pompelmi 0.34.4 → 0.34.5

package/README.md

@@ -1,193 +1,144 @@
 <div align="center">
-
-<picture>
-  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/logo.svg">
-  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/logo.svg">
-  <img src="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/logo.svg" alt="Pompelmi logo" width="220" />
-</picture>
-
-<h1>Pompelmi</h1>
-
-<p><strong>Stop malicious uploads before they hit storage.</strong></p>
-
-<p>Secure file upload scanning for Node.js with MIME sniffing, ZIP bomb protection, polyglot detection, risky document checks, and optional YARA.</p>
-
-<p>
-  <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="Star on GitHub" src="https://img.shields.io/badge/Star%20on%20GitHub-181717?style=for-the-badge&logo=github&logoColor=white"></a>
-  <a href="#quick-start"><img alt="Start in 60 seconds" src="https://img.shields.io/badge/Start%20in-60%20seconds-059669?style=for-the-badge"></a>
-  <a href="https://pompelmi.github.io/pompelmi/"><img alt="Read the docs" src="https://img.shields.io/badge/Read%20the-Docs-2563eb?style=for-the-badge"></a>
-</p>
-
-<p><strong>Private by design</strong> • <strong>No cloud API</strong> • <strong>No daemon</strong> • <strong>Express / Next.js / Koa / NestJS / Fastify</strong></p>
-
-<p>
-  <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi?style=for-the-badge&logo=github&label=stars"></a>
-  <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm downloads per month" src="https://img.shields.io/npm/dm/pompelmi?style=for-the-badge&logo=npm&label=downloads%2Fmonth"></a>
-  <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi?style=for-the-badge&logo=npm&label=npm"></a>
-  <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?style=for-the-badge&branch=main&label=CI"></a>
-</p>
-
-<p>
-  <img alt="Node 18+" src="https://img.shields.io/badge/node-%3E%3D18-339933?style=for-the-badge&logo=node.js&logoColor=white">
-  <img alt="TypeScript" src="https://img.shields.io/badge/types-TypeScript-3178C6?style=for-the-badge&logo=typescript&logoColor=white">
-  <img alt="MIT license" src="https://img.shields.io/badge/license-MIT-0f172a?style=for-the-badge">
-  <img alt="Zero cloud dependency" src="https://img.shields.io/badge/cloud-none-059669?style=for-the-badge">
-</p>
-
-<p>
-  <strong>
-    <a href="https://pompelmi.github.io/pompelmi/">Docs</a> •
-    <a href="#quick-start">Quick start</a> •
-    <a href="./examples">Examples</a> •
-    <a href="#frameworks">Frameworks</a> •
-    <a href="#star-history">Star history</a>
-  </strong>
-</p>
-
-<p>If Pompelmi saves you from building upload security plumbing from scratch, give it a star. It helps the project grow and helps more Node.js teams find it.</p>
-
+  <img src="assets/logo.svg" alt="Pompelmi logo" width="160" />
+  <h1>Pompelmi</h1>
+  <p>Local-first file upload scanning for Node.js.</p>
+  <p>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi"></a>
+    <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci"></a>
+    <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi"></a>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm downloads" src="https://img.shields.io/npm/dm/pompelmi"></a>
+  </p>
+  <p>
+    <a href="https://github.com/sorrycc/awesome-javascript"><img alt="Mentioned in Awesome JavaScript" src="https://img.shields.io/badge/mentioned-Awesome%20JavaScript-f59e0b"></a>
+    <a href="https://github.com/dzharii/awesome-typescript"><img alt="Mentioned in Awesome TypeScript" src="https://img.shields.io/badge/mentioned-Awesome%20TypeScript-3178C6"></a>
+    <a href="https://nodeweekly.com/issues/594"><img alt="Featured in Node Weekly #594" src="https://img.shields.io/badge/featured-Node%20Weekly%20%23594-339933?logo=node.js&logoColor=white"></a>
+    <a href="https://bytes.dev/archives/429"><img alt="Featured in Bytes #429" src="https://img.shields.io/badge/featured-Bytes%20%23429-111111"></a>
+  </p>
+  <p>
+    <a href="https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon"><img alt="Featured in Detection Engineering Weekly #124" src="https://img.shields.io/badge/featured-Detection%20Engineering%20Weekly%20%23124-0A84FF?logo=substack&logoColor=white"></a>
+    <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/"><img alt="Featured on Stack Overflow by Ryan Donovan" src="https://img.shields.io/badge/featured-Stack%20Overflow-F48024?logo=stackoverflow&logoColor=white"></a>
+    <a href="https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/"><img alt="Featured in The Overflow #319" src="https://img.shields.io/badge/featured-The%20Overflow%20%23319-F48024?logo=stackoverflow&logoColor=white"></a>
+    <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/"><img alt="Featured in Help Net Security" src="https://img.shields.io/badge/featured-Help%20Net%20Security-2563eb"></a>
+  </p>
 </div>
 
