npm - pompelmi - Versions diffs - 0.35.1 → 0.35.3 - Mend

pompelmi 0.35.1 → 0.35.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +108 -114
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -1,162 +1,152 @@
 <div align="center">
-  <img src="assets/logo.svg" alt="Pompelmi logo" width="160" />
-  <h1>Pompelmi — in-process file upload security for Node.js</h1>
-  <p>Scan and block risky uploads before storage — no cloud API, no daemon, no required data egress.</p>
+  <img src="./assets/logo.svg" alt="Pompelmi logo" width="144" />
+  <h1>Pompelmi</h1>
+  <p><strong>Route-level upload security for Node.js.</strong></p>
+  <p>Inspect untrusted uploads before storage.</p>
   <p>
-    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi"></a>
-    <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci"></a>
-    <a href="https://codecov.io/gh/pompelmi/pompelmi"><img alt="Codecov" src="https://codecov.io/gh/pompelmi/pompelmi/branch/main/graph/badge.svg?flag=core"></a>
-    <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi"></a>
-    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm downloads" src="https://img.shields.io/npm/dm/pompelmi"></a>
+    MIME and extension spoofing · archive abuse · risky document and binary
+    signals · optional YARA
   </p>
+  <p><code>clean</code> · <code>suspicious</code> · <code>malicious</code></p>
   <p>
-    <a href="https://github.com/sorrycc/awesome-javascript"><img alt="Mentioned in Awesome JavaScript" src="https://img.shields.io/badge/mentioned-Awesome%20JavaScript-f59e0b"></a>
-    <a href="https://github.com/dzharii/awesome-typescript"><img alt="Mentioned in Awesome TypeScript" src="https://img.shields.io/badge/mentioned-Awesome%20TypeScript-3178C6"></a>
-    <a href="https://nodeweekly.com/issues/594"><img alt="Featured in Node Weekly #594" src="https://img.shields.io/badge/featured-Node%20Weekly%20%23594-339933?logo=node.js&logoColor=white"></a>
-    <a href="https://bytes.dev/archives/429"><img alt="Featured in Bytes #429" src="https://img.shields.io/badge/featured-Bytes%20%23429-111111"></a>
+    <sub>Express · Next.js · NestJS · Fastify · Koa · Nuxt/Nitro · S3 quarantine flows · CI/CD</sub>
   </p>
+  <p><sub>Open-source core · MIT · Node.js 18+</sub></p>
   <p>
-    <a href="https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon"><img alt="Featured in Detection Engineering Weekly #124" src="https://img.shields.io/badge/featured-Detection%20Engineering%20Weekly%20%23124-0A84FF?logo=substack&logoColor=white"></a>
-    <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/"><img alt="Featured on Stack Overflow by Ryan Donovan" src="https://img.shields.io/badge/featured-Stack%20Overflow-F48024?logo=stackoverflow&logoColor=white"></a>
-    <a href="https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/"><img alt="Featured in The Overflow #319" src="https://img.shields.io/badge/featured-The%20Overflow%20%23319-F48024?logo=stackoverflow&logoColor=white"></a>
-    <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/"><img alt="Featured in Help Net Security" src="https://img.shields.io/badge/featured-Help%20Net%20Security-2563eb"></a>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi" /></a>
+    <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci" /></a>
+    <a href="https://codecov.io/gh/pompelmi/pompelmi"><img alt="codecov" src="https://codecov.io/gh/pompelmi/pompelmi/graph/badge.svg" /></a>
+    <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi?style=social" /></a>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm weekly downloads" src="https://img.shields.io/npm/dw/pompelmi" /></a>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm monthly downloads" src="https://img.shields.io/npm/dm/pompelmi" /></a>
   </p>
-</div>
-> **Why:** Upload endpoints are part of your attack surface. Pompelmi inspects untrusted files _before_ they hit storage or downstream processors.
-> **How:** in-process scanning + policy packs (MIME sniffing, archive abuse checks, risky structures) with optional YARA.
-> **Works with:** Express, Next.js, NestJS, Fastify, Koa (plus adapters in `packages/`).
+  <p>
+    <a href="https://pompelmi.github.io/pompelmi/getting-started/"><strong>Getting started</strong></a>
+    ·
+    <a href="https://pompelmi.github.io/pompelmi/#browser-preview"><strong>Browser preview</strong></a>
+    ·
+    <a href="./examples/demo"><strong>Express demo</strong></a>
+    ·
+    <a href="./examples/README.md"><strong>Examples</strong></a>
+  </p>
+</div>
-## Demo
+<p align="center">
+  Mentioned by <a href="https://nodeweekly.com/issues/594">Node Weekly</a>,
+  <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/">Stack Overflow</a>,
+  <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/">Help Net Security</a>,
+  <a href="https://github.com/sorrycc/awesome-javascript">Awesome JavaScript</a>,
+  and
+  <a href="https://github.com/dzharii/awesome-typescript">Awesome TypeScript</a>.
