latest Apple Silicon machines. This matters because Homebrew uses CPU architecture information to select the correct bottle variants and to apply appropriate optimization flags during compilation.

How to Upgrade to Homebrew 6.0.0

Upgrading to Homebrew 6.0.0 is straightforward for existing users. Run the standard update and upgrade sequence:

brew update
brew upgrade

The brew update command fetches the latest version of Homebrew itself, which will pull in version 6.0.0 from the official repository. After upgrading, you can verify the version with brew config and check that the internal JSON API is active. The HOMEBREW_USE_INTERNAL_API variable is deprecated and no longer needs to be set.

For users upgrading from versions earlier than 5.1.0, the release notes on Homebrew’s official blog provide a complete changelog. The deprecation notice also marks several now-default environment variables as deprecated, including HOMEBREW_BUNDLE_NO_SECRETS and HOMEBREW_USE_INTERNAL_API. Users who set these explicitly can safely remove them from their shell configuration.

After upgrading, review your tapped repositories. Third-party taps that were added before 6.0.0 will need explicit trust via brew trust <tap> before their formulae can be installed. Run brew tap-info --json=v1 to audit which taps are trusted and which are not. The Homebrew team also recommends reviewing the Tap-Trust documentation to understand the new security model and how it affects your workflow.

Homebrew 6.0.0 represents a significant shift in the package manager’s security posture. Between the tap trust mechanism, three patched advisories, Linux sandboxing, and environment variable filtering, this release addresses attack vectors that have existed for years. For teams that rely on Homebrew in CI/CD pipelines or shared development environments, upgrading and auditing tap trust should be a priority.

“`

Sources and References

This article was researched using a combination of primary and supplementary sources:

Supplementary References

These sources provide additional context, definitions, and background information to help clarify concepts mentioned in the primary source.

Homebrew 6.0.0: Enhanced Security and Performance Features