Architecture
Security
MapWeave is a low-risk, highly secure JavaScript library that is unlikely to be affected by common security vulnerabilities.
- It does not track user data or use any persistent data on local storage.
- It runs entirely within the browser using standard JavaScript. It has no plug-in or extension requirements.
- All MapWeave product source code (excluding dependencies) is obfuscated and minified before distribution.
- Nothing is added to the global scope.
- It does not pollute prototypes.
- Any new APIs and features are tested to prevent introduction of vulnerabilities.
Development
MapWeave is a closed source project, with all code (excluding dependencies) controlled by Cambridge Intelligence staff, reviewed by multiple expert developers and tested thoroughly by our experienced QA team.
MapWeave source code is developed and built with an automated toolchain which is configured according to modern best practices to help identify security issues and ensure consistency and quality across the codebase. The toolchain contains a linter (ESLint) and a suite of security scanners, including:
- Secret scanner - scans the source code for accidental exposure of sensitive security information
- Container scanner - scans the webserver container for vulnerabilities
- Dependency scanner - scans our internal and build-time dependencies for known issues and vulnerabilities
- Static application security testing (SAST) - scans the source code for vulnerabilities, encryption issues and other potentially exploitable holes
If we identify a vulnerability, we review it internally and deal with it before release.
Our JavaScript files are built using secure processes and hosted on secure web servers. We will never add malicious behaviors to our source code, and we are confident that third parties cannot hijack or compromise our downloads. There is no accepted standard scanner for malicious JavaScript code.
Dependencies
MapWeave will automatically install these internal dependencies. If your project already depends on any of these packages, then your package manager will only download these modules once.
"@types/geojson": "^7946.0.14",
MapWeave uses Deck.gl and supports a specific set of versions of its sub-dependencies.
To ensure the correct versions are used, we have provided a pre-built vendor.js file in the download package.
The file is unminified and preserves the licensing text from the original dependencies. Deck.gl is MIT licensed and you will need to ensure these comments are retained after any subsequent code bundling. The pre-built vendor.js file includes the following bundled dependencies:
"@deck.gl/aggregation-layers": "9.0.23",
"@deck.gl/core": "9.0.23",
"@deck.gl/extensions": "9.0.23",
"@deck.gl/geo-layers": "9.0.23",
"@deck.gl/layers": "9.0.23",
"@deck.gl/mapbox": "9.0.23",
"@deck.gl/mesh-layers": "9.0.23",
"@loaders.gl/3d-tiles": "4.2.2",
"@loaders.gl/i3s": "4.2.2",
"@luma.gl/core": "9.0.15",
"@luma.gl/engine": "9.0.15",
"@luma.gl/gltf": "9.0.15",
"@luma.gl/shadertools": "9.0.15",
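The version list above can be checked against a project's own lockfile to catch a second, divergent copy of a bundled package pulled in by another dependency. This is an added example, not MapWeave code: it assumes an npm package-lock.json with lockfileVersion 2 or 3 (a packages map keyed by install path), and the function names, the some-widget package and the sample lockfile are constructed for illustration.

```javascript
// Versions bundled in vendor.js, copied from the list above.
const PINNED = {
  "@deck.gl/aggregation-layers": "9.0.23", "@deck.gl/core": "9.0.23",
  "@deck.gl/extensions": "9.0.23", "@deck.gl/geo-layers": "9.0.23",
  "@deck.gl/layers": "9.0.23", "@deck.gl/mapbox": "9.0.23",
  "@deck.gl/mesh-layers": "9.0.23", "@loaders.gl/3d-tiles": "4.2.2",
  "@loaders.gl/i3s": "4.2.2", "@luma.gl/core": "9.0.15",
  "@luma.gl/engine": "9.0.15", "@luma.gl/gltf": "9.0.15",
  "@luma.gl/shadertools": "9.0.15",
};

// "node_modules/a/node_modules/@deck.gl/core" -> "@deck.gl/core"; root key "" -> null.
function packageName(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Report every installed copy of a pinned package whose version differs.
function auditLockfile(lock, pinned = PINNED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (meta.link) continue; // workspace symlink entries carry no version
    const name = packageName(path);
    if (!name || !Object.prototype.hasOwnProperty.call(pinned, name)) continue;
    if (meta.version !== pinned[name]) {
      findings.push({ name, path, installed: meta.version, expected: pinned[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile; "some-widget" and version 8.9.35 are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@deck.gl/core": { version: "9.0.23" },
    "node_modules/@deck.gl/layers": { version: "9.0.23" },
    "node_modules/@luma.gl/core": { version: "9.0.15" },
    "node_modules/some-widget/node_modules/@deck.gl/core": { version: "8.9.35" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

In a real project, pass the parsed contents of package-lock.json to auditLockfile and fail the build when the returned list is not empty.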
MapWeave also has the following optional peer dependencies:
If you are using MapLibre, install version ^4.4.0.
If you are using Mapbox, install version ^3.3.0.
Rendering
MapWeave uses WebGL 2 for high performance rendering of its layers.
WebGL 2, based on OpenGL ES 3.0, supersedes WebGL 1 as a 3D graphics rendering API for the web, but still conforms to platform security principles. For more information about these principles, see Khronos Security.
To check your browser's compatibility with WebGL 2, see the WebGL 2 Report.
TypeScript
MapWeave includes full type definitions for TypeScript compatibility. See the .d.ts files for the definitions.
Types should be automatically available when you import MapWeave.