build(deps): bump @rive-app/canvas-single from 2.37.5 to 2.37.6

[dependabot]

Bumps @rive-app/canvas-single from 2.37.5 to 2.37.6.

Changelog

Sourced from @​rive-app/canvas-single's changelog.

2.37.6

Commits

• Fix/render bc7 images (#12344) 3b74a52148 2833de3
• fix(browserstack): Fix the browserstack run for vk gms (#12473) b70b191146 1a46ed8
• fix(glmsaa): Fix MSAA artifacts with dstBlend barriers and no KHR (#12413) 82af6951bf f59f28b
• chore: drop D3D11/D3D12 pre-compiled DXBC ingestion path (#12475) 1de58d297c 381df50
• feature: track ShaderAsset assetId on ShaderModule (TRACK_RIVE_SHADER_ID) (#12474) d2e31a1f65 dcb1ecb
• chore(runtime): improve initialization performance of clipping shapes… (#12472) 666dc5691e 7ae4825
• fix(tests): gate render_canvas GMs behind with_rive_canvas (#12441) 1aab0beb60 4c3a7c8
• fix: Absolute layout fill behavior (#12471) 6cce514679 3e32f3f
• fix(runtime): Fix top level artboard hug behavior (#12462) 0e91142f40 775e004
• fixes(editor and runtime): follow path and editor reload (#12461) ed48c0a53d 8ea2397
• fix(js): ensure onLoadError is invoked for any part of the initialization process (#12394) ebd828108a 1eaaced
• fix(tests): make Rand produce identical sequences across platforms (#12432) 9a8f7e7a19 817fdbb
• feat(scripting): Mat4 affine fast paths + reverse-Z perspective (#12454) 072832aecc 889f9fb
• feat(Command Queue): Add draw key cancellation (#12451) 7c539a46ff 7dcec81
• track state machine state for profiler (#12434) 565f8ad739 5d8b0fe
• feat(scripting): first-class Mat4 type with SIMD multiply (#12445) a076a8abde db0eb6c
• chore: Add more Stateful Component tests (#12438) 13be041786 b5b04d3
• Split Ore Context into per-backend subclasses (#12442) ee268b5467 26f62a9
• refactor(unreal): main branch compatability (#12440) 66dbcd05f3 d8a5b83
• Add code for tier levels on profiler (#12411) 0a621bb320 576069d
• fix(vulkan): Resolve driver crash on some mobile GPUs (#12403) 1deebb93aa 9d47a27
• fix: make SimpleArray constructor overflow safe(r) (#12313) ea38312ee1 5adb712
• Expose context:preferredCanvasFormat() to Dart-hosted scripts (#12419) 852622182f 273da87
• chore: Stateful component input/output display name (#12406) 1c0be407fa 0d8993e
• fix(ore): depth only pipeline (#12408) a2f90edf62 815c0f4
• feat(ore): 3D (#12319) 462e0574ec c9a1f12
• fix(d3d12): sampler heap rotation must re-create immutable samplers & initialize unused SRV (#12399) 27bd52389b 9612c65
• feature(scripting): expose view model image properties (#12390) 48d4b69f15 de7f580
• Enumerate Compressed texture formats (#12358) 5e9fc9910b 080455a
• fix(d3d12): image samplers must use default-mode filter, not comparison (#12395) cdfb9acc06 d0c1286
• fix(cmdq) fix race condition (#12392) 3698608ea4 bb0a661
• Nnnnn scripted properties lifecycle (#12375) 1df363d3b8 fd4761f
• fix: Layout ScaleType keying with percent units bug (#12388) 1f4b65d3dd b21dfb2
• fix(d3d12): rebind invalidated root descriptor tables after sampler heap rotation (#12387) 9354e62e9a aeea3b2
• feat(ui update): data value toggle [flagged] (#12357) c8af6cfdcc 206f1aa
• chore: Rebaseline silvers (#12379) a3dd13b312 35dc420
• chore: validate size of lists before iterating (#12365) 1a5100efcf 391862d
• fix(renderer): Only apply barriers on drawGoup boundaries (#12347) 31aa875e47 3eba7f0
• feat(cmdq): sync mouse events (#12322) d2cf8f885b 5b5a3e5
• Fix Runtime Compressed texture loading (#12338) 5e1daebe83 960167f
• feature(scripting): expose access to list index property (#12286) 1b04939b52 6f90515
• feature - RSTB edit-time generation (#12341) 25e5123be4 0334eaa
• feature(focus): add support for focus traversal actions (#12327) eb578eb9f6 097073a

