npm - pompelmi - Versions diffs - 0.34.4 → 0.34.6 - Mend

pompelmi 0.34.4 → 0.34.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +103 -148
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,193 +1,148 @@
 <div align="center">
+  <img src="assets/logo.svg" alt="Pompelmi logo" width="160" />
+  <h1>Pompelmi</h1>
+  <p>Local-first file upload scanning for Node.js.</p>
+  <p>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi"></a>
+    <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci"></a>
+    <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi"></a>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm downloads" src="https://img.shields.io/npm/dm/pompelmi"></a>
+  </p>
+  <p>
+    <a href="https://github.com/sorrycc/awesome-javascript"><img alt="Mentioned in Awesome JavaScript" src="https://img.shields.io/badge/mentioned-Awesome%20JavaScript-f59e0b"></a>
+    <a href="https://github.com/dzharii/awesome-typescript"><img alt="Mentioned in Awesome TypeScript" src="https://img.shields.io/badge/mentioned-Awesome%20TypeScript-3178C6"></a>
+    <a href="https://nodeweekly.com/issues/594"><img alt="Featured in Node Weekly #594" src="https://img.shields.io/badge/featured-Node%20Weekly%20%23594-339933?logo=node.js&logoColor=white"></a>
+    <a href="https://bytes.dev/archives/429"><img alt="Featured in Bytes #429" src="https://img.shields.io/badge/featured-Bytes%20%23429-111111"></a>
+  </p>
+  <p>
+    <a href="https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon"><img alt="Featured in Detection Engineering Weekly #124" src="https://img.shields.io/badge/featured-Detection%20Engineering%20Weekly%20%23124-0A84FF?logo=substack&logoColor=white"></a>
+    <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/"><img alt="Featured on Stack Overflow by Ryan Donovan" src="https://img.shields.io/badge/featured-Stack%20Overflow-F48024?logo=stackoverflow&logoColor=white"></a>
+    <a href="https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/"><img alt="Featured in The Overflow #319" src="https://img.shields.io/badge/featured-The%20Overflow%20%23319-F48024?logo=stackoverflow&logoColor=white"></a>
+    <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/"><img alt="Featured in Help Net Security" src="https://img.shields.io/badge/featured-Help%20Net%20Security-2563eb"></a>
+  </p>
+</div>
-<picture>
-  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/logo.svg">
-  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/logo.svg">
-  <img src="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/logo.svg" alt="Pompelmi logo" width="220" />
-</picture>
-<h1>Pompelmi</h1>
-<p><strong>Stop malicious uploads before they hit storage.</strong></p>
-<p>Secure file upload scanning for Node.js with MIME sniffing, ZIP bomb protection, polyglot detection, risky document checks, and optional YARA.</p>
-<p>
-  <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="Star on GitHub" src="https://img.shields.io/badge/Star%20on%20GitHub-181717?style=for-the-badge&logo=github&logoColor=white"></a>
-  <a href="#quick-start"><img alt="Start in 60 seconds" src="https://img.shields.io/badge/Start%20in-60%20seconds-059669?style=for-the-badge"></a>
-  <a href="https://pompelmi.github.io/pompelmi/"><img alt="Read the docs" src="https://img.shields.io/badge/Read%20the-Docs-2563eb?style=for-the-badge"></a>
-</p>
-<p><strong>Private by design</strong> • <strong>No cloud API</strong> • <strong>No daemon</strong> • <strong>Express / Next.js / Koa / NestJS / Fastify</strong></p>
-<p>
-  <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi?style=for-the-badge&logo=github&label=stars"></a>
-  <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm downloads per month" src="https://img.shields.io/npm/dm/pompelmi?style=for-the-badge&logo=npm&label=downloads%2Fmonth"></a>
-  <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi?style=for-the-badge&logo=npm&label=npm"></a>
-  <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?style=for-the-badge&branch=main&label=CI"></a>
-</p>
+Pompelmi inspects untrusted files before storage and helps you decide whether to allow, reject, or quarantine them before they reach downstream systems.
