npm should store (and require) changelog comments with each published version

[jedwards1211]

I'm starting to get really tired of how many packages don't have changelogs.

For example, the highest ranked "tcp proxy" project sorted by maintenance is https://github.com/tewarid/node-tcp-proxy, which has some code quality badges, but no changelog that I can find.

Also, even though the widely used pg has a changelog I haven't managed to find one for pg-native.

There are great tools like semantic-release that take care of building the changelog for you but most people don't seem to know about them or are too lazy to take advantage of them.

I made the npm-fetch-changelog tool but it only supports GitHub Releases or Changelog.md accessible in GitHub.
Why should there not be a standardized way to determine what changed in a given release regardless of where the code lives?
Not only would it save us from having to scour git commit history of a project to see what changed, it would make it easier for package upgrade tools (for example my npm-upgrade-browser) to display what changed in dependencies.

[thescientist13]

While I can certainly appreciate the sentiment, I wonder if this is more of a higher expectation to set on the packages you consume, rather than the package manager / registry? Maybe open an issue with the team to get their insight / feedback, and / or why they choose not prepare them? Might be good to understand if there is a good reason for it or just that open source is often what you see is what you get, and while it would be great for all packages to adhere to higher standards across the board, this is also part of the "ToS" we all assume from using OSS, IMO. (isn't the free work a generous contribution in and of itself already? 🥺 )

---

But from a purely technical perspective, npm doesn't really require any sort of versioned "backend" to the packages that get published there, right? It's just a tarball with metadata at the end of the day. Although git / GitHub is / are by far the most popular, it is not the only option out there. Plus this assumes users even put (accurate) repo metadata in their package.json in the first place or provide useful commit messages, etc.

It's like the saying, the only thing worse than no documentation, is incorrect documentation.

Another way to put it I guess; is npm really in the best place to be managing the release documentation of all packages in the registry? Not every packages needs this and the extra infra and engineering effort, plus all that extra metadata over the wire. Meanwhile, GitHub released automated release notes, where (most of) all this the code lives seems, which like a good place for it and maybe a good place to drive the effort towards?

[jedwards1211]

Also, if npm required changelogs, it could provide a tool similar to GitHub automated release notes to automatically generate the changelogs from commits.

[ljharb]

Github's automated release notes currently only consider PRs, not commits, so that's not a very ideal exemplar.

It's way too heavy-handed to impose commit message conventions, and npm also doesn't require there be a repository at all, so I'm not sure it's plausible to require changelogs in a way that would be meaningful.

[jedwards1211]

That's true about repositories...
To me it's just a shame because it seems like the only ideal place to store a changelog is along with the releases on npm, since anything else can't be unambiguously associated with npm releases in an automated way.
I forget if npm warns about missing repo url? In any case if npm at least encouraged people to enter release notes when publishing, I think it would push authors of popular packages over the hump of laziness...

[ljharb]

I think it's a great RFC category to find ways to recommend the presence of changelogs (but not a specific format), and to warn when one is absent. Another good one would be having the website (and maybe a CLI command) parse and surface as many changelog formats as possible, to highlight the benefits of having one.

I'm not sure how much farther than that it would be practical to go, and I definitely don't think we want npm to be taking steps that force, or strongly push, use of github for anything (let the ecosystem continue doing that on its own :-) )

[jedwards1211]

I agree I don't want it to push any specific repo host, which is part of the reason I wish changelog info could live in npm itself, since npm will never be able to support fetching changelogs from all possible hosts.