pompelmi 0.15.2 → 0.16.3

package/README.md

@@ -10,6 +10,8 @@
   </a>
   <br/>
   <a href="https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon"><img alt="Featured in Detection Engineering Weekly #124" src="https://img.shields.io/badge/featured-Detection%20Engineering%20Weekly-0A84FF?logo=substack"></a>
+  <a href="https://nodeweekly.com/issues/594"><img alt="Featured in Node Weekly #594" src="https://img.shields.io/badge/featured-Node%20Weekly%20%23594-FF6600?logo=node.js"></a>
+  <a href="https://bytes.dev/archives/429"><img alt="Featured in Bytes #429" src="https://img.shields.io/badge/featured-Bytes%20%23429-111111"></a>
   <br/>
   
 </p>
@@ -58,6 +60,22 @@
 
 ---
 
+<details>
+<summary><strong>Table of contents</strong></summary>
+
+- [Install](#installation)
+- [Quick‑start](#quick-start)
+- [GitHub Action](#github-action)
+- [Adapters](#adapters)
+- [Diagrams](#diagrams)
+- [Config](#configuration)
+- [Production checklist](#production-checklist)
+- [YARA](#yara-getting-started)
+- [Quick test](#quick-test-no-eicar)
+- [Security](#security-notes)
+- [FAQ](#faq)
+</details>
+
 ## 🚀 Overview
 
 **pompelmi** scans untrusted file uploads **before** they hit disk. A tiny, TypeScript-first toolkit for Node.js with composable scanners, deep ZIP inspection, and optional signature engines.
@@ -79,6 +97,34 @@
 
 > Keywords: file upload security, malware scanning, YARA, Node.js, Express, Koa, Next.js, ZIP scanning, ZIP bomb, PDF JavaScript, Office macros
 
+## 🧠 Why pompelmi?
+
+- **On‑device, private scanning** – no outbound calls, no data sharing.
+- **Blocks early** – runs *before* you write to disk or persist anything.
+- **Fits your stack** – drop‑in adapters for Express, Koa, Next.js (Fastify plugin in alpha).
+- **Defense‑in‑depth** – ZIP traversal limits, ratio caps, server‑side MIME sniffing, size caps.
+- **Pluggable detection** – bring your own engine (e.g., YARA) via a tiny `{ scan(bytes) }` contract.
+
+### Who is it for?
+
+- Teams who can’t send uploads to third‑party AV APIs.
+- Apps that need predictable, low‑latency decisions inline.
+- Developers who want simple, typed building blocks instead of a daemon.
+
+## 🔍 How it compares
+
+| Capability | pompelmi | ClamAV / node‑clam | Cloud AV APIs |
+| --- | --- | --- | --- |
+| Runs fully in‑process | ✅ | ❌ (separate daemon) | ❌ (network calls) |
+| Bytes stay private | ✅ | ✅ | ❌ |
+| Deep ZIP limits & MIME sniff | ✅ | ✅ (archive scan) | ❓ varies |
+| YARA integration | ✅ optional | ❌* | ❓ varies |
+| Framework adapters | ✅ Express/Koa/Next.js | ❌ | ❌ |
+| Works in CI on artifacts | ✅ | ✅ | ❓ varies |
+| Licensing | MIT | GPL (engine) | Proprietary |
+
+\* You can run YARA alongside ClamAV, but it’s not built‑in.
+
 ---
 
 ## 🔧 Installation
@@ -568,6 +614,14 @@ You should see an HTTP **422 Unprocessable Entity** (blocked by policy). Clean f
 
 ---
 
+[...]
+
+## 🔔 Releases & security
+
+- **Changelog / releases:** see [GitHub Releases](https://github.com/pompelmi/pompelmi/releases).
+- **Security disclosures:** please use [GitHub Security Advisories](https://github.com/pompelmi/pompelmi/security/advisories). We’ll coordinate a fix before public disclosure.
+- **Production users:** open a [Discussion](https://github.com/pompelmi/pompelmi/discussions) to share requirements or request adapters.
+
 ## ⭐ Star history
 
 [![Star History Chart](https://api.star-history.com/svg?repos=pompelmi/pompelmi&type=Date)](https://star-history.com/#pompelmi/pompelmi&Date)

