Free for developers and teams

Stop missing breaking changes.

Every vendor your stack depends on - Stripe, Anthropic, Vercel, GitHub, your favourite OSS library - ships changes that can quietly break your code. ChangeSpec gives you one place to see what changed, how serious it is, and whether it affects you. Your AI assistant gets the same feed so it can actually fix things.

How it works

[Diagram: vendors such as Stripe, Anthropic, Vercel, GitHub and Twilio publish changes in scattered formats (blog posts, emails, Slack messages, or nothing at all). All of them flow into ChangeSpec, which outputs structured JSON to a CLI, an AI assistant, and a ranked dashboard.]

The problem

You build on 20, 30, maybe 50 external services. Every one of them ships changes on their own schedule, in their own format. Some post to a blog you don't read. Some send an email you archive. Some update a changelog page nobody checks. Some say nothing at all until prod breaks at 2am.

Your AI coding assistant is even more in the dark. It was trained months ago. It will confidently write code against a deprecated Anthropic model, a Stripe webhook field that no longer exists, or a Vercel config option that was renamed last Tuesday. You catch it in review. Sometimes.

Compliance is worse. DORA, OSFI B-10, and OCC third-party guidance all require continuous monitoring of vendor changes. If your bank's vendor updated their DPA last month and nobody noticed, that is a real audit finding.

There is a layer missing between build provenance and vendor intent. Build provenance tools like SLSA and Sigstore answer "was this built in CI?" ChangeSpec answers "did the vendor authorize this change?" The TanStack supply-chain compromise in May 2026 produced 200+ malicious npm packages with valid SLSA attestations - the attacker ran code inside the legitimate build pipeline. ChangeSpec's retraction events, signed by a key held separately from CI (per Section 7.6 of v1.1), are the signal that provenance alone cannot provide.

[Illustration: before ChangeSpec, a developer overwhelmed by scattered critical alerts and a 500 Internal Server Error at 2am. After ChangeSpec, the same developer calm, reviewing a ranked change log with an AI assistant open and dependency conflicts already resolved.]

What you get

01

One feed for every vendor you use

Subscribe to the vendors in your stack. See every breaking change, deprecation, CVE, TOS update, and pricing change in one place, ranked by severity.

02

Your AI assistant stays current

Install the MCP server in Claude Code, Cursor, or Windsurf. Your assistant knows what changed this week and can fix affected code on the spot.

03

Scan your project for impact

Point the CLI at your lockfile. Get a list of recent changes that touch your actual dependencies - not every change from every vendor, just the ones that matter to you.

04

Audit-ready records

Every change is timestamped, signed when possible, and categorized (security, TOS, pricing, API). Export to PDF or pipe into your GRC tool for DORA, OSFI, and OCC evidence.

05

Alerts only when it matters

Critical security events get an immediate notification. Everything else batches into a weekly digest. You decide the noise floor per vendor.

06

No lock-in

Built on an open spec (Apache 2.0). You can self-host, switch providers, or consume the raw feed directly. Your data is yours.

07

Signed retractions

When a supply-chain compromise is detected, vendors publish a cryptographically signed retraction event, independent of what the registry can do. The event includes do_not_install, last_known_good_version, and provenance_invalidated so tooling can act automatically, not just alert.

How you use it

Three ways in, pick the one that fits your workflow. You can combine them.

Path 1 - AI assistant

MCP server (primary)

Install once, add to Claude Code or Cursor, done. Your assistant gets live change data every time you code.

npm install -g @changespec/mcp

Free forever. No account required.

Path 2 - Terminal / CI

CLI for projects and pipelines

Scan your lockfile. Get changes affecting your actual dependencies. Drop into CI as a deployment gate.

brew install changespec
changespec check .

Free forever. Open source (MIT).

Path 3 - Web / webhook

Dashboard + webhooks

Add vendors, configure alerts, get a weekly digest by email. Or pipe events to Slack, PagerDuty, or your internal system via webhook.

Sign in at changespec.com
Add vendors. Done.

Free for individuals and small teams.

Works where you already code

Your IDE. Your AI assistant. Live change data.

The MCP server plugs into Claude Code, Cursor, Windsurf, and JetBrains AI Assistant. One install. Every vendor change your stack depends on is available to your AI in real time - not from training data months out of date.

[Screenshot: VS Code + Claude Code - Python - Stripe webhook deprecation. VS Code editor with stripe_webhooks.py open. Claude Code AI panel shows ChangeSpec MCP connected. AI catches Stripe deprecation: payment_intent.succeeded.data.object.charges removed in API 2024-11-20, corrected to charges.data.]
[Screenshot: VS Code + Cursor - TypeScript - Anthropic model deprecation. VS Code editor with stripeClient.ts open. Cursor AI panel shows ChangeSpec MCP connected. AI catches Anthropic claude-2 model deprecation and provides migration path to claude-3-5-sonnet-20241022 with updated code.]
[Screenshot: IntelliJ IDEA + AI Assistant - Java - Stripe PaymentIntent deprecation. IntelliJ IDEA with StripeWebhookController.java open. JetBrains AI Assistant panel shows ChangeSpec MCP connected. AI catches Stripe charges field deprecation on PaymentIntent and suggests paymentIntent.getLatestCharge() with a code diff.]

Pricing

Free for the people who would benefit most. Paid for vendors who want publisher analytics and enterprises with compliance obligations.

Developer

Free

Forever. Not a trial.

  • MCP server, CLI, dashboard
  • Track unlimited vendors
  • Weekly email digest
  • Critical alerts in real time
  • RSS feeds

Team

Free

Up to 10 seats.

  • Everything in Developer
  • Shared team feed
  • Slack / Teams webhooks
  • Per-vendor routing rules

Publisher

$79+/mo

For vendors publishing their own changes.

  • Push API + verified badge
  • Subscriber analytics
  • Publishing workflow (draft, review, schedule)
  • Cryptographic signing

Enterprise

Custom

For regulated industries and compliance teams.

  • Everything in Team
  • Audit trail + PDF export
  • DORA / OSFI / OCC evidence
  • SSO, SAML, SCIM
  • Review workflows
  • Private vendor channels

The open spec and reference implementations are Apache 2.0 and MIT, free to use and self-host regardless of plan. changespec.com is the hosted option. Nothing stops you from running your own.

We don't break your build.

ChangeSpec is an advisory layer. It surfaces information. It does not own your deployment gate. Three guarantees we stand behind:

Advisory by default

The CLI exits 0 whether it finds zero issues or fifty. Blocking behavior requires an explicit --fail-on flag. Never the default. Never changed without notice.

Cache-first, always bypassable

The MCP server and CLI cache the last successful response for 7 days. When our API is down, you read from cache. One variable - CHANGESPEC_SKIP=1 - disables everything in 30 seconds.

2-second hard timeout

Every API call has a hard wall-clock timeout. If we don't respond in 2 seconds (interactive) or 5 seconds (CI), the client falls back to cache and continues. You never wait on us.

Full reliability commitments, SLOs, and bypass instructions →

A ChangeSpec event

A real event from the vendor index. Publisher-verified, severity classified, machine-readable.

application/vnd.changespec+json
{
  "specversion": "1.1",
  "id": "cs_01HY3KXDEPRECATE001",
  "vendor_id": "anthropic",
  "category": "api_deprecation",
  "severity": "medium",
  "title": "claude-2 model deprecated, sunset 2027-01-01",
  "summary": "The claude-2 and claude-2.1 model identifiers are deprecated and will stop accepting requests on 2027-01-01. Applications should migrate to claude-3-5-sonnet-20241022 or later.",
  "published_at": "2026-04-01T10:00:00Z",
  "source_type": "publisher_verified",
  "confidence_score": 1.0,
  "sunset_date": "2027-01-01",
  "action_required": true,
  "migration_hint": "Replace 'claude-2' or 'claude-2.1' with 'claude-3-5-sonnet-20241022' in your model parameter.",
  "migration_url": "https://docs.anthropic.com/models/overview",
  "recommended_reviewers": ["engineering"],
  "affected_systems": ["Messages API", "Legacy Completion API"]
}

Full field reference in the spec →

A retraction event (v1.1)

New in v1.1. A vendor-signed declaration to stop using a package - with tooling action signals that registries alone cannot provide.

application/vnd.changespec+json - retraction
{
  "specversion": "1.1",
  "id": "cs_01TANSTACK_RETRACT_001",
  "vendor_id": "npm:@tanstack/react-query",
  "category": "retraction",
  "severity": "critical",
  "title": "Supply-chain compromise - do not install affected versions",
  "summary": "Versions 5.63.0 through 5.74.x were published from a compromised CI pipeline. Malicious code is present. Do not install. Pin to 5.62.3 or wait for a clean release.",
  "published_at": "2026-05-11T03:45:00Z",
  "source_type": "publisher_verified",
  "do_not_install": true,
  "provenance_invalidated": true,
  "last_known_good_version": "5.62.3",
  "retraction_reason": "supply_chain_compromise",
  "action_required": true,
  "affected_versions": ">=5.63.0 <=5.74.x"
}

Retraction spec in Section 4 →
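
How a consumer might turn the retraction event above into an automatic lockfile decision. This is an added example, not ChangeSpec's own code. It assumes the event's signature has already been verified, that vendor_id has the form "ecosystem:name", and that affected_versions is a space-separated list of comparators; the function names and the lockfile excerpt are constructed for illustration.

```python
import re

# Constructed: a subset of the retraction event shown above.
RETRACTION = {
    "vendor_id": "npm:@tanstack/react-query", "category": "retraction",
    "do_not_install": True, "provenance_invalidated": True,
    "last_known_good_version": "5.62.3",
    "affected_versions": ">=5.63.0 <=5.74.x",
}
# Constructed lockfile excerpt: package name -> resolved version.
LOCKED = {"@tanstack/react-query": "5.70.1", "react": "18.3.1"}

def _parse(text, wildcard=0):
    """'5.74.x' -> (5, 74, wildcard). Pre-release/build suffixes are dropped,
    so a pre-release of an affected version counts as affected."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(wildcard if p in ("x", "*") else int(p) for p in core.split("."))

def in_range(version, spec):
    """Assumed grammar: space-separated comparators, all of which must hold."""
    v = _parse(version)
    for term in spec.split():
        m = re.fullmatch(r"(>=|<=|>|<)(\S+)", term)
        if not m:
            raise ValueError(f"unsupported comparator: {term!r}")
        op, bound = m.groups()
        # 'x' is the top of the series for <= and >, the bottom for >= and <.
        b = _parse(bound, float("inf") if op in ("<=", ">") else 0)
        if not {">=": v >= b, "<=": v <= b, ">": v > b, "<": v < b}[op]:
            return False
    return True

def apply_retraction(event, locked):
    """Return findings for locked npm packages that the retraction covers."""
    if event.get("category") != "retraction" or not event.get("do_not_install"):
        return []
    ecosystem, _, name = event["vendor_id"].partition(":")  # assumed "ecosystem:name"
    installed = locked.get(name)
    if ecosystem != "npm" or installed is None:
        return []
    try:
        affected = in_range(installed, event["affected_versions"])
    except ValueError:
        affected = True  # fail closed: an unreadable version or range blocks
    if not affected:
        return []
    return [{"package": name, "installed": installed,
             "pin_to": event.get("last_known_good_version"),
             "distrust_attestations": bool(event.get("provenance_invalidated"))}]
```

The distrust_attestations flag carries provenance_invalidated through to the caller, so a policy that normally accepts a package on the strength of a valid build attestation can refuse it for the retracted versions.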

Who benefits

A shared format for change announcements is useful to anyone who produces, consumes, or routes software change information. Eight concrete cases.

Solo founder / indie developer

Forty APIs. Two hours a day. No way to keep up.

You ship one product that integrates Stripe, Resend, Supabase, Anthropic, Vercel, Clerk, and 30 others. You cannot read all of their blogs. A ChangeSpec feed per vendor, aggregated into one place, means your AI assistant tells you what changed while you sleep.

Developer on a team

Every Monday someone mentions a change you missed.

You are mid-sprint. Your teammate mentions Stripe changed a webhook field last Thursday. You did not see it. Nothing fails yet. It will. With a machine-readable feed in your IDE, your editor flags affected code inline before the Monday standup.

Tech lead / Staff engineer

Dependency review is your slowest PR.

Every dep bump requires reading the changelog, scanning for breaking changes, guessing impact. If the upstream publishes ChangeSpec events, your agent summarizes what actually changed and flags what touches your code. Review drops from thirty minutes to three.

CTO / VP Engineering

Vendor risk is a black box until production breaks.

You have 80 vendors in production. You cannot tell your board which of them ship breaking changes without warning, which of them updated their DPA last quarter, or which of them had a CVE last week. A structured feed gives you an actual dashboard. That dashboard becomes your procurement lens.

Director of Developer Experience

Your internal developer portal is missing a layer.

Backstage, Port, or Cortex can tell your engineers what services exist. They cannot tell them what vendors in those services just changed. Subscribe to ChangeSpec feeds once, pipe events into your internal portal, every team sees relevant changes in context.

Vendor / DevRel team

You announce in six channels. Users still miss it.

Blog post, changelog page, Twitter, Discord, email, release notes. Half your users rely on the channel you underweight. Publish a ChangeSpec event once and every subscriber receives it in the channel they already use. Your communication effort goes down. Their awareness goes up.

AI agent builder / operator

Your agent is confidently wrong about deprecated APIs.

Training cutoffs mean your agent has no idea that Anthropic deprecated claude-2 or that Stripe changed a webhook schema last month. It writes broken code with full confidence. An MCP-delivered ChangeSpec feed gives the agent real-time ground truth. Confident code becomes correct code.

Third-party risk / Compliance

DORA, OSFI B-10, OCC guidance. Spreadsheets.

Continuous monitoring of vendor changes is now a regulatory obligation in the EU, UK, and Canada for financial services. Today you maintain spreadsheets and set Google Alerts. A structured feed of signed, categorized changes produces the audit evidence a regulator actually wants to see.

For tool builders: the multiplier

If you build a developer tool, you can consume ChangeSpec events and expose change awareness to your users without a bespoke integration per vendor. One ingest pipeline, coverage across every vendor that publishes. This is how a format becomes infrastructure.

API gateways (Kong, Apigee, Zuplo, Envoy)

Route and protect based on upstream change state.

When an upstream vendor flags a breaking change, your gateway can warn, shadow-test, or protect downstream callers. A signed ChangeSpec feed is a better signal than scraping a blog.

CI/CD platforms (GitHub Actions, CircleCI, Buildkite)

Gate deploys on vendor change severity.

A build step that checks the current ChangeSpec feed before deploying a release. If a breaking change landed in a critical dependency in the last 24 hours, require a human review. Same step, every repo, across every CI vendor.
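
A sketch of such a build step, combining the 24-hour window described here with the advisory-by-default behaviour described earlier on this page. This is an added example, not the ChangeSpec CLI's code: the function names, the fail_on parameter (modelled on the --fail-on flag), the severity ordering, and the trimmed feed are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed severity scale; the page itself only shows "medium" and "critical".
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed feed: the two example events on this page, trimmed to four fields.
FEED = [
    {"id": "cs_01HY3KXDEPRECATE001", "vendor_id": "anthropic",
     "severity": "medium", "published_at": "2026-04-01T10:00:00Z"},
    {"id": "cs_01TANSTACK_RETRACT_001", "vendor_id": "npm:@tanstack/react-query",
     "severity": "critical", "published_at": "2026-05-11T03:45:00Z"},
]

def recent_events(feed, critical_vendors, now, window=timedelta(hours=24)):
    """Events for dependencies marked critical, published inside the window."""
    hits = []
    for ev in feed:
        published = datetime.fromisoformat(ev["published_at"].replace("Z", "+00:00"))
        # Future-dated events (clock skew) are kept rather than silently dropped.
        if ev["vendor_id"] in critical_vendors and now - published <= window:
            hits.append(ev)
    return hits

def gate(feed, critical_vendors, now, fail_on=None):
    """Return (exit_code, events). Exit code 1 means 'require human review'."""
    hits = recent_events(feed, critical_vendors, now)
    if fail_on is None:
        return 0, hits  # advisory: report the events, never block the deploy
    threshold = SEVERITY[fail_on]
    # An unrecognised severity string is treated as critical, so a malformed
    # event cannot slip under the threshold.
    blocking = [ev for ev in hits
                if SEVERITY.get(ev["severity"], SEVERITY["critical"]) >= threshold]
    return (1 if blocking else 0), hits
```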

Dependency managers (Dependabot, Renovate, Socket)

Enrich PRs with authoritative change context.

Today, a Renovate PR shows you the version bump. It does not tell you the upstream considers this a breaking change or a CVE response. Consume ChangeSpec events from the upstream publisher and surface that context directly in the PR description.

IDEs and editors (Cursor, VS Code, JetBrains)

Surface changes inline, where the code is.

A gutter indicator on imports when the upstream published a breaking change. A tooltip when a deprecated API is called. CodeLens annotations that update as ChangeSpec events land. Your editor becomes the dashboard your users never had to build.

Observability and APM (Datadog, New Relic, Sentry)

Correlate incidents with upstream change events.

When error rate spikes at 03:17 UTC, the top question is what changed. A ChangeSpec feed lets your platform tell its user: upstream vendor X shipped a breaking change at 03:11 UTC. Faster root cause. Fewer pages escalated.

Internal developer platforms (Backstage, Port, Cortex)

Vendor awareness across every service in one view.

Your service catalog already lists which teams depend on which external vendors. Subscribe to ChangeSpec feeds for each vendor, route events to the owning team, and the platform becomes the single pane of glass for vendor risk.

Building one of these? Share it on GitHub →

Vendor index

Five vendors indexed at launch. Changes are hand-curated and sourced from official channels.