<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sonu Preetam</title>
    <description>The latest articles on DEV Community by Sonu Preetam (@sonupreetam).</description>
    <link>https://dev.to/sonupreetam</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4011168%2F400c0505-a946-4a30-99a4-6aed57c35acc.jpg</url>
      <title>DEV Community: Sonu Preetam</title>
      <link>https://dev.to/sonupreetam</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sonupreetam"/>
    <language>en</language>
    <item>
      <title>Keeping Your Mac Dev Environment From Rotting</title>
      <dc:creator>Sonu Preetam</dc:creator>
      <pubDate>Wed, 01 Jul 2026 21:22:49 +0000</pubDate>
      <link>https://dev.to/sonupreetam/keeping-your-mac-dev-environment-from-rotting-43ah</link>
      <guid>https://dev.to/sonupreetam/keeping-your-mac-dev-environment-from-rotting-43ah</guid>
      <description>&lt;p&gt;Developer workstations rot. Packages drift out of date, and nobody checks for CVEs until something breaks.&lt;/p&gt;

&lt;h2&gt;Step 1: Audit Your Taps&lt;/h2&gt;

&lt;p&gt;Taps go stale. Projects shut down, formulae move to homebrew-core, and you're left with dead weight. Run &lt;code&gt;brew tap&lt;/code&gt; and check:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tap&lt;/th&gt;
&lt;th&gt;Why it's dead&lt;/th&gt;
&lt;th&gt;What to do&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;hashicorp/tap&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;All tools are in homebrew-core now. Known "conflicts with itself" bug (&lt;a href="https://github.com/Homebrew/brew/pull/22764" rel="noopener noreferrer"&gt;Homebrew/brew#22764&lt;/a&gt;).&lt;/td&gt;
&lt;td&gt;Migrate and untap&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;weaveworks/tap&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Company shut down (2024). Abandoned &lt;code&gt;formula_renames.json&lt;/code&gt;.&lt;/td&gt;
&lt;td&gt;Untap&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;derailed/k9s&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;k9s is in homebrew-core&lt;/td&gt;
&lt;td&gt;Untap&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;To migrate off a tap:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew uninstall terraform vault packer
brew &lt;span class="nb"&gt;install &lt;/span&gt;terraform vault packer
brew untap hashicorp/tap
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If &lt;code&gt;brew info &amp;lt;package&amp;gt;&lt;/code&gt; shows it's in &lt;code&gt;homebrew/core&lt;/code&gt;, the tap is redundant.&lt;/p&gt;

&lt;p&gt;Homebrew 4.x+ also has tap trust. If you see &lt;code&gt;Warning: Skipping &amp;lt;tap&amp;gt; because it is not trusted&lt;/code&gt;, either trust it (&lt;code&gt;brew trust &amp;lt;tap&amp;gt;&lt;/code&gt;) or remove it. Don't leave dead taps dangling.&lt;/p&gt;

&lt;h2&gt;Step 2: Vulnerability Scanning&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;The wrong approach&lt;/strong&gt;: pointing generic SCA tools at &lt;code&gt;/opt/homebrew/Cellar&lt;/code&gt;. Homebrew packages don't leave lockfiles or standard metadata, so &lt;code&gt;osv-scanner&lt;/code&gt; and &lt;code&gt;trivy&lt;/code&gt; won't find anything useful.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The right approach&lt;/strong&gt;: &lt;a href="https://github.com/Homebrew/homebrew-brew-vulns" rel="noopener noreferrer"&gt;&lt;code&gt;brew-vulns&lt;/code&gt;&lt;/a&gt;, Homebrew's first-party vulnerability scanner (released January 2026):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;gem &lt;span class="nb"&gt;install &lt;/span&gt;brew-vulns

brew vulns                              &lt;span class="c"&gt;# scan all installed packages&lt;/span&gt;
brew vulns &lt;span class="nt"&gt;--severity&lt;/span&gt; high              &lt;span class="c"&gt;# filter by severity&lt;/span&gt;
brew vulns &lt;span class="nt"&gt;--cyclonedx&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; sbom.cdx.json  &lt;span class="c"&gt;# generate SBOM with vuln data&lt;/span&gt;
brew vulns &lt;span class="nt"&gt;--sarif&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; results.sarif      &lt;span class="c"&gt;# for GitHub code scanning&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It checks each formula's source repository and version against OSV.dev. Actual CVE data, not guesswork.&lt;/p&gt;