package/package.json

@@ -1,10 +1,9 @@
 {
   "name": "pompelmi",
-  "version": "0.15.2",
+  "version": "0.16.3",
   "description": "RFI-safe file uploads for Node.js — Express/Koa/Next.js middleware with deep ZIP inspection, MIME/size checks, and optional YARA scanning.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",
-  "types": "./dist/index.d.ts",
   "type": "module",
   "browser": {
     "yara": false,
@@ -26,7 +25,12 @@
       "@babel/helper-create-regexp-features-plugin>regjsgen": "0.8.0",
       "vitest": "2.1.9",
       "@vitest/coverage-v8": "2.1.9",
-      "babel-plugin-polyfill-corejs3": "^0.13.0"
+      "babel-plugin-polyfill-corejs3": "^0.13.0",
+      "@types/cookies": "0.9.1",
+      "@types/koa>@types/cookies": "0.9.1",
+      "pompelmi": "workspace:*",
+      "@pompelmi/core": "workspace:*",
+      "katex": "0.16.10"
     }
   },
   "scripts": {
@@ -39,53 +43,54 @@
     "predocs:deploy": "npm run docs:build",
     "docs:deploy": "gh-pages -d docs -b gh-pages",
     "yara:check": "node scripts/yara-quick-check-cli.mjs",
-    "build:core": "pnpm -r --filter \"./packages/**\" build && pnpm -w run build"
+    "build:core": "pnpm -r --filter '!./examples/*' --if-present build",
+    "preview": "npm pack --dry-run",
+    "typecheck": "tsc -p tsconfig.json --noEmit || tsc -p tsconfig.build.json --noEmit",
+    "typecheck:strict": "tsc -p tsconfig.strict.json --noEmit",
+    "smoke": "node scripts/smoke.mjs",
+    "test:e2e": "node scripts/e2e.mjs",
+    "repo:doctor": "pnpm install --frozen-lockfile && pnpm -r --if-present build && pnpm -r --if-present test && npm run -s preview || true && node scripts/smoke.mjs && node scripts/e2e.mjs || true",
+    "audit:deps": "depcheck --skip-missing true || true",
+    "audit:code": "knip --reporter compact || true",
+    "audit:exports": "ts-prune -p tsconfig.json || true",
+    "repo:audit": "node scripts/audit.mjs",
+    "pack:check": "node scripts/pack-check.mjs",
+    "pack:list": "pnpm -r --filter \"@pompelmi/*\" --if-present pack --json --dry-run",
+    "pack:strict": "node scripts/pack-check.mjs --strict"
   },
   "license": "MIT",
   "devDependencies": {
-    "@astrojs/mdx": "^4.3.3",
-    "@astrojs/sitemap": "^3.4.2",
-    "@astrojs/starlight": "^0.35.2",
-    "@astrojs/tailwind": "^6.0.2",
-    "@babel/core": "^7.28.0",
-    "@babel/preset-env": "^7.28.0",
-    "@babel/preset-typescript": "^7.27.1",
-    "@rollup/plugin-babel": "^6.0.4",
+    "@biomejs/biome": "^2.2.4",
+    "@pompelmi/core": "workspace:*",
+    "@pompelmi/engine": "workspace:0.16.3-dev.6",
+    "@pompelmi/engine-heuristics": "workspace:^0.1.0",
     "@rollup/plugin-commonjs": "^28.0.6",
     "@rollup/plugin-node-resolve": "^16.0.1",
     "@rollup/plugin-typescript": "^12.1.4",
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.3",
-    "@types/koa": "^2.15.0",
     "@types/multer": "^2.0.0",
     "@types/node": "^24.3.0",
     "@types/react": "^19.1.8",
-    "@types/react-dom": "^19.1.6",
-    "@types/supertest": "^6.0.3",
     "@types/unzipper": "^0.10.11",
     "@vitest/coverage-v8": "^2",
     "cors": "^2.8.5",
+    "depcheck": "^1.4.7",
     "express": "^5.1.0",
     "gh-pages": "^6.3.0",
+    "knip": "^5.64.0",
     "multer": "^2.0.2",
     "react": "^18.0.0",
-    "react-dom": "^18.0.0",
     "rollup": "^4.x",
-    "rollup-plugin-peer-deps-external": "^2.2.4",
-    "supertest": "^7.0.0",
+    "ts-prune": "^0.10.3",
     "tslib": "^2.8.1",
     "tsup": "^8",
     "tsx": "^4.20.3",
     "typescript": "^5.9.2",
-    "vitest": "2.1.9",
-    "yazl": "^3.3.1"
+    "vitest": "2.1.9"
   },
   "dependencies": {
-    "file-type": "^21.0.0",
-    "libyara-wasm": "^1.2.1",
-    "rollup": "^4.45.1",
-    "wasm-feature-detect": "^1.8.0",
-    "yara": "npm:@automattic/yara@^2.6.0-beta.2"
+    "rollup": "^4.45.1"
   },
   "peerDependencies": {
     "react": "^18.0.0 || ^19.0.0",
@@ -95,14 +100,16 @@
     "@litko/yara-x": "^0.2.1"
   },
   "exports": {
-    ".": {
-      "require": "./dist/pompelmi.cjs",
-      "import": "./dist/pompelmi.esm.js",
-      "types": "./dist/index.d.ts"
-    }
+    ".": {},
+    "./package.json": "./package.json"
   },
   "files": [
-    "dist/"
+    "dist/",
+    "dist",
+    "README.md",
+    "LICENSE*",
+    "package.json",
+    "CHANGELOG*"
   ],
   "keywords": [
     "security",
@@ -134,12 +141,15 @@
     "example": "examples"
   },
   "author": "",
-  "private": false,
-  "workspaces": [
-    "packages/*"
-  ],
   "packageManager": "pnpm@9.12.0",
   "resolutions": {
     "process": "0.11.10"
+  },
+  "sideEffects": false,
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }