Merge pull request #1021 from Homebrew/4.3.0

Homebrew 4.3.0

_posts/2024-05-14-homebrew-4.3.0.md

@@ -0,0 +1,106 @@
+---
+title: 4.3.0
+author: MikeMcQuaid
+redirect_from: /blog/4.3.0/
+---
+
+Today, I'd like to announce Homebrew 4.3.0.
+The most significant changes since 4.2.0 are SBOM support, initial bottle attestation verification, new command analytics and uninstall autoremove by default.
+
+Major changes and deprecations since 4.2.0:
+
+- [`brew bottle` will include a basic SPDX file inside the bottle](https://github.com/Homebrew/brew/pull/16594)
+ [and a more comprehensive one after installation](https://github.com/Homebrew/brew/pull/17254).
+ This is to provide support for the widely used SBOM format from Homebrew.
+
+- [If `HOMEBREW_VERIFY_ATTESTATIONS` is set, `brew install` will verify the bottle artifact's attestation when pouring bottles using GitHub's `gh` CLI](https://github.com/Homebrew/brew/pull/17049).
+ This functionality is still in beta. We expect to remove the need for the `gh` tool and improve performance before we make this the default behaviour.
+ This behaviour demonstrates Homebrew's ongoing commitment to improving our security posture.
+ Read more in [the tracking issue](https://github.com/Homebrew/brew/issues/17019) or in the [GitHub artifact attestation announcement](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/.)
+
+- [`HOMEBREW_AUTOREMOVE` is the default behaviour meaning that `brew cleanup` and `brew uninstall` automatically run `brew autoremove`](https://github.com/Homebrew/brew/pull/17261).
+ Disable this by setting `HOMEBREW_NO_AUTOREMOVE`.
+ This is to improve the default behaviour of `brew uninstall` given `brew autoremove` is sufficiently reliable.
+
+- [Homebrew has two new types of analytics](https://github.com/Homebrew/brew/pull/16847): ["Brew Command Run" events](https://formulae.brew.sh/analytics/brew-command-run/30d/) and `brew test-bot` analytics.
+ The latter are not working or published yet but will be soon.
+ These are to help us improve the documentation and prioritisation of issues in Homebrew.
+
+- [Homebrew/homebrew-cask requires code signing of all casks](https://github.com/Homebrew/brew/pull/17002).
+ Expect removal of casks that are not code signed from Homebrew/homebrew-cask in future.
+ This is because code signing is required on Apple Silicon which is used by [a growing majority of all Homebrew users](https://formulae.brew.sh/analytics/homebrew-os-arch-ci/365d/).
+
+- [Homebrew/homebrew-autoupdate is no longer an official tap and has moved back to DomT4/homebrew-autoupdate.](https://github.com/Homebrew/brew/pull/16822)
+
+- [Homebrew/homebrew-cask-versions migrated to Homebrew/homebrew-cask and is archived](https://github.com/Homebrew/brew/pull/17207), following Homebrew/homebrew-cask-drivers.
+ Migration for Homebrew/homebrew-cask-fonts will happen soon.
+ This will make it easier to have a more consistent installation, discovery and maintenance experience for all official casks.
+
+- [`brew info --json=v2` output no longer includes the deprecated `oldname` key for formulae. Use the `oldnames` array instead.](https://github.com/Homebrew/brew/pull/17285)
+
+- [Miscellaneous additional code deprecation/disable/removals.](https://github.com/Homebrew/brew/pull/17233)
+
+Other changes since 4.2.0 I'd like to highlight are the following:
+
+- [`HOMEBREW_FORBIDDEN_CASKS`, `HOMEBREW_FORBIDDEN_FORMULAE` and `HOMEBREW_FORBIDDEN_TAPS` are added to extend the functionality beyond the existing `HOMEBREW_FORBIDDEN_LICENSES` to prevent formulae/cask/tap installation](https://github.com/Homebrew/brew/pull/17037).
+ [Relatedly, `HOMEBREW_ALLOWED_TAPS` was added to restrict installation of and from specific taps.](https://github.com/Homebrew/brew/pull/17213)
+
+- GitHub Actions will display native warnings/error notices for [deprecations/disables](https://github.com/Homebrew/brew/pull/16890) and [warnings/errors](https://github.com/Homebrew/brew/pull/17255).
+
+- There are
+ [now](https://github.com/Homebrew/brew/pull/16752)
+ [several](https://github.com/Homebrew/brew/pull/16743)
+ [more](https://github.com/Homebrew/brew/pull/16960)
+ [reasons](https://github.com/Homebrew/brew/pull/17006)
+ why casks are deprecated or disabled.
+
+- Homebrew's code documentation on [rubydoc.brew.sh](https://rubydoc.brew.sh) previously did not do a good job of differentiating public/private/internal (i.e. only public for Homebrew's use) APIs.
+ We [explicitly mark non-private APIs](https://github.com/Homebrew/brew/pull/17128),
+ [non-public APIs](https://github.com/Homebrew/brew/pull/17132),
+ [warn about undocumented non-private APIs](https://github.com/Homebrew/brew/pull/17165) and
+ [APIs are private by default](https://github.com/Homebrew/brew/pull/16831).
+
+- Homebrew's code documentation on [rubydoc.brew.sh](https://rubydoc.brew.sh)
+ [includes Sorbet data from `.rbi` files to provide more types](https://github.com/Homebrew/brew/pull/16906).
+
+- [`brew command`](https://github.com/Homebrew/brew/pull/17186),
