Major changes and deprecations since 5.0.0:

• brew bundle manages Rust Cargo packages from Brewfiles, uv tools and Flatpak remotes or apps.
• brew bundle fetches downloads in parallel before install, auto-taps formulae and casks from external taps, uses mas get for better fresh Apple ID handling, sets HOMEBREW_INSIDE_BUNDLE and adds --no-secrets for safer environment inspection.
• brew version-install creates, extracts and installs older formula versions in one step.
• Homebrew publishes an unversioned Homebrew.pkg installer URL and uses Portable Ruby 4.0.1 with Ruby 4.0.
• Homebrew adds ffmpeg-full, imagemagick-full, automatic linking for versioned or -full keg-only formulae when the unversioned sibling is absent and stricter rejection of dependencies on *-full formulae.
• Homebrew deprecates Formula#needs and needs :openmp, option :cxx11 and option :universal and other APIs scheduled for the normal release-cycle removals.

Upcoming changes:

• Homebrew plans the Ubuntu 24.04 CI migration for 5.2.0, which is expected to raise the Linux baseline to glibc 2.39 and libstdc++ 6.0.33.
• Homebrew continues the master to main migration introduced in 4.6.0; some repositories stop updating master in 5.1.0 and the remaining compatibility branches are scheduled for removal in 5.2.0 in favour of main.

Homebrew’s other changes since 5.0.0 worth highlighting are the following:

• brew services supports nice priorities for services.
• brew services sets ThrottleInterval for LaunchAgents and LaunchDaemons on macOS.
• brew sh --ruby opens a shell with Homebrew’s bundled Ruby and Bundler preconfigured.
• brew shellenv uses simpler shell detection and is easier to override when auto-detection is wrong.
• brew lgtm is recommended in the PR template before submitting changes and brew lgtm --online covers checks that need network access.
• brew --taps prints Homebrew’s taps directory.
• brew source jumps straight to a formula’s source repository.
• brew tap-info exits with a failure status for unknown taps, which makes scripting more reliable.
• brew edit auto-taps Homebrew/core or Homebrew/cask when API-known formulae or casks are edited on tapless installs.
• brew config on macOS reports the detected Metal toolchain version.
• brew info marks installed and uninstalled formulae or casks more clearly.
• brew search labels deprecated and disabled formulae and casks directly in search results.
• brew outdated respects HOMEBREW_UPGRADE_GREEDY_CASKS.
• brew doctor warns early when Linux glibc is older than the upcoming CI baseline.
• brew uninstall refuses to uninstall casks that other installed casks depend on and keeps going when one requested formula or cask fails.
• brew upgrade and brew reinstall keep working through individual name-resolution failures instead of stopping early.
• Homebrew requires AI-assistance disclosure in PRs, documents preferred AI and LLM usage in contributions and ships a CLAUDE.md guide alongside AGENTS.md.
• Homebrew GitHub Actions include cache-homebrew-prefix for prefix caching in CI..
• Homebrew GitHub Actions include setup-ruby for Ruby setup through Homebrew in CI.
• Homebrew preserves WSL_DISTRO_NAME, which keeps CLI tools launched from WSL behaving correctly.
• Homebrew shows a progress bar for concurrent downloads.
• Homebrew audits better distinguish true self-submissions from other new-formula submissions.
• Homebrew allows dashes anywhere in tap names, not just after the homebrew- prefix.
• Homebrew auto-bumps resources within formulae that have explicit livecheck blocks.
• Homebrew points issue reporters to GitHub Discussions sooner when issues are not the best fit and updates contributor guidance on when to open discussions, PRs and issues.
• Homebrew checks SSSE3 support more clearly on Linux x86_64 when Homebrew requires it.
• Homebrew falls back to simpler output on dumb terminals, which avoids garbled progress display in shells such as Emacs.
• Homebrew keeps custom HOMEBREW_CURLRC paths through brew update.
• Homebrew points unsupported older macOS releases to MacPorts instead of unsupported Homebrew installs.
• Homebrew removes legacy migration code for the old linuxbrew repository, removes the remaining automatic migration logic for old linuxbrew-core formulae and removes more obsolete linuxbrew-core migration entries.
• Homebrew uses the correct Portable Ruby URLs for custom HOMEBREW_ARTIFACT_DOMAIN mirrors and uses the correct mirror links when building brew mirror URLs.
• Homebrew guides contributors toward the modern command API as more legacy CLI parser fallback paths are removed.
• Homebrew contributor guidance tells LLM-assisted contributors to run the repository’s own ./bin/brew so local checks match CI more closely.
• Homebrew reuses cached API data for up to 7 days in more places, reducing needless refreshes.
• Homebrew lets old installed casks that still contain removed DSL such as appcast uninstall or upgrade again and filters broken Caskroom metadata out of installed-cask listings.
• Homebrew closes cleanup lockfiles properly, avoiding a file descriptor leak.
• Homebrew caching-proxy docs cover the Formulae API as well as bottles.
• Homebrew cask acceptance docs explain the notability bar for self-submitted casks more clearly and state that dropping support for current macOS versions can lead to rejection.
• Homebrew support-tier docs state that outdated macOS developer tools count as Tier 2 and brew doctor uses clearer wording about when to report issues from Tier 2 configurations.
• Homebrew formulae can use simpler shell-completion helpers, including a predefined :cobra format and a built-in :typer format.
• Homebrew audits revision and compatibility_version changes more strictly, which helps catch ABI mistakes earlier.
• Homebrew linkage checks fail indirect linkage problems more consistently, which helps catch broken dependencies earlier.
• Homebrew std_npm_args disables package scripts by default, reducing exposure to malicious npm install hooks.
• Homebrew container registry users can omit the Docker authentication header by setting HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN=none.

Finally:

• Homebrew simplified its governance model, cleaned up the related docs and updated references to the current Lead Maintainers.
• Homebrew is running a short user survey to help inform future development.
• Homebrew accepts donations through GitHub Sponsors, OpenCollective and Patreon.

Homebrew thanks all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 4.6.0:

• HOMEBREW_DOWNLOAD_CONCURRENCY=auto is set by default. This enables parallel downloads by default for all users. It can be disabled by setting HOMEBREW_DOWNLOAD_CONCURRENCY=1. Concurrent downloads now have progress reporting. We expect there may be a long-tail of issues, please report them!
• Homebrew has promoted Linux ARM64/AArch64 to Tier 1 support.
• Casks without codesigning are deprecated. We will disable all Homebrew/homebrew-cask casks that fail Gatekeeper checks in September 2026.
• Homebrew now provides official macOS 26 (Tahoe) support. Homebrew’s future macOS support is noted in our Support Tiers document at https://docs.brew.sh/Support-Tiers#future-macos-support.
  • In September (or later) 2026, Homebrew will not run on macOS Catalina 10.15 and earlier and macOS Intel x86_64 will move to Tier 3, dropping CI support and no additional bottles (binary packages) will be built for macOS Intel.
  • In September (or later) 2027, Homebrew will not run on macOS Big Sur 11 on Apple Silicon or at all on Intel x86_64.
• HOMEBREW_USE_INTERNAL_API allows opt-in to the new, smaller internal Homebrew JSON API. This will become the default behaviour in a later version of Homebrew. Please consider opting-in now and reporting any issues you encounter.
• --no-quarantine and --quarantine flags have been deprecated as Homebrew does not wish to easily provide circumvention to macOS security features.
• Various other deprecations/disables/removals.

Other changes since 4.6.0 I’d like to highlight are the following:

• brew bundle supports installing go packages in Brewfile. brew bundle --no-go and HOMEBREW_BUNDLE_DUMP_NO_GO will opt-out of this behaviour.
• brew bundle defaults the global Brewfile location to the user configuration directory.
• brew bump-*-pr will automatically tap core taps if needed.
• brew doctor skips the disclaimer when --quiet is passed.
• brew doctor warns on a pkg-config macOS SDK version mismatch.
• brew mcp-server provides more development commands.
• brew search --alpine searches Alpine Linux packages.
• brew services supports keep_alive systemctl services with Restart=on-failure.
• brew info --sizes shows the sizes of each formula and cask.
• brew audit will do online checks for Codeberg repositories.
• brew lgtm runs multiple style checks in one command.
• brew release now runs the release workflow and uploads artifacts. This means Homebrew/brew now uses immutable releases.
• brew style --changed checks style on all changed files in a repository or tap.
• Homebrew/homebrew-test-bot, Homebrew/homebrew-portable-ruby and Homebrew/command-not-found were imported into Homebrew/brew. This means all Homebrew external commands have now been moved into primary repositories (Homebrew/brew, Homebrew/homebrew-core or Homebrew/homebrew-cask).
• /usr/local prefix replacement is more selective to increase the number of relocatable bottles.
• launchctl service removal sudo failures are non-fatal.
• CGO_ENABLED is enabled by default on ARM64 Linux.
• pkgconf will be reinstalled automatically on a macOS version mismatch.
• rubydoc.brew.sh has been redirected to docs.brew.sh/rubydoc.
• head Git URLs always require a branch name.
• HOMEBREW_FORBIDDEN_CASK_ARTIFACTS allows selectively blocking cask install methods.
• HOMEBREW_DEVELOPER is required when installing formulae from paths.
• Formula’s compatibility_version DSL will help us reduce the number of upgrades needed in future.
• Formula’s no_linkage DSL will help stricter linkage detection and avoid issues.
• Formulae can be migrated to casks within the same tap.
• Linux’s host libstdc++ (instead of gcc) is used for automatically determining if a brewed gcc dependency is needed.
• Homebrew will avoid downloading JSON API files multiple times per run.
• Homebrew no longer provides CI for macOS Ventura in Homebrew/core.
• Homebrew’s Linux CI uses GCC 12.
• Homebrew will not run on macOS Mojave and older.
• Homebrew prefers LLVM’s clang over gcc on macOS.
• Homebrew defaults to -O2 with gcc.
• Dependencies are resolved correctly when installing older bottles.
• Casks are better supported and have better usability on Linux.

Finally:

• We have clarified our stance on adult content in Homebrew formulae and casks.
• We have loosened our criteria for accepting software into Homebrew.
• Homebrew accepts donations through GitHub Sponsors, OpenCollective and Patreon. If you can afford it, please consider donating.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 4.5.0:

• HOMEBREW_DOWNLOAD_CONCURRENCY is a new environment variable that allows opt-in to Homebrew’s new download concurrency support. We recommend using HOMEBREW_DOWNLOAD_CONCURRENCY=auto as a starting point. This will become the default behaviour in a later version of Homebrew (with an opt-out).
• Homebrew provides preliminary macOS 26 (Tahoe) support. It will be officially supported after Apple’s public release.
• brew mcp-server is an MCP server for Homebrew and is available in Homebrew by default.
• Miscellaneous additional code deprecations, disables and removals scheduled for Homebrew 4.6.

Other changes since 4.5.0 I’d like to highlight are the following:

• All repositories in the Homebrew organisation, including e.g. Homebrew/brew, Homebrew/homebrew-cask and Homebrew/homebrew-core, now use main as their default branch.
• All casks submitted in Homebrew/homebrew-cask must be signed. We have not yet completed the process of disabling/removing those that aren’t but this will happen at some point in the future.
• Homebrew prohibits non-ASCII characters in URLs.
• Homebrew now allows users in Tier 2/3 to file some types of issues.
• Homebrew’s .pkg and official/shell installers will now add Homebrew to the default PATH if possible.
• Third-party Homebrew GitHub Packages mirrors that do not require authentication now work as expected.
• HOMEBREW_FORBID_CASKS is a new environment variable that forbids all casks.
• HOMEBREW_VERIFY_ATTESTATIONS must be explicitly set again, even for HOMEBREW_DEVELOPERs.
• brew no longer copies across zeroed environment-variable values.
• brew resets the sudo timestamp later so it’s not done by e.g. brew --prefix or brew shellenv but remains done by e.g. brew install.
• brew --debug output is a bit quieter by default.
• brew bundle no longer uses the brew tap --force-auto-update option as it was removed.
• brew bundle better handles cask renames for brew bundle and brew bundle dump.
• brew bundle refers to “formulae” rather than “brews” for consistency with other parts of Homebrew.
• brew bundle add will create a Brewfile if it doesn’t exist.
• brew cleanup doesn’t warn when loading a renamed cask.
• brew install outputs a better error message when there are tap conflicts.
• brew install --ask will also prompt before installing casks.
• brew uninstall won’t suggest deleting configuration files that belong to other formulae.
• brew update displays descriptions for new formulae and casks.
• brew update will migrate taps from master to main when necessary.
• brew pin returns a non-zero exit code if pinning formulae that are not installed.
• brew sh and brew bundle sh use more of the user’s configuration but provide a custom prompt.
• brew audit ensures that official formula and cask names don’t conflict.
• brew deps outputs a warning when runtime dependencies are not used (so results may be inconsistent or confusing).
• env_script_all_files in formulae won’t overwrite existing files.

Finally:

• Homebrew is now on Bluesky.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 4.4.0:

brew bundle and brew services

• The documentation for Homebrew Bundle, brew bundle and Brewfile has been hugely improved. It also documents the many new brew bundle features and changes in this release.
• brew bundle and brew services are built-in commands instead of being provided by an external tap.
• brew bundle (exec|env|sh) no longer filter the user’s environment (like other brew commands do)
• brew services supports passing multiple formulae
• Brewfiles have a version_file: DSL that allows brew bundle to write to e.g. a .ruby-version file based on the installed version
• brew bundle no longer includes ${HOMEBREW_PREFIX}/bin in the $PATH by default. You can do this in your Brewfile with ENV["PATH"] = "#{HOMEBREW_PREFIX}/bin:#{ENV["PATH"]}".

