release: 0.5.0 #13
Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:
Reason: This is an automated release PR with only internal bootstrap script changes, not a modification to kernel API endpoints or Temporal workflows. To monitor this PR anyway, reply with

🧪 Testing
To try out this version of the SDK:
Expires at: Sun, 07 Jun 2026 05:22:05 GMT
d3308ac to f31252b
| } | ||
| } | ||
| options.defaultHeaders = { ...parsed, ...options.defaultHeaders }; | ||
| } |
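Review bot: On the `options.defaultHeaders = { ...parsed, ...options.defaultHeaders }` line, the spread compares keys case-sensitively, so an env header `X-Api-Key` and a caller default `x-api-key` both survive as separate properties instead of the caller's value replacing the env one. HTTP header names are case-insensitive, so either lower-case the names on both sides before merging, or pass the two sources to the header builder separately and let it resolve precedence. A short comment on this line stating that caller defaults win over the env value would also help.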
Object spread breaks non-Record defaultHeaders types
Medium Severity
When HYPEMAN_CUSTOM_HEADERS is set, the new code merges env headers into options.defaultHeaders via object spread. However, HeadersLike accepts a Headers instance, an array of header tuples, or a branded NullableHeaders — none of which spread into a plain object correctly. A user-supplied Headers instance is silently dropped (no enumerable own properties); arrays produce numeric-key objects; NullableHeaders exposes its internal values/nulls/brand fields. Downstream buildHeaders/iterateHeaders then treats the result as a record and corrupts the headers.
Reviewed by Cursor Bugbot for commit f31252b.
dc844ea to 34cdd30
34cdd30 to 1e1dd24
| echo "==> Running prettier --write" | ||
| # format things eslint didn't | ||
| ./node_modules/.bin/prettier --write --cache --cache-strategy metadata . '!**/dist' '!**/*.ts' '!**/*.mts' '!**/*.cts' '!**/*.js' '!**/*.mjs' '!**/*.cjs' | ||
| ./node_modules/.bin/prettier --write --cache --cache-strategy metadata . |
Prettier now processes dist directory without ignore rule
Medium Severity
The old prettier invocations included '!**/dist' to exclude built output. Now that eslint-plugin-prettier is removed and prettier runs independently, the exclusion patterns were dropped entirely. There is no .prettierignore file in the repository, and prettier only ignores node_modules by default. This means prettier --check . in scripts/lint will fail if dist/ contains files not matching prettier's style, and prettier --write . in scripts/format will unnecessarily reformat build artifacts.
Reviewed by Cursor Bugbot for commit 1e1dd24.
1e1dd24 to 8796aae
8796aae to 2f48827
| const parsed: Record<string, string> = {}; | ||
| for (const line of customHeadersEnv.split('\n')) { | ||
| const colon = line.indexOf(':'); | ||
| if (colon >= 0) { |
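Review bot: `customHeadersEnv.split('\n')` splits on LF only, so a value written with CRLF line endings leaves a trailing `\r` on every line, and nothing in this hunk strips it before the name and value are taken from the line. A carriage return inside a header value is rejected or mangled by HTTP stacks, so split on `/\r?\n/` here and trim the name and value, unless that already happens in the lines below this hunk.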
Empty header name allowed when line starts with colon
Low Severity
The HYPEMAN_CUSTOM_HEADERS parser uses colon >= 0 which accepts lines starting with :, producing a header with an empty-string name (""). Using colon > 0 would correctly skip such malformed lines, since HTTP header names cannot be empty.
Reviewed by Cursor Bugbot for commit 2f48827.
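The two header findings above (the object spread over non-record `defaultHeaders` shapes, and the `colon >= 0` check admitting an empty name) can be handled together by parsing into pairs and merging through a `Headers` object. This is an added example, not code from the PR or the SDK; `parseCustomHeaders`, `toEntries`, `mergeDefaultHeaders`, `spreadMerge` and the sample value are hypothetical, and the SDK's `NullableHeaders` type and null-valued entries are not handled.

```javascript
// Added example: all function names here are hypothetical, not the SDK's own.

// Parse "Name: value" lines; skip lines with no colon or an empty name.
function parseCustomHeaders(envValue) {
  const parsed = [];
  for (const rawLine of (envValue ?? '').split('\n')) {
    const line = rawLine.replace(/\r$/, ''); // tolerate CRLF line endings
    const colon = line.indexOf(':');
    if (colon <= 0) continue; // -1: no colon, 0: empty header name
    const name = line.slice(0, colon).trim();
    const value = line.slice(colon + 1).trim();
    if (name === '') continue; // name was only whitespace
    parsed.push([name, value]);
  }
  return parsed;
}

// Normalise the header shapes a caller may pass into [name, value] pairs.
function toEntries(headers) {
  if (headers == null) return [];
  if (headers instanceof Headers) return [...headers.entries()];
  if (Array.isArray(headers)) return headers.map(([k, v]) => [k, v]);
  return Object.entries(headers);
}

// Env headers first, caller's defaults second, so the caller wins on conflict.
// Headers#set matches names case-insensitively and throws on invalid names.
function mergeDefaultHeaders(envValue, defaultHeaders) {
  const merged = new Headers();
  for (const [k, v] of parseCustomHeaders(envValue)) merged.set(k, v);
  for (const [k, v] of toEntries(defaultHeaders)) merged.set(k, v);
  return merged;
}

// The plain spread, kept for contrast with mergeDefaultHeaders.
function spreadMerge(envValue, defaultHeaders) {
  return { ...Object.fromEntries(parseCustomHeaders(envValue)), ...defaultHeaders };
}

// Constructed sample: a CRLF line, a leading-colon line, a line with no colon.
const SAMPLE_ENV = 'X-Team: platform\r\n: orphan-value\nnot a header\nX-Trace: on';
```

With `SAMPLE_ENV` and a caller-supplied `new Headers({ 'x-team': 'search' })`, `mergeDefaultHeaders` returns the caller's `search` for `X-Team`, while `spreadMerge` still carries the env value `platform` because the `Headers` instance contributes no header keys to the spread.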
2f48827 to dd4d2d3
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 4 total unresolved issues (including 3 from previous reviews).
Reviewed by Cursor Bugbot for commit dd4d2d3.
| # format things eslint didn't | ||
| PRETTIER_FILES="$(grep '\.\(js\|json\)$' "$FILE_LIST" || true)" | ||
| if ! [ -z "$PRETTIER_FILES" ]; then | ||
| echo "$PRETTIER_FILES" | xargs ./node_modules/.bin/prettier \ |
Guard condition in fast-format is always true
Low Severity
The condition ! [ -z "$FILE_LIST" ] checks whether the FILE_LIST variable (a file path string) is non-empty. Since FILE_LIST is assigned from $1 on line 18 and its existence is validated on lines 22–25, this check is always true at this point — making the if guard meaningless. The old code correctly checked whether $PRETTIER_FILES (the grep output) had content. This could be replaced with a check on the file's contents, e.g. [ -s "$FILE_LIST" ], to match the pattern used for $ESLINT_FILES above.
Reviewed by Cursor Bugbot for commit dd4d2d3.


Automated Release PR
0.5.0 (2026-05-08)
Full Changelog: v0.4.0...v0.5.0
Features
Chores
This pull request is managed by Stainless's GitHub App.
The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.
For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.
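Note

Medium Risk
Introduces env-driven header injection (`HYPEMAN_CUSTOM_HEADERS`) and expands sensitive-header redaction in debug logs, which can affect request behavior and observability. Other changes are mostly tooling/release automation adjustments with low runtime impact.

Overview
v0.5.0 release bump across `package.json`, lockfiles, `src/version.ts`, and release metadata (`CHANGELOG.md`, release-please manifest, updated OpenAPI spec pointer).

Adds support for setting default request headers from `HYPEMAN_CUSTOM_HEADERS` in `src/client.ts`, merging env-provided headers ahead of user-specified defaults.

Hardens logging by redacting `api-key` and `x-api-key` header values in `src/internal/utils/log.ts`, and updates build/dev tooling: removes `eslint-plugin-prettier` in favor of running Prettier separately, improves formatting scripts, and extends `postprocess-files.cjs` to rewrite emitted `/** @ts-ignore */` in `.d.ts` files to `// @ts-ignore` on its own line.

Reviewed by Cursor Bugbot for commit dd4d2d3. Bugbot is set up for automated code reviews on this repo.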
api-keyandx-api-keyheader values insrc/internal/utils/log.ts, and updates build/dev tooling: removeseslint-plugin-prettierin favor of running Prettier separately, improves formatting scripts, and extendspostprocess-files.cjsto rewrite emitted/** @ts-ignore */in.d.tsfiles to// @ts-ignoreon its own line.Reviewed by Cursor Bugbot for commit dd4d2d3. Bugbot is set up for automated code reviews on this repo. Configure here.