npm - pompelmi - Versions diffs - 0.34.2 → 0.34.5 - Mend

pompelmi 0.34.2 → 0.34.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +107 -82
package/package.json +17 -35

package/README.md CHANGED Viewed

@@ -1,119 +1,144 @@
-![Pompelmi banner](./assets/readme-banner.png)
+<div align="center">
+  <img src="assets/logo.svg" alt="Pompelmi logo" width="160" />
+  <h1>Pompelmi</h1>
+  <p>Local-first file upload scanning for Node.js.</p>
+  <p>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi"></a>
+    <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci"></a>
+    <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi"></a>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm downloads" src="https://img.shields.io/npm/dm/pompelmi"></a>
+  </p>
+  <p>
+    <a href="https://github.com/sorrycc/awesome-javascript"><img alt="Mentioned in Awesome JavaScript" src="https://img.shields.io/badge/mentioned-Awesome%20JavaScript-f59e0b"></a>
+    <a href="https://github.com/dzharii/awesome-typescript"><img alt="Mentioned in Awesome TypeScript" src="https://img.shields.io/badge/mentioned-Awesome%20TypeScript-3178C6"></a>
+    <a href="https://nodeweekly.com/issues/594"><img alt="Featured in Node Weekly #594" src="https://img.shields.io/badge/featured-Node%20Weekly%20%23594-339933?logo=node.js&logoColor=white"></a>
+    <a href="https://bytes.dev/archives/429"><img alt="Featured in Bytes #429" src="https://img.shields.io/badge/featured-Bytes%20%23429-111111"></a>
+  </p>
+  <p>
+    <a href="https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon"><img alt="Featured in Detection Engineering Weekly #124" src="https://img.shields.io/badge/featured-Detection%20Engineering%20Weekly%20%23124-0A84FF?logo=substack&logoColor=white"></a>
+    <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/"><img alt="Featured on Stack Overflow by Ryan Donovan" src="https://img.shields.io/badge/featured-Stack%20Overflow-F48024?logo=stackoverflow&logoColor=white"></a>
+    <a href="https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/"><img alt="Featured in The Overflow #319" src="https://img.shields.io/badge/featured-The%20Overflow%20%23319-F48024?logo=stackoverflow&logoColor=white"></a>
+    <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/"><img alt="Featured in Help Net Security" src="https://img.shields.io/badge/featured-Help%20Net%20Security-2563eb"></a>
+  </p>
+</div>
+Pompelmi inspects untrusted files before storage and helps you decide whether to allow, reject, or quarantine them before they reach downstream systems.
+It is built for upload endpoints that cannot rely on filenames, extensions, or client-provided MIME types alone.
+## Install
-# Pompelmi
+```bash
+npm install pompelmi
+```
-[![GitHub stars](https://img.shields.io/github/stars/pompelmi/pompelmi?style=flat-square&logo=github)](https://github.com/pompelmi/pompelmi/stargazers)
-[![npm version](https://img.shields.io/npm/v/pompelmi?label=version&logo=npm)](https://www.npmjs.com/package/pompelmi)
-[![CI](https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?branch=main&label=CI&logo=github)](https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml)
+Requires Node.js 18+.
-In-process file upload security for Node.js.
+## Quick Start
-Your file upload endpoint is part of your attack surface.
+```ts
+import { scanBytes } from 'pompelmi';
-Pompelmi is an open-source Node.js library that scans and blocks risky uploads before they hit storage or downstream processing. It runs in-process, with no cloud API, no daemon, and no required data egress.
+const report = await scanBytes(file.buffer, {
+  ctx: {
+    filename: file.originalname,
+    mimeType: file.mimetype,
+    size: file.size,
+  },
+});
-Works with Express, Next.js, NestJS, Fastify, and Koa. The MIT-licensed core is the primary path in this repo.
+if (!report.ok) {
+  return res.status(422).json({
+    error: 'Upload blocked',
+    verdict: report.verdict,
+    reasons: report.reasons,
+  });
+}
+```
-## Why this matters
+## What Problem It Solves
-Most upload handlers stop at extension checks or client-provided MIME types. That leaves gaps for spoofed files, archive bombs, polyglots, and script-bearing documents.
+Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.