Linux casks

• Some Homebrew casks are supported on Linux. Right now these are mostly fonts and those with Linux binaries. Some casks will never be available on Linux, such as those for macOS-specific software. The Homebrew Linux fonts cask tap has been deprecated as a result.
• brew bump-cask-pr allows bumping multi-platform casks on Linux

Support Tiers

• Homebrew has three documented Support Tiers plus Unsupported. Tier 1, previously called “supported”, is where you’ll get bottles/binary packages and we have CI coverage.
• brew doctor links to Support Tiers
• brew doctor checks for OpenCore Legacy Patcher
• Clarify that the OpenCore Legacy Patcher is Tier 2 or 3

ARM64 Linux

• Homebrew provides a Portable Ruby for ARM64 Linux. This is the first step towards hopefully being able to provide Tier 1 support for ARM64 Linux in the future.
• Homebrew refers to ARM64 Linux, not AArch64 Linux (for consistency with macOS)
• Homebrew publishes some ARM64 Docker images

Ruby

• Homebrew provides Portable Ruby 3.4.3. It also requires Ruby >=3.4 to run.
• Homebrew has enabled Bootsnap by default. This should make repeated invocations of brew much faster.

Deprecations

• Homebrew 4.5’s various deprecations/disables/removals
• The Ubuntu 18 Docker image has been removed

Other changes since 4.4.0 I’d like to highlight are the following:

• brew install --ask and HOMEBREW_ASK allow viewing the packages, dependencies and sizes in a prompt before installation
• brew install --skip-link allows installation without running brew link
• brew update-if-needed provides a much faster possible replacement for brew update that does nothing if no auto-update is required
• brew install --as-dependency allows installation of formulae as dependencies rather than “on request”
• brew allows being run by root in podman containers
• HOMEBREW_TEMP defaults to /var/tmp on Linux, assuming it exists, is readable and is writable
• brew install --cask produces fewer GitHub Actions warnings
• Homebrew supports GCC 15
• brew pyenv-sync creates major version symlinks to fix pyenv support
• The Homebrew macOS .pkg installer will upgrade existing installations
• HOMEBREW_UPGRADE_GREEDY_CASKS allows specifying a list of casks that should always be upgraded with --greedy
• Formulae can include PowerShell (pwsh) or clap completions.
• @@HOMEBREW_PREFIX@@ can be replaced with the value of HOMEBREW_PREFIX in external patches
• brew alias and brew unalias commands are part of Homebrew/brew rather than an external tap
• brew edit and brew bundle edit look for VSCode variants, e.g. Cursor
• brew bump* can bump synced formulae together
• brew *env-sync has a HOMEBREW_ENV_SYNC_STRICT mode for stricter version handling
• In formulae and casks, deprecate!/disable! support specifying replacement software and can specify replacement type
• brew bump-* only warns, rather than errors, on duplicate PRs for non-official taps
• brew verify allows verifying package attributions
• brew audit flags pkg-config dependencies in core tap. We have fully moved to using pkgconf in Homebrew/homebrew-core instead.
• Formulae allow using Sequoia’s jq instead of Homebrew’s
• brew config prints the current Homebrew/brew branch
• Homebrew’s Tabs/INSTALL_RECEIPT.json include the bottle_rebuild in runtime_dependencies
• Homebrew will use macOS’s new lockf where available
• Homebrew’s CI is no longer running brew tests on macOS 13. It was too slow and we’re dropping macOS 13 support later this year.

Finally:

• Homebrew has switched to SSH-based Git commit signing
• Homebrew has provided FAQs about their relationship with Workbrew
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

As part of this change, we will be rotating our @BrewTestBot’s key. This rotation should not affect most users, but you may notice it if you currently manually verify git commits from Homebrew/brew, Homebrew/homebrew-core, or similar.

Once all repositories have been transitioned, we will revoke the old PGP key to prevent unintended future use:

• Main key: 3C76C3F1E573FA9E
• Signing subkey: 82D7D104050B0F0F

The new SSH signing key has the following public half:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0QzQJ6gl6Yxru0QrSaDRNatiHajcKxDu9lxQrFl8Nw

Users can also discover this signing key programmatically through GitHub’s REST API:

$ gh api /users/BrewTestBot/ssh_signing_keys
[
  {
    "id": 475371,
    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0QzQJ6gl6Yxru0QrSaDRNatiHajcKxDu9lxQrFl8Nw",
    "title": "BREWTESTBOT_SSH_SIGNING_KEY",
    "created_at": "2025-02-03T17:50:27.377+01:00"
  }
]

We understand that the community will, rightly, have questions. You’ll find some answers below. This relationship is mutually beneficial: Workbrew employees work on Homebrew during working hours, and Workbrew sponsors Homebrew on GitHub Sponsors. Workbrew’s founders care deeply about the success and independence of Homebrew.

Homebrew itself is and will always remain open source and free (as in speech and beer 🍺).

Homebrew and Workbrew FAQs

How are Homebrew and Workbrew related?

Homebrew is an open source project and part of the non-profit Open Source Collective run by unpaid volunteers (bar a small $300/month stipend for opted-in active maintainers).

Workbrew is a product (with paid tiers) and company run by founders and employees.

At the time of writing, some of Homebrew and Workbrew’s leadership overlap (@MikeMcQuaid, @mozzadrella) and Workbrew employs some Homebrew maintainers (@Bo98, @carlocab).

Is Workbrew in control of Homebrew?

No. Homebrew has an independent governance structure that can only be changed through a supermajority of votes cast. Homebrew’s Project Leadership Committee (PLC) restricts any employer (including Workbrew) from holding more than 2 seats on the PLC.

Additionally, on the code side, Homebrew is BSD-2 licensed with no CLA and >10,000 contributors.

In practice, this means that neither Homebrew or Workbrew could relicense Homebrew without >10,000 people agreeing to it (or their code being rewritten) which is essentially impossible.

Is Workbrew going to make us pay for Homebrew?

No. Only Homebrew could decide to do this and we have no plans to do so. Workbrew includes Homebrew and charges money for certain Workbrew plans - as permitted by Homebrew’s license - but cannot ever make Homebrew not open source.

Did Homebrew know this was coming?

Yes. Workbrew kept Homebrew’s leadership, maintainers and membership in the loop from early in the company’s conception. We’re very grateful for this transparency.

Major changes and deprecations since 4.3.0:

• macOS Sequoia (15) is officially supported by Homebrew.
• Newly installed casks have install receipts (INSTALL_RECEIPT.json files).
• macOS Monterey (12) is no longer supported by Homebrew and no longer a CI target for Homebrew.
• External commands in the old, non-AbstractCommand style are deprecated and should be migrated to AbstractCommand.
• Disabled packages output the date when they will be disabled.
• url do blocks are deprecated for casks.
• An Ubuntu 24.04 Docker image was added.
• The Ubuntu 18.04 Homebrew Docker image is deprecated.
• brew tab is a new command for editing tab information.
• Setting Homebrew’s boolean environment variables to falsey values is deprecated.
• Homebrew no longer supports building with GCC 4.9, 5 and 6.
• The usual cycle of deprecations, disables and code removals.

Other changes since 4.3.0 I’d like to highlight are the following:

• Homebrew uses Ruby 3.3.5.
• brew upgrade --cask --quiet is quieter.
• brew outdated assumes the --greedy flag was passed when HOMEBREW_UPGRADE_GREEDY is set.
• brew install --cask --adopt only cares if the cask doesn’t auto-update.
• brew search --desc and brew desc --search use the JSON API’s data for description searches.
• brew autoremove does not remove formulae that were built from source.
• Homebrew will rewrite node shebangs on installation (mirroring python and perl).
• brew install will prioritise homebrew-cask casks over non-Homebrew organisation formulae.
• brew info will show size information for bottles.
• brew list has new --poured-from-bottle and --built-from-source flags.
• brew shellenv will set XDG_DATA_DIRS on Linux.
• brew typecheck supports using Sorbet for typechecking in taps.
• HOMEBREW_NO_BUILD_ERROR_ISSUES is a new environment variable that prevents Homebrew from searching for relevant GitHub issues on a build error.
• brew search allows searching with @ and + characters.
• A homebrew/brew:master Docker image was added.

Finally:

• Homebrew’s 501c3 OpenCollective is empty. We are only using our 501c6 OpenCollective.
• In case you missed it, Homebrew had a 2023 security audit that was released in July.
• Homebrew had a Summer 2024 Hackathon in July which focused on implementing the results of the security audit and improving performance of many parts of Homebrew.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

You can read Trail of Bits’ blog post on the audit here and find the full public report here.

Homebrew’s maintainers and Project Leadership Commitee would like to thank Open Technology Fund and Trail of Bits for sponsoring and running this engagement. Our partnership directly improves the security of Homebrew and open source software in general.

Scope: Homebrew/brew, Homebrew/actions, Homebrew/formulae.brew.sh, Homebrew/homebrew-test-bot.

Findings by severity:

• High: 0
• Medium: 14
• Low: 2
• Informational: 7
• Undetermined: 2

Mitigation & acknowledgement:

1. Path traversal during file caching
   • Status: Fixed
2. Sandbox escape via string injection
   • Status: Fixed
3. Allow default rule in sandbox configuration is overly permissive
   • Status: Fixed
4. Special characters are allowed in package names and versions
   • Status: Acknowledged
5. Use of weak cryptographic digest in Formulary namespaces
   • Status: Fixed
6. Extraction is not sandboxed
   • Status: Acknowledged
7. Use of ldd on untrusted inputs
   • Status: Fixed
8. Formulas allow for external resources to be downloaded during the install step
   • Status: In Progress
9. Use of Marshal
   • Status: Fixed
10. Lack of sandboxing on Linux
    • Status: Acknowledged
11. Sandbox escape through domain socket pivot on macOS
    • Status: In Progress
12. Formula privilege escalation through sudo
    • Status: Fixed
13. Formula loading through SFTP, SCP, and other protocols
    • Status: Fixed
14. Sandbox allows changing permissions for important directories
    • Status: Fixed
15. Homebrew supports only end-of-life versions of Ruby
    • Status: Fixed
16. Path traversal during bottling
    • Status: Fixed
17. FileUtils.rm_rf does not check if files are deleted
    • Status: In Progress
18. Use of pull_request_target in GitHub Actions workflows
    • Status: Fixed: 1, 2.
19. Use of unpinned third-party workflow
    • Status: Fixed across the codebase via multiple PR’s.
20. Unpinned dependencies in formulae.brew.sh
    • Status: Fixed
21. Use of RSA for JSON API signing
    • Status: Acknowledged. Ed25519 was not an option when this was introduced. The next key reroll will use Ed25519.
22. Bottles beginning “-“ can lead to unintended options getting passed to rm
    • Status: Fixed
23. Code injection through inputs in multiple actions
    • Status: Fixed across the codebase via multiple PR’s.
24. Use of PGP for commit signing
    • Status: Acknowledged. Plans to remove the bot account using PGP have been established.
25. Unnecessary domain separation between signing key and key ID
    • Status: Acknowledged. Will be resolved with the next key reroll.

Background

Since 2019, Homebrew’s maintainers meet annually for the “Annual General Meeting” in Brussels, Belgium. At AGM’s inception, Brussels was deemed a convenient location for the predominantly European team to coincide with the free FOSDEM conference. Since then, the global distribution of the core team has expanded.

At the same time, maintenance issues related to performance (the not-so-glamorous tasks of running a mature project that the whole world relies upon) and the remaining pieces of the Trail of Bits Security Audit needed to be completed.

The Project Leadership Team decided to undertake an experiment: our first North American in-person event, thematically focused and with an application process.

Of the 16 applications, 12 participants were accepted.

Event design + impact

On the first day of the three-day event, Project Leader Mike McQuaid gave a presentation about how to triage and measure the highest-impact performance-related issues:

From there, participants tackled high-priority issues, raising pull requests in the dedicated Slack channel to ensure speedy reviews.

Participants worked synchronously and co-located over three days, with standup around 9:30am and departing at 5:00pm. Dinners were optional but provided opportunities for additional discussion:

Impact

Participants made significant progress in the following areas:

• Security Issues: Several contributors focused on fixing security vulnerabilities highlighted in the Trail of Bits Homebrew audits, such as sandboxing improvements, GitHub Actions security, and privilege escalation prevention.
• Performance Enhancements: Efforts were made to speed up operations like concurrent downloads and repository handling, resulting in significant gains.

Outcomes

In addition to the direct impact participants had by shipping code, there’s some evidence that this in-person gathering may have increased the capacity of maintainers in areas of security and performance, which will ultimately benefit the project in the future:

1 = least likely, 5 = most likely

While the event seemed successful to us as organizers, we also wanted to hear from the participants themselves as part of our evaluation.

Event evaluation

Overall, the hackathon received positive feedback:

• Organizational Success: Participants praised the event’s organization, particularly highlighting Vanessa’s efforts and the conducive environment at IndyHall.
• Productive Collaboration: The in-person collaboration facilitated rapid progress and effective problem-solving, which participants found highly beneficial. Direct interaction enabled efficient idea exchange and immediate problem resolution. Participants appreciated the social interactions and the chance to work closely with peers they usually communicate with asynchronously.

