pompelmi 0.34.8 → 0.34.10

package/CHANGELOG.md

@@ -5,6 +5,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased (main)
+
+### Highlights
+
+- Fixed `@pompelmi/fastify-plugin` multipart dependency wiring and removed an unnecessary promise hop.
+- Refined the root README layout for faster first-run onboarding and clearer repo entry points.
+- Refreshed README badges and demo media so the public repo surface is easier to scan quickly.
+- Added verified mention badges to strengthen the top-level trust signals around adoption.
+- Tightened onboarding copy across the repo surfaces to make the docs-and-examples path easier to follow.
+
+### Notes
+
+This section summarizes changes since the last tag: `v0.34.8`.
+Post-tag activity is currently limited, so the highlights above also surface the most recent user-visible commits from the current `v0.34.x` line for context.
+For full details, see GitHub Releases / tag diffs.
+
 ## [0.27.1] - 2026-01-26
 
 ### Security

package/README.md

@@ -1,10 +1,11 @@
 <div align="center">
   <img src="assets/logo.svg" alt="Pompelmi logo" width="160" />
-  <h1>Pompelmi</h1>
-  <p>Local-first file upload scanning for Node.js.</p>
+  <h1>Pompelmi — in-process file upload security for Node.js</h1>
+  <p>Scan and block risky uploads before storage — no cloud API, no daemon, no required data egress.</p>
   <p>
     <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi"></a>
     <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci"></a>
+    <a href="https://codecov.io/gh/pompelmi/pompelmi"><img alt="Codecov" src="https://codecov.io/gh/pompelmi/pompelmi/branch/main/graph/badge.svg?flag=core"></a>
     <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi"></a>
     <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm downloads" src="https://img.shields.io/npm/dm/pompelmi"></a>
   </p>
@@ -22,9 +23,9 @@
   </p>
 </div>
 
-Pompelmi inspects untrusted files before storage and helps you decide whether to allow, reject, or quarantine them before they reach downstream systems.
-
-It is built for upload endpoints that cannot rely on filenames, extensions, or client-provided MIME types alone.
+> **Why:** Upload endpoints are part of your attack surface. Pompelmi inspects untrusted files _before_ they hit storage or downstream processors.
+> **How:** in-process scanning + policy packs (MIME sniffing, archive abuse checks, risky structures) with optional YARA.
+> **Works with:** Express, Next.js, NestJS, Fastify, Koa (plus adapters in `packages/`).
 
 ## Demo
 
@@ -38,28 +39,70 @@ npm install pompelmi
 
 Requires Node.js 18+.
 
+## Try in 5 minutes
+
+1. Install:
+
+```bash
+npm install pompelmi
+```
+
+2. Create `scan-test.mjs`:
+
+```js
+import { scanBytes } from "pompelmi";
+import { readFileSync } from "node:fs";
+
+const buffer = readFileSync("./package.json");
+
+const report = await scanBytes(buffer, {
+  filename: "package.json",
+  mimeType: "application/json",
+});
+
+console.log("Verdict:", report.verdict);
+console.log("Reasons:", report.reasons);
+console.log("Duration:", report.durationMs, "ms");
+```
+
+3. Run it:
+
+```bash
+node scan-test.mjs
+```
+
+Next: see the demo under [examples/demo](./examples/demo) (upload route) or the docs [Getting started](https://pompelmi.github.io/pompelmi/getting-started/) guide.
+
 ## Quick Start
 
 ```ts
-import { scanBytes } from 'pompelmi';
+import { scanBytes, STRICT_PUBLIC_UPLOAD } from "pompelmi";
 
 const report = await scanBytes(file.buffer, {
-  ctx: {
-    filename: file.originalname,
-    mimeType: file.mimetype,
-    size: file.size,
-  },
+  filename: file.originalname,
+  mimeType: file.mimetype,
+  policy: STRICT_PUBLIC_UPLOAD,
+  failClosed: true,
 });
 
-if (!report.ok) {
+if (report.verdict !== "clean") {
   return res.status(422).json({
-    error: 'Upload blocked',
+    error: "Upload blocked",
     verdict: report.verdict,
     reasons: report.reasons,
   });
 }
 ```
 
+## Next steps
+
+- [Documentation](https://pompelmi.github.io/pompelmi/)
+- [Examples index](./examples/README.md)
+- [Demo example](./examples/demo)
+- [Contributing](./CONTRIBUTING.md)
+- [Security](./SECURITY.md)
+- [Roadmap](./ROADMAP.md)
+
 ## What Problem It Solves
 
 Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.
@@ -106,14 +149,6 @@ pnpm test
 pnpm build
 ```
 
-## Links
-
-- [Documentation](https://pompelmi.github.io/pompelmi/)
-- [Examples](./examples)
-- [Contributing](./CONTRIBUTING.md)
-- [Security](./SECURITY.md)
-- [Roadmap](./ROADMAP.md)
-
 <!-- MENTIONS:START -->
 
 ## 🌟 Featured In

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pompelmi",
-  "version": "0.34.8",
+  "version": "0.34.10",
   "description": "Secure file uploads for Node.js. Scan untrusted files before storage with in-process, local-first checks for MIME spoofing, archive bombs, risky document structures, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",
@@ -89,6 +89,10 @@
     "docs:build": "hugo -s docs -D -d docs",
     "predocs:deploy": "npm run docs:build",
     "docs:deploy": "gh-pages -d docs -b gh-pages",
+    "format": "biome format --write .",
+    "format:check": "biome format .",
+    "lint": "biome ci .",
+    "lint:fix": "biome check --write .",
     "yara:check": "node scripts/yara-quick-check-cli.mjs",
     "build:core": "pnpm -r --filter '!./examples/*' --if-present build",
     "preview": "npm pack --dry-run",