-<p align="center">
-  <img src="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/readme-banner.png" alt="Pompelmi banner" width="100%">
-</p>
+Pompelmi inspects untrusted files before storage and helps you decide whether to allow, reject, or quarantine them before they reach downstream systems.
 
-## Featured In
+It is built for upload endpoints that cannot rely on filenames, extensions, or client-provided MIME types alone.
 
-Picked up by developer newsletters, security media, and curated awesome lists.
+## Install
 
-<p align="center">
-  <a href="https://www.producthunt.com/products/pompelmi"><img alt="Featured on Product Hunt" src="https://img.shields.io/badge/featured-Product%20Hunt-da552f?style=for-the-badge&logo=producthunt&logoColor=white"></a>
-  <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/"><img alt="Featured on Help Net Security" src="https://img.shields.io/badge/featured-Help%20Net%20Security-ff6b35?style=for-the-badge"></a>
-  <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/"><img alt="Featured on Stack Overflow Blog" src="https://img.shields.io/badge/featured-Stack%20Overflow%20Blog-f58025?style=for-the-badge&logo=stackoverflow&logoColor=white"></a>
-  <a href="https://nodeweekly.com/issues/594"><img alt="Featured in Node Weekly issue 594" src="https://img.shields.io/badge/featured-Node%20Weekly%20%23594-43853d?style=for-the-badge&logo=node.js&logoColor=white"></a>
-  <a href="https://bytes.dev/archives/429"><img alt="Featured in Bytes issue 429" src="https://img.shields.io/badge/featured-Bytes%20%23429-111111?style=for-the-badge"></a>
-  <a href="https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon"><img alt="Featured in Detection Engineering Weekly issue 124" src="https://img.shields.io/badge/featured-Detection%20Engineering%20Weekly-2563eb?style=for-the-badge&logo=substack&logoColor=white"></a>
-</p>
-
-<p align="center">
-  <a href="https://github.com/sorrycc/awesome-javascript"><img alt="Included in Awesome JavaScript" src="https://img.shields.io/badge/awesome-Awesome%20JavaScript-f7df1e?style=for-the-badge&logo=javascript&logoColor=black"></a>
-  <a href="https://github.com/dzharii/awesome-typescript"><img alt="Included in Awesome TypeScript" src="https://img.shields.io/badge/awesome-Awesome%20TypeScript-3178c6?style=for-the-badge&logo=typescript&logoColor=white"></a>
-</p>
+```bash
+npm install pompelmi
+```
 
-## Why It Exists
+Requires Node.js 18+.
 
-Your file upload endpoint is part of your attack surface.
+## Quick Start
 
-Most upload handlers still trust filenames, extensions, or client-provided MIME types. That leaves room for renamed files, archive bombs, polyglots, active PDFs, and other risky payloads to land in storage before your app notices.
+```ts
+import { scanBytes } from 'pompelmi';
 
-Without Pompelmi:
+const report = await scanBytes(file.buffer, {
+  ctx: {
+    filename: file.originalname,
+    mimeType: file.mimetype,
+    size: file.size,
+  },
+});
 
-`upload -> trust filename/MIME -> store -> parse or serve later`
+if (!report.ok) {
+  return res.status(422).json({
+    error: 'Upload blocked',
+    verdict: report.verdict,
+    reasons: report.reasons,
+  });
+}
+```
 
-With Pompelmi:
+## What Problem It Solves
 
-`upload -> inspect bytes + structure -> allow | quarantine | reject -> store/process`
+Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.
 
