npm - pompelmi - Versions diffs - 0.35.2 → 0.35.4 - Mend

pompelmi 0.35.2 → 0.35.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +139 -114
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -1,29 +1,81 @@
-# Pompelmi
+<div align="center">
+  <img src="./assets/logo.svg" alt="Pompelmi logo" width="120" />
+  <h1>Pompelmi</h1>
+  <p><strong>Secure file uploads in Node.js before storage.</strong></p>
+  <p>
+    Open-source route-level upload security for Node.js teams that need to
+    inspect untrusted files before disk, object storage, previews, or
+    downstream parsers.
+  </p>
+  <p><code>clean</code> · <code>suspicious</code> · <code>malicious</code></p>
+  <p>
+    MIME spoofing · risky archives · document and binary signals · optional
+    YARA
+  </p>
+  <p>
+    <sub>Express · Next.js · NestJS · Fastify · Koa · Nuxt/Nitro · S3 quarantine flows · CI/CD</sub>
+  </p>
+  <p>
+    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi" /></a>
+    <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci" /></a>
+    <a href="https://codecov.io/gh/pompelmi/pompelmi"><img alt="codecov" src="https://codecov.io/gh/pompelmi/pompelmi/graph/badge.svg" /></a>
+    <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi?style=social" /></a>
+  </p>
+  <p>
+    <a href="https://pompelmi.app/"><strong>Docs</strong></a>
+    ·
+    <a href="https://pompelmi.app/getting-started/"><strong>Getting started</strong></a>
+    ·
+    <a href="https://pompelmi.app/#browser-preview"><strong>Browser preview</strong></a>
+    ·
+    <a href="./examples/demo"><strong>Express demo</strong></a>
+    ·
+    <a href="./examples/README.md"><strong>Examples</strong></a>
+  </p>
+  <p><sub>Node.js 18+ · MIT</sub></p>
+</div>
+<p align="center">
+  <strong>Mentioned by</strong>
+  <a href="https://nodeweekly.com/issues/594">Node Weekly</a>,
+  <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/">Stack Overflow</a>,
+  <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/">Help Net Security</a>,
+  <a href="https://github.com/sorrycc/awesome-javascript">Awesome JavaScript</a>,
+  and
+  <a href="https://github.com/dzharii/awesome-typescript">Awesome TypeScript</a>
+</p>
+<p align="center">
+  <sub>If you want upload security to start at the route boundary instead of after storage, consider starring the repo.</sub>
+</p>
+> Upload endpoints are part of your attack surface. Pompelmi helps Node.js teams scan files before storage and make the decision while the route still has context: accept, quarantine, or reject.
-In-process file upload security for Node.js. Inspect untrusted files before storage so your application can reject, quarantine, or accept with context.
-[![npm version](https://img.shields.io/npm/v/pompelmi)](https://www.npmjs.com/package/pompelmi)
-[![CI](https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci)](https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml)
-[![GitHub stars](https://img.shields.io/github/stars/pompelmi/pompelmi)](https://github.com/pompelmi/pompelmi/stargazers)
-Pompelmi helps reduce:
+## Quick Start
-- MIME / extension spoofing and magic-byte mismatches
-- risky archive structures such as ZIP bombs, traversal, and deep nesting
-- risky document and binary patterns such as PDF actions, Office macro hints, PE signatures, and polyglot files
-- store-first upload flows that need a clean / suspicious / malicious verdict before persistence
-- known malicious matches when you plug in YARA or another scanner
+Install the core package:
-Install: `npm install pompelmi`
+```bash
+npm install pompelmi
+```
-## Quick Start
+This is the core pattern: inspect bytes, get a verdict, and only store clean files.