+ [`brew shellenv` and `brew setup-ruby` are significantly faster](https://github.com/Homebrew/brew/pull/17188).
+
+- [When the GitHub token used by Homebrew requires more scopes, Homebrew will clarify these.](https://github.com/Homebrew/brew/pull/16633)
+- [`brew upgrade --overwrite` is a new flag similar to `brew install --overwrite` and `brew link --overwrite` to delete files that already exist in the prefix while linking.](https://github.com/Homebrew/brew/pull/16851)
+- [`brew install --display-times` also works with casks.](https://github.com/Homebrew/brew/pull/17052)
+- [Tap migrations can also perform renames.](https://github.com/Homebrew/brew/pull/16648)
+- [`HOMEBREW_GITHUB_API_TOKEN` supports more types of GitHub tokens.](https://github.com/Homebrew/brew/pull/17001)
+- [The `brew desc --eval-all` warning only applies to `brew desc --search`.](https://github.com/Homebrew/brew/pull/17102)
+- [`brew tap` no longer shows untapped taps with API support.](https://github.com/Homebrew/brew/pull/16766)
+- [`brew upgrade` no longer truncates some version numbers.](https://github.com/Homebrew/brew/pull/16959)
+- [@BrewTestBot can no longer provide approving reviews on Homebrew/brew.](https://github.com/Homebrew/brew/pull/16916)
+- [Formulae can optionally restrict network access in build/test/postinstall sandboxes.](https://github.com/Homebrew/brew/pull/17081)
+- [`HOMEBREW_TEMP` is used more consistently for temporary files](https://github.com/Homebrew/brew/pull/16749)
+- [`brew update` outputs a message whenever it is autoupdating to make clear what is causing the delay. Also, `brew update` will attempt to update all taps, not just those on GitHub.](https://github.com/Homebrew/brew/pull/16855)
+- [`brew install`/`upgrade`/`outdated` will more intelligently auto-update when specifying formulae/casks from third-party taps.](https://github.com/Homebrew/brew/pull/17179)
+- [`brew bump-formula` and `brew bump-cask-pr` refuse to bump packages that Homebrew's automation already handles.](https://github.com/Homebrew/brew/pull/16750)
+- [`brew install --adopt` is more permissive and quicker if the bundle versions match.](https://github.com/Homebrew/brew/pull/16889)
+- [`brew uninstall` and `brew reinstall` will skip cask quit/signal directives.](https://github.com/Homebrew/brew/pull/16507)
+- [`brew info --json=v2` returns a Cask's bundle versions in `bundle_version` and `bundle_short_version` keys.](https://github.com/Homebrew/brew/pull/16826)
+- [`brew info` and `brew tap-info` provide more consistent output indicating if a package or tap is installed.](https://github.com/Homebrew/brew/pull/17076)
+- [`brew *-sync` commands avoid overwriting existing user installations.](https://github.com/Homebrew/brew/pull/17155)
+- [`brew *-sync` commands will use their respective: `*ENV_ROOT` variables.](https://github.com/Homebrew/brew/pull/16453)
+- [`brew config` provides information about Homebrew/homebrew-core and Homebrew/homebrew-cask taps and JSON API files.](https://github.com/Homebrew/brew/pull/16385)
+- [`brew list` provides `--installed-on-request` and `--installed-as-dependency` to list formulae installed on request or as dependencies respectively.](https://github.com/Homebrew/brew/pull/17125)
+- [`brew update-reset` will reset to the `stable` tag when appropriate.](https://github.com/Homebrew/brew/pull/16891)
+- [`brew bump*` commands no longer allow forcing multiple PRs.](https://github.com/Homebrew/brew/pull/16664)
+- [`brew bump*` commands limit the number of open PRs to 15.](https://github.com/Homebrew/brew/pull/16962)
+- [`brew bump` will indicate if formulae should sync with others.](https://github.com/Homebrew/brew/pull/16515)
+- [`brew audit` will reject Internet Archive Wayback Machine URLs as these formulae are no longer active.](https://github.com/Homebrew/brew/pull/16476)
+- [`brew audit` will check the license(s) of the specific release rather than the default branch.](https://github.com/Homebrew/brew/pull/16754)
+- [`brew update` will attempt to parse a GitHub API token from repository URL to better handle private repositories.](https://github.com/Homebrew/brew/pull/16649)
+
+Finally:
+
+- [Changes to Homebrew's Governance were merged after a vote of members before the 2024 AGM.](https://github.com/Homebrew/brew/pull/16494)
+- [The minutes of the 2024 AGM are available.](https://github.com/Homebrew/brew/pull/17072)
+- [Homebrew maintainers no longer use forks on official repositories.](https://github.com/Homebrew/brew/pull/16734)
+- [Homebrew accepts donations through GitHub Sponsors](https://github.com/sponsors/Homebrew) and [still accepts donations through Patreon](https://www.patreon.com/homebrew). If you can afford it, please consider donating. If you'd rather not use GitHub Sponsors or Patreon (our preferred donation methods), [check out the other ways to donate in our README](https://github.com/Homebrew/brew/#donations).
+
+Thanks to all our hard-working maintainers, contributors, sponsors and supporters for getting us this far.