-Why teams choose it:
+Pompelmi adds checks at the upload boundary for:
 
-- In-process and local-first. No cloud API, no daemon, no data egress.
-- Built for the stuff attackers actually abuse: spoofed MIME, nested archives, ZIP bombs, traversal, polyglots, macro hints, and active documents.
-- Typed and composable APIs with `scanBytes`, `scanFile`, policy packs, hooks, and optional YARA.
-- Drop-in packages for Express, Next.js, Koa, NestJS, Fastify, CLI workflows, and React UI.
+- MIME spoofing and magic-byte mismatches
+- Archive abuse such as ZIP bombs, traversal, and deep nesting
+- Polyglot files and risky document structures
+- Optional YARA-based signature matching
 
-## Why People Star It
+The goal is simple: inspect first, store later.
 
-- It solves a real pain point fast: secure uploads are usually more dangerous and more annoying than they look.
-- It is easy to adopt: `npm install`, add a policy, block risky files before storage.
-- It stays privacy-first: no cloud dependency, no file egress, no extra scanning service to operate.
-- It feels production-minded: structured verdicts, clear reasons, adapters, examples, docs, and active release history.
+## Why This Shape
 
-## Demo
+- Plain Markdown, readable in GitHub and in a terminal
+- Fast path first: install, example, then deeper links
+- Minimal top-level detail, with docs and examples for everything else
 
-<p align="center">
-  <img src="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/malware-detection-node-demo.gif" alt="Pompelmi demo showing a risky upload being blocked" width="920">
-</p>
+## Ecosystem
 
-## Quick Start
+- `pompelmi`
+- `@pompelmi/express-middleware`
+- `@pompelmi/koa-middleware`
+- `@pompelmi/next-upload`
+- `@pompelmi/nestjs-integration`
+- `@pompelmi/fastify-plugin`
+- `@pompelmi/ui-react`
+- `@pompelmi/cli`
 
-```bash
-npm install pompelmi
-```
+## Repository Layout
 
-```ts
-import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
+- `src/` core library
+- `packages/` framework adapters and supporting packages
+- `examples/` runnable examples
+- `tests/` test coverage
+- `website/` documentation site
 
-const report = await scanBytes(file.buffer, {
-  filename: file.originalname,
-  mimeType: file.mimetype,
-  policy: STRICT_PUBLIC_UPLOAD,
-  failClosed: true,
-});
+## Development
 