&lt;p&gt;For a pre-upgrade gate, &lt;a href="https://github.com/sharkyger/homebrew-safe-upgrade" rel="noopener noreferrer"&gt;&lt;code&gt;brew safe-upgrade&lt;/code&gt;&lt;/a&gt; checks OSV + GitHub Advisory + NIST NVD &lt;strong&gt;before&lt;/strong&gt; touching your system:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew tap sharkyger/homebrew-safe-upgrade
brew safe-upgrade   &lt;span class="c"&gt;# blocks if target version has known CVEs&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;Step 3: Triage What You Find&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;brew vulns&lt;/code&gt; tells you &lt;em&gt;what's&lt;/em&gt; vulnerable. It doesn't tell you whether a fix exists, whether you actually need the package, or what to do when &lt;code&gt;brew upgrade&lt;/code&gt; won't help.&lt;/p&gt;

&lt;h3&gt;Why do you have it?&lt;/h3&gt;

&lt;p&gt;Most vulnerable packages are transitive dependencies. Find out what pulls them in:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew uses &lt;span class="nt"&gt;--installed&lt;/span&gt; &amp;lt;package&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If nothing depends on it, you installed it directly. If you don't use it, &lt;code&gt;brew uninstall &amp;lt;package&amp;gt;&lt;/code&gt; and move on.&lt;/p&gt;

&lt;h3&gt;Is there an upstream fix?&lt;/h3&gt;

&lt;p&gt;Query the OSV API:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl &lt;span class="nt"&gt;-s&lt;/span&gt; https://api.osv.dev/v1/vulns/OSV-XXXX-NNN | jq &lt;span class="s1"&gt;'.affected[].ranges[].events'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You're looking for a &lt;code&gt;"fixed"&lt;/code&gt; event:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Outcome&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;th&gt;What to do&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;No &lt;code&gt;fixed&lt;/code&gt; event&lt;/td&gt;
&lt;td&gt;No upstream fix exists&lt;/td&gt;
&lt;td&gt;Wait. Optionally file an issue upstream.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;fixed&lt;/code&gt; commit exists, no release&lt;/td&gt;
&lt;td&gt;Fix is on &lt;code&gt;main&lt;/code&gt; but not tagged&lt;/td&gt;
&lt;td&gt;Request a release upstream, or &lt;code&gt;brew install --HEAD &amp;lt;package&amp;gt;&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;fixed&lt;/code&gt; in a release you already have&lt;/td&gt;
&lt;td&gt;OSV record is stale&lt;/td&gt;
&lt;td&gt;Nothing, you're already patched&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;Would &lt;code&gt;brew upgrade&lt;/code&gt; help?&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew info &lt;span class="nt"&gt;--json&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;v2 &amp;lt;package&amp;gt; | jq &lt;span class="s1"&gt;'.formulae[].versions.stable'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you're already on the latest stable and the CVE is still open, &lt;code&gt;brew upgrade&lt;/code&gt; does nothing.&lt;/p&gt;

&lt;h3&gt;When the fix is on &lt;code&gt;main&lt;/code&gt; but not released&lt;/h3&gt;

&lt;p&gt;Some projects merge security fixes months before cutting a release. Homebrew can only ship what's tagged.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Install from HEAD&lt;/strong&gt; (builds from source, includes the fix). Not all formulae support this. Check with &lt;code&gt;brew info &amp;lt;package&amp;gt;&lt;/code&gt; and look for "HEAD" in the output:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew uninstall &lt;span class="nt"&gt;--ignore-dependencies&lt;/span&gt; &amp;lt;package&amp;gt;
brew &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--HEAD&lt;/span&gt; &amp;lt;package&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Pin to prevent regression&lt;/strong&gt; (otherwise a future &lt;code&gt;brew upgrade&lt;/code&gt; will revert you to the vulnerable stable bottle):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew pin &amp;lt;package&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Wait for a release&lt;/strong&gt; and file an issue upstream asking for one.&lt;/p&gt;

