CHANGELOG — Keeping a Good One
Also Known As
CHANGELOG
release notes
change log
TL;DR
A human-readable log of notable changes per release — distinct from git commit history — following Keep a Changelog conventions.
Explanation
A CHANGELOG.md (keepachangelog.com format) documents what changed per version for users consuming your code, not for git history consumers. Sections per release: Added, Changed, Deprecated, Removed, Fixed, Security. An Unreleased section accumulates changes for the next release. Each version section links to a tag diff. Changelogs are essential for open-source libraries — without one, consumers must read commit history to assess upgrade risk. Combined with Semantic Versioning, a clear changelog makes library upgrades significantly less risky and signals project maturity and maintainer diligence.
Common Misconception
✗ A changelog is just git log reformatted. A good changelog is written for humans, not machines — it groups changes by type (Added, Changed, Fixed, Security), links to issues, and explains the why and impact, not just the what.
Why It Matters
A structured changelog communicates what changed between versions to users and developers — without one, upgrading is a risk that requires reading every commit to understand impact.
Common Mistakes
- Using git log as a changelog — commit messages are for developers, not users.
- Not following Keep a Changelog or semantic versioning conventions — inconsistent format is hard to parse.
- Forgetting to update the changelog before tagging a release, so the published changelog is always stale.
- No distinction between Added, Changed, Deprecated, Removed, Fixed, Security sections.
Code Examples
✗ Vulnerable
# CHANGELOG.md anti-pattern:
## [Unreleased]
## [1.2.0] - 2026-03-01
- stuff
- fixes
- new things
# Structured changelog:
## [1.2.0] - 2026-03-01
### Added
- User export to CSV feature
### Fixed
- Session timeout not enforced on API endpoints
### Security
- Patched XSS in search results (CVE-2026-1234)
✓ Fixed
# CHANGELOG.md — Keep a Changelog format (keepachangelog.com)
## [Unreleased]
### Added
- PHP 8.3 typed class constants
## [2.4.1] - 2024-03-10
### Fixed
- Password reset tokens now expire after 1 hour (was never expiring)
### Security
- CVE-2024-XXXX: Patched XSS in user profile bio field
## [2.4.0] - 2024-02-28
### Added
- MFA support via TOTP
### Changed
- Session now regenerated on login (session fixation fix)
### Deprecated
- `UserManager::fetchCustomer()` — use `UserRepository::find()` instead
### Removed
- Removed legacy MD5 password migration path
## [2.3.0] - 2024-01-15
...
# Types: Added, Changed, Deprecated, Removed, Fixed, Security
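The conventions shown in the two examples above can be checked mechanically, and the Security entries pulled out per version for upgrade review. This is an added example, not code from this page or from the Keep a Changelog project; the function name `lint_changelog`, its rule set and the `BAD`/`GOOD` sample documents are assumptions constructed for illustration.

```python
import re

# Section types named on this page; function name, rules and samples are constructed.
ALLOWED = {"Added", "Changed", "Deprecated", "Removed", "Fixed", "Security"}
RELEASE = re.compile(r"^## \[(?P<ver>[^\]]+)\](?: - (?P<date>\S+))?")
SECTION = re.compile(r"^### (?P<name>.+?)\s*$")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

BAD = "## [Unreleased]\n## [1.2.0] - 2026-03-01\n- stuff\n- fixes\n"
GOOD = ("## [Unreleased]\n### Added\n- PHP 8.3 typed class constants\n"
        "## [2.4.1] - 2024-03-10\n### Security\n"
        "- CVE-2024-XXXX: Patched XSS in user profile bio field\n")


def lint_changelog(text):
    """Return (problems, security): findings, and {version: [Security entries]}."""
    problems, security, seen = [], {}, []
    version = section = None
    for n, line in enumerate(text.splitlines(), 1):
        m = RELEASE.match(line)
        if m:
            version, section = m["ver"], None
            seen.append(version)
            if version != "Unreleased" and not ISO_DATE.match(m["date"] or ""):
                problems.append(f"line {n}: [{version}] lacks a YYYY-MM-DD date")
            continue
        m = SECTION.match(line)
        if m:
            section = m["name"]
            if section not in ALLOWED:
                problems.append(f"line {n}: unknown section type '{section}'")
            continue
        if line.startswith("- "):
            if version is None:
                problems.append(f"line {n}: entry outside any release")
            elif section is None:
                problems.append(f"line {n}: entry in [{version}] has no typed section")
            elif section == "Security":
                security.setdefault(version, []).append(line[2:].strip())
    if "Unreleased" not in seen:
        problems.append("no [Unreleased] section")
    return problems, security


if __name__ == "__main__":
    for name, doc in (("BAD", BAD), ("GOOD", GOOD)):
        problems, security = lint_changelog(doc)
        print(name, problems, security)
```

Run in CI before tagging, a non-empty `problems` list can fail the release job, and the `security` mapping gives reviewers the per-version Security entries without reading commit history.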
Added: 15 Mar 2026
Edited: 22 Mar 2026
Tools & Severity
🟢 Low
⚙ Fix effort: Low
⚡ Quick Fix
Keep CHANGELOG.md in the repo root, update it on every release with sections: Added, Changed, Deprecated, Removed, Fixed, Security — or automate it from conventional commits
📦 Applies To
any
web
cli
🔍 Detection Hints
No CHANGELOG.md; changelog only in GitHub releases not in repo; changelog not updated on bug fix releases
Auto-detectable:
✓ Yes
conventional-changelog
semantic-release
keep-a-changelog
🤖 AI Agent
Confidence: Low
False Positives: High
✗ Manual fix
Fix: Low
Context: File