Homebrew: Locking Down Casks and Network Trust

Homebrew shipped a cluster of security-focused fixes around cask uninstalls and network redirects, alongside a bigger structural push to move cask metadata from Ruby to JSON. Developers should expect cask handling to keep changing shape over the next few releases.

Duration: PT2M39S

Episode overview

This episode is a short developer briefing from Homebrew.

It explains recent repository work in plain language.

  • Show: Homebrew
  • Published: 2026-07-05T13:10:35Z

Transcript excerpt

It's July 5th, 2026, and this is Homebrew's daily briefing.

The main story today is trust: what Homebrew trusts when it touches the network, and what it trusts when it removes something from your system.

Start with security. PR 22946 stops `brew uninstall` from evaluating untrusted Ruby cask files, falling back to recorded JSON metadata instead, closing issue 22892. That pairs directly with two curl fixes from Mike McQuaid: PR 22944 stops livecheck from following redirects to non-HTTPS destinations, and PR 22945…

That untrusted-cask fix connects to a bigger theme: casks are moving from Ruby to JSON. PR 22952 starts reading receipt-owned version and artifact data from JSON instead of evaluating cask files. PR 22957 and PR 22958 extend that migration behind a developer flag first, then roll it out to all users, while…

A second theme is correctness in install and upgrade flows. PR 22951 fixes `brew upgrade --dry-run` to correctly split "would install" from "would upgrade" dependencies and read installed versions from kegs. PR 22943 fixes a race where cask taps weren't loaded before dependency discovery in bundle jobs, closing…

Smaller but worth noting: PR 22947 adds RuboCops to…