Participants themselves assessed the event as successful:

1 = least successful, 5 = most successful

One of the unexpected effects of the rapid progress was a flurry of notifications for the maintainers who were not attending the event:

Apologies, Eric.

First-person accounts

In their own words, participants identified key benefits:

What in particular made the Hackathon successful or not successful?

• A fun experience overall, I got to work on aspects of Homebrew that I had never dealt with before and met some wonderful people!
• The efficient exchange of ideas made it very successful in my opinion. We have probably never had a time when we were able to fix this many issues and make this many improvements to Homebrew within such a short period.
• There were a lot – we fixed many problems, had various foods, and had a great time together. If I had to choose one, it would still be about the in-person nature of the event. It not only made it much easier to share ideas, but also strengthened the bond between our maintainers.
• The list of issues from the audit helped to outline the work to be done.
• The organization - Vanessa did an awesome job - thank you! The security stuff was awesome to get some issues burned down. Philly’s a great city. IndyHall is a great venue. And it was really nice to just be!
• Two fixed themes for the hackathon kept people focused, IMO
• The availability of a list of issues to select from and work together with people
• I feel like a lot was done, but with such vague goals it’s hard to tell if all were met.
• Full focus, no distractions.
• I feel that a lot was accomplished in a short amount of time. It was clear everyone came ready to work and the attitude of all maintainers was so upbeat.
• All being in the same room together was great for productivity because we could easily bounce ideas and discuss with each other without dealing with timezone differences. When I was working on problems that I didn’t understand super well, I could just ask other people for help and get it immediately.

Areas for Improvement

As an experiment, we were keen to hear how we might improve the structure to be more effective. Attendees had feedback in the following areas:

• Task Clarity: More structured task lists, especially for performance-related issues, would provide clearer direction.
• Schedule Optimization: Participants suggested better time management, including more structured breaks and optional cultural activities.
• Constructive Feedback: Some participants desired a mid-day stand-up for better synchronization and clarity.

Overall, the event not only addressed critical technical challenges but also strengthened the bonds within the Homebrew community, setting a positive precedent for future collaborative efforts.

Major changes and deprecations since 4.2.0:

• brew bottle will include a basic SPDX file inside the bottle and a more comprehensive one after installation. This is to provide support for the widely used SBOM format from Homebrew.

• If HOMEBREW_VERIFY_ATTESTATIONS is set, brew install will verify the bottle artifact’s attestation when pouring bottles using GitHub’s gh CLI. This functionality is still in beta. We expect to remove the need for the gh tool and improve performance before we make this the default behaviour. This behaviour demonstrates Homebrew’s ongoing commitment to improving our security posture. Read more in the tracking issue or in the GitHub artifact attestation announcement

• HOMEBREW_AUTOREMOVE is the default behaviour meaning that brew cleanup and brew uninstall automatically run brew autoremove. Disable this by setting HOMEBREW_NO_AUTOREMOVE. This is to improve the default behaviour of brew uninstall given brew autoremove is sufficiently reliable.

• Homebrew has two new types of analytics: “Brew Command Run” events and brew test-bot analytics. The latter are not working or published yet but will be soon. These are to help us improve the documentation and prioritisation of issues in Homebrew.

• Homebrew/homebrew-cask requires code signing of all casks. Expect removal of casks that are not code signed from Homebrew/homebrew-cask in future. This is because code signing is required on Apple Silicon which is used by a growing majority of all Homebrew users.

• Homebrew/homebrew-autoupdate is no longer an official tap and has moved back to DomT4/homebrew-autoupdate.

• Homebrew/homebrew-cask-versions migrated to Homebrew/homebrew-cask and is archived, following Homebrew/homebrew-cask-drivers. Migration for Homebrew/homebrew-cask-fonts will happen soon. This will make it easier to have a more consistent installation, discovery and maintenance experience for all official casks.

• brew info --json=v2 output no longer includes the deprecated oldname key for formulae. Use the oldnames array instead.

• As-of Homebrew 4.3.1: Homebrew now provides Portable Ruby 3.3.1 and requires Ruby >=3.3.0.

• Miscellaneous additional code deprecation/disable/removals.

Other changes since 4.2.0 I’d like to highlight are the following:

• HOMEBREW_FORBIDDEN_CASKS, HOMEBREW_FORBIDDEN_FORMULAE and HOMEBREW_FORBIDDEN_TAPS are added to extend the functionality beyond the existing HOMEBREW_FORBIDDEN_LICENSES to prevent formulae/cask/tap installation. Relatedly, HOMEBREW_ALLOWED_TAPS was added to restrict installation of and from specific taps.

• GitHub Actions will display native warnings/error notices for deprecations/disables and warnings/errors.

• There are now several more reasons why casks are deprecated or disabled.

• Homebrew’s code documentation on rubydoc.brew.sh previously did not do a good job of differentiating public/private/internal (i.e. only public for Homebrew’s use) APIs. We explicitly mark non-private APIs, non-public APIs, warn about undocumented non-private APIs and APIs are private by default.

• Homebrew’s code documentation on rubydoc.brew.sh includes Sorbet data from .rbi files to provide more types.

• brew command, brew shellenv and brew setup-ruby are significantly faster.

• When the GitHub token used by Homebrew requires more scopes, Homebrew will clarify these.
• brew upgrade --overwrite is a new flag similar to brew install --overwrite and brew link --overwrite to delete files that already exist in the prefix while linking.
• brew install --display-times also works with casks.
• Tap migrations can also perform renames.
• HOMEBREW_GITHUB_API_TOKEN supports more types of GitHub tokens.
• The brew desc --eval-all warning only applies to brew desc --search.
• brew tap no longer shows untapped taps with API support.
• brew upgrade no longer truncates some version numbers.
• @BrewTestBot can no longer provide approving reviews on Homebrew/brew.
• Formulae can optionally restrict network access in build/test/postinstall sandboxes.
• HOMEBREW_TEMP is used more consistently for temporary files
• brew update outputs a message whenever it is autoupdating to make clear what is causing the delay. Also, brew update will attempt to update all taps, not just those on GitHub.
• brew install/upgrade/outdated will more intelligently auto-update when specifying formulae/casks from third-party taps.
• brew bump-formula and brew bump-cask-pr refuse to bump packages that Homebrew’s automation already handles.
• brew install --adopt is more permissive and quicker if the bundle versions match.
• brew uninstall and brew reinstall will skip cask quit/signal directives.
• brew info --json=v2 returns a Cask’s bundle versions in bundle_version and bundle_short_version keys.
• brew info and brew tap-info provide more consistent output indicating if a package or tap is installed.
• brew *-sync commands avoid overwriting existing user installations.
• brew *-sync commands will use their respective: *ENV_ROOT variables.
• brew config provides information about Homebrew/homebrew-core and Homebrew/homebrew-cask taps and JSON API files.
• brew list provides --installed-on-request and --installed-as-dependency to list formulae installed on request or as dependencies respectively.
• brew update-reset will reset to the stable tag when appropriate.
• brew bump* commands no longer allow forcing multiple PRs.
• brew bump* commands limit the number of open PRs to 15.
• brew bump will indicate if formulae should sync with others.
• brew audit will reject Internet Archive Wayback Machine URLs as these formulae are no longer active.
• brew audit will check the license(s) of the specific release rather than the default branch.
• brew update will attempt to parse a GitHub API token from repository URL to better handle private repositories.

Finally:

• Changes to Homebrew’s Governance were merged after a vote of members before the 2024 AGM.
• The minutes of the 2024 AGM are available.
• Homebrew maintainers no longer use forks on official repositories.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 4.1.0:

• Homebrew now uses and requires Ruby 3.1. If you do not already have a version provided by your system: we provide Portable Ruby 3.1.4 that will be installed whenever needed on Linux x86_64 and macOS Apple Silicon and Intel. This marks the end of Homebrew using the macOS system Ruby. Pour one out for our old friend /usr/bin/ruby on macOS 🍻.
• Formula installation and upgrades are less likely to require dependencies to be upgraded. This should reduce “brew upgrade foo upgraded everything on my system” problems.
• Homebrew/homebrew-core and Homebrew/homebrew-cask now store formulae/casks in “sharded” subdirectories for improved git and GitHub performance.
• Homebrew can be configured with .env files.
• Homebrew supports macOS Sonoma.
• OS::Mac and MacOS usage in formulae on Linux is deprecated. Please guard all uses in formulae with if OS.mac? or if OS.linux? as appropriate.
• brew audit --new-formula and --new-cask options are deprecated. Please use brew audit --new instead.
• brew postgresql-upgrade-database is deprecated. It is not longer needed now that we use versioned postgresql formulae. Please use pg_upgrade directly instead.
• Casks can be, like formulae, deprecated and disabled. Relatedly, the use of discontinued? in casks is deprecated.
• Various other deprecations.

Other changes since 4.1.0 I’d like to highlight are the following:

• Homebrew detects Apple Silicon M3 processors.
• The macOS .pkg installer is signed (by me!).
• Casks support setting multiple download headers
• brew list --full-names properly output Homebrew organisation names for casks.
• Homebrew uses Sorbet for runtime error checking.
• Homebrew is importing parts of ActiveSupport to speed up command execution time.
• Homebrew supports the rc shell.
• Various sharding fixes
• Downloads from the Homebrew API better support if curl or system certificates are too old.
• brew deps no longer passes options to formulae.
• brew desc has improved handling of--eval-all with formulae.
• brew install will upgrade already installed casks (to be consistent with formulae.)
• brew pin‘d formulae don’t cause as many warnings or errors.
• brew setup-ruby is a new command to just install Homebrew’s Ruby, if needed.
• brew edit will suggest tapping core repositories if untapped.
• The macOS .pkg installer is a documented installation method.
• Formula support ENV.O3 again to allow passing -O3 compiler optimisations.
• brew install sets PIP_CACHE_DIR to cache more Python files when building bottles or from source.
• brew audit checks all relicensed HashiCorp formulae.
• sshpass has (finally?) been removed from the new formula deny list.
• Formula’s service blocks now support multiple sockets.
• bootsnap is used more often, speeding up repeated brew invocations.
• XDG_CACHE_HOME is used correctly again for logs and Homebrew’s cache on Linux.

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 4.0.0:

• brew downloads of formula/cask APIs use a signed API endpoint with client signature verification.
• We’ve made many improvements around the new 4.0.0 feature of using JSON files downloaded from formulae.brew.sh for package installation rather than local homebrew/core and homebrew/cask taps.
  • If you had previously set HOMEBREW_NO_AUTO_UPDATE, HOMEBREW_NO_INSTALL_FROM_API or HOMEBREW_AUTO_UPDATE_SECS to work around bugs or annoyances: please consider unsetting these and tweaking the values based on the new behaviour. Under some circumstances, you may see a one-time message nudging you do to this.
• brew doctor warns if Homebrew/homebrew-core or Homebrew/homebrew-cask seem to be tapped unnecessarily so you can brew untap them to save time and disk space.
• formulae.brew.sh provides new analytics for Homebrew Developer Configuration, OS/Architecture/CI, Homebrew Prefixes and Homebrew Versions. This is based on existing data that was already gathered.
• We destroyed (and did not migrate/back up) all of Homebrew’s Google Analytics data on 2023-06-16 and all Google Analytics code has been removed.
• Homebrew’s analytics are only sent to our InfluxDB instance hosted in the EU.
  • If you had previously set HOMEBREW_NO_ANALYTICS because you didn’t like Google Analytics and/or data being sent to the US: please consider unsetting this allowing analytics data to be sent to our new InfluxDB host. Again, under some circumstances, you may see a one-time message nudging you do to this.
• Homebrew’s analytics documentation is updated with the new InfluxDB, post-Google Analytics reality.
• Setting HOMEBREW_NO_ENV_FILTERING no longer fails but is silently a no-op.
• Homebrew’s deprecated Ubuntu 16.04 Docker image is no longer being built or updated.
• Homebrew/homebrew-cask-drivers is deprecated and active casks were moved to Homebrew/homebrew-cask.
• brew rbenv-sync, brew nodenv-sync and brew pyenv-sync commands will automatically sync Homebrew-installed Ruby, NodeJS and Python versions with rbenv, nodenv and pyenv respectively to avoid needing to build these from source.
• Homebrew has laid the groundwork for later macOS Sonoma (14) support.
• Various improvements sped up all Ruby brew command performance.
• brew fetching bottles is significantly faster.
• brew install with no post_install is significantly faster.
• Various other minor release deprecations and disables.