-Without Pompelmi:
+Pompelmi adds checks at the upload boundary for:
-`upload -> trust filename/MIME -> store -> parse or serve later`
+- MIME spoofing and magic-byte mismatches
+- Archive abuse such as ZIP bombs, traversal, and deep nesting
+- Polyglot files and risky document structures
+- Optional YARA-based signature matching
-With Pompelmi:
+The goal is simple: inspect first, store later.
-`upload -> inspect bytes + structure -> allow | quarantine | reject -> store/process`
+## Why This Shape
-## Key protections
+- Plain Markdown, readable in GitHub and in a terminal
+- Fast path first: install, example, then deeper links
+- Minimal top-level detail, with docs and examples for everything else
-- Extension, size, and declared MIME policy checks.
-- Magic-byte validation for renamed or disguised files.
-- Archive controls for ZIP bombs, traversal, and nesting depth.
-- Heuristics for risky structures such as executables, polyglots, and script-bearing documents.
-- Optional YARA matching when you need signature-based rules.
+## Ecosystem
-## Quick start
+- `pompelmi`
+- `@pompelmi/express-middleware`
+- `@pompelmi/koa-middleware`
+- `@pompelmi/next-upload`
+- `@pompelmi/nestjs-integration`
+- `@pompelmi/fastify-plugin`
+- `@pompelmi/ui-react`
+- `@pompelmi/cli`
-```bash
-npm install pompelmi
-```
+## Repository Layout
-```ts
-import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
+- `src/` core library
+- `packages/` framework adapters and supporting packages
+- `examples/` runnable examples
+- `tests/` test coverage
+- `website/` documentation site
-const report = await scanBytes(file.buffer, {
-  filename: file.originalname,
-  mimeType: file.mimetype,
-  policy: STRICT_PUBLIC_UPLOAD,
-  failClosed: true,
-});
+## Development
-if (report.verdict !== 'clean') {
-  return res.status(422).json({ error: 'Upload blocked', reasons: report.reasons });
-}
+```bash
+pnpm install
+pnpm test
+pnpm build
 ```
-Next steps:
-- [Getting started](https://pompelmi.github.io/pompelmi/getting-started/)
-- [Framework guides](https://pompelmi.github.io/pompelmi/how-to/express/)
-- [Threat model and architecture](https://pompelmi.github.io/pompelmi/explaination/architecture/)
-## Framework support
-| Framework | Package or guide |
-| --- | --- |
-| Express | `@pompelmi/express-middleware` |
-| Next.js | `@pompelmi/next-upload` |
-| NestJS | `@pompelmi/nestjs-integration` |
-| Koa | `@pompelmi/koa-middleware` |
-| Fastify | `@pompelmi/fastify-plugin` |
-| Nuxt/Nitro | guide in docs |
-## Trust / production readiness
-- MIT-licensed core, typed APIs, framework adapters, and composable policy packs.
-- Structured verdicts, reasons, and rule matches for logging, quarantine, and review flows.
-- Public docs, examples, changelog, tests, and a security disclosure policy.
-- Local-first deployment model with no required cloud scanning dependency.
-- Built as a defense-in-depth upload gate, not a full antivirus replacement.
-Start here:
-- [Production readiness](https://pompelmi.github.io/pompelmi/production-readiness/)
-- [Threat model and architecture](https://pompelmi.github.io/pompelmi/explaination/architecture/)
-- [Examples directory](./examples)
-- [Security policy](./SECURITY.md)
-- [Tests](./tests)
+## Links
-## FAQ
+- [Documentation](https://pompelmi.github.io/pompelmi/)
+- [Examples](./examples)
+- [Contributing](./CONTRIBUTING.md)
+- [Security](./SECURITY.md)
+- [Roadmap](./ROADMAP.md)
-### Does Pompelmi send files to a cloud API?
+<!-- MENTIONS:START -->
-No. Scanning runs in-process by default. File bytes do not need to leave your infrastructure.
+## 🌟 Featured In
-### Does it require ClamAV, a sidecar, or another daemon?
+*Last updated: March 20, 2026*
-No. Built-in heuristics work without a daemon. ClamAV and YARA integrations are optional.
+### 📋 Awesome Lists & Curated Collections
-### What does it help block?
+- [Awesome JavaScript](https://github.com/sorrycc/awesome-javascript) — sorrycc
+- [Awesome TypeScript](https://github.com/dzharii/awesome-typescript) — dzharii
-It adds a layered upload gate before storage or downstream processing. That helps catch spoofed files, archive bombs, polyglots, and common risky document structures.
