build(deps): bump @rive-app/canvas-single from 2.37.5 to 2.37.8 #2719

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.8

@dependabot dependabot Bot commented on behalf of github May 27, 2026

Bumps @rive-app/canvas-single from 2.37.5 to 2.37.8.

Changelog

Sourced from @rive-app/canvas-single's changelog.

2.37.8

Commits

  • fix(unity): add missing neon palette png symbols to fix iOS crash (#12620) 463745fd0b bc56011
  • chore(focus): expose focus polling API (#12617) fdb0536723 eaac76e
  • refactor(ore): convert ore classes to be virtual with per backend implementations (#12599) e5c20369ec 59b7301
  • fix: Scroll to hidden layouts using scrollIndex (#12598) 679b808585 bc0cc5f
  • fix: PropertyRecorder UB calling &front() on empty buffers (#12607) 623d5fe7a3 745bf11
  • fix(js): restart rAF loop on document visibilitychange event to ensure we pause and resume the state machine accordingly (#12596) 1f69963ced 5d3f1fb
  • feat(wgpu): Use wgsl (finally) in the WebGPU backend (#12541) d779307982 21585e3
  • fix(runtime): Incorrect modulo in scroll using snap and carousel (#12586) 308565c15e cc214a0
  • fix(tests): Update gms & goldens to support 16K page sizes (#12584) 4440cf2dec 002ab0a
  • feat: add user-driven focus management support for js/wasm. plumb through focus manager methods to SMI (#12522) ea3739b107 9a17f5a
  • fix(apple): retain and clear artboard/image property values in ViewModelInstance (#12561) d938779f2b e500205
  • refactor(gpu): move beginRenderPass from GPUCanvas to Context (#12579) 1cac286905 9edf529
  • fix: drop 32-bit integer vector VertexFormats (#12570) 2e4ed32ffa 7551667
  • fix: pass file to data bind clone (#12569) 717b403dd9 d813fc0
  • fix(editor): Stateful component fixes (#12563) 26b149f92c 895600f
  • fix(runtime): pass pointerId to drag events (#12559) 43b857965b 1d11be1

2.37.7 - 2026-05-15

Commits

  • chore: tag 2.37.7 3984a8a
  • fix: Make ViewModelInstanceTrigger keyable for Stateful Components (#12556) c2f1000a63 95048a9
  • Support ktx2 (#12385) f454e3170e 3ad1efa
  • fix(js): catch errors when creating the renderer and send to Rive LoadError event (#12553) e89dcdca47 b313226
  • Fix render_canvas_prepass_multi GL flip pivot (#12488) db997822be 575568e
  • chore(runtime): resolve build error after merge conflicts (#12545) 320eff3f97 1603626
  • feat(scripting_workspace): HLSLStructLayout v2 with per-resource stageMask (#12544) a9d6eff838 b3c62c7
  • chore(rive_native): build microprofiler behind a flag (#12514) 44ba1a605e 8a3046c
  • fix: memory pressure during dart allocations from luau trampoline cal… (#12540) 2dab5352d7 cce3914
  • fix(scripting_workspace): HLSL export cleanup (#12512) 60b685278c 6d75a6d
  • chore: Guard from calling markNeedsUpdate in update (#12525) fab85a4fd5 ea0ff90
  • fix(editor): reset scripted objects initialization when data context is cleared (#12523) 9faec1e36e 4d5c72c
  • validate inputs for logging (#12521) 8e58f305c1 9d804e3
  • Update profiler to fix build (#12515) 687a80a7a8 87f8275
  • chore(js): force js/npm/** changes through downstream push with up-to-date versions. add rive_fallback.wasm to webgl2 package files to actually publish with that file (#12502) d3ee0f9e01 a64cc66
  • Nnnnn scripted interpolators (#12505) 44b83c5345 310b1b8
  • chore(editor): Move stateful toggle to NestedArtboard (#12490) 9f0dc79e3f 3ad6d1f
  • refactor(runtime): added overload for decoding shader (#12492) f1c2f2c776 1315a1d
  • chore: drop multi-shader machinery, drop legacy ScriptAsset-RSTB fallback (#12485) f74ec7dfd5 c1632cf
  • chore(shaders): call draw canvases from the draw command and gate met… (#12489) afccc14a00 e85a10a
  • added internal asset loader so you can bypass cmdq (#12487) a53f08a914 ea4e75c
  • chore: delay running data binds until necessary (#12469) ee223deb96 0439aba
  • Move from .rtex to .ktx2 (#12369) db268e8c81 13064a2

2.37.6 - 2026-05-08

... (truncated)

Commits
  • bf02dc7 chore: tag 2.37.8
  • bc56011 fix(unity): add missing neon palette png symbols to fix iOS crash (#12620) 46...
  • eaac76e chore(focus): expose focus polling API (#12617) fdb0536723
  • 59b7301 refactor(ore): convert ore classes to be virtual with per backend implementat...
  • bc0cc5f fix: Scroll to hidden layouts using scrollIndex (#12598) 679b808585
  • 745bf11 fix: PropertyRecorder UB calling &front() on empty buffers (#12607) 623d5fe7a3
  • 5d3f1fb fix(js): restart rAF loop on document visibilitychange event to ensure we pau...
  • 21585e3 feat(wgpu): Use wgsl (finally) in the WebGPU backend (#12541) d779307982
  • cc214a0 fix(runtime): Incorrect modulo in scroll using snap and carousel (#12586) 308...
  • 002ab0a fix(tests): Update gms & goldens to support 16K page sizes (#12584) 4440cf2dec
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Lockfile-only dependency patch bump with no repo code changes; main risk is regressions in Rive canvas animations used on special pages.

Overview
Bumps @rive-app/canvas-single in the special-pages package from 2.37.5 to 2.37.8, with the matching package-lock.json resolution updates. There are no application source changes—only dependency version pins.

Onboarding and related UI still load Rive through the existing RiveAnimation wrapper; this PR only picks up upstream runtime fixes and behavior changes in the 2.37.6–2.37.8 release line (for example JS visibility/requestAnimationFrame handling, scroll/layout fixes, and renderer error handling noted in the upstream changelog).

Reviewed by Cursor Bugbot for commit 4cdceaf. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [@rive-app/canvas-single](https://github.com/rive-app/rive-wasm) from 2.37.5 to 2.37.8.
- [Changelog](https://github.com/rive-app/rive-wasm/blob/master/CHANGELOG.md)
- [Commits](rive-app/rive-wasm@2.37.5...2.37.8)

---
updated-dependencies:
- dependency-name: "@rive-app/canvas-single"
  dependency-version: 2.37.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the "dependencies" (Update one or more dependencies version) and "patch" (Increment the patch version when merged) labels May 27, 2026
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there are better practices used elsewhere?

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

@github-actions

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.8
Commit 58bca14358
Updated May 27, 2026 at 11:50:14 AM UTC

Static preview entry points

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.8

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.8")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.8
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.8

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#58bca14358391f522272fb9606fbed56617096b6

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "58bca14358391f522272fb9606fbed56617096b6")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/rive-app/canvas-single-2.37.8
git -C submodules/content-scope-scripts checkout 58bca14358391f522272fb9606fbed56617096b6

@cursor cursor Bot left a comment

Web Compatibility Assessment

No findings.

The PR only bumps @rive-app/canvas-single in special-pages/package.json and the matching package-lock.json entry. It does not touch injected runtime code, browser API wrappers/shims, captured globals, messaging transports, message bridge checks, DOM manipulation code, or platform entry points.

Relevant upstream changes between 2.37.5 and 2.37.8 include JS/WASM runtime fixes around load-error reporting, restarting the rAF loop on document.visibilitychange, renderer creation errors, focus/keyboard interaction helpers, and assorted renderer/runtime fixes. The package remains dependency-free. Current repo usage is limited to onboarding’s RiveAnimation component, which does not opt into the new keyboard/focus helpers.

Security Assessment

No findings.

No new network requests, postMessage, dynamic code execution, native messaging payload changes, iframe access, origin checks, or injected page-world global reads were introduced by this diff.

Risk Level

Low Risk: dependency-only special-pages update with aligned lockfile changes and no injected web-page runtime surface changes.

Recommendations

No blocking recommendations.

Validated locally:

  • npm run build --workspace=special-pages
  • npm run test-unit --workspace=special-pages

Optional release confidence: smoke-test the onboarding Duck Player Rive animation/before-after toggle on at least one WebKit-based target, since upstream changed runtime rAF/visibility handling and renderer error propagation.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Dependency risk review for @rive-app/canvas-single 2.37.5 -> 2.37.8

Confirmed issues: none found.

Evidence reviewed:

  • PR only changes special-pages/package.json and package-lock.json; no app code changes.
  • Current repo usage is limited to onboarding v3’s RiveAnimation wrapper, which instantiates Rive for the Duck Player animation with enableRiveAssetCDN: false.
  • Upstream changelog for 2.37.6-2.37.8 includes runtime-visible changes: canvas focus/keyboard handling, visibilitychange render-loop handling, stricter LoadError paths, renderer creation error handling, compressed texture/runtime fixes, and WebGPU/GPU/backend work. These are broader than a metadata-only patch, but the local usage stays on canvas-single with inline WASM and local .riv assets.
  • Supply chain: npm metadata still reports MIT license, zero package dependencies, same maintainers, registry signature plus SLSA provenance attestation for 2.37.8. npm audit --omit=dev --workspace special-pages reported 0 vulnerabilities.
  • Tests: GitHub checks show special-pages integration and snapshots passing. I also ran npm run test-int --workspace=special-pages -- pages/onboarding/integration-tests/onboarding.v3.spec.js --grep "shows v3 flow" --reporter list, which passed (12 passed) and covers navigation through the onboarding v3 Duck Player step that creates the Rive canvas.

Uncertain/residual risk:

  • Existing screenshot coverage masks the Rive canvas, so it will not catch visual rendering regressions inside the animation. Manual/native smoke validation of the onboarding v3 Duck Player step is still useful if this dependency is high-risk for release.
  • The new upstream focus handling can set tabIndex and intercept Tab when a Rive file has focus nodes. I did not see focus-related strings in the checked-in onboarding .riv asset, so this is not a confirmed issue, but keyboard tab order would be the specific behavior to validate if the asset changes.
  • The dependency still appears needed while onboarding v3 is supported. Once v3 is retired, @rive-app/canvas-single should be removable since v4 appears to use non-Rive media for this step.

No separate fix PR drafted: I did not find a concrete defect needing a code change, and I did not push changes to this PR.

Sent by Cursor Automation: Review dependabot
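
The lockfile properties both reviews rely on (patch-level bump, tarball resolved from the npm registry, integrity present, package still dependency-free, no other installed package touched) can be checked mechanically. The following is an added example, not part of this PR or the repository's tooling; the lockfile fragments are constructed, the integrity strings are placeholders, and `reviewBump` is a hypothetical helper name.

```javascript
// Constructed lockfile fragments (lockfileVersion 3 layout). The integrity
// strings are placeholders, not real hashes of any published tarball.
const PKG = "@rive-app/canvas-single";
const entry = (version, extra = {}) => ({
  version,
  resolved: `https://registry.npmjs.org/${PKG}/-/canvas-single-${version}.tgz`,
  integrity: `sha512-PLACEHOLDER-${version}`,
  ...extra,
});
const lock = (packages) => ({ lockfileVersion: 3, packages });
const before = lock({ [`node_modules/${PKG}`]: entry("2.37.5") });
const after = lock({ [`node_modules/${PKG}`]: entry("2.37.8") });

// Locate the installed-package entry, including nested workspace node_modules.
function findEntry(lockfile, name) {
  const key = Object.keys(lockfile.packages).find((k) => k.endsWith(`node_modules/${name}`));
  return key ? { key, ...lockfile.packages[key] } : null;
}

// Returns a list of findings; an empty list means the bump looks as described.
function reviewBump(oldLock, newLock, name) {
  const a = findEntry(oldLock, name);
  const b = findEntry(newLock, name);
  if (!a || !b) return [`${name} missing from lockfile`];
  const findings = [];
  const [aMajor, aMinor] = a.version.split(".");
  const [bMajor, bMinor] = b.version.split(".");
  if (aMajor !== bMajor || aMinor !== bMinor) findings.push("not a patch-level bump");
  const url = new URL(b.resolved);
  if (url.protocol !== "https:" || url.hostname !== "registry.npmjs.org")
    findings.push(`unexpected tarball source: ${url.origin}`);
  if (!url.pathname.endsWith(`-${b.version}.tgz`))
    findings.push("tarball name does not match locked version");
  if (!/^sha512-/.test(b.integrity || "")) findings.push("missing sha512 integrity");
  if (b.integrity === a.integrity) findings.push("integrity unchanged across versions");
  if (Object.keys(b.dependencies || {}).length > 0) findings.push("package gained dependencies");
  if (b.hasInstallScript && !a.hasInstallScript) findings.push("package gained an install script");
  // Root/workspace manifest entries legitimately change with package.json, so
  // only other installed packages (keys under node_modules/) must be untouched.
  const keys = new Set([...Object.keys(oldLock.packages), ...Object.keys(newLock.packages)]);
  for (const k of keys) {
    if (!k.includes("node_modules/") || k === b.key) continue;
    if (JSON.stringify(oldLock.packages[k]) !== JSON.stringify(newLock.packages[k]))
      findings.push(`unrelated lockfile entry changed: ${k}`);
  }
  return findings;
}

console.log(reviewBump(before, after, PKG));
```

Against a real checkout, the two arguments would be the parsed `package-lock.json` from the base branch and from the PR branch; the script complements, and does not replace, registry signature and provenance verification.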
