npm - pompelmi - Versions diffs - 0.34.8 → 0.34.9 - Mend

pompelmi 0.34.8 → 0.34.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## Unreleased (main)
+### Highlights
+- Fixed `@pompelmi/fastify-plugin` multipart dependency wiring and removed an unnecessary promise hop.
+- Refined the root README layout for faster first-run onboarding and clearer repo entry points.
+- Refreshed README badges and demo media so the public repo surface is easier to scan quickly.
+- Added verified mention badges to strengthen the top-level trust signals around adoption.
+- Tightened onboarding copy across the repo surfaces to make the docs-and-examples path easier to follow.
+### Notes
+This section summarizes changes since the last tag: `v0.34.8`.
+Post-tag activity is currently limited, so the highlights above also surface the most recent user-visible commits from the current `v0.34.x` line for context.
+For full details, see GitHub Releases / tag diffs.
 ## [0.27.1] - 2026-01-26
 ### Security

package/README.md CHANGED Viewed

@@ -1,7 +1,7 @@
 <div align="center">
   <img src="assets/logo.svg" alt="Pompelmi logo" width="160" />
-  <h1>Pompelmi</h1>
-  <p>Local-first file upload scanning for Node.js.</p>
+  <h1>Pompelmi — in-process file upload security for Node.js</h1>
+  <p>Scan and block risky uploads before storage — no cloud API, no daemon, no required data egress.</p>
   <p>
     <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi"></a>
     <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci"></a>
@@ -22,9 +22,9 @@
   </p>
 </div>
-Pompelmi inspects untrusted files before storage and helps you decide whether to allow, reject, or quarantine them before they reach downstream systems.
-It is built for upload endpoints that cannot rely on filenames, extensions, or client-provided MIME types alone.
+> **Why:** Upload endpoints are part of your attack surface. Pompelmi inspects untrusted files _before_ they hit storage or downstream processors.
+> **How:** in-process scanning + policy packs (MIME sniffing, archive abuse checks, risky structures) with optional YARA.
+> **Works with:** Express, Next.js, NestJS, Fastify, Koa (plus adapters in `packages/`).
 ## Demo
@@ -38,28 +38,70 @@ npm install pompelmi
 Requires Node.js 18+.
+## Try in 5 minutes
+1. Install:
+```bash
+npm install pompelmi
+```
+2. Create `scan-test.mjs`:
+```js
+import { scanBytes } from "pompelmi";
+import { readFileSync } from "node:fs";
+const buffer = readFileSync("./package.json");
+const report = await scanBytes(buffer, {
+  filename: "package.json",
+  mimeType: "application/json",
+});
+console.log("Verdict:", report.verdict);
+console.log("Reasons:", report.reasons);
+console.log("Duration:", report.durationMs, "ms");
+```
+3. Run it:
+```bash
+node scan-test.mjs
+```
+Next: see the demo under [examples/demo](./examples/demo) (upload route) or the docs [Getting started](https://pompelmi.github.io/pompelmi/getting-started/) guide.
 ## Quick Start
 ```ts
-import { scanBytes } from 'pompelmi';
+import { scanBytes, STRICT_PUBLIC_UPLOAD } from "pompelmi";
 const report = await scanBytes(file.buffer, {
-  ctx: {
-    filename: file.originalname,
-    mimeType: file.mimetype,
-    size: file.size,
-  },
+  filename: file.originalname,
+  mimeType: file.mimetype,
+  policy: STRICT_PUBLIC_UPLOAD,
+  failClosed: true,
 });
-if (!report.ok) {
+if (report.verdict !== "clean") {
   return res.status(422).json({
-    error: 'Upload blocked',
+    error: "Upload blocked",
     verdict: report.verdict,
     reasons: report.reasons,
   });
 }
 ```
+## Next steps
+- [Documentation](https://pompelmi.github.io/pompelmi/)
+- [Examples index](./examples/README.md)
+- [Demo example](./examples/demo)
+- [Contributing](./CONTRIBUTING.md)
+- [Security](./SECURITY.md)
+- [Roadmap](./ROADMAP.md)
 ## What Problem It Solves
 Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.
@@ -106,14 +148,6 @@ pnpm test
 pnpm build
 ```
-## Links
-- [Documentation](https://pompelmi.github.io/pompelmi/)
-- [Examples](./examples)
-- [Contributing](./CONTRIBUTING.md)
-- [Security](./SECURITY.md)
-- [Roadmap](./ROADMAP.md)
 <!-- MENTIONS:START -->
 ## 🌟 Featured In

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pompelmi",
-  "version": "0.34.8",
+  "version": "0.34.9",
   "description": "Secure file uploads for Node.js. Scan untrusted files before storage with in-process, local-first checks for MIME spoofing, archive bombs, risky document structures, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",
@@ -89,6 +89,10 @@
     "docs:build": "hugo -s docs -D -d docs",
     "predocs:deploy": "npm run docs:build",
     "docs:deploy": "gh-pages -d docs -b gh-pages",
+    "format": "biome format --write .",
+    "format:check": "biome format .",
+    "lint": "biome ci .",
+    "lint:fix": "biome check --write .",
     "yara:check": "node scripts/yara-quick-check-cli.mjs",
     "build:core": "pnpm -r --filter '!./examples/*' --if-present build",
     "preview": "npm pack --dry-run",