Other changes since 4.0.0 I’d like to highlight are the following:

• brew commands will only auto-update from the API for commands that auto-updated from Git pre-4.0.0.
• brew update reports new/deleted formulae/casks when installing from the API.
• brew update will automatically update Homebrew/homebrew-core and Homebrew/homebrew-cask local taps for users who have run developer commands.
• brew install build failures only recommend open issues rather than pull requests.
• brew install will use cached bottles if the request to check if bottles are up-to-date fails.
• brew install sets OPENSSL_NO_VENDOR to use Homebrew’s relevant openssl* formula rather than the vendored OpenSSL from the openssl crate.
• brew install --skip-post-install will skip post-installation steps when installing a formula.
• brew search no longer searches remotely instead using Homebrew’s new JSON API.
• brew cleanup --quiet omits outputting some warnings.
• brew deps --missing provides the inverse output to brew deps --installed
• brew fetch, brew --cache, brew audit and brew readall has --os and --arch flags to simulate different operating systems and CPU architectures.
• brew shellenv accepts a shell name parameter for when auto-detection is unreliable.
• brew commands auto-update less frequently for users who have run Homebrew developer commands.
• brew audit verifies the correct signing of .pkg installers.
• brew bump and brew bump-formula-pr will update a local Homebrew/homebrew-core tap (if present) and brew bump and brew bump-cask-pr will do the same for Homebrew/homebrew-cask.
• HOMEBREW_NO_INSTALL_FROM_API is set automatically for commands that need it.
• A cask_renames.json file in taps allows casks to be renamed.
• The default Linux installation location (/home/linuxbrew/.linuxbrew) works as expected on Fedora Silverblue and other configurations where /home is symlinked elsewhere.
• Homebrew uses (and prioritises) GitHub tokens stored by the gh CLI (when available).
• Homebrew avoids using the macOS texinfo
• GitHub Packages bottle manifests contain the size of the bottle.
• Homebrew will set RUSTFLAGS to the appropriate target CPU on installation.
• Homebrew can build with GCC 13.
• Homebrew’s analytics better capture non-Debian-based distribution versions.
• Preliminary support for loading formulae/casks from subdirectories (to later “shard” Homebrew/homebrew-core and Homebrew/homebrew-cask Formula/Cask directories for performance reasons.)
• Homebrew is more vocal that building from source is unsupported.
• Various display issues have been fixed with Homebrew’s Ruby API documentation at rubydoc.brew.sh.

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 3.6.0:

• Using JSON files downloaded from formulae.brew.sh for package installation rather than local homebrew/core and homebrew/cask taps.
  • Please note: this is the largest change we have made to our update process since we split Homebrew/brew and Homebrew/homebrew-core repositories. Please bear with us, there may be a few bumps.
  • If you had previously set HOMEBREW_NO_AUTO_UPDATE, HOMEBREW_NO_INSTALL_FROM_API or HOMEBREW_AUTO_UPDATE_SECS to work around bugs or annoyances: please consider unsetting these and tweaking the values based on the new behaviour.
  • Unless you are developing formulae or casks, you can brew untap homebrew/core and brew untap homebrew/cask to save some space.
  • brew update will now be run automatically less often (every 24 hours rather than every 5 minutes) and these auto-updates will be much faster as they no longer need to perform the slow git fetch of the huge homebrew/core and homebrew/cask taps’ Git repositories.
  • This is now the default behaviour so the HOMEBREW_INSTALL_FROM_API variable has been removed and is a no-op.
  • If you wish to opt-out of this behaviour change, you can export HOMEBREW_NO_INSTALL_FROM_API=1. Please investigate HOMEBREW_API_AUTO_UPDATE_SECS first.
  • This behaviour is automatically disabled when using certain commands or in configurations that mostly build from source.
  • HOMEBREW_API_DOMAIN can be set to use mirrors for formulae.brew.sh.
• Homebrew’s analytics are now sent both to Google Analytics and our new InfluxDB instance hosted in the EU.
  • Our InfluxDB instance does not store either anonymised IP addresses or an anonymised user token so it has additional privacy benefits over Google Analytics.
  • If you had previously set HOMEBREW_NO_ANALYTICS because you didn’t like Google Analytics and/or data being sent to the USA: please consider unsetting this and setting HOMEBREW_NO_GOOGLE_ANALYTICS instead, allowing analytics data to be sent to our new InfluxDB host.
  • We expect to migrate entirely from Google Analytics to our InfluxDB instance in ~100 days at which point we will remove all Google Analytics and destroy all existing data. Note: this occurred on 2023-06-16!
• macOS .pkg files are generated for each Homebrew release. You can help us test this beta feature by downloading the generated package artifact from the relevant GitHub Actions release events.
• The homebrew/ubuntu16.04:master image has been deprecated.
• Various major release deprecations and disables.

Other changes since 3.6.0 I’d like to highlight are the following:

• brew test sets PYTHONDONTWRITEBYTECODE to improve performance.
• VSCode devcontainers are available in the Homebrew/brew repository for use with e.g. GitHub Codespaces.
• brew install --adopt allows taking ownership of existing installed cask artifacts.
• brew install --dry-run allows viewing what brew install will do before it is run.
• brew docs opens docs.brew.sh.
• --cask is never required on Linux.
• service do blocks allow defining a run command per platform.
• brew install uses the local cache while installing dependencies from pip.
• brew doctor no longer complains about BitDefender.
• brew install will also suggest casks rather than just formulae when it fails to find the requested package.
• brew readall simulates all architecture and OS configurations for better reliability.
• git partial clones with sparse checkouts are supported when downloading using git.
• GCC 12 is used for runtime libraries to match Ubuntu 22.04, where we build our bottles.
• brew doctor --quiet prints no output on success.
• brew gist-logs better detects missing permissions.
• brew update uses the GitHub API token if available to avoid hitting rate limits.
• We have discontinued WSL 1 support and recommend WSL 2 instead.
• brew fetch and brew install can automatically determine mirrors for glibc-bootstrap and PyPI resources.

Finally:

• Homebrew is now on Mastodon: @[email protected].
• Our governance documents have been updated as part of our AGM.
• We have switched from HackerOne to GitHub for vulnerability reporting.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.
• Homebrew had our first stand at FOSDEM 2023 in which the Project Leader was forced to wear a stupid beer suit.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

API Project

Since version 3.6.0 of Homebrew, we are now choosing to advertise the HOMEBREW_INSTALL_FROM_API environment variable to the general public. A lot of work was done by @Rylan12 to make the experience more stable and the API install method is bound to bring a big performance improvement to those who are willing to give it a try.

The goal of the HOMEBREW_INSTALL_FROM_API environment variable is to allow Homebrew users to install formulae and casks without needing to have Homebrew/homebrew-core and/or Homebrew/homebrew-cask tapped. This is intended to make brew update much faster and required less often and also to save space on the user’s machine.

Now that the variable is public, we’re going into a period of bug hunting. When its users stop finding problems and edge-cases for the API to handle, we will be making this the default for all users so everyone can enjoy a fast Homebrew experience.

Ephemeral CI Runners

Since July 18th the Intel-based CI runners are now ephemeral and the foundation has been laid for applying the same features to Apple Silicon based runners. While Homebrew users might not notice more than sleeping a little easier thanks to bottling runs being more reliable, I can tell you that the maintainers are very happy with this improvement and the accompanying dashboard.

Currently our runners persist indefinitely, which has some distinct downsides:

• Security is worse since a compromised runner will keep working indefinitely
• Keeping them maintained is harder
• We cannot dynamically scale up/down usage per-OS

The goal was to replace all our persistent runners with ephemeral variants, starting with the Apple Silicon runners. Unfortunately we ran into some bugs in the Orka platform which MacStadium provides for us, so that initial goal had to be shifted to Intel runners first.

Work is ongoing to enable the Apple Silicon based runners as ephemeral runners to close this project from the macOS side. Once that is done the stretch goal for this project is to make our self-hosted Linux runners ephemeral too. Most of our Linux CI already uses ephemeral GitHub-hosted runners.

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon to make projects like these possible. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 3.5.0:

• Homebrew has preliminary macOS 13 (Ventura) support.
• Homebrew requires --eval-all to be passed or HOMEBREW_EVAL_ALL to be set to improve security in cases where it may evaluate formulae or casks that have not been installed, may not be trusted and will execute arbitrary Ruby code.
• Homebrew’s CI uses Ubuntu 22.04 to e.g. build bottles (binary packages).
• brew no longer respects HOMEBREW_NO_ENV_FILTERING. Environment variables needed in formulae or casks need to have a HOMEBREW_ prefix to be passed through and then reassigned e.g. ENV["FOO"] = ENV["HOMEBREW_FOO"].
• brew linkage detects deprecated linkage to libnsl.so.1. and disabled linkage to libcrypt.so.1..
• Other miscellaneous disabled code has been removed.

Other changes since 3.5.0 I’d like to highlight are the following:

• HOMEBREW_INSTALL_FROM_API is an opt-in flag added in 3.3.0 to install formulae and casks in homebrew/core and homebrew/cask taps using Homebrew’s API instead of needing the (large, slow) local checkouts of these repositories. HOMEBREW_INSTALL_FROM_API has had many improvements since 3.5.0. We encourage you to try setting it and reporting any issues you experience.
• The postgresql formula was renamed to postgresql@14 to avoid repeated breakage on major/minor version upgrades.
• HOMEBREW_CURL_PATH and HOMEBREW_GIT_PATH are documented and supported for setting the location of curl or git on Linux. On macOS, the system versions will still always be used instead.
• HOMEBREW_ARTIFACT_DOMAIN only takes effect on bottles and not e.g. casks.
• Periodic brew cleanup is run after installing all packages rather than after the first package is installed.
• brew install --debug-symbols is available to build and retain debug symbols on macOS. This does not yet work on Linux but we’ll review a pull request to add it.
• brew install automatically installs glibc or gcc if they are too old.
• brew cleanup and brew uninstall automatically run brew autoremove if HOMEBREW_AUTOREMOVE is set.
• brew fetch --retry uses an exponential backoff.
• brew deps returns failing exit code when circular dependencies are detected.
• brew info --json includes a variations key. This provides information about how a formula or cask varies on OSs and CPU architectures other than the one it is being run on. Various additional DSLs e.g. on_system and arch have been added to formulae or casks to facilitate this.
• A new Formula DSL is available to more easily generate completions.

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 3.4.0:

• brew update now defaults to HOMEBREW_UPDATE_REPORT_ONLY_INSTALLED behaviour, showing only information on installed formulae, so HOMEBREW_UPDATE_REPORT_ALL_FORMULAE was added instead. This improves performance and usability of brew update.
• brew update lists “Outdated” rather than “Updated” formulae by default. It was already calculating which formulae were outdated and this information is more useful than showing which formulae were changed and is significantly faster than doing version comparisons.
• Homebrew (on macOS) now requires at least OS X El Capitan (10.11) to run rather than OS X Yosemite (10.10). This is because we have released Portable Ruby 2.6.8_1 using our new pipeline and have been unable to successfully virtualise Yosemite.
• Various code disables and deletions for 3.5.0.

Other changes since 3.4.0 I’d like to highlight are the following:

• brew tests --changed runs tests only on files that have been changed from master (including test files).
• brew tap --no-force-auto-update removes the --force-auto-update flag for taps.
• brew no longer filters the TERMINFO_DIRS environment variable.
• brew update --quiet makes brew update produce less output.
• brew uninstall, brew reinstall, etc. are no longer blocked by unreadable casks.
• brew upgrade only upgrades version :latest casks when --greedy or --greedy-latest are passed and the cask has been updated.
• brew cleanup shows the total disk space freed.
• HOMEBREW_DOCKER_REGISTRY_TOKEN and HOMEBREW_DOCKER_REGISTRY_BASIC_AUTH_TOKEN can be used for GitHub Packages authentication without HOMEBREW_ARTIFACT_DOMAIN.
• HOMEBREW_ARTIFACT_DOMAIN’s description in man brew has been clarified.

Finally:

• Homebrew left the SFC and has moved to OpenCollective. This allows more permissive spending of our funds in exchange for our incomings/outgoing being public.
• Homebrew’s governance documentation was updated, following our April 2022 AGM’s vote on this. This notes Homebrew’s move to OpenCollective, PLC quorum and member changes and clarifies responsibilities for PL, PLC and TLC.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Here’s an overview of the timescale:

• 11th June 2020: The Mozilla Open Source program (MOSS) reaches out to Homebrew as we were nominated for a paid, sponsored security audit by Radically Open Security (ROS)
• 11th June 2020: Homebrew meets with ROS and provides the main areas of focus:
  • macOS sandbox escapes
  • CI/development workflow issues (e.g. ways to exploit our CI infrastructure or deploy changes that haven’t been reviewed)
  • Bad uses/setting/checking of Unix permissions
  • Formulae being able to modify the Homebrew/brew source process
• 18th June 2020: ROS meets with Homebrew to further discuss the audit, scope and process and provide access to ROS systems (e.g. GitLab, RocketChat)
• 23rd September 2020: MOSS and ROS confirm contract
• 14th October 2020: ROS begins security audit
• October 2020 - March 2021: ROS communicates issues to Homebrew which are resolved, e.g. with https://github.com/Homebrew/brew/pull/10970 and https://github.com/Homebrew/brew/pull/10972
• 31st March 2021: ROS provides final security audit report PDF to Homebrew
• 21st April 2021: Homebrew provides a related security incident disclosure based on follow-up work
• 16 August 2022: Homebrew adds final security audit report PDF to this page

Major changes and deprecations since 3.3.0:

• brew will hint at configuration variables to tweak behaviour unless HOMEBREW_NO_ENV_HINTS is set.
• brew services is supported and recommended on Linux when using systemd.
• brew install --overwrite ensures the brew link after brew install is always run with --overwrite.
• Formula.each, Cask::Cask.each and other uses of Enumerable methods are deprecated because reading all formulae/casks on the system unnecessarily runs untrusted code.
• Other code deprecations, disables and deletions.

Other changes since 3.3.0 I’d like to highlight are the following:

• HOMEBREW_DOCKER_REGISTRY_TOKEN_BASIC allows authenticating with a Docker register proxying GitHub Packages using a basic authentication token.
• brew cask produces a more helpful error message pointing to brew --cask.
• HOMEBREW_DOCKER_REGISTRY_TOKEN is used when installing Homebrew’s Portable Ruby.
• brew deps --graph and --dot output dependencies as a directed graph in text or DOT formats.
• brew bump --open-pr opens a pull request for a new version if there is none already open. This is used by Homebrew’s automation to automatically “bump” some outdated formulae.
• brew extract automatically removes bottle blocks.
• brew style --fix automatically fixes shellcheck failures.
• brew upgrade skips upgrading unbottled dependents of upgraded formulae.
• brew upgrade skips checking dependents of homebrew-core versioned formulae.

