build(deps): bump @rive-app/canvas-single from 2.37.5 to 2.37.8 #2708

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps @rive-app/canvas-single from 2.37.5 to 2.37.8.

Changelog

Sourced from @rive-app/canvas-single's changelog.

2.37.8

Commits

  • fix(unity): add missing neon palette png symbols to fix iOS crash (#12620) 463745fd0b bc56011
  • chore(focus): expose focus polling API (#12617) fdb0536723 eaac76e
  • refactor(ore): convert ore classes to be virtual with per backend implementations (#12599) e5c20369ec 59b7301
  • fix: Scroll to hidden layouts using scrollIndex (#12598) 679b808585 bc0cc5f
  • fix: PropertyRecorder UB calling &front() on empty buffers (#12607) 623d5fe7a3 745bf11
  • fix(js): restart rAF loop on document visibilitychange event to ensure we pause and resume the state machine accordingly (#12596) 1f69963ced 5d3f1fb
  • feat(wgpu): Use wgsl (finally) in the WebGPU backend (#12541) d779307982 21585e3
  • fix(runtime): Incorrect modulo in scroll using snap and carousel (#12586) 308565c15e cc214a0
  • fix(tests): Update gms & goldens to support 16K page sizes (#12584) 4440cf2dec 002ab0a
  • feat: add user-driven focus management support for js/wasm. plumb through focus manager methods to SMI (#12522) ea3739b107 9a17f5a
  • fix(apple): retain and clear artboard/image property values in ViewModelInstance (#12561) d938779f2b e500205
  • refactor(gpu): move beginRenderPass from GPUCanvas to Context (#12579) 1cac286905 9edf529
  • fix: drop 32-bit integer vector VertexFormats (#12570) 2e4ed32ffa 7551667
  • fix: pass file to data bind clone (#12569) 717b403dd9 d813fc0
  • fix(editor): Stateful component fixes (#12563) 26b149f92c 895600f
  • fix(runtime): pass pointerId to drag events (#12559) 43b857965b 1d11be1

2.37.7 - 2026-05-15

Commits

  • chore: tag 2.37.7 3984a8a
  • fix: Make ViewModelInstanceTrigger keyable for Stateful Components (#12556) c2f1000a63 95048a9
  • Support ktx2 (#12385) f454e3170e 3ad1efa
  • fix(js): catch errors when creating the renderer and send to Rive LoadError event (#12553) e89dcdca47 b313226
  • Fix render_canvas_prepass_multi GL flip pivot (#12488) db997822be 575568e
  • chore(runtime): resolve build error after merge conflicts (#12545) 320eff3f97 1603626
  • feat(scripting_workspace): HLSLStructLayout v2 with per-resource stageMask (#12544) a9d6eff838 b3c62c7
  • chore(rive_native): build microprofiler behind a flag (#12514) 44ba1a605e 8a3046c
  • fix: memory pressure during dart allocations from luau trampoline cal… (#12540) 2dab5352d7 cce3914
  • fix(scripting_workspace): HLSL export cleanup (#12512) 60b685278c 6d75a6d
  • chore: Guard from calling markNeedsUpdate in update (#12525) fab85a4fd5 ea0ff90
  • fix(editor): reset scripted objects initialization when data context is cleared (#12523) 9faec1e36e 4d5c72c
  • validate inputs for logging (#12521) 8e58f305c1 9d804e3
  • Update profiler to fix build (#12515) 687a80a7a8 87f8275
  • chore(js): force js/npm/** changes through downstream push with up-to-date versions. add rive_fallback.wasm to webgl2 package files to actually publish with that file (#12502) d3ee0f9e01 a64cc66
  • Nnnnn scripted interpolators (#12505) 44b83c5345 310b1b8
  • chore(editor): Move stateful toggle to NestedArtboard (#12490) 9f0dc79e3f 3ad6d1f
  • refactor(runtime): added overload for decoding shader (#12492) f1c2f2c776 1315a1d
  • chore: drop multi-shader machinery, drop legacy ScriptAsset-RSTB fallback (#12485) f74ec7dfd5 c1632cf
  • chore(shaders): call draw canvases from the draw command and gate met… (#12489) afccc14a00 e85a10a
  • added internal asset loader so you can bypass cmdq (#12487) a53f08a914 ea4e75c
  • chore: delay running data binds until necessary (#12469) ee223deb96 0439aba
  • Move from .rtex to .ktx2 (#12369) db268e8c81 13064a2

2.37.6 - 2026-05-08

... (truncated)

Commits
  • bf02dc7 chore: tag 2.37.8
  • bc56011 fix(unity): add missing neon palette png symbols to fix iOS crash (#12620) 46...
  • eaac76e chore(focus): expose focus polling API (#12617) fdb0536723
  • 59b7301 refactor(ore): convert ore classes to be virtual with per backend implementat...
  • bc0cc5f fix: Scroll to hidden layouts using scrollIndex (#12598) 679b808585
  • 745bf11 fix: PropertyRecorder UB calling &front() on empty buffers (#12607) 623d5fe7a3
  • 5d3f1fb fix(js): restart rAF loop on document visibilitychange event to ensure we pau...
  • 21585e3 feat(wgpu): Use wgsl (finally) in the WebGPU backend (#12541) d779307982
  • cc214a0 fix(runtime): Incorrect modulo in scroll using snap and carousel (#12586) 308...
  • 002ab0a fix(tests): Update gms & goldens to support 16K page sizes (#12584) 4440cf2dec
  • Additional commits viewable in compare view


Note

Low Risk
Lockfile and version range only; no integration or logic changes in this repo, though onboarding Rive UI may pick up upstream runtime behavior changes.

Overview
Bumps @rive-app/canvas-single from 2.37.5 to 2.37.8 in the special-pages workspace (package.json and root package-lock.json). There are no application source changes—only the resolved package version and integrity hash update.

Upstream 2.37.6–2.37.8 includes runtime fixes (e.g. JS visibilitychange handling for the animation loop, scroll/carousel behavior, renderer load errors) and other canvas/WASM changes that may affect onboarding Rive animations indirectly via the shared dependency.

Reviewed by Cursor Bugbot for commit 0d0c7a9. Bugbot is set up for automated code reviews on this repo.

@dependabot dependabot Bot added dependencies Update one or more dependencies version patch Increment the patch version when merged labels May 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 20, 2026 16:42

github-actions Bot commented May 20, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7
Commit 6549917955
Updated May 26, 2026 at 9:10:35 AM UTC

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#654991795528305a1a623c3f7b437087a4e2354c

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "654991795528305a1a623c3f7b437087a4e2354c")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7
git -C submodules/content-scope-scripts checkout 654991795528305a1a623c3f7b437087a4e2354c

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

No findings. The diff only updates @rive-app/canvas-single from 2.37.5 to 2.37.7 in special-pages/package.json and package-lock.json; it does not touch injected runtime code, API wrappers/shims, DOM mutation logic, feature config, or platform entry points.

Security Assessment

No findings. The package has no npm dependencies/peerDependencies, the lockfile is aligned with the declared version, and the changed files do not affect captured globals, messaging transports, message bridge validation, origin checks, or iframe handling.

Risk Level

Low Risk: dependency metadata-only update for a special-pages Rive canvas runtime, with no injected/src or security-sensitive code changes.

Recommendations

No blocking recommendations. I verified npm ci --ignore-scripts and npm run test-unit --workspace=special-pages locally; both completed successfully.

Sent by Cursor Automation: Web compat and sec

@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there are better practices used elsewhere?

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

@cursor cursor Bot left a comment

Stale comment

Dependency review for @rive-app/canvas-single 2.37.5 -> 2.37.7: no blocking concerns found.

Confirmed evidence:

  • The PR only updates special-pages/package.json and package-lock.json for this package.
  • npm metadata is stable across the bump: MIT license, 0 dependencies, 12 packaged files. The unpacked bundle grows from ~5.79 MB to ~5.90 MB, expected for the bundled JS/WASM runtime.
  • Local usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, used by the v3 Duck Player onboarding flow. That code sets enableRiveAssetCDN: false and loads a local .riv asset, so the Rive asset-CDN path remains disabled.
  • Upstream changelog entries for 2.37.6 and 2.37.7 are mostly renderer/runtime changes: compressed texture/KTX2 support, canvas/GL rendering fixes, init/load-error handling, and runtime safety fixes such as overflow/list-size validation and memory pressure fixes.
  • npm audit --workspace=special-pages --omit=dev reported 0 production vulnerabilities.

Residual validation risk:

  • Existing automated coverage exercises the v3 Duck Player step and toggle telemetry, but the screenshot test masks the Rive <canvas>, so it does not directly assert rendered pixels or state-machine visual output. I ran the targeted v3 Duck Player integration tests and they passed, but a visual check of the v3 Duck Player animation is the remaining confidence gap for this renderer bump.

Still needed:

  • The dependency is still needed while v3 onboarding remains supported/tested. Since v4 appears to use video/static assets instead, removing Rive can be revisited when v3 onboarding is retired.

Verification run:

  • npm ci
  • npm run build --workspace=special-pages
  • npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "duck player step" --reporter list
  • npm audit --workspace=special-pages --omit=dev

No separate fix PR drafted because I did not find a required code change for this update.

Sent by Cursor Automation: Review dependabot

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label May 22, 2026

github-actions Bot commented May 22, 2026

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:34:56 GMT

Apple
    - apple/pages/onboarding/dist/index.js

File has changed

Integration
    - integration/pages/onboarding/dist/index.js

File has changed

Windows
    - windows/pages/onboarding/dist/index.js

File has changed

@cursor cursor Bot left a comment

Stale comment

Dependency review for @rive-app/canvas-single 2.37.5 -> 2.37.7: no blocking concerns found.

Confirmed evidence:

  • The PR only changes special-pages/package.json and package-lock.json for this direct production dependency.
  • Local usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, reached by the v3 onboarding Duck Player step. The wrapper sets enableRiveAssetCDN: false and loads the local bundled .riv asset, so this bump does not introduce a new runtime network fetch path.
  • Package metadata is stable across 2.37.5 and 2.37.7: MIT license, 0 npm dependencies, 12 published files, no bundled deps. The unpacked package grows from ~5.79 MB to ~5.90 MB, consistent with an inline JS/WASM runtime update.
  • Upstream changelog entries for 2.37.6/2.37.7 are renderer/runtime oriented: compressed texture/KTX2 support, canvas/GL rendering fixes, JS load-error handling, runtime validation/safety fixes, and memory-pressure fixes. I did not see changelog evidence of a new browser permission, dependency, or CDN requirement relevant to this repo’s current usage.
  • npm audit --workspace=special-pages --omit=dev reported 0 production vulnerabilities.

Coverage and residual risk:

  • Existing onboarding integration coverage exercises the v3 Duck Player step and toggle telemetry. I also ran targeted v3 Duck Player tests after the bump and they passed.
  • Remaining validation gap is visual fidelity of the Rive-rendered <canvas> itself: the automated tests assert page behavior around the step, not pixel-level state-machine output. A quick manual visual check of the v3 Duck Player animation would be the only extra confidence I’d ask for, not a blocker.

Dependency need:

  • The dependency is still needed while v3 onboarding remains supported. Since v4 appears to avoid Rive for this flow, removing @rive-app/canvas-single can be revisited when v3 onboarding is retired.

Verification run:

  • npm ci
  • npm pack @rive-app/canvas-single@2.37.5 --json --dry-run
  • npm pack @rive-app/canvas-single@2.37.7 --json --dry-run
  • npm audit --workspace=special-pages --omit=dev
  • npm run build --workspace=special-pages
  • npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "duck player step" --reporter list

No separate fix PR drafted because I did not find a required code change.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Dependency update review for @rive-app/canvas-single 2.37.5 -> 2.37.7:

No confirmed blocking concerns found.

Confirmed evidence:

  • Diff only updates special-pages/package.json and package-lock.json; the package still has 0 npm dependencies and the lockfile integrity matches npm metadata for 2.37.7.
  • Local usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, reached by onboarding v3’s Duck Player step.
  • Upstream changelog for 2.37.6/2.37.7 includes renderer/runtime fixes, compressed texture/ktx2 support, and JS load-error handling changes. These could affect Rive canvas rendering/load behavior, but no repo API usage change was required.
  • npm audit --omit=dev --workspace=special-pages reports 0 production vulnerabilities.

Validation run:

  • npm ci
  • npm run build --workspace=special-pages
  • npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "shows v3 flow" --reporter list -> 12 passed

Residual risk / test coverage:

  • Existing v3 flow tests exercise the Duck Player page path and toggles, but screenshots mask the Rive canvas to avoid animation flake, so they do not prove pixel-for-pixel rendering equivalence. Given this is a patch bump with no new transitive deps and runtime smoke coverage passed, I do not think this needs a blocking fix.

Dependency need / alternative:

  • The dependency is still needed for onboarding v3. Onboarding v4 appears to use video for the Duck Player animation path, so a future cleanup could remove Rive only if/when v3 and RiveAnimation are retired or ported.

I did not draft a separate fixes PR because I did not find a concrete issue requiring code changes.

Sent by Cursor Automation: Review dependabot

@jonathanKingston jonathanKingston added this pull request to the merge queue May 26, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch May 26, 2026
@daxtheduck

@dependabot recreate

@dependabot dependabot Bot changed the title build(deps): bump @rive-app/canvas-single from 2.37.5 to 2.37.7 build(deps): bump @rive-app/canvas-single from 2.37.5 to 2.37.8 May 26, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7 branch from e468ced to 4683f70 Compare May 26, 2026 08:49

@cursor cursor Bot left a comment

Web Compatibility Assessment

No findings. The changed lines only update @rive-app/canvas-single from 2.37.5 to 2.37.8 in special-pages/package.json and package-lock.json; there are no changes under injected/src, wrapper utilities, API shims, DOM manipulation, feature config, or platform entry points.

Security Assessment

No findings. The package still declares no npm dependencies or peer dependencies, and the lockfile integrity matches the published 2.37.8 npm metadata. This diff does not affect captured globals, messaging transports, message bridge validation, origin checks, postMessage usage, or iframe handling.

Risk Level

Low Risk: dependency metadata-only update for the special-pages Rive canvas runtime, with no injected-runtime or security-sensitive code changes.

Recommendations

No blocking recommendations. I verified npm audit --omit=dev --workspace=special-pages reports 0 vulnerabilities and npm run build --workspace=special-pages completes locally. Remaining non-blocking coverage gap is visual fidelity of the onboarding Rive <canvas> itself; upstream 2.37.8 includes renderer/runtime changes such as rAF restart on visibilitychange, while existing tests mostly cover page flow around the animation rather than pixel output.

Sent by Cursor Automation: Web compat and sec

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7 branch 2 times, most recently from 6ed0066 to e2bc772 Compare May 26, 2026 08:54

@cursor cursor Bot left a comment

Stale comment

Dependency update review for @rive-app/canvas-single 2.37.5 -> 2.37.8.

Confirmed issues: none found.

Evidence reviewed:

  • PR only changes special-pages/package.json and package-lock.json; the package remains MIT-licensed and has 0 npm dependencies.
  • Local usage is limited to special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, currently used by the v3 onboarding Duck Player step. The component uses canvas-single with bundled WASM and sets enableRiveAssetCDN: false, so this update does not add a new runtime CDN fetch path in our integration.
  • Upstream changelog between 2.37.5 and 2.37.8 includes runtime/rendering fixes, onLoadError handling improvements, document.visibilitychange rAF handling, KTX2/compressed texture work, and new JS/WASM focus/keyboard traversal support. The relevant behavioral surfaces for us are Rive initialization, state-machine inputs, render loop timing after page visibility changes, and focus handling if the .riv asset contains focus nodes.
  • Package metadata changed from 12 files / ~5.8 MB unpacked to 13 files / ~5.9 MB unpacked; changed files are the bundled rive.js, source map, package metadata, and type declarations including a new keyboard interactions helper.

Validation performed:

  • npm ci
  • npm run build --workspace special-pages
  • npm run test-int --workspace special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "shows v3 flow" --reporter list -> 12 passed
  • npm run test-int --workspace special-pages -- pages/onboarding/integration-tests/onboarding.v4.spec.js --grep "duck player step" --reporter list -> 12 passed

Residual risk / suggested validation:

  • The v3 onboarding screenshot test masks the Rive canvas to avoid animation-frame flakes, so CI does not assert pixel-level rendering of the updated runtime. A quick manual visual check of the v3 Duck Player Rive animation on the build artifact would cover that gap.
  • The new focus/keyboard runtime support appears gated on focus nodes in the Rive state machine. I did not confirm the binary .riv asset contents, so manual tab-order validation on the v3 Duck Player step is the specific accessibility check I would do if this flow is still shipped.

No fix PR drafted: I did not find a concrete code issue to patch. Longer-term, if v3 onboarding is no longer shipped, removing the Rive path would eliminate this dependency; if it is still needed, the current canvas-single + enableRiveAssetCDN: false setup is the right privacy-preserving shape. A size-focused alternative worth evaluating separately is @rive-app/canvas-lite, but only if the Onboarding.riv asset does not require Rive Text.

Sent by Cursor Automation: Review dependabot

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7 branch from e2bc772 to 57fe91a Compare May 26, 2026 08:56

@cursor cursor Bot left a comment

Stale comment

No blocking concerns found for this dependency bump.

Confirmed scope: the PR only updates @rive-app/canvas-single from 2.37.5 to 2.37.8 in special-pages/package.json and package-lock.json. The package has no transitive dependencies; published package size increases from ~5.79 MB to ~5.92 MB unpacked and adds utils/registerKeyboardInteractions.d.ts.

Changelog impact: upstream changes between 2.37.5 and 2.37.8 include JS/runtime load-error handling, visibilitychange rAF restart behavior, focus/pointer support, compressed texture support, and broader renderer/runtime fixes. Local usage is limited to RiveAnimation in the v3 onboarding Duck Player step. The code does not opt into automatic Rive event handling, so the OpenUrl/special event handling path remains disabled by default.

Coverage checked: after refreshing dependencies with npm ci, I validated against installed @rive-app/canvas-single@2.37.8 with:

  • npm run build --workspace special-pages
  • npm run test-unit --workspace special-pages (104 passing)
  • npx playwright test pages/onboarding/integration-tests/onboarding.v3.spec.js --project windows --reporter list (42 passing, 1 skipped)
  • npx playwright test pages/onboarding/integration-tests/onboarding.v3.spec.js --project macos --reporter list (43 passing)

Residual risk: the existing v3 onboarding tests exercise the Duck Player step and toggle flow, but they do not directly assert Rive canvas load events or state-machine input values. Given the bump is patch-level, local focused browser coverage passes, and v4 no longer uses Rive for this step, I do not think a separate fix PR is needed. Longer term, if v3 onboarding is retired, removing @rive-app/canvas-single would reduce a large WASM/runtime dependency surface.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Dependency risk review for @rive-app/canvas-single 2.37.5 -> 2.37.8:

No confirmed blocking issues found.

Evidence checked:

  • PR changes only special-pages/package.json and package-lock.json for the direct production dependency bump.
  • Upstream changelog/compare covers 84 commits, including JS renderer/load-error handling, rAF restart on visibilitychange, focus/keyboard API additions, runtime/layout fixes, KTX2/compressed texture work, and WebGPU/WASM/runtime refactors.
  • Package metadata remains no-transitive-dependency and MIT; unpacked size changes from ~5.79 MB to ~5.92 MB. The new npm artifact has registry signature and SLSA provenance attestation.
  • Repo usage is narrow: @rive-app/canvas-single is imported by special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, used for the v3 onboarding Duck Player .riv animation. enableRiveAssetCDN: false remains set, so the component should not fetch Rive-hosted assets.

Residual concerns / validation needed:

  • The upstream runtime delta is broad for a patch release. The main app-facing risk is behavioral/visual regression in the v3 onboarding Duck Player canvas, especially around state-machine input application, load-error behavior, and pause/resume after page visibility changes.
  • Existing onboarding integration tests exercise the Duck Player toggle path, but the screenshot test masks the Rive canvas, so frame-level visual/rendering regressions are not covered by automated screenshots.
  • CI integration/snapshot jobs were still in progress when reviewed; merge should wait for those to complete.

Local validation run:

  • npm ci
  • npm run test-unit --workspace=special-pages passed: 104 tests
  • npm run build --workspace=special-pages && npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --project windows --grep "duck player" --reporter list passed: 3 tests

No separate fix PR drafted because I did not find a required code fix. Optional hardening for a future PR would be explicit loaderror handling in RiveAnimation, but that is not a blocker for this dependency update based on the current evidence.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Dependency risk assessment for @rive-app/canvas-single 2.37.5 -> 2.37.8:

No confirmed blocking issues found.

Evidence reviewed:

  • The PR only updates special-pages/package.json and package-lock.json for @rive-app/canvas-single; no new transitive dependency is introduced by the package.
  • Current in-repo use is limited to onboarding v3 via special-pages/pages/onboarding/app/shared/components/RiveAnimation.js, with enableRiveAssetCDN: false and a local .riv asset path, so I did not see new network exposure from this update in our integration.
  • Upstream changelog entries for 2.37.6-2.37.8 include JS/runtime-relevant changes: onLoadError coverage during initialization, renderer creation errors emitted as LoadError, rAF restart on document.visibilitychange, and focus/keyboard APIs, plus several renderer/runtime fixes. These could affect the onboarding canvas/state-machine path but do not imply an API removal for our usage.
  • Package type diffs add optional tabIndex, keyboard interaction exports, and runtime loader error callback support; no breaking signature change was visible for the new Rive({ src, canvas, autoplay, artboard, stateMachines }) usage here.

Validation performed:

  • npm audit --workspace=special-pages --omit=dev --json: 0 prod advisories.
  • npm run build --workspace=special-pages: passed.
  • npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --reporter list: one Windows full-flow timeout on the second Duck Player toggle, while the focused Duck Player toggle telemetry tests passed.
  • Reran the failed Windows flow with --project windows --grep "shows v3 flow" --reporter list: passed all 6 matched tests.

Residual risk / suggested validation:

  • The onboarding v3 screenshot test masks the Rive canvas, so CI mostly validates page load and controls, not rendered animation correctness. Given the upstream renderer/runtime changes, I would still manually smoke the v3 Duck Player onboarding animation on a build branch, including toggling before/after and backgrounding/restoring the page, before merging if this page is release-critical.

No fix PR drafted because I did not find a confirmed issue requiring code changes.

Sent by Cursor Automation: Review dependabot

Bumps [@rive-app/canvas-single](https://github.com/rive-app/rive-wasm) from 2.37.5 to 2.37.8.
- [Changelog](https://github.com/rive-app/rive-wasm/blob/master/CHANGELOG.md)
- [Commits](rive-app/rive-wasm@2.37.5...2.37.8)

---
updated-dependencies:
- dependency-name: "@rive-app/canvas-single"
  dependency-version: 2.37.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7 branch from 57fe91a to 0d0c7a9 Compare May 26, 2026 09:09

@cursor cursor Bot left a comment

Dependency review for @rive-app/canvas-single 2.37.5 -> 2.37.8:

No confirmed dependency-related blocker found.

Evidence checked:

  • PR diff only changes special-pages/package.json and package-lock.json.
  • The package is a direct production dependency used only by onboarding v3’s RiveAnimation / Duck Player step; v4 uses video/Lottie instead.
  • npm metadata for 2.37.8 still shows no transitive dependencies or install scripts, and the lockfile integrity matches the registry integrity.
  • Runtime is configured with enableRiveAssetCDN: false, so this path should keep loading the local bundled .riv asset rather than remote Rive assets.
  • Upstream 2.37.6-2.37.8 changelog includes broad renderer/runtime/WASM changes: compressed texture/KTX2 support, ORE/WebGPU refactors, layout/scroll fixes, JS load-error handling, JS visibilitychange rAF restart, and memory-safety-adjacent fixes such as SimpleArray overflow hardening and PropertyRecorder empty-buffer UB.

Validation run locally:

  • npm ci
  • npm run build -w special-pages
  • npm run test-unit -w special-pages
  • npm run test-int -w special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --project windows --grep "duck player step" --reporter list (3 passed)

Uncertain/residual concerns:

  • Existing tests cover the page loading and Duck Player toggle telemetry, but they do not assert the actual Rive canvas output/state-machine rendering. The onboarding screenshot test masks the canvas explicitly to avoid animation flake, so a renderer regression that leaves the canvas blank could still escape. Required validation, if we want higher confidence, is a targeted non-flaky canvas smoke check such as “Rive canvas becomes non-blank/no load error” or a manual verification on the built onboarding v3 Duck Player step.
  • If onboarding v3 is no longer shipped, the better long-term fix is to remove this dependency and the remaining v3 Rive path instead of continuing to carry a WASM animation runtime. I did not draft a separate PR for that because current code/tests still keep v3 active, so removal needs product/platform confirmation.

Non-dependency CI note: the review_validation failure log shows DAX_PAT returned 401, which looks like repo automation/token configuration rather than a package-update failure.

Sent by Cursor Automation: Review dependabot
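
The lockfile checks the review comments above rely on (lockfile integrity equal to the registry integrity, no install scripts, no added dependencies), written out as an added example that is not part of this pull request or the repo's tooling. The function names, finding codes, sample lockfile entries and placeholder digests are constructed for illustration, and the expected registry host and hoisted `node_modules/` path are assumptions.

```javascript
// Added example: scripted checks for a lockfile-only dependency bump.
// Every value below is constructed; the integrity digests are placeholders, not real hashes.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const DEP_FIELDS = ['dependencies', 'peerDependencies', 'optionalDependencies'];

// Split a Subresource Integrity string ("sha512-<base64>") into parts; null if malformed.
function parseSri(sri) {
  const m = /^(sha\d+)-([A-Za-z0-9+/]+={0,2})$/.exec(String(sri || ''));
  return m ? { algorithm: m[1], digest: m[2] } : null;
}

// Compare one lockfile entry with the registry metadata for the version being adopted.
// Returns a list of { check, detail } findings; an empty list means every check passed.
// Assumption: the package is hoisted to the root node_modules of a v2/v3 lockfile.
function reviewBump(lockfile, name, expectedVersion, registryMeta, registryHost = 'registry.npmjs.org') {
  const findings = [];
  const add = (check, detail) => findings.push({ check, detail });

  const entry = (lockfile.packages || {})[`node_modules/${name}`];
  if (!entry) {
    add('missing-entry', `${name} is not in the lockfile`);
    return findings;
  }
  if (entry.version !== expectedVersion) {
    add('version', `lockfile has ${entry.version}, expected ${expectedVersion}`);
  }

  // Integrity: require sha512 and an exact match with the registry's dist.integrity.
  const lockSri = parseSri(entry.integrity);
  const regSri = parseSri(registryMeta.dist && registryMeta.dist.integrity);
  if (!lockSri || lockSri.algorithm !== 'sha512') {
    add('weak-integrity', 'lockfile integrity is missing, malformed or not sha512');
  } else if (!regSri || regSri.algorithm !== 'sha512' || regSri.digest !== lockSri.digest) {
    add('integrity-mismatch', 'lockfile integrity differs from registry dist.integrity');
  }

  // Resolved URL: the tarball must come from the expected registry host.
  let host = null;
  try {
    host = new URL(entry.resolved).host;
  } catch {
    host = null; // a missing or unparsable URL fails the comparison below
  }
  if (host !== registryHost) {
    add('resolved-host', `resolved host is ${host}, expected ${registryHost}`);
  }

  // Install scripts: flagged in the lockfile or declared in the published manifest.
  const hooks = INSTALL_HOOKS.filter((h) => registryMeta.scripts && h in registryMeta.scripts);
  if (entry.hasInstallScript === true || hooks.length > 0) {
    add('install-script', `install-time scripts present: ${hooks.join(', ') || 'hasInstallScript'}`);
  }

  // Dependencies: the bump must not start pulling in other packages.
  for (const field of DEP_FIELDS) {
    const names = new Set([
      ...Object.keys(entry[field] || {}),
      ...Object.keys(registryMeta[field] || {}),
    ]);
    if (names.size > 0) add('new-dependency', `${field}: ${[...names].join(', ')}`);
  }
  return findings;
}

// ---- Constructed sample input ----
const PKG = '@rive-app/canvas-single';
const DIGEST_A = 'A'.repeat(86) + '=='; // placeholder, shaped like a base64 sha512 digest
const DIGEST_B = 'B'.repeat(86) + '=='; // placeholder, deliberately different
const TARBALL = 'https://registry.npmjs.org/@rive-app/canvas-single/-/canvas-single-2.37.8.tgz';

// What the registry reports for the new version (constructed).
const registryMeta = {
  name: PKG,
  version: '2.37.8',
  dist: { integrity: `sha512-${DIGEST_A}`, tarball: TARBALL },
};

// A lockfile entry that agrees with the registry.
const cleanLock = {
  lockfileVersion: 3,
  packages: {
    [`node_modules/${PKG}`]: { version: '2.37.8', resolved: TARBALL, integrity: `sha512-${DIGEST_A}`, license: 'MIT' },
  },
};

// A lockfile entry with a swapped digest, a different host and an install script flag.
const tamperedLock = {
  lockfileVersion: 3,
  packages: {
    [`node_modules/${PKG}`]: {
      version: '2.37.8',
      resolved: 'https://mirror.example.invalid/canvas-single-2.37.8.tgz',
      integrity: `sha512-${DIGEST_B}`,
      hasInstallScript: true,
    },
  },
};

console.log(reviewBump(cleanLock, PKG, '2.37.8', registryMeta));
console.log(reviewBump(tamperedLock, PKG, '2.37.8', registryMeta).map((f) => f.check));
```

In CI the `registryMeta` object would come from the registry's metadata for the exact version in the lockfile, fetched separately from the install step.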

dependabot Bot commented on behalf of github May 27, 2026

Superseded by #2719.

@dependabot dependabot Bot closed this May 27, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.7 branch May 27, 2026 11:47