Commits

• 219bd99 chore: tag 2.37.6
• 2833de3 Fix/render bc7 images (#12344) 3b74a52148
• 1a46ed8 fix(browserstack): Fix the browserstack run for vk gms (#12473) b70b191146
• f59f28b fix(glmsaa): Fix MSAA artifacts with dstBlend barriers and no KHR (#12413) 82...
• 381df50 chore: drop D3D11/D3D12 pre-compiled DXBC ingestion path (#12475) 1de58d297c
• dcb1ecb feature: track ShaderAsset assetId on ShaderModule (TRACK_RIVE_SHADER_ID) (#1...
• 7ae4825 chore(runtime): improve initialization performance of clipping shapes… (#1247...
• 4c3a7c8 fix(tests): gate render_canvas GMs behind with_rive_canvas (#12441) 1aab0beb60
• 3e32f3f fix: Absolute layout fill behavior (#12471) 6cce514679
• 775e004 fix(runtime): Fix top level artboard hug behavior (#12462) 0e91142f40
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Low Risk
Low risk dependency-only change; main impact is potential rendering/wasm behavior differences from the upstream Rive update.

Overview
Updates @rive-app/canvas-single from 2.37.5 to 2.37.6 for special-pages, including the corresponding package-lock.json resolution/integrity changes.

^{Reviewed by Cursor Bugbot for commit df57475. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

[github-actions]

Build Branch

Branch	pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.6
Commit	8cd2ad2345
Updated	May 13, 2026 at 10:55:08 AM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.6

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.6")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.6
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.6

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#8cd2ad2345861c28f475a5187750f905233ec515

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "8cd2ad2345861c28f475a5187750f905233ec515")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.6
git -C submodules/content-scope-scripts checkout 8cd2ad2345861c28f475a5187750f905233ec515

[cursor]

Web Compatibility Assessment

No findings.

special-pages/package.json and package-lock.json only bump @rive-app/canvas-single from 2.37.5 to 2.37.6. The diff does not touch injected/src, wrapper utilities, captured globals, message bridge/transports, API overrides, config-gated feature code, DOM patching, or platform entry points. The package is only imported by special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, so the practical compat surface is onboarding Rive animation rendering rather than arbitrary-page injected behavior.

Security Assessment

No findings.

The npm package metadata still reports no dependencies, peer dependencies, or optional dependencies, and the lockfile churn is limited to the expected version/resolved/integrity changes. Upstream package contents changed in rive.js, rive.js.map, runtimeLoader.d.ts, and package.json; the notable API typing change is an optional onError callback for runtime loading, which this repo does not call. Existing local usage keeps enableRiveAssetCDN: false, so this PR does not introduce a new repo-level network/CDN path.

Risk Level

Low Risk: semver-patch dependency-only update in special-pages; no injected runtime, wrapper, messaging, origin-validation, or security-sensitive code changes.

Recommendations

Merge if CI passes. As a product smoke check, verify the onboarding Rive animation still loads/renders on at least one WebKit-based target and one Chromium/WebView target, since upstream includes renderer/runtime fixes.

Validation run:

• npm ci succeeded, with existing ESLint peer/audit warnings unrelated to this bump.
• npm run build --workspace=special-pages passed.
• npm run test-unit --workspace=special-pages passed: 104 tests, 0 failures.

  

_{Sent by Cursor Automation: Web compat and sec}

[cursor]

Dependency Risk Review

No blocking findings.

Confirmed evidence:

• PR only changes special-pages/package.json and package-lock.json, bumping direct production dependency @rive-app/canvas-single from 2.37.5 to 2.37.6.
• Current repo usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, reached from onboarding v3 Duck Player. No injected-page privacy feature code is touched.
• Upstream 2.37.6 changelog includes renderer/runtime/layout fixes plus fix(js): ensure onLoadError is invoked for any part of the initialization process; package diff changes rive.js, rive.js.map, runtimeLoader.d.ts, and package.json.
• npm metadata still shows MIT license, zero dependencies, same file count, and unpacked size increasing from 5,785,261 to 5,887,306 bytes.
• Local usage keeps enableRiveAssetCDN: false, so this does not introduce a new CDN/network asset path.

Uncertain/residual concern:

• The most relevant regression surface is visual/runtime behavior of the Rive canvas. Existing onboarding screenshot coverage explicitly masks the canvas, so it will not catch visual changes inside the animation. Functional onboarding tests cover the Duck Player step/toggle, and my focused local validation passed on both Chromium-like (windows) and WebKit-like (macos) projects.

Validation run:

• npm ci passed, with existing peer/audit warnings unrelated to this package.
• npm run build --workspace=special-pages passed.
• npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --project windows --project macos --grep "duck player" --reporter list passed: 6/6.
• PR CI relevant status when checked: release build, special-pages unit tests, and special-pages Chromium integration passed; special-pages WebKit integration was still running.

Dependency still needed:

• It is still required while onboarding v3 Duck Player uses RiveAnimation/Onboarding.riv. If v3 onboarding can be retired or migrated to the v4-style video/static asset path, that would be the cleaner way to remove this WASM runtime dependency, but that is outside the scope of this patch bump.

No separate fix PR drafted because I did not find a concrete code issue to fix.

  

_{Sent by Cursor Automation: Review dependabot}

[dependabot]

Superseded by #2708.