Finally:

• Homebrew has begun the process to leave the SFC and is moving to OpenCollective. This allows more permissive spending of our funds in exchange for our incomings/outgoing being public.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 3.2.0:

• brew update will migrate all Linux users from linuxbrew-core to homebrew-core. This will also trigger the upgrade of some formulae installed from linuxbrew-core due to revision differences.
• macOS Monterey is officially supported and requires Xcode 13.1. Monterey ships with Ruby 2.6.8 so we’ve released and use Portable Ruby 2.6.8.
• HOMEBREW_INSTALL_FROM_API is a new opt-in flag to install formulae and casks in homebrew/core and homebrew/cask taps using Homebrew’s API instead of needing the (large, slow) local checkouts of these repositories.
• brew bump-formula-pr --write has been deprecated in favour of brew bump-formula-pr --write-only.
• The Internet Archive uploader was broken and no-one noticed so it has been removed.
• Various additional deprecations, disables and code removals.

Other changes since 3.2.0 I’d like to highlight are the following:

• HOMEBREW_SSH_CONFIG_PATH sets the path a configuration file for using Git over SSH inside Homebrew.
• brew edit --print-path outputs the filename to be edited without opening an editor.
• brew developer makes it easier to enable/disable the Homebrew developer release channel.
• Artifactory and other private registries can be used for mirroring Homebrew bottles distributed through GitHub Packages.
• BuildPulse is used to detect and track Homebrew’s flaky tests.
• brew search does approximate matching of formula names.
• Homebrew’s ca-certificates will be installed when necessary on macOS <= 10.15.5 to allow connecting to various HTTPS sites.
• brew bump --start-with retrieves a subset of results.
• brew search can search Arch Linux and Repology.
• HOMEBREW_ADDITIONAL_GOOGLE_ANALYTICS_ID can be used to report to an additional Google Analytics tracking ID.
• brew fetch --bottle-tag allows fetching a bottle for any specified tag (e.g. OS/architecture/macOS version).
• brew install and brew upgrade will fetch all formulae before attempting installation.
• brew install outputs all cask installations at the end (like formulae).
• brew will start the sandbox in a pseudoterminal (to avoid potential formula access to the parent terminal).
• brew style will check and fix more shell script style.
• brew tap --custom-remote allows changing the remote for an installed tap.
• brew typecheck can be run on Apple Silicon.
• Temurin will be recommended instead of the (deprecated) AdoptOpenJDK when installing casks that need Java.

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Major changes and deprecations since 3.1.0:

• brew install now upgrades outdated formulae by default (for idempotency). This can be disabled by setting HOMEBREW_NO_INSTALL_UPGRADE.
• brew has basic macOS 12 (Monterey) support.
• brew leaves has --installed-on-request and --installed-as-dependency flags to only list formula installed manually or as dependencies.
• Various deprecations, disables and code deletions for Homebrew 3.2.0.

Other changes since 3.1.0 I’d like to highlight are the following:

• brew link --HEAD links the HEAD version of a formula.
• brew alias, brew autoupdate and brew command-not-found are official external command taps.
• brew tap will never create shallow clones (as shallow clones are not performant when repeatedly fetching as Homebrew does).
• brew fetch will no longer use shallow clones.
• brew install also outputs cask caveats as part of the final summary.
• brew has GCC 11 support.
• brew bottle will generate all: bottles which are used on all platforms.. A lot of work has gone into improving reproducible builds to make these possible. brew bottle on your local machine for an all: bottle should generate an identical checksum.
• brew doctor hides some warnings on Apple Silicon with Intel and ARM installations.
• brew bottle --bottle-arch allow bottles with custom architectures.

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.

Whenever an affected cask tap received a pull request to change only the version of a cask, the review-cask-pr GitHub Action would automatically review and approve the pull request. The approval would then trigger the automerge GitHub Action which would merge the approved pull request. A proof-of-concept (PoC) pull request demonstrating the vulnerability was submitted with our permission. We subsequently reverted the PoC pull request, disabled and removed the automerge GitHub Action and disabled and removed the review-cask-pr GitHub Action from all vulnerable repositories.

What was impacted

The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically. This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request’s diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request.

A single cask was compromised with a harmless change for the duration of the demonstration pull request until its reversal. No action is required by users due to this incident.

What we’re doing about it

• The vulnerable review-cask-pr GitHub Action has been disabled and removed from all repositories.
• The automerge GitHub Action has been disabled and removed from all repositories (in favour of the GitHub built-in functionality that did not exist when this action was created).
• We have removed the ability for our bots to commit to homebrew/cask* repositories.
• All homebrew/cask* pull requests will require a manual review and approval by a maintainer.
• We are improving documentation to help onboard new homebrew/cask maintainers and training existing homebrew/core maintainers to help with homebrew/cask.

We did, do and will continue to take the security of the project and our users very seriously. We try our best to behave as a for-profit company would do in terms of timely response to security issues.

In order to ensure and improve Homebrew’s security, please consider contributing your code and code reviews to our GitHub projects.

Thanks for using Homebrew!

Major changes and deprecations since 3.0.0:

• GitHub Packages is the default package download/upload location on macOS and Linux. This is due to Bintray’s shutdown on May 1st 2021.
• Various deprecated, disabled and deleted code.

• The undocumented HOMEBREW_NO_ENV_FILTERING flag is deprecated and will be removed.

• The HOMEBREW_NO_BOTTLE_SOURCE_FALLBACK is removed (as its behaviour is now the default).
• GitHub Packages writes bottles’ tabs into the GitHub Packages manifest JSON. brew bottle --only-json-tab has been added to allow future GitHub Packages bottles to store their tab outside the bottle to allow reproducible builds. This is why downloads from GitHub Packages also include a small manifest JSON download. This also allows future creation of all: SHA256 bottles for bottles shared across all platforms.

Other changes since 3.0.0 I’d like to highlight are the following:

• The sed superenv shim is removed.
• CodeCov in Homebrew’s GitHub Actions no longer requires a hardcoded token.
• brew update --quiet is a bit quieter.
• brew update outputs to stderr when not outputting to a TTY to ease stdout usage.
• brew update reports outdated formulae and suggests brew upgrade.
• installed_on_request is correctly set in the tab for dependencies again. This will improve usage of brew bundle dump after reinstalling packages.
• Homebrew does not load non-Bundler gems to prevent issues from user-installed gems.
• Homebrew’s default ruby warning level is now -W1 (to avoid hiding legitimate warnings.)
• brew cask pkg uninstallation is faster.
• brew --prefix <formula> is faster.
• brew --version is faster.
• brew list also uses ls for casks output (to be consistent with formulae).
• brew list visually separates formulae and casks.
• brew bump supports casks.
• service do is a new formula DSL to allow plists to be easily generated.
• Always require developer tools on Apple Silicon (because codesign is needed when pouring bottles).
• When codesign fails more error output is now printed.
• gem, rake and ruby superenv shims are provided to work around broken macOS rubys.
• A better error message is output when users don’t have any GitHub API credentials set.

Finally:

• Homebrew’s Annual General Meeting in February elected a new Project Leadership Committee, Technical Steering Committee, and I (Mike McQuaid) was re-elected as Project Leader
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Particular thanks on Homebrew 3.1.0 go to GitHub for providing GitHub Packages and helping in our migration. Enjoy using Homebrew!

Major changes and deprecations since 2.7.0:

• Apple Silicon is now officially supported for installations in /opt/homebrew. formulae.brew.sh formula pages indicate for which platforms bottles (binary packages) are provided and therefore whether they are supported by Homebrew. Homebrew doesn’t (yet) provide bottles for all packages on Apple Silicon that we do on Intel x86_64 but we welcome your help in doing so. Rosetta 2 on Apple Silicon still provides support for Intel x86_64 in /usr/local.
• brew bottle and bottle do blocks use a new syntax format (one :cellar per platform). brew style --fix will autocorrect formulae to this new format. This will allow more bottles to be relocatable.
• The new HOMEBREW_BOOTSNAP environment variable allows the use of the Bootsnap gem to speed up repeated brew calls. This does not work (yet) on Apple Silicon or using Homebrew’s portable Ruby.
• Various methods have been deprecated, disabled and removed
• Bash, fish and zsh completions are generated automatically from the CLI::Parser DSL. This will ensure they are kept up-to-date.
• brew update better handles upstream branch renames (e.g. from master to main)
• brew completions is a new command to opt-in to completions provided by third-party taps

Other changes since 2.7.0 I’d like to highlight are the following:

• Command usage text is automatically generated (so will be kept-up-to-date)
• brew audit reads more formula data from taps
• brew untap of an official tap you don’t use (e.g. Homebrew/homebrew-cask) will ensure it’s no longer automatically retapped
• brew casks is a new command implemented in Bash to speedily output all casks available to install (like brew formulae)
• brew info --cask --json=v2 includes whether a cask is outdated and the currently installed versions
• Fixed a bug where brew update could be run every time
• brew --prefix --installed is a new flag to brew --prefix that will fail if the requested formula is not installed
• We now use an unversioned SDK path on Big Sur to avoid breakage on minor SDK version changes

Finally:

• Discourse was made read-only on January 1st 2021 in favour of GitHub Discussions.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Particular thanks on Homebrew 3.0.0 go to MacStadium and Apple for providing us with a lot of Apple Silicon hardware and Cassidy from Apple for helping us in many ways with this migration. Enjoy using Homebrew!

Changes and deprecations since 2.6.0:

• The prefix DSL for bottles is deprecated. It was not actually used by the code.
• deprecate! and disable! in formulae with missing or non-ISO 8601 dates is deprecated.
• depends_on :java, :x11, :osxfuse, :tuntap are all deprecated in formulae and casks.
• Additional API deprecations, disables and removals.
• GitHub basic authentication support is removed.
• brew update refuses to update shallow homebrew-core/cask clones (on request from GitHub).
• The HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS environment variable allows customisation of how often a full brew cleanup is run.
• Installing formulae missing bottles from the homebrew-core or linuxbrew-core requires specifying --build-from-source.
• brew livecheck now supports casks.

Finally:

• Discourse and IRC are now deprecated as official communication methods in favour of GitHub Discussions. It will be made read-only on January 1st 2021.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 2.5.0:

• macOS Big Sur is supported (and High Sierra unsupported)
• depends_on :java, brew switch, brew diy and various other APIs have been deprecated
• All brew cask commands have been deprecated in favour of brew commands (with --cask) when necessary
• Homebrew.args is deprecated
• All Requirements are deprecated in Homebrew/core
• macOS Homebrew running natively on M1/Apple Silicon/ARM has partial functionality. We recommend installing into /opt/homebrew and forbid installing into /usr/local (to avoid clashing with the macOS Intel install and allow their usage side-by-side). We currently recommend running Homebrew using Intel emulation with Rosetta 2.
• brew tap-new will set up GitHub Actions workflows to upload to GitHub Releases. Read the blog post for more documentation.
• GitHub deprecated their API’s basic authentication

Other changes since 2.5.0 I’d like to highlight are the following:

• brew doctor checks the active branch for all taps, not just Homebrew/homebrew-core
• brew unbottled is a new developer command to identify formulae that haven’t had binary packages built yet
• brew install ./ is now recommended for installing local file formulae
• Bash, ZSH and Fish formula completion is now much faster with the brew formulae command
• brew install --force-bottle refuses to ever build from source
• brew install or brew link of a versioned keg-only formula will automatically unlink conflicted version formulae
• brew shellenv is significantly faster
• Homebrew has further reduced shallow clone usage (on request from GitHub)
• brew linkage and commands using the linkage cache have significantly better performance
• brew bump-cask-pr is a new developer command to create Homebrew/homebrew-cask pull requests

Finally:

• Discourse and IRC are now deprecated as official communication methods in favour of GitHub Discussions.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Creating the tap

First, go to GitHub and create an empty repository named with the homebrew- prefix, for example: USER/homebrew-tap.

Then locally run:

brew tap-new USER/REPOSITORY

changing USER/REPOSITORY to the full name of the repository that you just created on GitHub. You can omit the homebrew- prefix and specify the --branch flag if your default branch should be named differently than main.

Navigate to the newly created tap on disk by executing:

cd $(brew --repository USER/REPOSITORY)

Now you can list all files in this tap to see what is created by default.

Add the repository that you created on GitHub as the origin remote and push newly created files:

git remote add origin https://github.com/USER/REPOSITORY
git push --set-upstream origin main

I won’t go into too many details on how the workflows look, as they are subject to change at any time. For now, there are 2 workflow files created by default.

• One is run on each pull_request event, so every push to a PR’s branch triggers the workflow, which tests changes made to formulae, builds bottles for those formulae and uploads them to GitHub Actions as artifacts.
• The second workflow, run when a pull request is labelled, is responsible for bottle uploading and publishing.

Creating the first formula in the tap

It’s time we add a new formula to our tap; shall we?