&lt;h3&gt;Existing upstream issues&lt;/h3&gt;

&lt;p&gt;Before filing, search the project's issue tracker:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;gh search issues &lt;span class="nt"&gt;--repo&lt;/span&gt; &amp;lt;org&amp;gt;/&amp;lt;repo&amp;gt; &lt;span class="s2"&gt;"&amp;lt;OSV-ID or OSS-Fuzz issue number&amp;gt;"&lt;/span&gt;
gh issue list &lt;span class="nt"&gt;--repo&lt;/span&gt; &amp;lt;org&amp;gt;/&amp;lt;repo&amp;gt; &lt;span class="nt"&gt;--state&lt;/span&gt; open &lt;span class="nt"&gt;--search&lt;/span&gt; &lt;span class="s2"&gt;"&amp;lt;crash function name&amp;gt;"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Not all projects use GitHub Issues (e.g., ICU uses Jira, Chromium uses Monorail). Check the project's README for their bug tracker. OSS-Fuzz auto-notifies project owners, but that notification doesn't always become a public issue.&lt;/p&gt;

&lt;h3&gt;Verify after remediation&lt;/h3&gt;

&lt;p&gt;Re-scan after any fix. If the vulnerability still shows, the OSV record may not have been updated yet.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew vulns &lt;span class="nt"&gt;--severity&lt;/span&gt; medium
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;Step 4: Update Everything&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;brew upgrade&lt;/code&gt;, &lt;code&gt;npm update -g&lt;/code&gt;, &lt;code&gt;gem update&lt;/code&gt;, &lt;code&gt;rustup update&lt;/code&gt;... nobody runs all of these consistently. &lt;a href="https://github.com/topgrade-rs/topgrade" rel="noopener noreferrer"&gt;Topgrade&lt;/a&gt; does:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew &lt;span class="nb"&gt;install &lt;/span&gt;topgrade
topgrade
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It detects what's installed and upgrades &lt;a href="https://github.com/topgrade-rs/topgrade#supported-steps" rel="noopener noreferrer"&gt;all of it&lt;/a&gt;. Configure at &lt;code&gt;~/.config/topgrade/topgrade.toml&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight toml"&gt;&lt;code&gt;&lt;span class="nn"&gt;[misc]&lt;/span&gt;
&lt;span class="py"&gt;cleanup&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;

&lt;span class="nn"&gt;[brew]&lt;/span&gt;
&lt;span class="py"&gt;greedy_cask&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;     &lt;span class="c"&gt;# upgrade casks without version bumps&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Some tools (macOS softwareupdate, RubyGems system) fail in non-interactive mode. Add them to &lt;code&gt;disable&lt;/code&gt; if the noise bothers you.&lt;/p&gt;

&lt;h2&gt;Step 5: Automate It&lt;/h2&gt;

&lt;h3&gt;Daily: Homebrew autoupdate (built-in)&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew autoupdate start 86400 &lt;span class="nt"&gt;--upgrade&lt;/span&gt; &lt;span class="nt"&gt;--cleanup&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This uses launchd behind the scenes. Runs every 24 hours: update, upgrade, cleanup. No cron, no plist, no maintenance.&lt;/p&gt;

&lt;p&gt;Check status: &lt;code&gt;brew autoupdate status&lt;/code&gt;&lt;br&gt;
Disable: &lt;code&gt;brew autoupdate stop&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Weekly: Full topgrade sweep&lt;/h3&gt;

