Show HN: Homebrew 6.0.0
Homebrew 6.0.0 adds tap trust security, makes the internal JSON API default, and brings Linux sandboxing to parity with macOS.
Homebrew 6.0.0 introduces tap trust, requiring third-party taps to be explicitly trusted before their code runs, reducing risk from malicious or compromised taps. The internal JSON API becomes the default, combining all metadata into a single download for faster updates and less network traffic. Linux now gets Bubblewrap sandboxing for build, test, and postinstall phases, aligning with macOS behavior. The release improves brew bundle with parallel formula installation, npm and krew extensions, and Windows winget support. Ask mode is now default for developers, showing dependency summaries and confirmation prompts. Three security advisories were published and fixed: POST download strategy redirect bypass, root code execution via Git hooks in macOS installers, and untrusted plist handling. macOS 27 (Golden Gate) support is added; Intel x86_64 moves to Tier 3 in September 2026 with no new CI or binary packages.
What commenters are saying
Users reported auto-update behavior changes for casks with auto_updates: true in 6.0.0, which now upgrade by default unless HOMEBREW_NO_UPGRADE_AUTO_UPDATES_CASKS is set. One user asked about in-Brewfile tap trust syntax; the answer is brew tap/recipe with trusted: true. Discussion centered on package manager philosophy: some users switched to Mise or MacPorts to avoid mandatory upgrades and aggressive hardware deprecation cycles. One user requested global cooldowns for supply chain attack mitigation; Homebrew maintainers clarified that cooldowns exist for specific ecosystems (Bundler, RubyGems, npm, pip) but a global cooldown would be counterproductive since human review and CI testing already occur before shipping. The maintainer described actual human review as PR review of CI results and diffs, not line-by-line code inspection.