← Back to glossary

CHANGELOG — Keeping a Good One

Style Beginner

debt(d7/e3/b3/t7)

d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). Tools like conventional-changelog, semantic-release, and keep-a-changelog can flag missing or malformed changelogs, but they require deliberate setup and CI integration — they won't catch quality issues like missing sections or stale entries automatically. The most common failure (no update before tagging) is only noticed during release review or when downstream users complain.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is clear: add CHANGELOG.md to repo root, adopt Keep a Changelog format, and update per release. This is a small, localised effort — not a one-liner swap (e1) because it involves establishing a convention and possibly automating from conventional commits, but it doesn't span multiple files or components.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The changelog applies to the project as a whole (web/cli contexts), but the burden is contained — one file, updated at release time. It doesn't shape architectural decisions or slow down day-to-day feature work. The tax is felt mainly at release time, not across every development task.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field is explicit: developers assume 'git log reformatted = changelog', which contradicts the human-readable, grouped, impact-focused nature of a good changelog. This is a documented anti-pattern (common_mistakes confirm it) that contradicts how developers naturally think about version history, placing it at t7 — a serious trap that contradicts an obvious analogy from another familiar tool (git log).

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-06 · reviewed by human

Also Known As

CHANGELOG release notes change log

TL;DR

A human-readable log of notable changes per release — distinct from git commit history — following Keep a Changelog conventions.

Explanation

A CHANGELOG.md (keepachangelog.com format) documents what changed per version for users consuming your code, not for git history consumers. Sections per release: Added, Changed, Deprecated, Removed, Fixed, Security. An Unreleased section accumulates changes for the next release. Each version section links to a tag diff. Changelogs are essential for open-source libraries — without one, consumers must read commit history to assess upgrade risk. Combined with Semantic Versioning, a clear changelog makes library upgrades significantly less risky and signals project maturity and maintainer diligence.

Common Misconception

✗ A changelog is just git log reformatted. A good changelog is written for humans, not machines — it groups changes by type (Added, Changed, Fixed, Security), links to issues, and explains the why and impact, not just the what.

Why It Matters

A structured changelog communicates what changed between versions to users and developers — without one, upgrading is a risk that requires reading every commit to understand impact.

Common Mistakes

Using git log as a changelog — commit messages are for developers, not users.
Not following Keep a Changelog or semantic versioning conventions — inconsistent format is hard to parse.
Forgetting to update the changelog before tagging a release — it is always stale.
No distinction between Added, Changed, Deprecated, Removed, Fixed, Security sections.

Code Examples

✗ Vulnerable

# CHANGELOG.md anti-pattern:
## [Unreleased]
## [1.2.0] - 2026-03-01
- stuff
- fixes
- new things

# Structured changelog:
## [1.2.0] - 2026-03-01
### Added
- User export to CSV feature
### Fixed
- Session timeout not enforced on API endpoints
### Security
- Patched XSS in search results (CVE-2026-1234)

✓ Fixed

# CHANGELOG.md — Keep a Changelog format (keepachangelog.com)

## [Unreleased]
### Added
- PHP 8.3 typed class constants

## [2.4.1] - 2024-03-10
### Fixed
- Password reset tokens now expire after 1 hour (was never expiring)

### Security
- CVE-2024-XXXX: Patched XSS in user profile bio field

## [2.4.0] - 2024-02-28
### Added
- MFA support via TOTP
### Changed
- Session now regenerated on login (session fixation fix)
### Deprecated
- `UserManager::fetchCustomer()` — use `UserRepository::find()` instead
### Removed
- Removed legacy MD5 password migration path

## [2.3.0] - 2024-01-15
...

# Types: Added, Changed, Deprecated, Removed, Fixed, Security

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,506 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Perplexity 14 Amazonbot 14 Scrapy 7 Google 6 Ahrefs 4 SEMrush 4 Unknown AI 3 Claude 1 Bing 1 Meta AI 1 Yandex 1

Also referenced

Composer & Dependency Management 71 Code Documentation 63 Semantic Versioning (SemVer) 46

How they use it

crawler 53 crawler_json 2 pre-tracking 1

Related categories

php 13k general 3k devops 2.2k style 2.1k

⚡ DEV INTEL Tools & Severity

🟢 Low ⚙ Fix effort: Low

⚡ Quick Fix

Keep CHANGELOG.md in the repo root, update it on every release with sections: Added, Changed, Deprecated, Removed, Fixed, Security — or automate it from conventional commits

📦 Applies To

any web cli

🔗 Prerequisites

Semantic Versioning (SemVer) Conventional Commits API Deprecation

🔍 Detection Hints

No CHANGELOG.md; changelog only in GitHub releases not in repo; changelog not updated on bug fix releases

Auto-detectable: ✓ Yes conventional-changelog semantic-release keep-a-changelog

⚠ Related Problems

Semantic Versioning (SemVer) API Deprecation Documentation as Code

🤖 AI Agent

Confidence: Low False Positives: High ✗ Manual fix Fix: Low Context: File

References

https://keepachangelog.com/en/1.1.0/