Intermediate Reading #semver #changelog #breaking-change #cve

Reading SemVer Changelogs

5 exercises — read a realistic multi-version changelog covering a major release with breaking changes, removed APIs, and a security CVE. Understand SemVer bump logic, deprecation lifecycles, and upgrade paths.

SemVer changelog reading strategy
  • MAJOR bump → read "Changed" and "Removed" carefully — code updates required
  • MINOR bump → read "Changed" for behavioural surprises; "Added" is safe
  • PATCH bump → "Fixed" and "Security" only — almost always safe to apply
  • Deprecated → plan migration before the next MAJOR; it will be removed then
  • CVE in Security → apply urgently — the vulnerability is publicly known
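The strategy above, worked as an added example in JavaScript (not code from this exercise page or from @acme/data-client): it classifies the bump between two versions, parses a small Keep a Changelog excerpt, and reports which sections must be read and which CVE ids the Security entries name. The parser, the function names, the 0.y.z rule and the SAMPLE text are this example's own assumptions.

```javascript
// Added example, not code from this exercise or @acme: classify the SemVer bump and triage a Keep a Changelog file.
function parseSemver(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(s.trim()); // pre-release/build metadata ignored
  if (!m) throw new Error(`not a SemVer string: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}
const cmp = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;
// MAJOR / MINOR / PATCH / NONE; a minor bump on 0.y.z is treated as MAJOR (SemVer 2.0.0: anything may change before 1.0.0).
function bumpKind(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (cmp(a, b) > 0) throw new Error(`downgrade ${from} -> ${to}`);
  if (b.major > a.major) return 'MAJOR';
  if (b.minor > a.minor) return a.major === 0 ? 'MAJOR' : 'MINOR';
  return b.patch > a.patch ? 'PATCH' : 'NONE';
}
// Sections that need a careful read per bump kind (the strategy list above).
const MUST_READ = { MAJOR: ['Changed', 'Removed', 'Security'], MINOR: ['Changed', 'Security'], PATCH: ['Fixed', 'Security'], NONE: [] };
// Minimal Keep a Changelog parser: "## [x.y.z]" headers, "### Name" sections, "- item" entries (continuation lines dropped).
function parseChangelog(md) {
  const releases = []; let rel = null, sec = null, m;
  for (const line of md.split('\n')) {
    if ((m = /^## \[([^\]]+)\]/.exec(line))) { rel = { version: m[1], sections: {} }; releases.push(rel); sec = null; }
    else if (rel && (m = /^### (\w+)/.exec(line))) { sec = m[1]; rel.sections[sec] ??= []; }
    else if (rel && sec && (m = /^- (.*)/.exec(line))) rel.sections[sec].push(m[1]);
  }
  return releases;
}
// Triage releases in (from, to]: entries per section, CVE ids from Security, urgent if any CVE is named (publicly known).
function reviewUpgrade(md, from, to) {
  const kind = bumpKind(from, to), lo = parseSemver(from), hi = parseSemver(to);
  const items = {}, cves = new Set();
  for (const rel of parseChangelog(md)) {
    const v = parseSemver(rel.version); if (!(cmp(lo, v) < 0 && cmp(v, hi) <= 0)) continue;
    for (const [sec, entries] of Object.entries(rel.sections)) {
      (items[sec] ??= []).push(...entries.map(e => `${rel.version}: ${e}`));
      if (sec === 'Security') for (const e of entries) (e.match(/CVE-\d{4}-\d{4,}/g) ?? []).forEach(id => cves.add(id));
    }
  }
  return { kind, mustRead: MUST_READ[kind], items, cves: [...cves].sort(), urgent: cves.size > 0 };
}
// Constructed excerpt modelled on the exercise changelog (not the project's real file).
const SAMPLE = `## [3.0.0] - 2026-06-01
### Removed
- \`DataClient.fetchLegacy()\` (deprecated since v2.1.0)
### Security
- Replaced \`node-fetch\` with native \`fetch\`, eliminating CVE-2022-0235 exposure
## [2.3.2] - 2026-04-14
### Fixed
- Fixed incorrect Content-Type header sent on PATCH requests (#3301)
### Security
- Updated axios to 1.7.4 to address SSRF vulnerability CVE-2024-28849`;
```

Running `reviewUpgrade(SAMPLE, '2.3.1', '3.0.0')` reports a MAJOR bump, both CVE ids and `urgent: true`, so the Removed entry and both Security entries are on the must-read list before the upgrade is applied.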
Exercise 1 / 5
📋 CHANGELOG.md — @acme/data-client
# Changelog — @acme/data-client

All notable changes to this project will be documented in this file.
Format: Keep a Changelog 1.0.0 | Versioning: Semantic Versioning 2.0.0

## [3.0.0] - 2026-06-01

### Added
- New `DataClient.stream()` method for real-time data subscriptions
- TypeScript 5.x strict-mode support
- Plugin API: extend the client with custom middleware via `DataClient.use()`

### Changed
- `DataClient.fetch()` now throws `DataClientError` on HTTP 4xx responses
  (previously returned null; callers must update error handling)
- Minimum supported Node.js version raised from 16 to 18

### Removed
- `DataClient.fetchLegacy()` — deprecated since v2.1.0
- `config.retryOnNull` option — no longer meaningful after fetch() change

### Security
- Replaced `node-fetch` with native `fetch` (Node 18+), eliminating
  CVE-2022-0235 exposure in the old dependency

---

## [2.3.2] - 2026-04-14

### Fixed
- Fixed incorrect `Content-Type` header sent on PATCH requests (#3301)
- Fixed race condition in connection pool when all connections are in use (#3318)

### Security
- Updated `axios` to 1.7.4 to address SSRF vulnerability CVE-2024-28849
What is the significance of the version number jumping from 2.3.2 to 3.0.0, according to Semantic Versioning?