Homebrew

Today, I’d like to announce Homebrew 4.3.0. The most significant changes since 4.2.0 are SBOM support, initial bottle attestation verification, new command analytics and uninstall autoremove by default.

Major changes and deprecations since 4.2.0:

• brew bottle will include a basic SPDX file inside the bottle and a more comprehensive one after installation. This is to provide support for the widely used SBOM format from Homebrew.

• If HOMEBREW_VERIFY_ATTESTATIONS is set, brew install will verify the bottle artifact’s attestation when pouring bottles using GitHub’s gh CLI. This functionality is still in beta. We expect to remove the need for the gh tool and improve performance before we make this the default behaviour. This behaviour demonstrates Homebrew’s ongoing commitment to improving our security posture. Read more in the tracking issue or in the GitHub artifact attestation announcement

• HOMEBREW_AUTOREMOVE is the default behaviour meaning that brew cleanup and brew uninstall automatically run brew autoremove. Disable this by setting HOMEBREW_NO_AUTOREMOVE. This is to improve the default behaviour of brew uninstall given brew autoremove is sufficiently reliable.

• Homebrew has two new types of analytics: “Brew Command Run” events and brew test-bot analytics. The latter are not working or published yet but will be soon. These are to help us improve the documentation and prioritisation of issues in Homebrew.

• Homebrew/homebrew-cask requires code signing of all casks. Expect removal of casks that are not code signed from Homebrew/homebrew-cask in future. This is because code signing is required on Apple Silicon which is used by a growing majority of all Homebrew users.

• Homebrew/homebrew-autoupdate is no longer an official tap and has moved back to DomT4/homebrew-autoupdate.

• Homebrew/homebrew-cask-versions migrated to Homebrew/homebrew-cask and is archived, following Homebrew/homebrew-cask-drivers. Migration for Homebrew/homebrew-cask-fonts will happen soon. This will make it easier to have a more consistent installation, discovery and maintenance experience for all official casks.

• brew info --json=v2 output no longer includes the deprecated oldname key for formulae. Use the oldnames array instead.

• As-of Homebrew 4.3.1: Homebrew now provides Portable Ruby 3.3.1 and requires Ruby >=3.3.0.

• Miscellaneous additional code deprecation/disable/removals.

Other changes since 4.2.0 I’d like to highlight are the following:

• HOMEBREW_FORBIDDEN_CASKS, HOMEBREW_FORBIDDEN_FORMULAE and HOMEBREW_FORBIDDEN_TAPS are added to extend the functionality beyond the existing HOMEBREW_FORBIDDEN_LICENSES to prevent formulae/cask/tap installation. Relatedly, HOMEBREW_ALLOWED_TAPS was added to restrict installation of and from specific taps.

• GitHub Actions will display native warnings/error notices for deprecations/disables and warnings/errors.

• There are now several more reasons why casks are deprecated or disabled.

• Homebrew’s code documentation on rubydoc.brew.sh previously did not do a good job of differentiating public/private/internal (i.e. only public for Homebrew’s use) APIs. We explicitly mark non-private APIs, non-public APIs, warn about undocumented non-private APIs and APIs are private by default.

• Homebrew’s code documentation on rubydoc.brew.sh includes Sorbet data from .rbi files to provide more types.

• brew command, brew shellenv and brew setup-ruby are significantly faster.

• When the GitHub token used by Homebrew requires more scopes, Homebrew will clarify these.
• brew upgrade --overwrite is a new flag similar to brew install --overwrite and brew link --overwrite to delete files that already exist in the prefix while linking.
• brew install --display-times also works with casks.
• Tap migrations can also perform renames.
• HOMEBREW_GITHUB_API_TOKEN supports more types of GitHub tokens.
• The brew desc --eval-all warning only applies to brew desc --search.
• brew tap no longer shows untapped taps with API support.
• brew upgrade no longer truncates some version numbers.
• @BrewTestBot can no longer provide approving reviews on Homebrew/brew.
• Formulae can optionally restrict network access in build/test/postinstall sandboxes.
• HOMEBREW_TEMP is used more consistently for temporary files
• brew update outputs a message whenever it is autoupdating to make clear what is causing the delay. Also, brew update will attempt to update all taps, not just those on GitHub.
• brew install/upgrade/outdated will more intelligently auto-update when specifying formulae/casks from third-party taps.
• brew bump-formula and brew bump-cask-pr refuse to bump packages that Homebrew’s automation already handles.
• brew install --adopt is more permissive and quicker if the bundle versions match.
• brew uninstall and brew reinstall will skip cask quit/signal directives.
• brew info --json=v2 returns a Cask’s bundle versions in bundle_version and bundle_short_version keys.
• brew info and brew tap-info provide more consistent output indicating if a package or tap is installed.
• brew *-sync commands avoid overwriting existing user installations.
• brew *-sync commands will use their respective: *ENV_ROOT variables.
• brew config provides information about Homebrew/homebrew-core and Homebrew/homebrew-cask taps and JSON API files.
• brew list provides --installed-on-request and --installed-as-dependency to list formulae installed on request or as dependencies respectively.
• brew update-reset will reset to the stable tag when appropriate.
• brew bump* commands no longer allow forcing multiple PRs.
• brew bump* commands limit the number of open PRs to 15.
• brew bump will indicate if formulae should sync with others.
• brew audit will reject Internet Archive Wayback Machine URLs as these formulae are no longer active.
• brew audit will check the license(s) of the specific release rather than the default branch.
• brew update will attempt to parse a GitHub API token from repository URL to better handle private repositories.

Finally:

• Changes to Homebrew’s Governance were merged after a vote of members before the 2024 AGM.
• The minutes of the 2024 AGM are available.
• Homebrew maintainers no longer use forks on official repositories.
• Homebrew accepts donations through GitHub Sponsors and still accepts donations through Patreon. If you can afford it, please consider donating. If you’d rather not use GitHub Sponsors or Patreon (our preferred donation methods), check out the other ways to donate in our README.

Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.