-<p>
-  <img alt="Node 18+" src="https://img.shields.io/badge/node-%3E%3D18-339933?style=for-the-badge&logo=node.js&logoColor=white">
-  <img alt="TypeScript" src="https://img.shields.io/badge/types-TypeScript-3178C6?style=for-the-badge&logo=typescript&logoColor=white">
-  <img alt="MIT license" src="https://img.shields.io/badge/license-MIT-0f172a?style=for-the-badge">
-  <img alt="Zero cloud dependency" src="https://img.shields.io/badge/cloud-none-059669?style=for-the-badge">
-</p>
+It is built for upload endpoints that cannot rely on filenames, extensions, or client-provided MIME types alone.
-<p>
-  <strong>
-    <a href="https://pompelmi.github.io/pompelmi/">Docs</a> •
-    <a href="#quick-start">Quick start</a> •
-    <a href="./examples">Examples</a> •
-    <a href="#frameworks">Frameworks</a> •
-    <a href="#star-history">Star history</a>
-  </strong>
-</p>
+## Demo
-<p>If Pompelmi saves you from building upload security plumbing from scratch, give it a star. It helps the project grow and helps more Node.js teams find it.</p>
+![Pompelmi demo](assets/malware-detection-node-demo.gif)
-</div>
+## Install
-<p align="center">
-  <img src="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/readme-banner.png" alt="Pompelmi banner" width="100%">
-</p>
-## Featured In
+```bash
+npm install pompelmi
+```
-Picked up by developer newsletters, security media, and curated awesome lists.
+Requires Node.js 18+.
-<p align="center">
-  <a href="https://www.producthunt.com/products/pompelmi"><img alt="Featured on Product Hunt" src="https://img.shields.io/badge/featured-Product%20Hunt-da552f?style=for-the-badge&logo=producthunt&logoColor=white"></a>
-  <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/"><img alt="Featured on Help Net Security" src="https://img.shields.io/badge/featured-Help%20Net%20Security-ff6b35?style=for-the-badge"></a>
-  <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/"><img alt="Featured on Stack Overflow Blog" src="https://img.shields.io/badge/featured-Stack%20Overflow%20Blog-f58025?style=for-the-badge&logo=stackoverflow&logoColor=white"></a>
-  <a href="https://nodeweekly.com/issues/594"><img alt="Featured in Node Weekly issue 594" src="https://img.shields.io/badge/featured-Node%20Weekly%20%23594-43853d?style=for-the-badge&logo=node.js&logoColor=white"></a>
-  <a href="https://bytes.dev/archives/429"><img alt="Featured in Bytes issue 429" src="https://img.shields.io/badge/featured-Bytes%20%23429-111111?style=for-the-badge"></a>
-  <a href="https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon"><img alt="Featured in Detection Engineering Weekly issue 124" src="https://img.shields.io/badge/featured-Detection%20Engineering%20Weekly-2563eb?style=for-the-badge&logo=substack&logoColor=white"></a>
-</p>
+## Quick Start
-<p align="center">
-  <a href="https://github.com/sorrycc/awesome-javascript"><img alt="Included in Awesome JavaScript" src="https://img.shields.io/badge/awesome-Awesome%20JavaScript-f7df1e?style=for-the-badge&logo=javascript&logoColor=black"></a>
-  <a href="https://github.com/dzharii/awesome-typescript"><img alt="Included in Awesome TypeScript" src="https://img.shields.io/badge/awesome-Awesome%20TypeScript-3178c6?style=for-the-badge&logo=typescript&logoColor=white"></a>
-</p>
+```ts
+import { scanBytes } from 'pompelmi';
-## Why It Exists
+const report = await scanBytes(file.buffer, {
+  ctx: {
+    filename: file.originalname,
+    mimeType: file.mimetype,
+    size: file.size,
+  },
+});
-Your file upload endpoint is part of your attack surface.
+if (!report.ok) {
+  return res.status(422).json({
+    error: 'Upload blocked',
+    verdict: report.verdict,
+    reasons: report.reasons,
+  });
+}
+```
-Most upload handlers still trust filenames, extensions, or client-provided MIME types. That leaves room for renamed files, archive bombs, polyglots, active PDFs, and other risky payloads to land in storage before your app notices.
