build(deps): bump @rive-app/canvas-single from 2.37.5 to 2.37.7 #2708

Open
dependabot[bot] wants to merge 3 commits into main from dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps @rive-app/canvas-single from 2.37.5 to 2.37.7.

Changelog

Sourced from @rive-app/canvas-single's changelog.

2.37.7

Commits

  • fix: Make ViewModelInstanceTrigger keyable for Stateful Components (#12556) c2f1000a63 95048a9
  • Support ktx2 (#12385) f454e3170e 3ad1efa
  • fix(js): catch errors when creating the renderer and send to Rive LoadError event (#12553) e89dcdca47 b313226
  • Fix render_canvas_prepass_multi GL flip pivot (#12488) db997822be 575568e
  • chore(runtime): resolve build error after merge conflicts (#12545) 320eff3f97 1603626
  • feat(scripting_workspace): HLSLStructLayout v2 with per-resource stageMask (#12544) a9d6eff838 b3c62c7
  • chore(rive_native): build microprofiler behind a flag (#12514) 44ba1a605e 8a3046c
  • fix: memory pressure during dart allocations from luau trampoline cal… (#12540) 2dab5352d7 cce3914
  • fix(scripting_workspace): HLSL export cleanup (#12512) 60b685278c 6d75a6d
  • chore: Guard from calling markNeedsUpdate in update (#12525) fab85a4fd5 ea0ff90
  • fix(editor): reset scripted objects initialization when data context is cleared (#12523) 9faec1e36e 4d5c72c
  • validate inputs for logging (#12521) 8e58f305c1 9d804e3
  • Update profiler to fix build (#12515) 687a80a7a8 87f8275
  • chore(js): force js/npm/** changes through downstream push with up-to-date versions. add rive_fallback.wasm to webgl2 package files to actually publish with that file (#12502) d3ee0f9e01 a64cc66
  • Nnnnn scripted interpolators (#12505) 44b83c5345 310b1b8
  • chore(editor): Move stateful toggle to NestedArtboard (#12490) 9f0dc79e3f 3ad6d1f
  • refactor(runtime): added overload for decoding shader (#12492) f1c2f2c776 1315a1d
  • chore: drop multi-shader machinery, drop legacy ScriptAsset-RSTB fallback (#12485) f74ec7dfd5 c1632cf
  • chore(shaders): call draw canvases from the draw command and gate met… (#12489) afccc14a00 e85a10a
  • added internal asset loader so you can bypass cmdq (#12487) a53f08a914 ea4e75c
  • chore: delay running data binds until necessary (#12469) ee223deb96 0439aba
  • Move from .rtex to .ktx2 (#12369) db268e8c81 13064a2

2.37.6 - 2026-05-08

Commits

  • chore: tag 2.37.6 219bd99
  • Fix/render bc7 images (#12344) 3b74a52148 2833de3
  • fix(browserstack): Fix the browserstack run for vk gms (#12473) b70b191146 1a46ed8
  • fix(glmsaa): Fix MSAA artifacts with dstBlend barriers and no KHR (#12413) 82af6951bf f59f28b
  • chore: drop D3D11/D3D12 pre-compiled DXBC ingestion path (#12475) 1de58d297c 381df50
  • feature: track ShaderAsset assetId on ShaderModule (TRACK_RIVE_SHADER_ID) (#12474) d2e31a1f65 dcb1ecb
  • chore(runtime): improve initialization performance of clipping shapes… (#12472) 666dc5691e 7ae4825
  • fix(tests): gate render_canvas GMs behind with_rive_canvas (#12441) 1aab0beb60 4c3a7c8
  • fix: Absolute layout fill behavior (#12471) 6cce514679 3e32f3f
  • fix(runtime): Fix top level artboard hug behavior (#12462) 0e91142f40 775e004
  • fixes(editor and runtime): follow path and editor reload (#12461) ed48c0a53d 8ea2397
  • fix(js): ensure onLoadError is invoked for any part of the initialization process (#12394) ebd828108a 1eaaced
  • fix(tests): make Rand produce identical sequences across platforms (#12432) 9a8f7e7a19 817fdbb
  • feat(scripting): Mat4 affine fast paths + reverse-Z perspective (#12454) 072832aecc 889f9fb
  • feat(Command Queue): Add draw key cancellation (#12451) 7c539a46ff 7dcec81
  • track state machine state for profiler (#12434) 565f8ad739 5d8b0fe
  • feat(scripting): first-class Mat4 type with SIMD multiply (#12445) a076a8abde db0eb6c
  • chore: Add more Stateful Component tests (#12438) 13be041786 b5b04d3
  • Split Ore Context into per-backend subclasses (#12442) ee268b5467 26f62a9

... (truncated)

Commits
  • 3984a8a chore: tag 2.37.7
  • 95048a9 fix: Make ViewModelInstanceTrigger keyable for Stateful Components (#12556) c...
  • 3ad1efa Support ktx2 (#12385) f454e3170e
  • b313226 fix(js): catch errors when creating the renderer and send to Rive LoadError e...
  • 575568e Fix render_canvas_prepass_multi GL flip pivot (#12488) db997822be
  • 1603626 chore(runtime): resolve build error after merge conflicts (#12545) 320eff3f97
  • b3c62c7 feat(scripting_workspace): HLSLStructLayout v2 with per-resource stageMask (#...
  • 8a3046c chore(rive_native): build microprofiler behind a flag (#12514) 44ba1a605e
  • cce3914 fix: memory pressure during dart allocations from luau trampoline cal… (#1254...
  • 6d75a6d fix(scripting_workspace): HLSL export cleanup (#12512) 60b685278c
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency-only bump; main risk is potential rendering/runtime regressions in pages that use Rive due to updated WASM/canvas code.

Overview
Updates the special-pages dependency on @rive-app/canvas-single from 2.37.5 to 2.37.7, with corresponding package-lock.json resolution/integrity updates.

Reviewed by Cursor Bugbot for commit e468ced. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [@rive-app/canvas-single](https://github.com/rive-app/rive-wasm) from 2.37.5 to 2.37.7.
- [Changelog](https://github.com/rive-app/rive-wasm/blob/master/CHANGELOG.md)
- [Commits](rive-app/rive-wasm@2.37.5...2.37.7)

---
updated-dependencies:
- dependency-name: "@rive-app/canvas-single"
  dependency-version: 2.37.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Update one or more dependencies version patch Increment the patch version when merged labels May 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 20, 2026 16:42
github-actions Bot commented May 20, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7
Commit 47e9092293
Updated May 22, 2026 at 10:34:14 AM UTC

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#47e9092293bb844aa8fd48996679746f188eae71

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "47e9092293bb844aa8fd48996679746f188eae71")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7
git -C submodules/content-scope-scripts checkout 47e9092293bb844aa8fd48996679746f188eae71

@cursor cursor Bot left a comment

Web Compatibility Assessment

No findings. The diff only updates @rive-app/canvas-single from 2.37.5 to 2.37.7 in special-pages/package.json and package-lock.json; it does not touch injected runtime code, API wrappers/shims, DOM mutation logic, feature config, or platform entry points.

Security Assessment

No findings. The package has no npm dependencies/peerDependencies, the lockfile is aligned with the declared version, and the changed files do not affect captured globals, messaging transports, message bridge validation, origin checks, or iframe handling.

Risk Level

Low Risk: dependency metadata-only update for a special-pages Rive canvas runtime, with no injected/src or security-sensitive code changes.

Recommendations

No blocking recommendations. I verified npm ci --ignore-scripts and npm run test-unit --workspace=special-pages locally; both completed successfully.

Sent by Cursor Automation: Web compat and sec

@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there are better practices used elsewhere?

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

@cursor cursor Bot left a comment

Stale comment

Dependency review for @rive-app/canvas-single 2.37.5 -> 2.37.7: no blocking concerns found.

Confirmed evidence:

  • The PR only updates special-pages/package.json and package-lock.json for this package.
  • npm metadata is stable across the bump: MIT license, 0 dependencies, 12 packaged files. The unpacked bundle grows from ~5.79 MB to ~5.90 MB, expected for the bundled JS/WASM runtime.
  • Local usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, used by the v3 Duck Player onboarding flow. That code sets enableRiveAssetCDN: false and loads a local .riv asset, so the Rive asset-CDN path remains disabled.
  • Upstream changelog entries for 2.37.6 and 2.37.7 are mostly renderer/runtime changes: compressed texture/KTX2 support, canvas/GL rendering fixes, init/load-error handling, and runtime safety fixes such as overflow/list-size validation and memory pressure fixes.
  • npm audit --workspace=special-pages --omit=dev reported 0 production vulnerabilities.

Residual validation risk:

  • Existing automated coverage exercises the v3 Duck Player step and toggle telemetry, but the screenshot test masks the Rive <canvas>, so it does not directly assert rendered pixels or state-machine visual output. I ran the targeted v3 Duck Player integration tests and they passed, but a visual check of the v3 Duck Player animation is the remaining confidence gap for this renderer bump.

Still needed:

  • The dependency is still needed while v3 onboarding remains supported/tested. Since v4 appears to use video/static assets instead, removing Rive can be revisited when v3 onboarding is retired.

Verification run:

  • npm ci
  • npm run build --workspace=special-pages
  • npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "duck player step" --reporter list
  • npm audit --workspace=special-pages --omit=dev

No separate fix PR drafted because I did not find a required code change for this update.

Sent by Cursor Automation: Review dependabot

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label May 22, 2026
github-actions Bot commented May 22, 2026

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:34:56 GMT

Apple
    - apple/pages/onboarding/dist/index.js

File has changed

Integration
    - integration/pages/onboarding/dist/index.js

File has changed

Windows
    - windows/pages/onboarding/dist/index.js

File has changed

@cursor cursor Bot left a comment

Dependency review for @rive-app/canvas-single 2.37.5 -> 2.37.7: no blocking concerns found.

Confirmed evidence:

  • The PR only changes special-pages/package.json and package-lock.json for this direct production dependency.
  • Local usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, reached by the v3 onboarding Duck Player step. The wrapper sets enableRiveAssetCDN: false and loads the local bundled .riv asset, so this bump does not introduce a new runtime network fetch path.
  • Package metadata is stable across 2.37.5 and 2.37.7: MIT license, 0 npm dependencies, 12 published files, no bundled deps. The unpacked package grows from ~5.79 MB to ~5.90 MB, consistent with an inline JS/WASM runtime update.
  • Upstream changelog entries for 2.37.6/2.37.7 are renderer/runtime oriented: compressed texture/KTX2 support, canvas/GL rendering fixes, JS load-error handling, runtime validation/safety fixes, and memory-pressure fixes. I did not see changelog evidence of a new browser permission, dependency, or CDN requirement relevant to this repo’s current usage.
  • npm audit --workspace=special-pages --omit=dev reported 0 production vulnerabilities.

Coverage and residual risk:

  • Existing onboarding integration coverage exercises the v3 Duck Player step and toggle telemetry. I also ran targeted v3 Duck Player tests after the bump and they passed.
  • Remaining validation gap is visual fidelity of the Rive-rendered <canvas> itself: the automated tests assert page behavior around the step, not pixel-level state-machine output. A quick manual visual check of the v3 Duck Player animation would be the only extra confidence I’d ask for, not a blocker.

Dependency need:

  • The dependency is still needed while v3 onboarding remains supported. Since v4 appears to avoid Rive for this flow, removing @rive-app/canvas-single can be revisited when v3 onboarding is retired.

Verification run:

  • npm ci
  • npm pack @rive-app/canvas-single@2.37.5 --json --dry-run
  • npm pack @rive-app/canvas-single@2.37.7 --json --dry-run
  • npm audit --workspace=special-pages --omit=dev
  • npm run build --workspace=special-pages
  • npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "duck player step" --reporter list

No separate fix PR drafted because I did not find a required code change.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Dependency update review for @rive-app/canvas-single 2.37.5 -> 2.37.7:

No confirmed blocking concerns found.

Confirmed evidence:

  • Diff only updates special-pages/package.json and package-lock.json; the package still has 0 npm dependencies and the lockfile integrity matches npm metadata for 2.37.7.
  • Local usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, reached by onboarding v3’s Duck Player step.
  • Upstream changelog for 2.37.6/2.37.7 includes renderer/runtime fixes, compressed texture/ktx2 support, and JS load-error handling changes. These could affect Rive canvas rendering/load behavior, but no repo API usage change was required.
  • npm audit --omit=dev --workspace=special-pages reports 0 production vulnerabilities.

Validation run:

  • npm ci
  • npm run build --workspace=special-pages
  • npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "shows v3 flow" --reporter list -> 12 passed

Residual risk / test coverage:

  • Existing v3 flow tests exercise the Duck Player page path and toggles, but screenshots mask the Rive canvas to avoid animation flake, so they do not prove pixel-for-pixel rendering equivalence. Given this is a patch bump with no new transitive deps and runtime smoke coverage passed, I do not think this needs a blocking fix.

Dependency need / alternative:

  • The dependency is still needed for onboarding v3. Onboarding v4 appears to use video for the Duck Player animation path, so a future cleanup could remove Rive only if/when v3 and RiveAnimation are retired or ported.

I did not draft a separate fixes PR because I did not find a concrete issue requiring code changes.

Sent by Cursor Automation: Review dependabot
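
The lockfile evidence cited in the reviews above (only this package's entry changes, integrity is present and updated, no new dependencies) can be checked mechanically. The following is an added example, not code from this PR, the repository, or any of the bots; the function name `reviewLockfileBump`, the use of `special-pages` as a lockfile workspace key, and every lockfile value are assumptions constructed for illustration.

```javascript
// Added example, not code from this repository or from Dependabot.
// The lockfile objects built at the bottom are constructed sample data.
const SRI_SHA512 = /^sha512-[A-Za-z0-9+/]{86}==$/;
const REGISTRY = 'https://registry.npmjs.org/';

// Compare two parsed package-lock.json objects (lockfileVersion 2 or 3).
// Returns findings; an empty array means only the expected package moved.
function reviewLockfileBump(before, after, expected) {
  const findings = [];
  const oldPkgs = before.packages || {};
  const newPkgs = after.packages || {};
  const installPath = `node_modules/${expected.name}`;
  // Ignore a workspace manifest's range for the bumped package when comparing.
  const strip = (e) => JSON.stringify({ ...e, dependencies: { ...e.dependencies, [expected.name]: undefined } });
  for (const path of new Set([...Object.keys(oldPkgs), ...Object.keys(newPkgs)])) {
    const o = oldPkgs[path];
    const n = newPkgs[path];
    if (JSON.stringify(o) === JSON.stringify(n)) continue; // entry untouched
    if (!path.endsWith(installPath)) {
      const isManifest = o && n && !path.includes('node_modules/');
      if (!isManifest || strip(o) !== strip(n)) findings.push(`unexpected change in "${path}"`);
      continue;
    }
    if (!o || !n) { findings.push(`${path}: added or removed, not bumped`); continue; }
    if (o.version !== expected.from || n.version !== expected.to) {
      findings.push(`${path}: ${o.version} -> ${n.version} is not the declared bump`);
    }
    if (!SRI_SHA512.test(n.integrity || '')) findings.push(`${path}: integrity missing or not sha512`);
    if (n.integrity === o.integrity) findings.push(`${path}: integrity unchanged across versions`);
    if (!(n.resolved || '').startsWith(REGISTRY)) findings.push(`${path}: resolved outside ${REGISTRY}`);
    for (const key of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
      if (n[key] && !o[key]) findings.push(`${path}: new "${key}" field`);
    }
    if (n.hasInstallScript && !o.hasInstallScript) findings.push(`${path}: gained an install script`);
  }
  return findings;
}

// Constructed sample lockfiles (integrity values are filler bytes, not real digests).
const sri = (byte) => 'sha512-' + Buffer.alloc(64, byte).toString('base64');
const entry = (name, version, byte) => ({ version, integrity: sri(byte),
  resolved: `${REGISTRY}${name}/-/${name.split('/').pop()}-${version}.tgz` });
const BUMP = { name: '@rive-app/canvas-single', from: '2.37.5', to: '2.37.7' };
const lock = (version, byte) => ({ lockfileVersion: 3, packages: {
  'special-pages': { dependencies: { [BUMP.name]: version } },
  [`node_modules/${BUMP.name}`]: entry(BUMP.name, version, byte),
} });
const cleanFindings = reviewLockfileBump(lock('2.37.5', 1), lock('2.37.7', 2), BUMP);
const tampered = lock('2.37.7', 2); // constructed "bad" lockfile for contrast
tampered.packages[`node_modules/${BUMP.name}`].resolved = 'https://mirror.example.invalid/canvas-single-2.37.7.tgz';
tampered.packages['node_modules/extra-pkg'] = entry('extra-pkg', '1.0.0', 3);
const tamperedFindings = reviewLockfileBump(lock('2.37.5', 1), tampered, BUMP);
console.log({ cleanFindings, tamperedFindings });
```

The check covers lockfile metadata only; it does not fetch the tarball or recompute its digest, which `npm ci` does at install time.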
