Security
ReGraph is a low-risk, highly secure JavaScript library that is unlikely to be affected by common security vulnerabilities.
- It does not initiate data transfers with remote servers or server-side dependencies.
- It does not track user data or use any persistent data on local storage.
- It runs entirely within the browser using standard JavaScript. It has no plug-in or extension requirements.
- All source code is obfuscated and minified before distribution.
- Nothing is added to the global scope.
- It does not pollute prototypes.
- Any new APIs and features are tested to prevent the introduction of vulnerabilities.
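As an added check, not code from the ReGraph documentation or project: the snippet below snapshots the global object and a few built-in prototypes before and after a loader function runs and reports anything that appeared in between, which is how you can verify the global-scope and prototype claims above for any library you embed. `badScript` is a constructed misbehaving stand-in used only to show the detector firing.

```javascript
// Added example, not ReGraph's own code: diff the global object and a few
// built-in prototypes before and after a loader runs, to check that a script
// adds nothing to the global scope and does not extend prototypes.

// Prototypes watched for added properties.
const WATCHED_PROTOTYPES = {
  Object: Object.prototype,
  Array: Array.prototype,
  String: String.prototype,
  Function: Function.prototype,
};

// Record the own property names of the global object and each watched prototype.
function snapshot(globalObj = globalThis) {
  const protos = {};
  for (const [name, proto] of Object.entries(WATCHED_PROTOTYPES)) {
    protos[name] = new Set(Object.getOwnPropertyNames(proto));
  }
  return { globals: new Set(Object.getOwnPropertyNames(globalObj)), protos };
}

// Report every name present in `after` but absent from `before`.
function diffSnapshots(before, after) {
  const added = (a, b) => [...b].filter((k) => !a.has(k));
  const report = { globals: added(before.globals, after.globals), prototypes: {} };
  for (const name of Object.keys(WATCHED_PROTOTYPES)) {
    const extra = added(before.protos[name], after.protos[name]);
    if (extra.length > 0) report.prototypes[name] = extra;
  }
  report.clean = report.globals.length === 0 && Object.keys(report.prototypes).length === 0;
  return report;
}

// Take a snapshot, run the loader (e.g. a function that imports the library), and diff.
function auditLoad(loadLibrary, globalObj = globalThis) {
  const before = snapshot(globalObj);
  loadLibrary();
  return diffSnapshots(before, snapshot(globalObj));
}

// Constructed stand-in for a misbehaving script: it does both things the
// list above says ReGraph avoids, so the audit report should flag it.
function badScript() {
  globalThis.__demoLeak = 1;
  Array.prototype.demoFlatten = function demoFlatten() { return this.flat(); };
}
```

Only string-keyed properties are compared; extend the snapshot with `Object.getOwnPropertySymbols` if you also want to catch symbol-keyed additions.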
Development
ReGraph is a closed source project, with all code controlled by Cambridge Intelligence staff, reviewed by multiple expert developers and tested thoroughly by our experienced QA team.
ReGraph source code is developed and built with an automated toolchain configured according to modern best practices to help identify security issues and ensure consistency and quality across the codebase. The toolchain contains a linter (ESLint), a compiler (Babel) and a suite of security scanners, including:
- Secret scanner - scans the source code for accidental exposure of sensitive security information
- Container scanner - scans the webserver container for vulnerabilities
- Dependency scanner - scans our internal and build-time dependencies for known issues and vulnerabilities
- Static application security testing (SAST) - scans the source code for vulnerabilities, encryption issues and other potentially exploitable holes
If we identify a vulnerability, we review it internally and deal with it before release.
Our JavaScript files are built using secure processes and hosted on secure web servers. We will never add malicious behaviors to our source code, and we are confident that third parties cannot hijack or compromise our downloads. There is no accepted standard scanner for malicious JavaScript code.
Dependencies
ReGraph requires React (^16.6.0) as a peer dependency. You can install it, for example, with:
npm install react@^16.6.0
yarn add react@^16.6.0
pnpm install react@^16.6.0
ReGraph also requires Lodash (lodash@^4.0.0), Web Font Loader (webfontloader@^1.6.28) and Babel's modular runtime helpers (@babel/runtime-corejs3@^7.20); these are internal dependencies and are installed automatically when you install ReGraph. If your project already depends on any of these packages, your package manager will only download each module once.
Leaflet Integration
To integrate ReGraph with Leaflet, ReGraph requires Leaflet (1.9.x). You can install it for example:
ReGraph uses OpenStreetMap as a default map tile provider.
PDF export
To use PDF export, ReGraph requires PDFKit and SVG-to-PDFKit. You can install them for example:
npm install pdfkit svg-to-pdfkit
yarn add pdfkit svg-to-pdfkit
pnpm install pdfkit svg-to-pdfkit
Once the dependencies are installed, import the export.js file into your project:
import 'regraph/export';
We strongly recommend that you only use the following versions, which have been successfully tested to work with ReGraph:
- PDFKit 0.14.0
- SVG-to-PDFKit 0.1.8
Uncaught ReferenceError: process is not defined
If you manually installed the above polyfills but you still see this error in the console, this might be because your build tool doesn't polyfill the process global variable. To fix this, add your own code to polyfill the process variable before calling the function that fetches and downloads the image:
window.process = {
  nextTick(callback, ...args) {
    window.requestAnimationFrame(() => callback(...args));
  },
};
Rendering
ReGraph uses WebGL to render charts. This enables it to use hardware acceleration when supported by the browser. If WebGL is disabled or unsupported, ReGraph uses HTML5 Canvas to render components.
Vector images, such as SVGs, are rasterized when loaded into the chart to improve performance. See Images for more details.
Chart Latency
Sometimes, very large charts can seem slow to load or respond to user actions. This is very rarely a rendering issue, and is more likely to be caused by computationally expensive chart actions, like layouts. See our Performance showcase to compare rendering against other operations.
TypeScript
ReGraph includes full type definitions for TypeScript. The minimum supported version is TypeScript 4.7. Older versions may function as well but they haven't been tested and are not officially supported.
See index.d.ts for chart, time bar and object format definitions, and analysis.d.ts for analysis functions. Types should be automatically available when you import ReGraph.
For complete code examples using TypeScript, see the TypeScript stories.
Compliance
Cambridge Intelligence has implemented an information security management system that is certified to ISO 27001:2022 for the operations of software development, sale and associated support, all information assets processed and managed and all systems and services where information is processed by Cambridge Intelligence.
This includes:
- Software Development Life Cycle
- Risk management
- Information classification
- Business continuity and backups
- Software development and code security
- Vulnerability management
- Logging and monitoring
- External penetration testing
- Physical security
- Training and awareness
For further information, please contact our security team.