+## What Problem It Solves
-Without Pompelmi:
+Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.
-`upload -> trust filename/MIME -> store -> parse or serve later`
+Pompelmi adds checks at the upload boundary for:
-With Pompelmi:
+- MIME spoofing and magic-byte mismatches
+- Archive abuse such as ZIP bombs, traversal, and deep nesting
+- Polyglot files and risky document structures
+- Optional YARA-based signature matching
-`upload -> inspect bytes + structure -> allow | quarantine | reject -> store/process`
+The goal is simple: inspect first, store later.
-Why teams choose it:
+## Why This Shape
-- In-process and local-first. No cloud API, no daemon, no data egress.
-- Built for the stuff attackers actually abuse: spoofed MIME, nested archives, ZIP bombs, traversal, polyglots, macro hints, and active documents.
-- Typed and composable APIs with `scanBytes`, `scanFile`, policy packs, hooks, and optional YARA.
-- Drop-in packages for Express, Next.js, Koa, NestJS, Fastify, CLI workflows, and React UI.
+- Plain Markdown, readable in GitHub and in a terminal
+- Fast path first: install, example, then deeper links
+- Minimal top-level detail, with docs and examples for everything else
-## Why People Star It
+## Ecosystem
-- It solves a real pain point fast: secure uploads are usually more dangerous and more annoying than they look.
-- It is easy to adopt: `npm install`, add a policy, block risky files before storage.
-- It stays privacy-first: no cloud dependency, no file egress, no extra scanning service to operate.
-- It feels production-minded: structured verdicts, clear reasons, adapters, examples, docs, and active release history.
+- `pompelmi`
+- `@pompelmi/express-middleware`
+- `@pompelmi/koa-middleware`
+- `@pompelmi/next-upload`
+- `@pompelmi/nestjs-integration`
+- `@pompelmi/fastify-plugin`
+- `@pompelmi/ui-react`
+- `@pompelmi/cli`
-## Demo
+## Repository Layout
-<p align="center">
-  <img src="https://raw.githubusercontent.com/pompelmi/pompelmi/main/assets/malware-detection-node-demo.gif" alt="Pompelmi demo showing a risky upload being blocked" width="920">
-</p>
+- `src/` core library
+- `packages/` framework adapters and supporting packages
+- `examples/` runnable examples
+- `tests/` test coverage
+- `website/` documentation site
-## Quick Start
+## Development
 ```bash
-npm install pompelmi
-```
-```ts
-import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
-const report = await scanBytes(file.buffer, {
-  filename: file.originalname,
-  mimeType: file.mimetype,
-  policy: STRICT_PUBLIC_UPLOAD,
-  failClosed: true,
-});
-if (report.verdict !== 'clean') {
-  return res.status(422).json({
-    error: 'Upload blocked',
-    reasons: report.reasons,
-  });
-}
+pnpm install
+pnpm test
+pnpm build
 ```
-Start here next:
+## Links
-- [Getting started](https://pompelmi.github.io/pompelmi/getting-started/)
-- [Express guide](https://pompelmi.github.io/pompelmi/how-to/express/)
+- [Documentation](https://pompelmi.github.io/pompelmi/)
 - [Examples](./examples)
-- [Threat model and architecture](https://pompelmi.github.io/pompelmi/explaination/architecture/)
-## What It Checks
+- [Contributing](./CONTRIBUTING.md)
+- [Security](./SECURITY.md)
+- [Roadmap](./ROADMAP.md)
-- Extension, size, and declared MIME policy checks.
-- Magic-byte validation for renamed or disguised files.
-- Archive protections for ZIP bombs, traversal, and nesting depth.
-- Heuristics for risky structures such as executables, polyglots, script-bearing documents, and macro hints.
-- Optional YARA matching when you need signature-based rules.