 ```ts
 import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
-const report = await scanBytes(file.buffer, {
-  filename: file.originalname,
-  mimeType: file.mimetype,
+const report = await scanBytes(req.file.buffer, {
+  filename: req.file.originalname,
+  mimeType: req.file.mimetype,
   policy: STRICT_PUBLIC_UPLOAD,
   failClosed: true,
 });
@@ -35,128 +87,101 @@ if (report.verdict !== 'clean') {
     reasons: report.reasons,
   });
 }
-```
-Need a local scan in under a minute? Start with [Getting started](https://pompelmi.github.io/pompelmi/getting-started/). Want a preview of the verdict flow first? Open the [browser preview](https://pompelmi.github.io/pompelmi/#browser-preview). Want a minimal server route? See [examples/demo](./examples/demo).
-If Pompelmi fits the way you handle upload risk, a GitHub star helps more Node.js teams find the project.
-## Why It Exists
-Upload endpoints are part of your attack surface. A file can look harmless at the form layer and only become dangerous after storage, extraction, rendering, or downstream parsing.
-Pompelmi keeps the first decision inside the application path, where the route still knows the file class, the trust level, and the right failure mode.
+return res.status(200).json({ verdict: report.verdict });
+```
-## Where It Fits
+Start with [Getting started](https://pompelmi.app/getting-started/) for a local scan in under a minute, open the [browser preview](https://pompelmi.app/#browser-preview) to inspect the verdict flow without sending files anywhere, or run the minimal [Express demo](./examples/demo).
-- public or semi-trusted upload endpoints that should inspect first and store later
-- memory-backed multipart routes in Express, Next.js, NestJS, Fastify, and Koa
-- quarantine and promotion workflows for S3 or other object storage
-- document, image, and archive routes that need different policies
-- CI/CD or internal artifact scanning before promotion
+## Why teams use Pompelmi
-## Integrations
+- File upload endpoints are not just form validation. Files can become risky after storage, extraction, rendering, or downstream parsing.
+- Pompelmi keeps the first trust decision inside the application path, where the route still knows the file class, trust level, storage path, and failure mode.
+- It gives Node.js teams a practical way to build secure file uploads with route-level decisions instead of bolting checks on after persistence.
-- Express: [Docs](https://pompelmi.github.io/pompelmi/how-to/express/) · [Example](./examples/express-minimal)
-- Next.js: [Docs](https://pompelmi.github.io/pompelmi/how-to/nextjs/) · [Example](./examples/next-app-router)
-- NestJS: [Docs](https://pompelmi.github.io/pompelmi/how-to/nestjs/) · [Example app](./examples/nestjs-app)
-- Fastify: [Docs](https://pompelmi.github.io/pompelmi/how-to/fastify/) · [Package](./packages/fastify-plugin)
-- Koa: [Docs](https://pompelmi.github.io/pompelmi/how-to/koa/) · [Package](./packages/koa-middleware)
-- Nuxt/Nitro: [Docs](https://pompelmi.github.io/pompelmi/how-to/nuxt-nitro/)
-- S3 / object storage: [Tutorial](https://pompelmi.github.io/pompelmi/tutorials/secure-s3-presigned-uploads-with-malware-scanning/) · [Use case](https://pompelmi.github.io/pompelmi/use-cases/s3-presigned-upload-security/)
-- CI/CD: [Use case](https://pompelmi.github.io/pompelmi/use-cases/cicd-artifact-scanning/) · [Blog](https://pompelmi.github.io/pompelmi/blog/cicd-scan-build-artifacts/)
+## What it checks
-## Docs and Examples
+- MIME sniffing, magic-byte validation, and extension mismatch detection
+- Risky archives such as ZIP bombs, traversal attempts, deep nesting, and entry-count abuse
+- Risky document and binary signals such as PDF actions, Office macro hints, PE headers, and polyglot files
+- Optional YARA-based matches when you want malware scanning uploads as part of the flow
+- Verdicts and reasons you can use for fail-closed routes, quarantine flows, and auditability
-- [Docs home](https://pompelmi.github.io/pompelmi/)
-- [Getting started](https://pompelmi.github.io/pompelmi/getting-started/)
-- [Use cases](https://pompelmi.github.io/pompelmi/use-cases/)
-- [Comparisons](https://pompelmi.github.io/pompelmi/comparisons/)
-- [Tutorials](https://pompelmi.github.io/pompelmi/tutorials/)
-- [Examples index](./examples/README.md)
-- [Demo example](./examples/demo)
-- [Featured in](https://pompelmi.github.io/pompelmi/featured-in/)
-- [Translations](https://pompelmi.github.io/pompelmi/translations/)
-- [Contributing](./CONTRIBUTING.md)
-- [Security](./SECURITY.md)
-- [Roadmap](./ROADMAP.md)
+## Where it fits in the upload pipeline
-## Demo
+1. Receive the upload into memory or an isolated staging or quarantine area.
