Homebrew 6.0.0 introduces mandatory tap trust and macOS 27 support

Homebrew has released version 6.0.0, marking a significant shift in how the package manager handles security and system integration. The update introduces a new tap trust mechanism that requires users to explicitly trust third-party taps before their code is evaluated or executed. This change aims to mitigate risks associated with malicious or compromised repositories, while official Homebrew taps remain trusted by default.

A core component of the release is the activation of the internal JSON API as the standard configuration. Previously an opt-in feature available since version 5.0.0 via the HOMEBREW_USE_INTERNAL_API variable, the API is now enabled by default and the variable has been deprecated. This modification consolidates metadata into a single download, reducing network traffic and accelerating update speeds.

Security protocols on Linux have been aligned with macOS standards through the introduction of sandboxing via Bubblewrap. The feature is enabled by default for developers, covering build, test, and post-install phases. This move brings Linux practices in line with existing macOS security measures, incorporating improvements to sandboxed install phases and executable hooks.

Performance enhancements are a key focus of the 6.0.0 release. Users can expect faster startup times due to reduced Ruby library loading, parallelised bottle tab fetching during upgrades, and a approximately 30 per cent increase in speed for the brew leaves command. These adjustments contribute to a more efficient overall experience for developers and system administrators.

The update also provides initial support for macOS 27, codenamed Golden Gate. Alongside these feature additions, Homebrew published three security advisories to address specific vulnerabilities. The release follows a trajectory of incremental improvements seen in versions 4.5.0 through 5.1.0, which expanded bundle support and Linux ARM64 compatibility.