All formulae should go in the Formula directory. Let’s suppose we want to create a formula for this little Go program named gothanks. Run locally:

brew create --tap=USER/REPOSITORY --go https://github.com/psampaz/gothanks/archive/v0.3.0.tar.gz

This command will create a new standard formula for Go projects in your tap and open the file in your editor of choice. After you close the editor, you can still edit the formula with:

brew edit USER/REPOSITORY/FORMULA

Our gothanks formula, after some editing could look like this:

class Gothanks < Formula
  desc "Automatically star your go.mod Github dependencies"
  homepage "https://github.com/psampaz/gothanks"
  url "https://github.com/psampaz/gothanks/archive/v0.3.0.tar.gz"
  sha256 "ce5440334b3eac2e058724faa4c6e4478ca1d81ea087e55ccca33f1996752aad"
  license "MIT"

  depends_on "go" => :build

  def install
    system "go", "build", *std_go_args
  end

  test do
    ENV.delete "GITHUB_TOKEN"
    assert_match "no Github token found", shell_output(bin/"gothanks", 255)
  end
end

Now we can create a new branch, add the formula, commit it and push:

git checkout -b gothanks
git add Formula/gothanks.rb
git commit --message "gothanks 0.3.0 (new formula)"
git push --set-upstream origin gothanks

But to trigger the workflows, we need to create a pull request from our recently-pushed branch. I’m using the hub utility for this operation, but you can use the newer GitHub CLI tool gh or just click your way through in GitHub’s UI.

Uploading built bottles

Wait until the pull request’s checks become green. Then label your pull request with the pr-pull label (this is the default label that will trigger the uploading workflow; you can easily change this in workflow file). A new brew pr-pull workflow will be fired up and after a couple of minutes you should observe the PR closed, bottles uploaded and commits pushed to the main branch of your repository.

Summary

With current tooling it’s now easier than ever to create your own Homebrew tap with bottles. Gone are the days when you had to create a Bintray account and fiddle around with custom CI configs. Now you can run a bunch of commands and get a tap up and running in minutes, with only a GitHub account!

Major changes and deprecations since 2.4.0:

• Many brew cask commands have been replaced with brew commands and are deprecated. This continues our goal of better integration between brew and brew cask commands.
• Most Homebrew/homebrew-core formulae have their licenses stored and audited.
• brew typecheck provides the beginnings of Homebrew’s use of Sorbet for type-checking.
• Homebrew is currently experimenting with GitHub Discussions as a possible replacement for Discourse.
• brew livecheck has moved from its own tap to a Homebrew command and part of Homebrew/homebrew-core formulae.
• brew bump is a new command using brew livecheck and Repology to output outdated formulae in Homebrew/homebrew-core.
• Homebrew on Linux is moving towards a pure-Ruby ELF reading and writing implementation.
• Various other Homebrew (mostly internal) APIs have been deprecated

Other changes since 2.4.0 I’d like to highlight are the following:

• brew sh has a non-interactive mode.
• Disabled and deprecated formulae require a reason (to better explain to users).
• brew bump-revision accepts multiple formulae.
• brew cask --help output is supported for all brew cask commands.
• brew audit now has a --tap argument.
• brew tap-new makes use of Homebrew’s custom GitHub Actions (which are also used by Homebrew CI).
• brew audit is passing and mandatory for all changes on Homebrew/homebrew-core.
• brew update-python-resources is a new command that can be used to upgrade dependencies in Python formulae.
• brew tests retries failed tests by default.
• brew bundle runs brew update before if needed.
• Many brew audit checks were migrated to RuboCop checks for better performance and editor integration.
• Homebrew is working on support for macOS Big Sur (11.0).

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 2.3.0:

• Homebrew’s minimum macOS version is Yosemite.
• devel versions in formulae have been deprecated.
• brew pull has been deprecated in favour of hub checkout.

Other changes since 2.3.0 I’d like to highlight are the following:

• brew audit is significantly faster.
• brew irb correctly uses TERMINFO to improve keyboard handling.
• Homebrew uses system Gems correctly.
• man brew lists the full help for all official external commands (which now includes brew test-bot).

Finally:

• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 2.2.0:

• brew tap-pin and brew tap-unpin have been removed along with the deprecation of some Homebrew and Formula methods.
• brew install from a URL has been deprecated to improve the security of brew install.
• brew install, brew upgrade and brew reinstall now fetch all resources before beginning installation or locking dependencies.
• The Homebrew/brew Docker image is now built for Ubuntu 16.04 and 20.04 and includes latest for the latest stable release and master for the master branch.
• Homebrew formulae can be deprecated or disabled to provide an easier transition than deletion (the previous method).
• Homebrew/homebrew-core has been entirely migrated to GitHub Actions and Homebrew’s Jenkins has shut down entirely.

Other changes since 2.2.0 I’d like to highlight are the following:

• brew style and brew readall are run on macOS and Linux for Homebrew/brew and Homebrew/homebrew-core to make retaining Linux compatibility easier and ease the eventual merging of homebrew-core and linuxbrew-core taps.
• Homebrew searches the entire PATH to find a compatible ruby.
• brew cask info shows cask analytics data.
• brew doctor shows deleted formulae.
• brew uninstall notes all etc files will stay around.
• brew test runs pkill without exceptions to avoid manual cleanup in test do blocks.
• pkg-config correctly sets the SDKROOT to find more macOS-provided software.
• Formulae can use the pkgetc method to install into etc/#{formula_name}.
• Formulae can use the free_port test helper.
• All Homebrew curl requests retry 2 times by default.
• Formulae patch blocks can change directories to apply their patch.
• brew tap defaults to full clones. The existing shallow clone default would cause slower git fetches over time.
• HOMEBREW_BREW_GIT_REMOTE and HOMEBREW_CORE_GIT_REMOTE environment variables allow you to use custom Git mirrors to speed up brew update and brew tap.

Finally:

• I (Mike McQuaid) stood down from the Homebrew PLC and was reelected Project Leader. Sean Molenaar joined the PLC. (@MikeMcQuaid)
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 2.1.0:

• macOS Catalina (10.15) is supported. macOS Sierra (10.12) and older are unsupported.
• The no-op case for HOMEBREW_AUTO_UPDATE_SECS is dramatically faster and defaults to 5 minutes (rather than 1).
• brew upgrade no longer has an unsuccessful error code if the formula is up-to-date.
• brew upgrade’s post-install dependent checking is dramatically faster and more reliable.
• Homebrew on Linux raised their minimum requirements.
• https://formulae.brew.sh displays Linux formulae. When on Linux, brew info outputs Linux analytics data.
• Homebrew now uses OpenSSL 1.1. OpenSSL 1.0 has been removed as it was EOL by the end of 2019.
• Homebrew will remove Python 2.7 by the end of 2019 as it will be EOL.
• brew tap-pin is disabled. It was buggy and unused by Homebrew maintainers. Directly reference formulae (e.g. brew install user/tap/formula) or rename formulae in taps to avoid shadowing Homebrew/homebrew-core formulae instead.

Other changes since 2.1.0 I’d like to highlight are the following:

• brew bundle outputs Brewfile.lock.json files for debugging non-reproducibility.
• brew bundle allows skipping installations by setting environment variables.
• sudo brew services takes root ownership of files when running as root.
• --verbose command output no longer outputs (extremely) long $LOAD_PATH and Ruby paths.
• Homebrew uses Ruby 2.6
• brew cat sets bat as pager if HOMEBREW_BAT is set
• brew create has --rust and --python options.
• brew audit checks bitbucket.com and gitlab.com repositories for notability.
• Homebrew uses GitHub Actions CI for all non-core repositories.
• uses_from_macos is a new formula DSL that allows formulae to declare that they use a dependency from the macOS system (rather than from Homebrew). This is useful for additional metadata and automatically installing that dependency on Linux.
• Setting HOMEBREW_CURL_RETRIES retries curl downloads that fail.
• brew bump-revision increases the revision of formulae.
• All invocations of brew are faster.

Finally:

• Many Homebrew maintainers will be attending FOSDEM 2020 (say hello!) and will have our AGM afterwards on 3rd February to elect a PLC and Project Leader.
• Homebrew now accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Maintainers arrived on Friday and met informally to socialise and get to know each other. On Saturday we released Homebrew 2.0.0 and on Saturday and Sunday attended the various talks at the conference (including a Homebrew 2.0.0 talk).

After getting to know each other better over the weekend we met in a hotel meeting room on Monday for the main purpose of the maintainer meeting: discussion of the future direction of the Homebrew project. 14 Homebrew maintainers were present in the meeting room and 3 others called in remotely.

Perhaps due to Mike McQuaid arranging to resign as Lead Maintainer on the same day the majority of the discussion was about Homebrew’s project governance. We agreed on having an elected Project Leader position, Project Leadership Committee and Technical Steering Committee. Representatives were elected to each of these positions.

If you’re interested in more details on our agreed governance structures you can read Governance documents (https://docs.brew.sh/Homebrew-Governance) and read the representatives for all positions in the Homebrew README’s “Who We Are” section.

Homebrew spent $11,965.85 in total on this meeting on the 14 individuals who attended. Included in this are some group meals, meeting room hire, travel (i.e. flights or trains) and hotel rooms in line with the Software Freedom Conservancy Travel and Reimbursable Expense Policy.

We felt this was a disproportionally valuable use of project funds. Most of us met each other for the first time, had some difficult conversations in-person and built bonds that make us all more committed to the project.

Thanks so much to everyone who has ever donated to Homebrew for enabling this meeting. If you would like to support similar events in future and can afford it, please donate through Patreon. If you’d rather not use Patreon (our preferred donation method), check out the other ways to donate in our README.

Major changes and deprecations since 2.0.0:

• https://formulae.brew.sh now displays casks.
• brew tap-pin is deprecated. It was buggy and unused by Homebrew maintainers. Directly reference formulae (e.g. brew install user/tap/formula) or rename formulae in taps to avoid shadowing Homebrew/homebrew-core formulae instead.
• brew install --ignore-dependencies is documented as an unsupported, developer flag. If you’re trying to avoid a command being installed instead consider adjusting your PATH so your preferred version precedes it.

Other changes since 2.0.0 I’d like to highlight are the following:

• brew doctor reports unreadable, installed formulae.
• Homebrew’s Formula API is generated by GitHub Actions and displayed on https://rubydoc.brew.sh.
• brew commands avoid auto-updating if no parameters are passed
• brew extract works for all taps
• “Homebrew on Linux” is used consistently instead of “Linuxbrew”
• Search is available on https://formulae.brew.sh, https://docs.brew.sh and https://brew.sh
• New formulae in Homebrew/homebrew-core allow HEAD
• Homebrew on Linux has best-effort support for ARM64 (AArch64)
• Homebrew/linuxbrew-core is used for Linuxbrew’s formulae
• Homebrew builds and tests the Dockerhub Linuxbrew/brew Docker image (we’re working on obtaining the Homebrew name).
• brew update and brew doctor warn on deleted taps.
• Homebrew allows Docker to run it as root
• brew cleanup --prune-prefix option does what brew prune used to

Finally:

• Homebrew’s Governance document is public
• Mike McQuaid is now the elected Homebrew project lead. A project leadership committee and technical steering committee were also elected.
• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use Patreon (our preferred donation method), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 1.9.0:

• Homebrew officially supports Linux and Windows 10 with Windows Subsystem for Linux (WSL). Homebrew on Linux was previously called “Linuxbrew”. You can install it in your home directory, so it does not require sudo, and use it to install software that your host distribution’s package manager does not provide. Homebrew on Linux uses its own repository for formulae: Homebrew/linuxbrew-core.
• brew cleanup is run periodically (every 30 days) and triggers for individual formula cleanup on reinstall, install or upgrade. You can opt-out of this behaviour by setting the HOMEBREW_NO_INSTALL_CLEANUP variable. This addresses a long-standing complaint where users were surprised by how much disk space Homebrew used if they did not run brew cleanup.
• Homebrew does not run on OS X Mountain Lion (10.8) and below. For 10.4 - 10.6 support, see Tigerbrew. This has allowed us to remove large amounts of legacy code.
• Homebrew does not migrate old, pre-1.0.0 installations from the Homebrew/legacy-homebrew (formerly Homebrew/homebrew repository. This has allowed us to delete legacy code that dealt with migrations from old versions.
• Homebrew does not have any formulae with options in Homebrew/homebrew-core. Options will still be supported and encouraged by third-party taps. This change allows us to better focus on delivering binary packages rather than options. Formulae with options had to be built from source, could not be tested on our CI system and provided a disproportionate support burden on our volunteer maintainers.

Other changes since 1.9.0 I’d like to highlight are the following:

• Homebrew uses a proper option parser to generate the man brew and --help. Also, Homebrew no longer silently ignores invalid options to formulae or commands.. This change will provide better feedback to users and allow making our argument handling more simple and robust.
• Homebrew’s portable Ruby is now built on OS X Mavericks (10.9) for improved performance.
• brew install does not try to link formulae that already have a cask with the same name installed. This change avoids link errors in these cases.
• Analytics data is now available for Cask installs on formulae.brew.sh.