-if (report.verdict !== 'clean') {
-  return res.status(422).json({
-    error: 'Upload blocked',
-    reasons: report.reasons,
-  });
-}
+```bash
+pnpm install
+pnpm test
+pnpm build
 ```
 
-Start here next:
+## Links
 
-- [Getting started](https://pompelmi.github.io/pompelmi/getting-started/)
-- [Express guide](https://pompelmi.github.io/pompelmi/how-to/express/)
+- [Documentation](https://pompelmi.github.io/pompelmi/)
 - [Examples](./examples)
-- [Threat model and architecture](https://pompelmi.github.io/pompelmi/explaination/architecture/)
-
-## What It Checks
+- [Contributing](./CONTRIBUTING.md)
+- [Security](./SECURITY.md)
+- [Roadmap](./ROADMAP.md)
 
-- Extension, size, and declared MIME policy checks.
-- Magic-byte validation for renamed or disguised files.
-- Archive protections for ZIP bombs, traversal, and nesting depth.
-- Heuristics for risky structures such as executables, polyglots, script-bearing documents, and macro hints.
-- Optional YARA matching when you need signature-based rules.
+<!-- MENTIONS:START -->
 
-## Frameworks
+## 🌟 Featured In
 
-| Use case | Package or guide |
-| --- | --- |
-| Core library | `pompelmi` |
-| Express | `@pompelmi/express-middleware` |
-| Next.js | `@pompelmi/next-upload` |
-| Koa | `@pompelmi/koa-middleware` |
-| NestJS | `@pompelmi/nestjs-integration` |
-| Fastify | `@pompelmi/fastify-plugin` |
-| React UI | `@pompelmi/ui-react` |
-| CLI | `@pompelmi/cli` |
+*Last updated: March 20, 2026*
 
-## Why Not Just MIME Checks, Cloud AV, or ClamAV?
+### 📋 Awesome Lists & Curated Collections
 
-| Approach | Where it helps | Where it falls short |
-| --- | --- | --- |
-| File extensions or MIME checks only | Cheap allowlists and quick policy enforcement | Renamed files and client-provided MIME values are easy to fake. |
-| DIY upload validation | Full control over your own rules | Easy to miss archive handling, polyglots, structured verdicts, and consistent fail-closed behavior. |
-| Cloud scanning APIs | Outsourced detection and managed infrastructure | Adds data egress, network latency, and a hard dependency on an external service. |
-| ClamAV or daemon-based setups | Familiar signature scanning and existing operations model | Adds process overhead and still benefits from an application-layer upload gate before storage. |
+- [Awesome JavaScript](https://github.com/sorrycc/awesome-javascript) — sorrycc
+- [Awesome TypeScript](https://github.com/dzharii/awesome-typescript) — dzharii
 
-Pompelmi focuses on the upload gate itself. It can complement YARA or ClamAV. It is not presented as a full antivirus replacement.
+### 📰 Newsletters & Roundups
 
-## Star History
+- [The Overflow Issue 319: Dogfooding your SDLC](https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/) — Stack Overflow (2026-03-04)
+- [Hottest cybersecurity open-source tools of the month: February 2026](https://www.helpnetsecurity.com/2026/02/26/hottest-cybersecurity-open-source-tools-of-the-month-february-2026/) — Help Net Security (2026-02-26)
+- [Bytes #429](https://bytes.dev/archives/429) — Bytes (2025-10-03)
+- [Node Weekly Issue 594](https://nodeweekly.com/issues/594) — Node Weekly (2025-09-30)
+- [Det. Eng. Weekly Issue #124 - The DEFCON hangover is real](https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon) — Detection Engineering (2025-08-13)
 
-If you want to follow the project as it grows, star the repo and keep an eye on releases.
+### 🔗 Other Mentions
 
-<p align="center">
-  <a href="https://star-history.com/#pompelmi/pompelmi&Date">
-    <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=pompelmi/pompelmi&type=Date">
-  </a>
-</p>
+- [Defense against uploads: Q&A with OSS file scanner, pompelmi](https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/) — Stack Overflow (2026-02-23)
+- [Pompelmi: Open-source secure file upload scanning for Node.js](https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/) — Help Net Security (2026-02-02)
 
-## Community
 
-- [Contributing guide](./CONTRIBUTING.md)
-- [Roadmap](./ROADMAP.md)
-- [GitHub Discussions](https://github.com/pompelmi/pompelmi/discussions)
-- [GitHub Issues](https://github.com/pompelmi/pompelmi/issues)
-- [Changelog](./CHANGELOG.md)
-- [Security policy](./SECURITY.md)
+*Found 9 mentions. To update, run `npm run mentions:update`.*
 
-Questions, docs fixes, examples, tests, and real-world integration feedback are all useful here.
+<!-- MENTIONS:END -->
 
 ## License
 
-MIT. See [LICENSE](./LICENSE). Also: [Docs](https://pompelmi.github.io/pompelmi/), [GitHub](https://github.com/pompelmi/pompelmi), [npm](https://www.npmjs.com/package/pompelmi).
+[MIT](./LICENSE)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pompelmi",
-  "version": "0.34.4",
+  "version": "0.34.5",
   "description": "Secure file uploads for Node.js. Scan untrusted files before storage with in-process, local-first checks for MIME spoofing, archive bombs, risky document structures, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",