+### 📰 Newsletters & Roundups
-### Is this a complete antivirus replacement?
+- [The Overflow Issue 319: Dogfooding your SDLC](https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/) — Stack Overflow (2026-03-04)
+- [Hottest cybersecurity open-source tools of the month: February 2026](https://www.helpnetsecurity.com/2026/02/26/hottest-cybersecurity-open-source-tools-of-the-month-february-2026/) — Help Net Security (2026-02-26)
+- [Bytes #429](https://bytes.dev/archives/429) — Bytes (2025-10-03)
+- [Node Weekly Issue 594](https://nodeweekly.com/issues/594) — Node Weekly (2025-09-30)
+- [Det. Eng. Weekly Issue #124 - The DEFCON hangover is real](https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon) — Detection Engineering (2025-08-13)
-No. Pompelmi is an upload security layer and risk-reduction control. It should sit inside a broader defense-in-depth design.
+### 🔗 Other Mentions
-### Can it help in privacy-sensitive or regulated environments?
+- [Defense against uploads: Q&A with OSS file scanner, pompelmi](https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/) — Stack Overflow (2026-02-23)
+- [Pompelmi: Open-source secure file upload scanning for Node.js](https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/) — Help Net Security (2026-02-02)
-It can support internal control objectives by reducing upload risk and producing structured scan outcomes. It is not itself a compliance certification.
-## Commercial / enterprise
+*Found 9 mentions. To update, run `npm run mentions:update`.*
-Commercial support and enterprise options are available for teams that need rollout help, advanced auditability, or additional operational features. The open-source MIT core remains the default path. See [Support options](https://pompelmi.github.io/pompelmi/support/) and [`@pompelmi/enterprise`](https://pompelmi.github.io/pompelmi/enterprise/).
+<!-- MENTIONS:END -->
 ## License
-MIT. See [LICENSE](./LICENSE). Also: [Docs](https://pompelmi.github.io/pompelmi/), [GitHub](https://github.com/pompelmi/pompelmi), [npm](https://www.npmjs.com/package/pompelmi).
+[MIT](./LICENSE)

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "pompelmi",
-  "version": "0.34.2",
-  "description": "In-process file upload security for Node.js — no cloud API, no daemon, no data egress. TypeScript-first library with Express, Next.js, NestJS, Fastify, Koa, and Nuxt/Nitro adapters. Features magic-byte MIME validation, ZIP bomb protection, YARA integration, and layered heuristic scanning. Built for privacy-sensitive and self-hosted environments.",
+  "version": "0.34.5",
+  "description": "Secure file uploads for Node.js. Scan untrusted files before storage with in-process, local-first checks for MIME spoofing, archive bombs, risky document structures, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",
   "type": "module",
@@ -215,48 +215,30 @@
     "CHANGELOG*"
   ],
   "keywords": [
-    "malware-scanner",
-    "file-upload-security",
     "secure-file-upload",
+    "file-upload-security",
     "upload-security",
-    "virus-scanner",
-    "antivirus",
-    "malware-detection",
-    "threat-detection",
-    "security-scanner",
-    "file-scanner",
+    "upload-scanning",
     "file-scanning",
+    "file-validation",
+    "malware-scanner",
+    "mime-sniffing",
+    "magic-bytes",
+    "archive-security",
+    "zip-bomb-protection",
     "yara",
     "yara-rules",
-    "zip-bomb-protection",
-    "express-middleware",
-    "koa-middleware",
-    "fastify-plugin",
-    "nextjs",
-    "next-js",
-    "nestjs",
-    "nuxt",
+    "local-first-security",
+    "self-hosted-security",
     "nodejs-security",
-    "typescript-security",
-    "file-validation",
-    "upload-sanitization",
-    "mime-type-validation",
-    "magic-bytes",
-    "security",
-    "cybersecurity",
-    "devsecops",
-    "gdpr-compliance",
-    "hipaa-compliance",
-    "privacy-first",
-    "in-process-scanning",
-    "zero-cloud",
-    "self-hosted",
-    "node",
-    "nodejs",
     "typescript",
+    "nodejs",
     "express",
+    "nextjs",
+    "nestjs",
+    "fastify",
     "koa",
-    "fastify"
+    "nuxt"
   ],
   "directories": {
     "example": "examples"