+2. Scan the bytes with a route policy.
+3. Act on the verdict: `clean`, `suspicious`, or `malicious`.
+4. Persist, quarantine, or reject based on the route's rules.
-![Pompelmi demo](assets/malware-detection-node-demo.gif)
+That inspect-first, store-later shape is where Pompelmi is strongest.
-The website includes a client-side [browser preview](https://pompelmi.github.io/pompelmi/#browser-preview) for fast evaluation. The repo also ships a minimal [Express upload gate demo](./examples/demo) that returns `clean`, `suspicious`, or `malicious` before storage.
+## What it is and isn't
-## What It Checks
+| Approach | Useful for | What it misses |
+| --- | --- | --- |
+| Browser MIME and extension checks | Fast client-side hints and UX feedback | Client MIME and filenames are easy to spoof |
+| File-type or magic-byte validation only | Confirming a file looks like the claimed type | Archive abuse, risky internal structure, and route policy decisions |
+| Antivirus or YARA only | Known malicious matches and signature-style detection | Route context, spoofing checks, and before-storage handling |
+| Pompelmi at the upload route | Node.js file upload security, scan files before storage, and verdict-driven workflow decisions | It is not a full antivirus replacement on its own |
-Pompelmi is designed for the upload boundary, not as a full antivirus replacement.
+## Supported frameworks and workflows
-It can combine:
+| Stack or workflow | Links |
+| --- | --- |
+| Express | [Docs](https://pompelmi.app/how-to/express/) · [Minimal example](./examples/express-minimal) · [Demo](./examples/demo) |
+| Next.js | [Docs](https://pompelmi.app/how-to/nextjs/) · [Example](./examples/next-app-router) · [Package](./packages/next-upload) |
+| NestJS | [Docs](https://pompelmi.app/how-to/nestjs/) · [Package](./packages/nestjs) · [Example app](./examples/nestjs-app) |
+| Fastify | [Docs](https://pompelmi.app/how-to/fastify/) · [Package](./packages/fastify-plugin) |
+| Koa | [Docs](https://pompelmi.app/how-to/koa/) · [Package](./packages/koa-middleware) |
+| Nuxt/Nitro | [Docs](https://pompelmi.app/how-to/nuxt-nitro/) · [Example](./examples/nuxt-nitro) |
+| S3 / object storage | [Tutorial](https://pompelmi.app/tutorials/secure-s3-presigned-uploads-with-malware-scanning/) · [Use case](https://pompelmi.app/use-cases/object-storage-promotion-workflows/) |
+| CI/CD | [Use case](https://pompelmi.app/use-cases/cicd-artifact-scanning/) · [Blog](https://pompelmi.app/blog/cicd-scan-build-artifacts/) |
-- MIME sniffing, magic-byte checks, and extension allowlists
-- archive controls such as ZIP bombs, traversal, entry counts, expansion limits, and nesting limits
-- common heuristics for risky PDFs, Office macro hints, executables, and other suspicious structures
-- optional YARA-based signature matching
-- route-level `clean`, `suspicious`, and `malicious` decisions with quarantine-friendly workflows
+## Demo, preview, and examples
-## Ecosystem
+![Pompelmi upload security demo](assets/malware-detection-node-demo.gif)
-- `pompelmi`
-- `@pompelmi/express-middleware`
-- `@pompelmi/koa-middleware`
-- `@pompelmi/next-upload`
-- `@pompelmi/nestjs-integration`
-- `@pompelmi/fastify-plugin`
-- `@pompelmi/ui-react`
-- `@pompelmi/cli`
+- [Browser preview](https://pompelmi.app/#browser-preview) for a fast local look at the verdict UX without uploading files anywhere
+- [Express demo](./examples/demo) for a tiny upload gate that returns `clean`, `suspicious`, or `malicious` before storage
+- [Examples index](./examples/README.md) for framework-specific and production-oriented patterns
+- [Docs home](https://pompelmi.app/) for guides, comparisons, use cases, and tutorials
-## Repository Layout
+## Why star this repo
-- `src/` core library
-- `packages/` framework adapters and supporting packages
-- `examples/` runnable examples
-- `tests/` test coverage
-- `website/` public docs, blog, and discovery site
-## Development
-```bash
-pnpm install
-pnpm test
-pnpm build
-```
+Pompelmi is focused on a real gap in most Node.js stacks: secure file uploads that make a decision before storage, not after. If that matches how you want upload security to work, star the repo to follow the project and help more teams discover the inspect-before-storage model.