+<!-- MENTIONS:START -->
-## Frameworks
+## 🌟 Featured In
-| Use case | Package or guide |
-| --- | --- |
-| Core library | `pompelmi` |
-| Express | `@pompelmi/express-middleware` |
-| Next.js | `@pompelmi/next-upload` |
-| Koa | `@pompelmi/koa-middleware` |
-| NestJS | `@pompelmi/nestjs-integration` |
-| Fastify | `@pompelmi/fastify-plugin` |
-| React UI | `@pompelmi/ui-react` |
-| CLI | `@pompelmi/cli` |
+*Last updated: March 20, 2026*
-## Why Not Just MIME Checks, Cloud AV, or ClamAV?
+### 📋 Awesome Lists & Curated Collections
-| Approach | Where it helps | Where it falls short |
-| --- | --- | --- |
-| File extensions or MIME checks only | Cheap allowlists and quick policy enforcement | Renamed files and client-provided MIME values are easy to fake. |
-| DIY upload validation | Full control over your own rules | Easy to miss archive handling, polyglots, structured verdicts, and consistent fail-closed behavior. |
-| Cloud scanning APIs | Outsourced detection and managed infrastructure | Adds data egress, network latency, and a hard dependency on an external service. |
-| ClamAV or daemon-based setups | Familiar signature scanning and existing operations model | Adds process overhead and still benefits from an application-layer upload gate before storage. |
+- [Awesome JavaScript](https://github.com/sorrycc/awesome-javascript) — sorrycc
+- [Awesome TypeScript](https://github.com/dzharii/awesome-typescript) — dzharii
-Pompelmi focuses on the upload gate itself. It can complement YARA or ClamAV. It is not presented as a full antivirus replacement.
+### 📰 Newsletters & Roundups
-## Star History
+- [The Overflow Issue 319: Dogfooding your SDLC](https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/) — Stack Overflow (2026-03-04)
+- [Hottest cybersecurity open-source tools of the month: February 2026](https://www.helpnetsecurity.com/2026/02/26/hottest-cybersecurity-open-source-tools-of-the-month-february-2026/) — Help Net Security (2026-02-26)
+- [Bytes #429](https://bytes.dev/archives/429) — Bytes (2025-10-03)
+- [Node Weekly Issue 594](https://nodeweekly.com/issues/594) — Node Weekly (2025-09-30)
+- [Det. Eng. Weekly Issue #124 - The DEFCON hangover is real](https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon) — Detection Engineering (2025-08-13)
-If you want to follow the project as it grows, star the repo and keep an eye on releases.
+### 🔗 Other Mentions
-<p align="center">
-  <a href="https://star-history.com/#pompelmi/pompelmi&Date">
-    <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=pompelmi/pompelmi&type=Date">
-  </a>
-</p>
+- [Defense against uploads: Q&A with OSS file scanner, pompelmi](https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/) — Stack Overflow (2026-02-23)
+- [Pompelmi: Open-source secure file upload scanning for Node.js](https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/) — Help Net Security (2026-02-02)
-## Community
-- [Contributing guide](./CONTRIBUTING.md)
-- [Roadmap](./ROADMAP.md)
-- [GitHub Discussions](https://github.com/pompelmi/pompelmi/discussions)
-- [GitHub Issues](https://github.com/pompelmi/pompelmi/issues)
-- [Changelog](./CHANGELOG.md)
-- [Security policy](./SECURITY.md)
+*Found 9 mentions. To update, run `npm run mentions:update`.*
-Questions, docs fixes, examples, tests, and real-world integration feedback are all useful here.
+<!-- MENTIONS:END -->
 ## License
-MIT. See [LICENSE](./LICENSE). Also: [Docs](https://pompelmi.github.io/pompelmi/), [GitHub](https://github.com/pompelmi/pompelmi), [npm](https://www.npmjs.com/package/pompelmi).
+[MIT](./LICENSE)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pompelmi",
-  "version": "0.34.4",
+  "version": "0.34.6",
   "description": "Secure file uploads for Node.js. Scan untrusted files before storage with in-process, local-first checks for MIME spoofing, archive bombs, risky document structures, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",