release: 0.38.1

[stainless-app]

Automated Release PR

0.38.1 (2026-04-23)

Full Changelog: v0.38.0...v0.38.1

Chores

• internal: more robust bootstrap script (dd48b06)
• internal: update docs ordering (9ac7b35)
• update SDK settings (5f5049a)

---

This pull request is managed by Stainless's GitHub App.

The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.

For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.

🔗 Stainless website
📚 Read the docs
🙋 Reach out for help or questions

[stainless-app]

🧪 Testing

To try out this version of the SDK:

npm install 'https://pkg.stainless.com/s/hyperspell-typescript/dd48b061429585dad8aad6566a46d2d2bd83fbc0/dist.tar.gz'

Expires at: Sat, 23 May 2026 04:07:23 GMT
Updated at: Thu, 23 Apr 2026 04:07:23 GMT

[canaries-inc]

🐤 Canary Summary

This is an automated release PR with no UI/UX changes:

• Version bumped from 0.38.0 to 0.38.1 across all package files
• Updated npm publishing workflow authentication from OIDC to token-based
• Modified release scripts to use NPM_TOKEN environment variable
• Updated changelog and configuration metadata
• No user-facing UI components, styling, or application logic affected

---

---

View PR tests on Canary

[canaries-inc]

🐤 Canary Proposed Tests

No testable user journeys found for this PR.

[entelligence-ai-pr-reviews]

---

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this appears to be a standard release bump to version 0.38.1 with no identified logic, security, or correctness issues surfaced during review. The automated analysis found zero critical, significant, or medium-severity issues across the reviewed files. While only 4 of 13 changed files received coverage, the absence of any flagged concerns and the nature of a patch release (typically containing minor fixes or version metadata updates) supports a clean merge.

Key Findings:

• No new review comments were generated, indicating no obvious logic bugs, security vulnerabilities, or correctness issues were detected in the analyzed code.
• The PR is a patch release (0.38.1), which typically involves version string updates, changelog entries, and minor bug fixes rather than high-risk architectural changes.
• Zero unresolved pre-existing comments were carried into this review, meaning there is no backlog of known issues being deferred.
• 4 of 13 changed files were reviewed by the heuristic analysis — the unreviewed files represent a minor blind spot, but for a release PR this risk is generally low.

[entelligence-ai-pr-reviews]

EntelligenceAI PR Summary

Patch release v0.38.1 that simplifies npm authentication and hardens CI/release tooling.

• Removes OIDC-based npm publish flow (id-token: write, dynamic npm install, ACTIONS_ID_TOKEN_REQUEST_TOKEN fallback) in bin/publish-npm and .github/workflows/publish-npm.yml
• Introduces NPM_TOKEN env var (with HYPERSPELL_NPM_TOKEN || NPM_TOKEN fallback) in both publish-npm.yml and release-doctor.yml workflows
• Adds NPM_TOKEN presence validation in bin/check-release-environment
• Fixes potential unbound variable error in scripts/bootstrap using ${SKIP_BREW:-} expansion
• Reorders EMBEDDED_READMES entries in packages/mcp-server/src/local-docs-search.ts (cli → python → typescript)
• Removes oidc from .gitignore
• Bumps version to 0.38.1 in package.json, src/version.ts, packages/mcp-server/package.json, packages/mcp-server/manifest.json, packages/mcp-server/src/server.ts, and .release-please-manifest.json

---

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this patch release cleanly simplifies npm authentication by replacing the OIDC-based publish flow with a straightforward NPM_TOKEN environment variable approach using a HYPERSPELL_NPM_TOKEN || NPM_TOKEN fallback, which is a well-understood and widely-adopted pattern. The addition of NPM_TOKEN presence validation in bin/check-release-environment is a positive hardening measure that catches misconfiguration early. No review comments were generated and heuristic analysis found zero issues across the reviewed files.

Key Findings:

• The removal of id-token: write and OIDC-based dynamic npm install in publish-npm.yml reduces attack surface and eliminates a fragile token-request flow that required ACTIONS_ID_TOKEN_REQUEST_TOKEN fallback handling.
• Adding NPM_TOKEN validation in bin/check-release-environment is a proactive correctness improvement — it prevents silent publish failures where a missing token would only surface at the actual publish step.
• The HYPERSPELL_NPM_TOKEN || NPM_TOKEN fallback pattern in both publish-npm.yml and release-doctor.yml maintains backward compatibility with existing secret configurations while allowing organization-specific overrides.

Files requiring special attention

• .github/workflows/publish-npm.yml
• bin/publish-npm
• bin/check-release-environment
• .github/workflows/release-doctor.yml