Architecture

Security

MapWeave is a low-risk, highly secure JavaScript library that is unlikely to be affected by common security vulnerabilities.

  • It does not track user data or use any persistent data on local storage.
  • It runs entirely within the browser using standard JavaScript. It has no plug-in or extension requirements.
  • All MapWeave product source code (excluding dependencies) is obfuscated and minified before distribution.
  • Nothing is added to the global scope.
  • It does not pollute prototypes.
  • Any new APIs and features are tested to prevent introduction of vulnerabilities.
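The two claims above about the global scope and prototypes can be checked in an integration test. This is an added example, not MapWeave code: `addedByLoad` and both loaders are hypothetical names, the loaders are constructed stand-ins for a library bundle, and loading is assumed to be synchronous.

```javascript
// Objects whose own keys should be unchanged after a well-behaved library loads.
const WATCHED = {
  globalThis,
  'Object.prototype': Object.prototype,
  'Array.prototype': Array.prototype,
  'Function.prototype': Function.prototype,
  'String.prototype': String.prototype,
  'Promise.prototype': Promise.prototype,
};

// Record every own key (strings and symbols) of each watched object.
function snapshot() {
  const snap = new Map();
  for (const [name, obj] of Object.entries(WATCHED)) {
    snap.set(name, new Set(Reflect.ownKeys(obj)));
  }
  return snap;
}

// Run loadLibrary and return the keys it added, e.g. "globalThis.foo".
function addedByLoad(loadLibrary) {
  const before = snapshot();
  loadLibrary();
  const added = [];
  for (const [name, obj] of Object.entries(WATCHED)) {
    for (const key of Reflect.ownKeys(obj)) {
      if (!before.get(name).has(key)) added.push(`${name}.${String(key)}`);
    }
  }
  return added;
}

// Constructed stand-ins: one keeps its state local, one leaks.
function cleanLoader() {
  const local = { version: '1.0.0' };
  return local;
}
function leakyLoader() {
  globalThis.__demoLeak = true;
  Array.prototype.demoLast = function () { return this[this.length - 1]; };
}

console.log(addedByLoad(cleanLoader)); // prints []
```

In a real test, replace the loader with a function that requires or evaluates the bundle under test and fail the build when the returned list is not empty.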

Development

MapWeave is a closed source project, with all code (excluding dependencies) controlled by Cambridge Intelligence staff, reviewed by multiple expert developers and tested thoroughly by our experienced QA team.

MapWeave source code is developed and built with an automated toolchain which is configured according to modern best practices to help identify security issues and ensure consistency and quality across the codebase. The toolchain contains a linter (ESLint) and a suite of security scanners, including:

  • Secret scanner - scans the source code for accidental exposure of sensitive security information
  • Container scanner - scans the webserver container for vulnerabilities
  • Dependency scanner - scans our internal and build-time dependencies for known issues and vulnerabilities
  • Static application security testing (SAST) - scans the source code for vulnerabilities, encryption issues and other potentially exploitable holes

If we identify a vulnerability, we review it internally and deal with it before release.

Our JavaScript files are built using secure processes and hosted on secure web servers. We will never add malicious behaviors to our source code, and we are confident that third parties cannot hijack or compromise our downloads. There is no accepted standard scanner for malicious JavaScript code.

Dependencies

MapWeave will automatically install these internal dependencies. If your project already depends on any of these packages, then your package manager will only download these modules once.

"@types/geojson": "^7946.0.14",

MapWeave uses Deck.gl and supports a specific set of versions of its sub-dependencies. To ensure the correct versions are used, we have provided a pre-built vendor.js file in the download package. The file is unminified and preserves the licensing text from the original dependencies. Deck.gl is MIT licensed and you will need to ensure these comments are retained after any subsequent code bundling. The pre-built vendor.js file includes the following bundled dependencies:

"@deck.gl/aggregation-layers": "9.0.23",
"@deck.gl/core": "9.0.23",
"@deck.gl/extensions": "9.0.23",
"@deck.gl/geo-layers": "9.0.23",
"@deck.gl/layers": "9.0.23",
"@deck.gl/mapbox": "9.0.23",
"@deck.gl/mesh-layers": "9.0.23",
"@loaders.gl/3d-tiles": "4.2.2",
"@loaders.gl/i3s": "4.2.2",
"@luma.gl/core": "9.0.15",
"@luma.gl/engine": "9.0.15",
"@luma.gl/gltf": "9.0.15",
"@luma.gl/shadertools": "9.0.15",

MapWeave also has the following optional peer dependencies:

If you are using MapLibre, install version ^4.4.0.

npm install maplibre-gl@^4.4.0
pnpm install maplibre-gl@^4.4.0

If you are using Mapbox, install version ^3.3.0.

Install React version ^18.3.1.

npm install react@^18.3.1
pnpm install react@^18.3.1
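If your application also installs deck.gl, luma.gl or loaders.gl packages itself, its lockfile can be compared against the vendor.js versions listed in this section. This is an added example, not MapWeave code: `auditLockfile` is a hypothetical helper, and the lockfile is a constructed sample in the npm `lockfileVersion` 3 layout with a hypothetical `some-widget` package.

```javascript
// Versions bundled in vendor.js, copied from the list in this section.
const SUPPORTED = new Map([
  ['@deck.gl', '9.0.23', ['aggregation-layers', 'core', 'extensions',
    'geo-layers', 'layers', 'mapbox', 'mesh-layers']],
  ['@loaders.gl', '4.2.2', ['3d-tiles', 'i3s']],
  ['@luma.gl', '9.0.15', ['core', 'engine', 'gltf', 'shadertools']],
].flatMap(([scope, version, names]) => names.map((n) => [`${scope}/${n}`, version])));

// Return one finding per installed copy whose version differs from SUPPORTED.
// Nested copies (node_modules/x/node_modules/@deck.gl/core) are checked too,
// because a transitive dependency can pull in a second, different copy.
function auditLockfile(lock) {
  const marker = 'node_modules/';
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + marker.length);
    const wanted = SUPPORTED.get(name);
    if (wanted !== undefined && entry.version !== wanted) {
      findings.push({ name, path, installed: entry.version, wanted });
    }
  }
  return findings;
}

// Constructed sample lockfile: two matching copies and two mismatches.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@deck.gl/core': { version: '9.0.23' },
    'node_modules/@loaders.gl/i3s': { version: '4.2.2' },
    'node_modules/some-widget/node_modules/@deck.gl/core': { version: '8.9.35' },
    'node_modules/@luma.gl/engine': { version: '9.1.0' },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.path}: installed ${f.installed}, vendor.js has ${f.wanted}`);
}
```

With a real project, pass the parsed contents of `package-lock.json` in place of `sampleLock`.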

Rendering

MapWeave uses WebGL 2 for high performance rendering of its layers.

WebGL 2, based on OpenGL ES 3.0, supersedes WebGL 1 as a 3D graphics rendering API for the web, but still conforms to platform security principles. For more information about these principles, see Khronos Security.

To check your browser's compatibility with WebGL 2, see the WebGL 2 Report.

TypeScript

MapWeave includes full type definitions for TypeScript compatibility. See the .d.ts files for the definitions.

Types should be automatically available when you import MapWeave.

Compliance

Cambridge Intelligence has implemented an information security management system that is certified to ISO 27001:2022 for the operations of software development, sale and associated support, all information assets processed and managed and all systems and services where information is processed by Cambridge Intelligence.

This includes:

  • Software Development Life Cycle
  • Risk management
  • Information classification
  • Business continuity and backups
  • Software development and code security
  • Vulnerability management
  • Logging and monitoring
  • External penetration testing
  • Physical security
  • Training and awareness

For further information, please contact our security team.
