nanobrew

The fastest macOS package manager. Written in Zig.

$ curl -fsSL https://nanobrew.trilok.ai/install | bash

Then restart your terminal or run the export command it prints.

39ms warm install · with full security checks

230x faster than Homebrew · 0.1ms for no-ops

Speed

Apple Silicon, macOS 15, same network. Cold = fresh download. Warm = cached in store.

tree / 0 deps, cold
brew
8.99s
nb
1.19s
7.6x faster
wget / 6 deps, cold
brew
16.84s
nb
11.26s
1.5x faster
ffmpeg / 11 deps, warm
brew
~24.5s
nb
3.5ms
7,000x faster

What shipped in v0.1.079

48 issues closed. 21 security vulnerabilities fixed. Built with parallel AI agents in one session.

🛡 security
patched
21 vulnerabilities — RCE, path traversal, injection, binary corruption
Shell injection in decompression · JSON injection in DB · self-update was curl|bash · Mach-O binary guard
🔧 broken packages
fixed
aws, pip3, c_rehash, wheel3 — all script packages work now
@@HOMEBREW_CELLAR@@ placeholders replaced in shebangs · handles read-only files (0o555)
✨ new commands
added
nb migrate · nb info --cask · nb bundle install
Import from Homebrew · cask metadata · Brewfile support with instant no-ops
🚀 quality of life
added
no sudo after init · clear errors · no Gatekeeper quarantine on casks
sudo nb init chowns to your user · failed packages listed with hint · apps just open
🧪 testing
before
103 tests
after
150 tests + adversarial security suite
+47 tests · path traversal · JSON injection · null bytes · version string attacks
$ nb install jq
==> Resolving dependencies...
    [38ms]
==> Installing 1 package(s):
    jq 1.7.1
==> Downloading + installing 1 packages...
    ✓ jq
==> Done in 1102.4ms
 
$ nb list
jq 1.7.1
 
$ nb update # self-update nanobrew
==> Updating nanobrew...
==> nanobrew updated successfully

How it works

01
Resolve
BFS parallel dependency resolution across concurrent API calls
02
Download
Native HTTP with streaming SHA256 verification in a single pass
03
Extract
Unpack into content-addressable store keyed by SHA256
04
Materialize
APFS clonefile into Cellar — copy-on-write, zero disk cost
05
Link
Symlink binaries into PATH and record in local database

Why it's fast

APFS clonefile

Copy-on-write materialization via macOS syscall. Zero disk overhead per install.

Parallel everything

Downloads, extraction, relocation, and dependency resolution all run concurrently.

Native HTTP

Zig std.http.Client replaces curl subprocess spawns. One fewer process per bottle.

Native Mach-O

Reads load commands from binary headers directly. No otool. Batched codesign.

Content-addressed store

SHA256-keyed dedup means reinstalls skip download and extraction entirely.

Single static binary

No Ruby runtime. No interpreter startup. No config sprawl. Just one ~2MB binary.