Homebrew 6.0 brings tap trust security mechanism, smaller JSON API, and Linux sandboxing

Homebrew 6.0 arrives as the most substantial update since version 5.1 for this widely-used package manager for macOS and Linux. Leading the release, Homebrew introduces tap trust, which requires users to explicitly trust any third-party tap before its unsandboxed Ruby code can be executed. This change allows only official taps to run by default, reducing the risk from compromised or malicious sources.

Alongside this security upgrade, Homebrew 6.0 now defaults to its internal JSON API. By unifying all metadata into a single download, updates are significantly faster and network requests are reduced, streamlining the typical workflow for users.

For those on Linux, Bubblewrap sandboxing is now enabled by default, aligning Linux security practices with those on macOS. Build, test, and post-install phases now run sandboxed, and changes like hardened install steps, sandboxed cask executable hooks, and improved handling of logs further reinforce process isolation. Hosted Ubuntu systems will have Bubblewrap pre-installed, and syntax-only jobs skip sandbox setup for efficiency.

Building on these updates, Homebrew users also receive better defaults, improved performance, expanded brew bundle features, and initial support for macOS 27 “Golden Gate”.