Also, if you’ve not tuned in since 1.0.0, here are the major changes since then:

• RuboCop-supporting editors (e.g. VS Code, Atom) can get inline brew audit information when editing formulae in taps. This improves the contribution experience.
• A brew tap-new command is available for creating a new tap with a README and preconfigured Azure Pipelines configuration (which seems to provide the most reliable and performant macOS CI for OSS at the time of writing). This eases the creation of taps (third-party repositories).
• brew update-reset resets all repositories and taps to their upstream versions. This is useful when debugging git issues.
• brew link state is preserved after brew install and brew upgrade (including for keg-only formulae) but unfortunately not the brew unlink state due to a lack of state. This should allow many keg-only formulae to be used as if they are normal formulae.
• Homebrew filters all user environment variables. This reduces errors when formulae are built from source and allows the removal of many workarounds for niche issues.
• brew postgresql-upgrade-database upgrades PostgreSQL database data between major versions. This simplifies upgrades between PostgreSQL versions which previously required a semi-manual process and old version of PostgreSQL to be kept around.
• The python formula was upgraded to Python 3.x and python@2 formula was added for installing Python 2.7. We initially did not comply with PEP 394 and this was a mistake. We made brew install python and brew install python@2 PEP 394 compliant and will not change this again until PEP 394 has changed. This allows us to migrate more of our ecosystem to Python 3.
• We deprecated and archived all the Homebrew organisation taps and created new and versioned formulae in Homebrew/homebrew-core. We encourage more niche formulae and formula options to be supported in taps outside the Homebrew organisation. This allows us to focus on providing high-quality formulae that work consistently rather than a long-tail of broken, unsupported, ignored formulae.
• Homebrew Formulae is a site providing formulae data, anonymous aggregate analytics data and a JSON API querying these. This allows you to quickly query Homebrew information without access to macOS or Homebrew.
• In July 2018 a security researcher identified a GitHub personal access token leak from Homebrew’s Jenkins. Within a few hours the credentials had been revoked and sanitised. No packages were compromised and no action was required by users due to this incident. We are currently attempting to migrate away from Jenkins to a suitable hosted CI provider.
• When a bottle isn’t available for your version of macOS we will use a bottle from an older version instead. This will make life much more pleasant on new macOS releases before our bottling has completed (or when formulae fail to build).
• brew upgrade automatically reinstalls or upgrades formulae with broken linkage. This avoids broken formulae when building from source or using optional behaviour after upgrades.
• brew info displays analytics data. This is the way that Homebrew maintainers query analytics data so we are using the same data as the community.. This will hopefully ease concerns about our collection of analytics data.
• Homebrew Cask’s downloads are quarantined. This provides the same level of security when downloading these tools manually.
• Homebrew/homebrew-core requires all formulae to be open source by the OSI definition. This allows you to be confident that any brew install (although not brew cask install) from Homebrew/homebrew-core is open source software.
• brew link --force will not link software already provided by macOS but instead output the instructions on how to do so. This avoids strange compilation errors and encourages users to use the system mechanisms for adjusting their PATH.

Finally:

• Many Homebrew maintainers will be attending FOSDEM 2019 (say hello!) and meeting afterwards on 4th February to discuss the future governance of Homebrew.
• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use Patreon (our preferred donation method), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 1.8.0:

• Homebrew 1.9.0 has beta support for Linux and Windows 10 (with the Windows Subsystem for Linux). Homebrew on Linux (known as Linuxbrew) does not require root access.
• brew cleanup is run periodically if the HOMEBREW_INSTALL_CLEANUP environment variable is set. The HOMEBREW_INSTALL_CLEANUP environment variable will also trigger individual formula cleanup on reinstall, install or upgrade. brew upgrade --cleanup and HOMEBREW_UPGRADE_CLEANUP have been replaced with the HOMEBREW_INSTALL_CLEANUP variable. These will become default behaviours in 2.0.0.
• Homebrew 1.9.0 no longer runs on 32-bit Intel CPUs.
• brew update no longer migrates legacy keg symlinks, tap names, repository locations, cache locations or cache entries.
• brew prune has been replaced by and is now run as part of brew cleanup.
• brew cask --version has been replaced with brew --version and brew cask search with brew search --cask.
• The HOMEBREW_BUILD_FROM_SOURCE environment variable has been deprecated in favour of passing --build-from-source to individual formulae installs.
• brew install on macOS uses the same CFLAGS for bottles and building from source.
• Homebrew/homebrew-core requires all formulae to be open source by the OSI definition.
• brew link --force will not link software already provided by macOS.

Future major changes and deprecations coming in 2.0.0:

• Homebrew 2.0.0 will officially support Linux and Windows 10 (with the Windows Subsystem for Linux).
• brew cleanup will be run periodically and for trigger individual formula cleanup on reinstall, install or upgrade. You can enable this behaviour now on 1.9.0 by setting the HOMEBREW_INSTALL_CLEANUP variable.
• Homebrew 2.0.0 will not run on macOS 10.8 and below. For 10.4 - 10.6 support see Tigerbrew.
• Homebrew 2.0.0 will not be able to create universal binaries (even in taps).
• Homebrew 2.0.0 will no longer migrate old installations from the legacy Homebrew/homebrew repository.
• Homebrew 2.0.0 will not have any formulae with options in Homebrew/homebrew-core. Options will still be supported and encouraged by third-party taps.

Other changes since 1.8.0 I’d like to highlight are the following:

• brew info --json defaults to the latest JSON version and no longer requires a version argument.
• The TERMINFO environment variable is passed through to Homebrew to enable support for some terminal emulators.
• Incomplete downloads can be resumed even when the server rejects HEAD requests.
• macOS Mojave bottles are now optimised for the newer CPUs required by Mojave.
• brew’s ZSH completion performs more caching.
• brew bottle now allows relocation of more bottles by ignoring source code and skipping matches to build dependencies.
• More commands now have robust options handling.
• brew doctor now outputs the non-default Xcode prefix to ease debugging when Homebrew is using one in a strange location.
• brew upgrade will not upgrade formulae installed from one tap to formulae installed in another.
• Homebrew now has a mission statement.
• Homebrew/brew contains a Dockerfile for building Linuxbrew. This is built automatically on Homebrew’s Docker Hub page.

Finally:

• Many Homebrew maintainers will be attending FOSDEM 2019 (say hello!) and meeting afterwards to discuss the future governance of Homebrew.
• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use Patreon (our preferred donation method), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 1.7.0:

• Download strategies unused by Homebrew/homebrew-core have been deprecated
• We no longer provide support for devel specs in Homebrew/homebrew-core (due to CI overhead)
• When a bottle isn’t available for your version of macOS we will use a bottle from an older version instead
• I (Mike McQuaid) will step down as lead maintainer on February 4th when the Homebrew maintainers meet in person for the first time
• Mojave is officially supported (and El Capitan unsupported)
• brew upgrade automatically reinstalls or upgrades formulae with broken linkage
• brew shellenv outputs configuration variables for Homebrew (and was reimplemented in Bash for speed)
• brew info displays analytics data. This is the way that Homebrew maintainers query analytics data so we are using the same data as the community.
• JSON is used to marshal child process errors to avoid potential security issues
• Homebrew Cask’s downloads are quarantined
• brew extract is a new command to extract old versions of formulae from Git history
• Homebrew Cask’s installs report analytics events
• brew cask search and brew cask cleanup are deprecated in favour of brew search and brew cleanup

Other changes since 1.7.0 I’d like to highlight are the following:

• brew gist-logs --private creates private gists
• Setting HOMEBREW_FORCE_HOMEBREW_ON_LINUX disables using Linuxbrew settings when using Homebrew on Linux
• brew style checks Bash style with shellcheck and uses RuboCop RSpec by default
• brew cleanup removes old or unnecessary portable Rubies and linkage caches
• brew linkage uses a JSON cache to increase reliability
• brew update-reset accepts a repository argument
• bundle install --standalone is used to handle vendored gems. This is used to use ActiveSupport File.atomic_write, ActiveSupport Hash#deep_merge, String#delete_prefix backport and ActiveSupport Object#blank? and #present? rather than maintaining our own poor imitations.
• brew update follows GitHub API redirects
• Directories that need to be writable are created automatically and checked more thoroughly
• brew linkage data is used to check for multiple simultaneous versioned formulae linkage. This is more permissive than the previous recursive dependency check.
• brew bundle check --verbose displays what software is missing and causing a brew bundle check to fail
• brew update prints a one-time donation request

Finally:

• Many Homebrew maintainers will be attending FOSDEM 2019. Consider coming along and saying hello!
• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use Patreon, check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

What was impacted

GitHub Support was contacted and they verified the relevant token had not been used to perform any pushes to Homebrew/brew or Homebrew/homebrew-core during the period of elevated scopes. To be explicit: no packages were compromised and no action is required by users due to this incident.

What we’re doing about it

• We have for several years enabled 2FA and third party application restrictions for the entire Homebrew GitHub organisation. This was also recommended by the security researcher.
• We enabled branch protection and required reviews on additional repositories as mentioned above.
• We requested all Homebrew maintainers review and prune their personal access tokens and disable SMS fallback for 2FA.
• The security researcher also recommended we consider using GPG signing for Homebrew/homebrew-core. The Homebrew project leadership committee took a vote on this and it was rejected non-unanimously due to workflow concerns.

We did, do and will continue to take the security of the project and our users very seriously. We try our best to behave as a for-profit company would do in terms of timely response to security issues but this is heavily limited by our lack of resources. For example, in this the Homebrew maintainer who resolved the above issues was on paternity leave from work and the primary carer for their child and had to reach a quick resolution while their child had a nap.

We need more help to improve Homebrew’s security. Please consider contributing your code and code reviews to our GitHub projects, get in touch to volunteer to be on-call for security and/or system administration emergencies or donate through Patreon.

Thanks for using Homebrew!

Major changes and deprecations since 1.6.0:

• macOS 10.14 Mojave and Xcode 10 are now working for some formulae (but not yet supported)
• Homebrew Formulae now uses HTTPS, provides anonymous aggregate analytics data and has a JSON API for formulae and analytics data
• Homebrew Cask’s taps have now all moved to the Homebrew GitHub organisation
• Setting HOMEBREW_FORCE_BREWED_GIT makes Homebrew use a Homebrew-installed rather than system Git
• brew install and upgrade display all caveats at the end of installing multiple formulae
• Many formula deprecations have been disabled and disabled functions removed
• brew link does not permit force-linking system dependencies on macOS 10.14 Mojave/CLT 10 and instead outputs the correct compiler flags to use
• The HOMEBREW_PREFIX can no longer be in Homebrew’s temporary directory
• brew ls no longer accepts all ls arguments

Other changes since 1.6.0 I’d like to highlight are the following:

• Homebrew now uses Ruby 2.3.7 (like macOS High Sierra 10.13.6)
• macOS 10.14 Mojave currently requires the CLT header package (until we have more communication with Apple)
• brew install, upgrade and reinstall now have a --display-times option to print the install time for each formula
• brew linkage now uses a cache to dramatically speed up the command
• Unspecified but opportunistic linked dependencies are now stored on formula installation and used to correctly generate the list of dependencies for an installed formula
• Downloading Homebrew’s portable Ruby also respects the HOMEBREW_BOTTLE_DOMAIN variable
• The brew.sh websites all look better on mobiles

Finally:

• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use Patreon we’ve updated the README on how to make single donations through PayPal, cheque or wire transfer.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 1.5.0:

• The python formula was upgraded to Python 3.x and python@2 formula was added for installing Python 2.7. We initially did not comply with PEP 394 and this was a mistake; sorry for the pain. We heard your feedback on Python 3 and made brew install python and brew install python@2 PEP 394 compliant. We will not change this again until PEP 394 has changed.
• We deprecated and archived the Homebrew/homebrew-php tap and created new php and versioned php@* formulae in Homebrew/core. This completes the deprecation and archival of the last non-Homebrew/core tap for end-users. We encourage more niche formulae and options to be supported in taps outside the Homebrew organisation.
• Many formula deprecations have been disabled and disabled functions removed
• Homebrew’s curl invocations now only read curlrc if HOMEBREW_CURLRC is set
• brew audit --strict now checks for depends_on ... build.with? dependencies (because they don’t and cannot work as expected)
• brew audit now flags the use of :run dependencies as they were a no-op
• brew tap refuses to tap deprecated taps

Other changes since 1.5.0 I’d like to highlight are the following:

• We’ve updated our documentation to note that curl needs --insecure on OS X 10.7 and below
• brew unlink no longer incorrectly removes versioned aliases
• brew linkage now outputs broken dependencies and missing libraries
• brew bump-formula-pr uses the GitHub API directly rather than hub
• You can now use scp:// in formula URLs
• Runtime dependencies handling is improved so e.g. brew uninstall and brew missing will now have consistent output
• Bottles can use custom download strategy URLs
• brew install will now also search casks if the formulae was not found
• Bottle root_urls can now use any download strategy
• brew install --only-dependencies will install any missing dependencies even if the formula is already installed
• brew upgrade now has a HOMEBREW_UPGRADE_CLEANUP environment variable to request automatic removal of old versions of a formula on upgrade
• Dependencies can now be :test to indicate they are only used by the test do block
• brew irb --pry uses pry instead of irb
• brew prof and brew ruby commands have been added for Homebrew developers
• brew update now handles a too old system Git (by installing Homebrew’s git) to access GitHub on OS X 10.8 and below
• If the NO_COLOR environment variable is set, Homebrew disables all coloured output
• brew pin is no longer automatically undone by brew uninstall or brew upgrade
• Homebrew now passes through the ALL_PROXY variable to curl
• We now tell people when they need to upgrade their macOS installation to install a formula

Finally:

• The Homebrew maintainers will attempt to have more of our communication in the open
• Thank you to everyone who helped with the Python and PHP migrations and provided constructive, polite and actionable feedback. No thanks to those who have used these as an excuse to abuse the entirely volunteer run project and maintainers. If you’re going to @mention individual maintainers or this project on Twitter with unkind or rude things: expect to be immediately blocked here and on GitHub. When you do that also please be aware that you are sapping volunteer motivation and in doing so make the project worse. In short, remember that open source maintainers owe you nothing.
• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use Patreon we’ve updated the README on how to make single donations through PayPal, cheque or wire transfer.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Future dates for your calendar:

• On 1st March 2018 the python formula will be upgraded to Python 3.x and a python@2 formula will be added for installing Python 2.7 (although this will be keg-only so neither python nor python2 will be added to the PATH by default without a manual brew link --force). We will maintain python2, python3 and python@3 aliases. Any formulae that use depends_on "python" outside Homebrew/core will need to be updated at this point if they wish to keep using Python 2. Note: macOS has provided Python 2.7 since OS X Lion (10.7) so you can update formulae that need Python 2 today by removing depends_on "python" so they use the system python instead.
• By 31st March 2018 we will deprecate and archive the Homebrew/homebrew-php tap. Unfortunately we have been unable to maintain an acceptable, consistent user or contributor experience and CI workload through non-core formula taps in the Homebrew organisation so we are continuing to migrate widely used formulae into Homebrew/core and encourage more niche formulae and options to be supported outside the Homebrew organisation.

