Frequently asked questions

Plain-English answers. If your question is not here, open an issue at github.com/changespec/spec/issues or email [email protected].

What is ChangeSpec?

ChangeSpec is an open JSON event format and taxonomy for communicating software changes. A ChangeSpec event describes one change - a breaking API change, a deprecation, a security advisory, a pricing change, a TOS update - in a machine-readable way that developers, AI agents, and compliance teams can all consume. The specification is Apache 2.0, hosted at changespec.org. The commercial aggregator that crawls vendor changelogs and emits ChangeSpec events is at changespec.com.

Who is ChangeSpec for?

Three audiences. Developers who build on external vendors and want one structured feed of breaking changes, deprecations, and security advisories. AI coding agents that need to know about vendor changes their training data does not cover. Compliance teams that must monitor third-party changes continuously under DORA, OSFI B-10, OCC guidance, and similar third-party risk frameworks.

How do I install ChangeSpec?

ChangeSpec is a format, not an app. To consume it: subscribe to the RSS feed at changespec.com/changes.rss, add the ChangeSpec MCP server to your AI coding tool (discovery pointer at /.well-known/mcp), use the JSON endpoints under /data/, or use the reference libraries in Go, TypeScript, and Python linked from the implementations page.

Is ChangeSpec free?

The specification is Apache 2.0 and free forever. The hosted aggregator at changespec.com is free for individual developers and small teams. Paid tiers cover enterprise features: publisher-verified streams with cryptographic signature verification, custom vendor crawling, audit-log exports, DORA and OSFI reports, SSO, and SLAs.

Does ChangeSpec replace Dependabot or Renovate?

No. Dependabot and Renovate upgrade your dependencies for you. ChangeSpec tells you what changed, including in services that are not even in your lockfile such as your CDN, payments provider, LLM API, and other SaaS vendors. They are complementary. ChangeSpec events can be used to enrich Dependabot PR bodies with severity and migration guidance pulled from the publisher.

How does ChangeSpec work with Claude Code or Cursor?

ChangeSpec has a normative MCP transport binding. Any MCP-capable agent - Claude Code, Cursor, Windsurf, Cline, Zed, Continue - can connect to the ChangeSpec MCP server and call tools like get_recent_changes, check_project_deps, search_changes, and get_vendor_grade. The agent receives structured event data and can reason about severity, action required, and migration steps without any per-agent adapter.

Is my data private when I use ChangeSpec?

Reading public vendor data on changespec.com does not require an account. The MCP server's check_project_deps tool parses your lockfile in the local server process - the file contents are not sent to changespec.com. Dependency names are sent to the index to match against events.

How do I bypass ChangeSpec if I need to?

Every consumer interface has a direct fallback to the underlying source. RSS items link to the vendor's original page. JSON events include source_url on every event. The MCP binding returns raw ChangeSpec events you can inspect. There is no lock-in - ChangeSpec is additive to whatever you already do.

Which vendors does ChangeSpec support?

The canonical list is at /data/vendors.json. Initial coverage includes major developer platforms - Anthropic, Vercel, GitHub, Cloudflare, Twilio, Stripe, Supabase, MongoDB, Auth0, and others. Vendor coverage grows continuously based on user demand and voluntary publisher opt-in.

How is ChangeSpec different from RSS or CloudEvents?

RSS is a channel format. CloudEvents is a generic event envelope. ChangeSpec is a domain-specific schema for one narrow thing: software changes. ChangeSpec sits on top of CloudEvents - the envelope format is compatible - and distributes over RSS as one of several transport bindings. ChangeSpec adds the category taxonomy, severity levels, migration guidance, vendor identifier namespace, and optional publisher signing model that neither RSS nor CloudEvents provides.

Can vendors publish ChangeSpec events themselves?

Yes. Any vendor can publish ChangeSpec events directly by adding ChangeSpec output to their existing changelog infrastructure. Publisher-verified events use Ed25519 signatures to cryptographically attest authorship. Events signed by the vendor flow through the hosted index with source_type=publisher_verified and are prioritized in consumer-facing displays over crawled events.

What is a retraction event and how does it differ from a security advisory?

A retraction event (added in v1.1) is a signed vendor declaration that specific versions of a package should not be installed or used. It is designed for supply-chain compromise scenarios where the attacker published malicious versions from inside the vendor's own pipeline.

The key difference from a security advisory: a retraction carries tooling action signals - do_not_install: true, last_known_good_version, and provenance_invalidated. The provenance_invalidated field is the critical addition. Build provenance tools like SLSA and Sigstore answer the question "was this built in CI?", but a compromised pipeline produces packages that carry perfectly valid attestations. provenance_invalidated: true tells downstream tooling that even valid-looking attestations on the affected versions should not be trusted, because the signing key was in the wrong hands.

Per Section 7.6 of the spec, retraction signing keys MUST be stored outside the CI/CD pipeline that builds and publishes the package. This is the separation that makes the signal meaningful.
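As an added illustration (not code from the ChangeSpec project or its reference libraries), the consumer-side logic the three signals imply, written in Go: verify the publisher's Ed25519 signature before acting on anything, then block a retracted version, stop trusting attestations on it when provenance_invalidated is set, and fall back to last_known_good_version. The "package" and "versions" field names, the sample event and the in-process key are constructed assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
)

// Retraction carries the v1.1 tooling signals; "package" and "versions" are assumed names.
type Retraction struct {
	Package               string   `json:"package"`
	Versions              []string `json:"versions"`
	DoNotInstall          bool     `json:"do_not_install"`
	LastKnownGoodVersion  string   `json:"last_known_good_version"`
	ProvenanceInvalidated bool     `json:"provenance_invalidated"`
}

type Decision struct {
	Block, TrustAttest bool   // refuse the version? still trust SLSA/Sigstore attestations on it?
	FallbackTo         string // version to pin instead, if any
}

// Evaluate verifies the publisher signature first (ok=false: ignore, never act), then derives v's action.
func Evaluate(body, sig []byte, pub ed25519.PublicKey, v string) (d Decision, ok bool) {
	if !ed25519.Verify(pub, body, sig) {
		return Decision{}, false
	}
	var ev Retraction
	if err := json.Unmarshal(body, &ev); err != nil {
		return Decision{}, false
	}
	d = Decision{TrustAttest: true}
	for _, bad := range ev.Versions {
		if bad == v { // valid-looking attestations prove nothing once the key was stolen
			d = Decision{ev.DoNotInstall, !ev.ProvenanceInvalidated, ev.LastKnownGoodVersion}
		}
	}
	return d, true
}

// Demo signs a constructed retraction (key generated here; in production it lives outside CI/CD, per 7.6).
func Demo() (bad, clean Decision, tamperedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	body, _ := json.Marshal(Retraction{"widget-sdk", []string{"2.4.1", "2.4.2"}, true, "2.4.0", true})
	sig := ed25519.Sign(priv, body)
	bad, _ = Evaluate(body, sig, pub, "2.4.2")   // retracted version
	clean, _ = Evaluate(body, sig, pub, "2.4.0") // last known good
	body[len(body)-2] ^= 1 // alter the signed body: verification must now fail
	_, tamperedOK = Evaluate(body, sig, pub, "2.4.2")
	return
}
```

Demo() returns the three outcomes so a harness can check them; an unverifiable event is dropped rather than applied, so a forged or altered retraction cannot be used to push consumers onto a version of the attacker's choosing.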

Who maintains ChangeSpec?

The specification is drafted by Roboticforce Inc. (Steve Leggett, founder) and is open for community contribution on GitHub at changespec/spec. The commercial implementation at changespec.com is operated by Roboticforce. The governance structure, contribution process, and working groups are documented at changespec.org/governance.