+</p>
-![Pompelmi demo](assets/malware-detection-node-demo.gif)
+## Quick Start
-## Install
+Install the core package:
 ```bash
 npm install pompelmi
 ```
-Requires Node.js 18+.
+Minimal route-level example:
-## Try in 5 minutes
+```ts
+import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
-1. Install:
+const report = await scanBytes(req.file.buffer, {
+  filename: req.file.originalname,
+  mimeType: req.file.mimetype,
+  policy: STRICT_PUBLIC_UPLOAD,
+  failClosed: true,
+});
-```bash
-npm install pompelmi
+if (report.verdict !== 'clean') {
+  return res.status(422).json({
+    error: 'Upload blocked',
+    verdict: report.verdict,
+    reasons: report.reasons,
+  });
+}
+return res.status(200).json({ verdict: report.verdict });
 ```
-2. Create `scan-test.mjs`:
+Start with [Getting started](https://pompelmi.github.io/pompelmi/getting-started/) for a local scan in under a minute, open the [browser preview](https://pompelmi.github.io/pompelmi/#browser-preview) to inspect the verdict flow without sending files anywhere, or run the minimal [Express demo](./examples/demo).
-```js
-import { scanBytes } from "pompelmi";
-import { readFileSync } from "node:fs";
+If Pompelmi matches how you want upload security to work, star the repo so more Node.js teams can find it.
-const buffer = readFileSync("./package.json");
+## Why It Exists
-const report = await scanBytes(buffer, {
-  filename: "package.json",
-  mimeType: "application/json",
-});
+Upload endpoints are part of your attack surface. A file can look harmless at the form layer and become dangerous only after storage, extraction, rendering, or downstream parsing.
-console.log("Verdict:", report.verdict);
-console.log("Reasons:", report.reasons);
-console.log("Duration:", report.durationMs, "ms");
-```
+Pompelmi keeps the first decision inside the application path, where the route still knows the file class, trust level, storage path, and failure mode.
-3. Run it:
+## What It Checks
-```bash
-node scan-test.mjs
-```
+- MIME sniffing, magic-byte validation, and extension allowlists
+- risky archive structures such as traversal, deep nesting, entry-count abuse, and ZIP bomb-style expansion
+- suspicious document and binary signals such as risky PDF actions, Office macro hints, PE headers, and polyglot files
+- optional YARA or other scanner matches
+- route-level verdicts that support reject, quarantine, or promote workflows
-Next: see the demo under [examples/demo](./examples/demo) (upload route) or the docs [Getting started](https://pompelmi.github.io/pompelmi/getting-started/) guide.
+## Where It Fits
-## Quick Start
+- public or semi-trusted upload endpoints that should inspect first and store later
+- memory-backed multipart routes in Express, Next.js, NestJS, Fastify, and Koa
+- quarantine and promotion workflows for S3 or other object storage
+- document, image, and archive routes that need different policies
+- CI/CD or internal artifact scanning before promotion
-```ts
-import { scanBytes, STRICT_PUBLIC_UPLOAD } from "pompelmi";
+## Why Not Just X?
-const report = await scanBytes(file.buffer, {
-  filename: file.originalname,
-  mimeType: file.mimetype,
-  policy: STRICT_PUBLIC_UPLOAD,
-  failClosed: true,
-});
-if (report.verdict !== "clean") {
-  return res.status(422).json({
-    error: "Upload blocked",
-    verdict: report.verdict,
-    reasons: report.reasons,
-  });
-}
-```
+| Approach | Useful for | What it misses |
+| --- | --- | --- |
+| Browser MIME and extension checks | Fast client-side hints and UX feedback | Filenames and client-reported MIME are easy to spoof |
+| Simple file-type or magic-byte checks | Confirming the file appears to be the claimed type | Risky internal structure, archive abuse, and route policy decisions |
+| Antivirus-only thinking | Known malicious matches and signature-based detection | Route context, spoofing checks, storage decisions, and non-signature risk signals |
+| Pompelmi at the upload route | Inspect-first, store-later decisions with policy, structure checks, and optional YARA | It is not a full antivirus replacement on its own |
-## Start Here
+## Integrations
-- Express: [Docs](https://pompelmi.github.io/pompelmi/how-to/express/) · [Examples](./examples/express-minimal)
-- Next.js: [Docs](https://pompelmi.github.io/pompelmi/how-to/nextjs/) · [Examples](./examples/next-app-router)