Major changes and deprecations since 1.4.0:

• The Homebrew/homebrew-science tap has been archived (for the reasons explained above) as noted previously. This does not represent an adversarial relationship between Homebrew and the science community (as we have imported the widely used formulae from this tap) but an inability to maintain an acceptable level of quality in this tap and differences of opinion on contributor experience (this tap aimed to work on Homebrew and Linuxbrew which made contribution difficult).
• brew postgresql-upgrade-database is a new command to simplify upgrading PostgreSQL databases between major versions.
• default_formula are no longer supported for Requirements. This was originally added to ease our bottle/binary package building when Homebrew was primarily a build-from-source package manager. Now that Homebrew is primarily a binary package manager, default_formula was no longer useful and was the source of many complex dependency resolution bugs.
• Requirements that allowed you to use depends_on for software outside of Homebrew that was also provided by Homebrew have been deprecated. Instead formulae that wish to support e.g. a non-Homebrew Python should use env :std and use the first instance of the software in the PATH (found with which)
• Various, old deprecated APIs have been disabled and more deprecations added.
• brew reinstall and brew upgrade no longer keep manually brew unlinked kegs as unlinked on reinstall or upgrade. Without this change there was no way of differentiating manually unlinked and failed-to-link kegs so a single keg link failure would stop any future version trying to link (leading to the software unexpectedly being missing from the user’s PATH).

Other changes since 1.4.0 I’d like to highlight are the following:

• brew audit allows the use of env :std in non-Homebrew organisation taps
• HOMEBREW_DEVELOPERs are encouraged to submit pull requests for deprecations
• Attempting to brew install a formula that doesn’t exist will only check if the formula was deleted in the last month (rather than ever) to improve performance.
• brew info now shows --devel and --HEAD options for optionless formulae
• Homebrew’s portable Ruby has a GitHub mirror for users that cannot access Bintray
• brew upgrade skips the formula rather than exiting if an upgrade fails due to an unsatisfied Requirement
• The no_proxy variable is passed through to the Homebrew fetch/install process (e.g. for curl)

Finally:

• Homebrew has fewer maintainers than we once did so we’d love more help. If you’re interested check out the documented expectations for Homebrew maintainers.
• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use Patreon we’ve updated the README on how to make single donations through PayPal, cheque or wire transfer.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 1.3.0:

• Homebrew filters all user environment variables. This reduces errors in installing formulae from source and in Homebrew commands.
• Homebrew’s “bottle hooks” have been removed. These were added originally to remove Boxen’s monkey-patching of Homebrew’s internal, private APIs but are no longer necessary for or used by Boxen.
• The Homebrew/science tap is migrating notable formulae to Homebrew/core and will be archived in January 2018. The Homebrew/apache tap has been deprecated and archived. In 2018 we will also deprecate and archive the Homebrew/php tap. Over the last few minor versions of Homebrew we’ve migrated, deprecated and archived most of the formula taps in the Homebrew organisation to improve the reliability, consistency and discoverability of formulae under the Homebrew organisation.
• macOS version analytics are available on the brew.sh homepage.

Other changes since 1.3.0 I’d like to highlight are the following:

• Xcode 9.2 is the latest supported version of Xcode
• macOS High Sierra is the latest supported version of macOS
• Homebrew’s vendored Ruby is 2.3.3 (the same version as provided by macOS High Sierra). This is only used on older macOS versions.
• Using the HOMEBREW_FORCE_BREWED_CURL variable you can force Homebrew to use its own curl for all downloads. This may be useful combined with the proxychains-ng formula in bypassing any grating, ceramic firewalls.
• Homebrew no longer sets MACOSX_DEPLOYMENT_TARGET when building formulae
• Homebrew requires the CLT on all but the latest version of macOS (to avoid copious workarounds in formulae)
• Homebrew correctly orders APFS filesystem command output
• brew config outputs most HOMEBREW_* variables
• brew readall and brew update-reset are documented commands in man brew
• Homebrew ignores applications (e.g. Xcode) found in Time Machine backups
• Formulae are loaded from bottles (when sensible)
• brew linkage will list possible unnecessary dependencies
• The first-time installation on Mac OS X 10.5 has been improved
• Require some HTTP mirrors for old OS X versions without a system curl that consistently supports HTTPS
• Homebrew now always outputs when tapping Homebrew/core (rather than a silent delay)
• Many more brew audit checks have been ported to RuboCop so are available in your text editor
• brew installing local bottles no longer requires a sha256 in the formula
• brew search explains what it’s searching for at each stage
• brew pin documentation explains when and why pinned formulae may be upgraded
• The macOS sandbox message is no longer printed (as it has been on by default for a while)
• brew audit will only check for non-libraries in lib for new formulae

Finally:

• Thanks to our new sponsor, CommsWorld, for hosting our physical hardware. This was particularly helpful for the macOS 10.13 release.
• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Major changes and deprecations since 1.2.0:

• brew install (and upgrade/reinstall) use the macOS sandbox for all builds by default
• revision is deprecated in favour of rebuild in bottle do blocks
• fails_with :llvm is deprecated as it’s always a no-op
• versioned aliases’ opt links for taps are created based on their name and not in subdirectories
• brew link and brew unlink state is preserved after brew install and brew upgrade (including for keg-only formulae)
• brew test requires non-keg-only formulae to be linked
• events we didn’t use are no longer reported to analytics
• BuildErrors reported to analytics now include the requested formula installation options

While all the functionality for these deprecations will be supported for the foreseeable future in Homebrew/brew for 3rd-party usage, Homebrew/homebrew-core has removed the use of these APIs from formulae to improve the user experience.

Other changes since 1.2.0 I’d like to highlight are the following:

• default_formula are always used when pouring bottles again
• brew --prefix is faster
• with_env can be used to simplify temporarily setting environment variables
• homebrew npm-noob is a new tool to ease creating formulae from npm packages
• brew update arguments tell you more explicitly which brew upgrade command to run
• brew bump-formula-pr now works with a shallow Git clone of a tap
• versions are detected more reliably from URLs
• you can brew install formulae whose dependency trees require more than one version of the same :build-time dependency
• :build-time requirements are no longer fatal when installing from bottles
• brew edit will use atom if available
• Basic macOS 10.13 High Sierra support
• brew search includes Homebrew Cask results even when it is tapped
• brew style and brew audit run rubocop in parallel for performance
• brew info displays formula conflict reasons
• brew install --interactive can access $HOME to provide a better shell experience
• brew install can install bottles from a URL
• brew postinstall allows reinstalling etc and var
• Many brew audit checks have been ported to rubocop providing in-editor feedback on Homebrew style

Finally:

• Homebrew still accepts donations through Patreon. If you can afford it, please consider donating.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

Additionally, as Homebrew/homebrew-versions has been moved into Homebrew/homebrew-core Homebrew provides better, official support for different versions. You can read more about this in the dedicated versions document. Please note our goal isn’t to support all versions of all software but to provide some versions and tooling such that you can easily maintain more in your own tap (package repository).

Since 1.1.0 the following deprecations have been made:

• env :std and env :userpaths in formulae
• OS.mac? and OS.linux? in formulae
• fails_with :llvm in formulae
• 32-bit options in formulae
• go get usage in formulae
• formulae dependencies that need built with non-default options
• new formulae that require patches
• language module requirements (e.g. depends_on "pygments.rb" => :ruby)
• Universal options and builds of formulae
• brew tap of deprecated, official taps
• brew cask update command
• brew linkapps and brew unlinkapps commands
• Various internal APIs on ENV. and elsewhere

While all the functionality for these deprecations will be supported for the foreseeable future in Homebrew/brew for 3rd-party usage, Homebrew/homebrew-core will be removing the use of these APIs from formulae to improve the user experience.

Since 1.1.0 some new commands are available:

• brew cask outdated shows outdated Casks
• brew formula outputs the location of a formula
• brew update-reset simplifies cleaning up broken repositories

Some of the other changes since 1.1.0 I’d like to highlight are the following:

• brew create uses GitHub metadata to populate fields when creating from a GitHub archive
• brew audit provides --only and --except flags to allow selectively running brew audit methods
• brew search uses a single GitHub API call for searching all Homebrew and Caskroom taps
• brew install creates symlinks in opt for formulae aliases (such as versioned aliases)
• brew update will symlink shell completions provided by taps
• brew tests runs all cask tests (replacing brew cask-tests) and all tests use RSpec rather than MiniTest
• New download strategies were added for handling private GitHub repositories
• We store (and report to anonymous analytics) whether a package was installed as a dependency or on request. This is returned as part of brew info --json=v1. This is useful in differentiating between top installed packages based on user demand vs. based on large numbers of dependents. This is also used by brew bundle dump and brew bundle cleanup to handle dependencies more sensibly.
• Xcode prerelease warnings have been removed
• brew reinstall, upgrade and install always output used options
• brew tap-new uses our latest Travis CI recommended configuration providing zero-configuration CI for all formulae taps
• brew uninstall now refuses to uninstall a package if other packages that depend on it are still installed
• RuboCop is used for formulae desc audits and checking the order of methods in formulae rather than requiring brew audit be run. This also allows these checks to be run automatically in any editor with RuboCop integration.
• Setting HOMEBREW_ENV_FILTERING will filter all custom user environment variables from brew. Eventually we hope to enable this by default.
• Sensitive tokens in the environment are hidden from untrusted 3rd-party code in brew install and brew test
• brew services provides better error reporting using new macOS APIs

And finally:

• A new documentation site is at docs.brew.sh
• A dump of installation, installation on request and build error events is provided on this site
• Homebrew’s mailing list has been deprecated in favour of our Discourse forum
• Homebrew accepts donations through Patreon. If you can afford it, please consider donating.
• Homebrew uses HackerOne for security vulnerability disclosure
• Homebrew’s CI servers are now provided by MacStadium and DigitalOcean. Thanks to Positive Internet for years of friendship, incredible customer support and super reliable hosting.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far. Enjoy using Homebrew!

1.1.0 contains some breaking changes:

• Disable SHA-1 checksum support in formulae
• Disable running Homebrew as the root user (e.g. sudo brew)
• Bottles with _or_later tags no longer use _or_later in their filenames so the existing bottle can be reused

Some of the changes since 1.0.0 I’d like to highlight are the following:

• A branch named stable (rather than master) is used for following Homebrew/brew tags
• brew test-bot has moved to its own tap
• brew info now also lists Requirements (e.g. depends_on :foo) as well as dependencies
• RuboCop configured so RuboCop-supporting editors get the correct messaging for editing files in Homebrew/brew and Library/Taps
• External brew commands can now use #: comments to automatically have rich --help output
• The brew.1 manpage points to official external commands (brew bundle, brew cask, brew services)
• OS X Mavericks (10.9) and above now use BSD tar’s libarchive LZMA support rather than needing to install xz
• A brew tap-new command is available for creating a new tap with a README and preconfigured Travis CI file (.travis.yml)
• Bottle/binary package creation and extraction has been sped up
• brew output has been improved when git is not installed
• A new brew cask reinstall command was added
• brew info now lists required option builds in dependencies output

Enjoy using Homebrew!

We’ve been working hard over the last year to make some major changes to Homebrew that we’ve been wanting for a long time. There have been some hiccups along the way but we now have a more stable base for using and developing Homebrew in the future.

These include:

• Homebrew package management and formulae (package metadata) split into separate repositories
• Homebrew Community site (using Discourse) for discussion
• Homebrew joined the Software Freedom Conservancy
• Homebrew’s default repository installation location changed to /usr/local/Homebrew to keep your /usr/local cleaner
• Homebrew/brew updates between release tags
• Homebrew CI and homebrew/core use the macOS sandbox for build-time security
• Homebrew Cask integrated into Homebrew/brew
• Add new brew bump-formula-pr command to create new formula version pull requests
• Add brew --help to brew subcommands
• Homebrew auto-updates when needed
• brew update sped up by only running git fetch if necessary
• Officially support brew bundle (for Brewfiles and import/export) and brew services (for background services management).
• Homebrew/brew passes tests on Linux and has generic backend for porting to other platforms in future
• Provide access to developer commands and brew update workflow automatically
• Use curl for all HTTP access for consistent proxy support
• Use new Ruby Macho library for reading and writing library macOS Mach O file locations.
• Provide vendored, portable Ruby 2 binary for when system Ruby 2 is not available
• HEAD package installations have versions and can be upgraded
• Use Python virtualenvs to better handle Python dependencies

And finally:

• Improves formula not found handling

Thanks to all our users, contributors and maintainers past and present for getting us to this milestone. Enjoy using Homebrew!