&lt;p&gt;Add a cron entry or run it manually every Monday:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;topgrade &lt;span class="nt"&gt;--yes&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;Monthly: Clean up dead weight&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew autoremove          &lt;span class="c"&gt;# remove orphan dependencies&lt;/span&gt;
brew cleanup &lt;span class="nt"&gt;--prune&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;30  &lt;span class="c"&gt;# delete old versions&lt;/span&gt;
brew tap                 &lt;span class="c"&gt;# check for abandoned taps&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;Step 6: Hardening Baseline&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Firewall&lt;/span&gt;
/usr/libexec/ApplicationFirewall/socketfilterfw &lt;span class="nt"&gt;--getglobalstate&lt;/span&gt;

&lt;span class="c"&gt;# FileVault (disk encryption)&lt;/span&gt;
fdesetup status

&lt;span class="c"&gt;# System Integrity Protection&lt;/span&gt;
csrutil status

&lt;span class="c"&gt;# Gatekeeper&lt;/span&gt;
spctl &lt;span class="nt"&gt;--status&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;All four should report enabled. If any don't, fix them:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Enable firewall&lt;/span&gt;
&lt;span class="nb"&gt;sudo&lt;/span&gt; /usr/libexec/ApplicationFirewall/socketfilterfw &lt;span class="nt"&gt;--setglobalstate&lt;/span&gt; on

&lt;span class="c"&gt;# FileVault (prompts for restart)&lt;/span&gt;
&lt;span class="nb"&gt;sudo &lt;/span&gt;fdesetup &lt;span class="nb"&gt;enable&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For a full CIS Benchmark audit, use &lt;a href="https://github.com/sametsazak/mergen" rel="noopener noreferrer"&gt;Mergen&lt;/a&gt; (85 controls with auto-fix) or &lt;a href="https://cisofy.com/lynis/" rel="noopener noreferrer"&gt;lynis&lt;/a&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;brew &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--cask&lt;/span&gt; sametsazak/mergen/mergen-app
&lt;span class="c"&gt;# or&lt;/span&gt;
brew &lt;span class="nb"&gt;install &lt;/span&gt;lynis &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;sudo &lt;/span&gt;lynis audit system
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;Quick Setup&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# 1. Audit and clean up dead taps&lt;/span&gt;
brew tap                 &lt;span class="c"&gt;# review the list&lt;/span&gt;
brew untap &amp;lt;dead-tap&amp;gt;    &lt;span class="c"&gt;# remove any you don't need&lt;/span&gt;

&lt;span class="c"&gt;# 2. Install tooling&lt;/span&gt;
gem &lt;span class="nb"&gt;install &lt;/span&gt;brew-vulns
brew &lt;span class="nb"&gt;install &lt;/span&gt;topgrade

&lt;span class="c"&gt;# 3. Configure topgrade&lt;/span&gt;
&lt;span class="nb"&gt;mkdir&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; ~/.config/topgrade
&lt;span class="nb"&gt;cat&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; ~/.config/topgrade/topgrade.toml &lt;span class="o"&gt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="no"&gt;EOF&lt;/span&gt;&lt;span class="sh"&gt;'
[misc]
cleanup = true

[brew]
greedy_cask = true
&lt;/span&gt;&lt;span class="no"&gt;EOF

&lt;/span&gt;&lt;span class="c"&gt;# 4. Set up daily autoupdate&lt;/span&gt;
brew autoupdate start 86400 &lt;span class="nt"&gt;--upgrade&lt;/span&gt; &lt;span class="nt"&gt;--cleanup&lt;/span&gt;

&lt;span class="c"&gt;# 5. Initial full update&lt;/span&gt;
topgrade &lt;span class="nt"&gt;--yes&lt;/span&gt;

&lt;span class="c"&gt;# 6. Vulnerability check&lt;/span&gt;
brew vulns &lt;span class="nt"&gt;--severity&lt;/span&gt; medium
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After this, your workstation maintains itself daily. Run &lt;code&gt;topgrade&lt;/code&gt; weekly for the full sweep, and &lt;code&gt;brew vulns&lt;/code&gt; whenever you want a CVE status check.&lt;/p&gt;

</description>
      <category>macos</category>
      <category>security</category>
      <category>homebrew</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
