Reading SemVer Changelogs
5 exercises — read a realistic multi-version changelog covering a major release with breaking changes, removed APIs, and a security CVE. Understand SemVer bump logic, deprecation lifecycles, and upgrade paths.
SemVer changelog reading strategy
- MAJOR bump → read "Changed" and "Removed" carefully — code updates required
- MINOR bump → read "Changed" for behavioural surprises; "Added" is safe
- PATCH bump → "Fixed" and "Security" only — almost always safe to apply
- Deprecated → plan migration before the next MAJOR; it will be removed then
- CVE in Security → apply urgently — the vulnerability is publicly known
CHANGELOG.md — @acme/data-client
# Changelog — @acme/data-client
All notable changes to this project will be documented in this file.
Format: Keep a Changelog 1.0.0 | Versioning: Semantic Versioning 2.0.0
## [3.0.0] - 2026-06-01
### Added
- New `DataClient.stream()` method for real-time data subscriptions
- TypeScript 5.x strict-mode support
- Plugin API: extend the client with custom middleware via `DataClient.use()`
### Changed
- `DataClient.fetch()` now throws `DataClientError` on HTTP 4xx responses
(previously returned null; callers must update error handling)
- Minimum supported Node.js version raised from 16 to 18
### Removed
- `DataClient.fetchLegacy()` — deprecated since v2.1.0
- `config.retryOnNull` option — no longer meaningful after fetch() change
### Security
- Replaced `node-fetch` with native `fetch` (Node 18+), eliminating
CVE-2022-0235 exposure in the old dependency
---
## [2.3.2] - 2026-04-14
### Fixed
- Fixed incorrect `Content-Type` header sent on PATCH requests (#3301)
- Fixed race condition in connection pool when all connections are in use (#3318)
### Security
- Updated `axios` to 1.7.4 to address SSRF vulnerability CVE-2024-28849
What is the significance of the version number jumping from 2.3.2 to 3.0.0, according to Semantic Versioning?
MAJOR version bump (2.x → 3.0.0) signals breaking changes:
- `DataClient.fetch()` now throws instead of returning null — callers must add error handling
- Node.js minimum version raised to 18 — environments on Node 16 will not work
- `DataClient.fetchLegacy()` removed entirely — callers must migrate to `DataClient.fetch()`
Semantic Versioning rules: MAJOR.MINOR.PATCH
- MAJOR → breaking changes. Consumers must review and update code before upgrading.
- MINOR → new features, backward-compatible. Upgrade is generally safe.
- PATCH → bug fixes only. Upgrade is almost always safe.
Teams that auto-update dependencies without reviewing MAJOR bumps regularly get broken builds. The changelog's "Changed" section should always be read carefully before a MAJOR upgrade — it is the migration guide in miniature.
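The reading strategy and the answer above can be applied mechanically before an upgrade is merged. The following is an added example, not part of the original exercise or of any real `@acme/data-client` tooling: the names `parseChangelog` and `upgradeReport` are hypothetical, and `SAMPLE` is constructed by abbreviating the changelog on this page. It reports the bump type, the "Changed" and "Removed" entries that need review, and the CVE ids named under "Security" for every release the upgrade crosses.

```javascript
// Added example; names are hypothetical. SAMPLE is constructed from the page's changelog.
const SAMPLE = [
  '## [3.0.0] - 2026-06-01',
  '### Changed',
  '- `DataClient.fetch()` now throws `DataClientError` on HTTP 4xx responses',
  '- Minimum supported Node.js version raised from 16 to 18',
  '### Removed',
  '- `DataClient.fetchLegacy()`, deprecated since v2.1.0',
  '### Security',
  '- Replaced `node-fetch` with native `fetch` (Node 18+), eliminating',
  'CVE-2022-0235 exposure in the old dependency',
  '## [2.3.2] - 2026-04-14',
  '### Fixed',
  '- Fixed incorrect `Content-Type` header sent on PATCH requests (#3301)',
  '### Security',
  '- Updated `axios` to 1.7.4 to address SSRF vulnerability CVE-2024-28849',
].join('\n');

// Parse into { version: { Section: [entries] } }, re-joining wrapped entries.
function parseChangelog(text) {
  const releases = {};
  let version = null, section = null, m;
  for (const line of text.split('\n')) {
    if ((m = line.match(/^## \[(\d+\.\d+\.\d+)\]/))) {
      version = m[1]; section = null; releases[version] = {};
    } else if (version && (m = line.match(/^### (\w+)/))) {
      section = releases[version][m[1]] = [];
    } else if (section && line.startsWith('- ')) {
      section.push(line.slice(2));
    } else if (section && section.length && line.trim()) {
      section[section.length - 1] += ' ' + line.trim(); // wrapped continuation line
    }
  }
  return releases;
}

const parts = (v) => v.split('.').map(Number);
const cmp = (a, b) => parts(a).map((n, i) => n - parts(b)[i]).find(Boolean) || 0;

// Summarise every release with from < version <= to: SemVer bump type,
// entries to review (Changed + Removed), and CVE ids named under Security.
function upgradeReport(text, from, to) {
  const releases = parseChangelog(text);
  const crossed = Object.keys(releases).filter((v) => cmp(v, from) > 0 && cmp(v, to) <= 0);
  const collect = (name) => crossed.flatMap((v) => releases[v][name] || []);
  const i = parts(from).findIndex((n, k) => n !== parts(to)[k]);
  return { bump: ['major', 'minor', 'patch'][i] || 'none',
    mustReview: [...collect('Changed'), ...collect('Removed')],
    cves: [...new Set(collect('Security').join(' ').match(/CVE-\d{4}-\d{4,}/g) || [])] };
}
```

Calling `upgradeReport(SAMPLE, '2.3.1', '3.0.0')` covers both releases, so the report includes the security fix from 2.3.2 as well as the breaking changes in 3.0.0.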