+- Express: [Docs](https://pompelmi.github.io/pompelmi/how-to/express/) · [Minimal example](./examples/express-minimal) · [Demo](./examples/demo)
+- Next.js: [Docs](https://pompelmi.github.io/pompelmi/how-to/nextjs/) · [Example](./examples/next-app-router)
 - NestJS: [Docs](https://pompelmi.github.io/pompelmi/how-to/nestjs/) · [Example app](./examples/nestjs-app)
 - Fastify: [Docs](https://pompelmi.github.io/pompelmi/how-to/fastify/) · [Package](./packages/fastify-plugin)
 - Koa: [Docs](https://pompelmi.github.io/pompelmi/how-to/koa/) · [Package](./packages/koa-middleware)
-- CI/CD: [Use case](https://pompelmi.github.io/pompelmi/use-cases/cicd-artifact-scanning/) · [Blog](https://pompelmi.github.io/pompelmi/blog/cicd-scan-build-artifacts/)
+- Nuxt/Nitro: [Docs](https://pompelmi.github.io/pompelmi/how-to/nuxt-nitro/)
 - S3 / object storage: [Tutorial](https://pompelmi.github.io/pompelmi/tutorials/secure-s3-presigned-uploads-with-malware-scanning/) · [Use case](https://pompelmi.github.io/pompelmi/use-cases/s3-presigned-upload-security/)
+- CI/CD: [Use case](https://pompelmi.github.io/pompelmi/use-cases/cicd-artifact-scanning/) · [Blog](https://pompelmi.github.io/pompelmi/blog/cicd-scan-build-artifacts/)
+## Demo, Preview, and Examples
-## Go Deeper
+![Pompelmi upload security demo](assets/malware-detection-node-demo.gif)
+- [Browser preview](https://pompelmi.github.io/pompelmi/#browser-preview) for a fast local evaluation of the verdict UX
+- [Demo](./examples/demo) for a tiny Express upload gate that returns `clean`, `suspicious`, or `malicious` before storage
+- [Examples index](./examples/README.md) for framework-specific and production-oriented examples
+## Docs
 - [Docs home](https://pompelmi.github.io/pompelmi/)
+- [Getting started](https://pompelmi.github.io/pompelmi/getting-started/)
 - [Use cases](https://pompelmi.github.io/pompelmi/use-cases/)
 - [Comparisons](https://pompelmi.github.io/pompelmi/comparisons/)
 - [Tutorials](https://pompelmi.github.io/pompelmi/tutorials/)
 - [Featured in](https://pompelmi.github.io/pompelmi/featured-in/)
 - [Translations](https://pompelmi.github.io/pompelmi/translations/)
-- [Examples index](./examples/README.md)
-- [Demo example](./examples/demo)
-- [Contributing](./CONTRIBUTING.md)
-- [Security](./SECURITY.md)
-- [Roadmap](./ROADMAP.md)
-## What It Checks
-Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.
-Pompelmi adds checks at the upload boundary for:
-- MIME spoofing and magic-byte mismatches
-- Archive abuse such as ZIP bombs, traversal, and deep nesting
-- Polyglot files and risky document structures
-- Optional YARA-based signature matching
-The goal is simple: inspect first, store later.
-## Ecosystem
-- `pompelmi`
-- `@pompelmi/express-middleware`
-- `@pompelmi/koa-middleware`
-- `@pompelmi/next-upload`
-- `@pompelmi/nestjs-integration`
-- `@pompelmi/fastify-plugin`
-- `@pompelmi/ui-react`
-- `@pompelmi/cli`
+## Enterprise and Commercial Support
-## Repository Layout
-- `src/` core library
-- `packages/` framework adapters and supporting packages
-- `examples/` runnable examples
-- `tests/` test coverage
-- `website/` public docs, blog, and discovery site
-## Development
-```bash
-pnpm install
-pnpm test
-pnpm build
-```
+The MIT core remains the primary path. Teams that need private rollout help, architecture review, or policy tuning can use the existing [enterprise support path](https://pompelmi.github.io/pompelmi/enterprise/).
 <!-- MENTIONS:START -->
@@ -189,6 +179,10 @@ Full page: [pompelmi.github.io/pompelmi/featured-in](https://pompelmi.github.io/
 <!-- MENTIONS:END -->
-## License
+## Project
-[MIT](./LICENSE)
+- [Contributing](./CONTRIBUTING.md)
+- [Security](./SECURITY.md)
+- [Roadmap](./ROADMAP.md)
+- [GitHub Discussions](https://github.com/pompelmi/pompelmi/discussions)
+- [License](./LICENSE)

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "pompelmi",
-  "version": "0.35.1",
-  "description": "Secure file uploads for Node.js. Scan untrusted files before storage with in-process, local-first checks for MIME spoofing, archive bombs, risky document structures, and optional YARA.",
+  "version": "0.35.3",
+  "description": "Inspect untrusted uploads before storage in Node.js. Open-source upload security with checks for spoofing, archive abuse, risky document and binary signals, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",
   "type": "module",