CocoaPods Trunk Read-only Plan
CocoaPods Trunk to Become Read-Only: A Timeline and What It Means for Developers
TLDR: In two years, CocoaPods trunk will transition to a read-only state. This means no new pods or versions will be added. This post was last updated in May 2025.
What is CocoaPods Trunk and Why is This Happening?
CocoaPods is a dependency manager for Swift and Objective-C Cocoa projects. The "trunk" is the central repository where developers publish and share their open-source libraries (Pods). Maintaining trunk presents notable security challenges, as highlighted by recent abuse of the scripting capabilities available within Podspecs.
The decision to move trunk to read-only is a proactive security measure. By preventing new submissions, the maintainers aim to drastically simplify the security posture of the Specs repo and the associated CDN (Content Delivery Network). The underlying infrastructure, GitHub and jsDelivr, is expected to remain operational for the foreseeable future, ensuring existing builds continue to function.
The Timeline: From Discussion to Implementation
The discussion about transitioning trunk to read-only began over a year ago. The initial plan was a multi-year process. However, increased security incidents have accelerated the timeline.
- Early 2024: Initial discussions regarding read-only mode.
- May 2025: The decision to block new Podspecs utilizing the prepare_command, due to security researcher abuse.
- 2026 (Expected): Full implementation of read-only mode. New Podspec submissions will be denied at the server level. The CocoaPods/Specs repo will be archived on GitHub.
What does This Mean for You?
The impact of this change depends on how you use CocoaPods:
- Users of Pods from Trunk: After 2026, you will no longer receive updates to dependencies sourced directly from CocoaPods trunk. Existing builds will continue to work, but you’ll be reliant on the versions available as of the transition date.
- Users with Private Specs Repos: This change will have no impact on you. You manage your dependencies independently.
- Users with Vendored Dependencies: This change will have no impact on you. Your dependencies are included directly within your project.
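To find out which of the three groups above each of your dependencies falls into, the following Ruby script (an added example, not part of this post or of the CocoaPods project) parses a Podfile.lock and sorts every pod by where its spec comes from. It relies on the lockfile being YAML, on the `SPEC REPOS` key being `trunk` (older CocoaPods wrote the Specs repo URL instead), and on the sample lockfile embedded below, which is constructed for illustration.

```ruby
require "yaml"

# A constructed Podfile.lock excerpt (not from any real project) covering the
# three cases: pods from trunk, pods from a private specs repo, and pods that
# are vendored or pulled from a local path (listed under EXTERNAL SOURCES).
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - AFNetworking (4.0.1)
    - InternalKit (2.3.0)
    - PrivateNetworking (1.0.0)
    - SDWebImage (5.18.0)

  SPEC REPOS:
    trunk:
      - AFNetworking
      - SDWebImage
    "https://github.com/example/private-specs.git":
      - PrivateNetworking

  EXTERNAL SOURCES:
    InternalKit:
      :path: "../InternalKit"
LOCK

# CocoaPods >= 1.8 names the public repo "trunk"; older lockfiles used the
# git URL of the Specs repo. Both mean "sourced from CocoaPods trunk".
TRUNK_SOURCES = ["trunk", "https://github.com/cocoapods/specs.git"].freeze

# Returns { trunk: [...], private_repo: [...], external: [...] }, each sorted.
# Only pods in the :trunk bucket stop receiving new versions after the
# read-only transition; the other two buckets are unaffected.
def classify_pods(lock_text)
  # Lockfile keys such as ":path" parse as Ruby symbols, so allow Symbol.
  lock = YAML.safe_load(lock_text, permitted_classes: [Symbol])
  result = { trunk: [], private_repo: [], external: [] }
  (lock["SPEC REPOS"] || {}).each do |source, pods|
    bucket = TRUNK_SOURCES.include?(source.to_s.downcase) ? :trunk : :private_repo
    result[bucket].concat(Array(pods))
  end
  result[:external].concat((lock["EXTERNAL SOURCES"] || {}).keys.map(&:to_s))
  result.transform_values(&:sort)
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Podfile.lock, or run without arguments for the sample.
  report = classify_pods(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE)
  puts "Sourced from trunk (no new versions after read-only): #{report[:trunk].join(', ')}"
  puts "Private specs repos (unaffected): #{report[:private_repo].join(', ')}"
  puts "External/vendored sources (unaffected): #{report[:external].join(', ')}"
end
```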
Technical Details & Implementation
The implementation will involve two key steps:
- Server-Side Rejection: The CocoaPods server will be configured to reject all new Podspec submissions.
- GitHub Archiving: The "CocoaPods/Specs" repository on GitHub will be marked as "Archived." This prevents further direct contributions through pull requests.
The prepare_command, a feature allowing custom scripting during Podspec planning, has already been targeted for restriction due to security vulnerabilities. This is a precursor to the full read-only transition.
Impact on Security
| Feature | Current Status | Post-Transition Status | Security Impact |
|---|---|---|---|
| New Podspec Submissions | Allowed | Denied | Reduced attack surface |
| prepare_command | Enabled (with restrictions) | Blocked | Eliminates scripting vulnerabilities |
| Existing Podspecs | Functional | Functional | No change |
By eliminating the ability to introduce new code through Podspecs, the maintainers significantly reduce the risk of malicious code being injected into the CocoaPods ecosystem.
FAQs
- Will my existing projects break?
- No. Existing builds will continue to work as long as GitHub and jsDelivr remain operational.
- What if I need a new version of a Pod?
- You’ll need to consider alternative dependency management strategies,
