MalaGIS

Sharing GIS Technologies, Resources and News.

In recent years, WebGIS and map visualization have become increasingly dependent on the open-source stack. As an open-source continuation of Mapbox GL JS, MapLibre is widely used on the browser side due to its top-tier visualization quality. Meanwhile, many teams have started using AI coding assistants like Cursor and Claude Code to accelerate development. However, models are not reliable when it comes to API details and common issues of specific libraries—problems such as blank basemaps or misconfigured tile sources can arise, and debugging them often takes even more time.

Recently, we noticed that the MapLibre team open-sourced a project on GitHub called maplibre-agent-skills. It provides a series of skills for common MapLibre development issues. Currently, three skills are included, with more updates to come. If you're doing MapLibre development, this is worth your attention.

Introduction to MapLibre Agent Skills

MapLibre Agent Skills is a collection of Markdown skill files for AI agents. The content covers how to build applications with MapLibre, known API calls, and high-frequency pain points from GitHub Issues and Stack Overflow. Each skill is evaluated with Promptfoo using real developer questions, making AI coding more reliable in everyday use.

Simply put, it solves the problem of "let the assistant guess less and follow verified practices more." It is especially suitable for GIS and front-end developers who are already using or planning to use MapLibre for 2D/3D web mapping.

Official website: https://github.com/maplibre/maplibre-agent-skills

more >>

During my recent internet explorations, I stumbled upon a fascinating website: Soviet Military Maps of China. I was taken aback by what I found. This collection consists of 381 declassified map sheets, originally part of the Soviet Union's military mapping of China. The creator has georeferenced these maps and built them into an online WebGIS. I tested it myself and confirmed it can also be loaded in QGIS and ArcGIS Pro.

more >>

It's Friday, are you starting to slack off and prepare for the weekend? Hold on, just yesterday (December 3, 2025), React official and the Next.js team jointly disclosed a Critical-level security vulnerability. This is not just an ordinary bug, but a 'nuclear-level' vulnerability that allows unauthorized remote code execution (RCE). If your WebGIS project uses Next.js or React 19, please investigate promptly. This vulnerability is extremely dangerous and could lead to further data leakage risks.

Vulnerability Details

Vulnerability ID: CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)

Affected Scope: As long as your project has React Server Components (RSC) enabled, even if you think you haven't written any backend logic, you could be affected.

Severity Level: CVSS 10.0 (maximum score) — This means attackers can execute arbitrary code on your Node.js server without logging in or performing complex operations, just by sending a carefully crafted HTTP request.

Affected Versions:

• React: 19.0.0 to 19.2.0
• Next.js: 15.x, 16.x, and versions after 14.3.0-canary.77

more >>

During a casual chat in the MalaGIS WeChat group, someone asked when GIS skills become most useful in daily life. Answers ranged from food delivery route optimization to travel planning, but the most insightful response was "assessing location (including Feng Shui) for property purchases". Among factors like sunlight access—a critical yet often overlooked parameter—most standard map apps fail to provide this data, requiring specialized GIS software (refer to methods in "ArcGIS 3D Handbook: Sunlight and 3D Path Analysis"). Recently, I discovered an online WebGIS application that simulates sunlight and shadows for any global location at any date—an excellent tool worth sharing.

Official site: https://shademap.app/

ShadeMap enables browser-based simulation of mountain, building, and tree shadows at any global coordinate for customizable dates/times. Users achieve precise, interactive sunlight and shadow analysis without client installations.

more >>

Three months ago, during preparations for a leadership inspection of our WebGIS dashboard project (arguably its most critical application), our project manager urgently contacted me the night before: "XXX, emergency! The basemap's peripheral elements on the GIS dashboard have disappeared—only data remains visible!"

Reluctantly accessing the system, I discovered the dynamic visualizations had vanished. Console errors revealed resource loading failures traced to our CDN service. Checking my personal CDN account (used due to small company scale), I found payment overdue—promptly recharging 200 CNY.

A month later, while debugging new features, CDN errors recurred. Initially attributing this to post-exhibition traffic spikes (even boasting about "high system usage" to my manager), I recharged another 200 CNY.

When another billing alert arrived just weeks later—despite the exhibition ending months prior—abnormal traffic patterns became undeniable.

Initial Investigation

Qiniu Cloud's backend revealed alarming patterns:

more >>