 <!-- MENTIONS:START -->
-## Featured In
-Full page: [pompelmi.github.io/pompelmi/featured-in](https://pompelmi.github.io/pompelmi/featured-in/)
-*Last updated: March 20, 2026*
-### Awesome Lists & Curated Collections
+## Mentioned by
-- [Awesome JavaScript](https://github.com/sorrycc/awesome-javascript) — sorrycc
-- [Awesome TypeScript](https://github.com/dzharii/awesome-typescript) — dzharii
+- [Node Weekly](https://nodeweekly.com/issues/594)
+- [Defense against uploads: Q&A with OSS file scanner, pompelmi](https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/) — Stack Overflow
+- [Pompelmi: Open-source secure file upload scanning for Node.js](https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/) — Help Net Security
+- [Awesome JavaScript](https://github.com/sorrycc/awesome-javascript)
+- [Awesome TypeScript](https://github.com/dzharii/awesome-typescript)
+- [See all mentions](https://pompelmi.app/featured-in/)
-### Newsletters & Roundups
-- [The Overflow Issue 319: Dogfooding your SDLC](https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/) — Stack Overflow (2026-03-04)
-- [Hottest cybersecurity open-source tools of the month: February 2026](https://www.helpnetsecurity.com/2026/02/26/hottest-cybersecurity-open-source-tools-of-the-month-february-2026/) — Help Net Security (2026-02-26)
-- [Bytes #429](https://bytes.dev/archives/429) — Bytes (2025-10-03)
-- [Node Weekly Issue 594](https://nodeweekly.com/issues/594) — Node Weekly (2025-09-30)
-- [Det. Eng. Weekly Issue #124 - The DEFCON hangover is real](https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon) — Detection Engineering (2025-08-13)
-### Other Mentions
+<!-- MENTIONS:END -->
-- [Defense against uploads: Q&A with OSS file scanner, pompelmi](https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/) — Stack Overflow (2026-02-23)
-- [Pompelmi: Open-source secure file upload scanning for Node.js](https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/) — Help Net Security (2026-02-02)
+## Docs
+- [Getting started](https://pompelmi.app/getting-started/)
+- [Use cases](https://pompelmi.app/use-cases/)
+- [Comparisons](https://pompelmi.app/comparisons/)
+- [Tutorials](https://pompelmi.app/tutorials/)
+- [Browser preview](https://pompelmi.app/#browser-preview)
+- [Featured in](https://pompelmi.app/featured-in/)
+- [Translations](https://pompelmi.app/translations/)
-*Found 9 mentions. To update, run `npm run mentions:update`.*
+## Commercial support
-<!-- MENTIONS:END -->
+The MIT core remains the primary path. Teams that need private rollout help, architecture review, or policy tuning can use the existing [enterprise support path](https://pompelmi.app/enterprise/).
-## License
+## Project
-[MIT](./LICENSE)
+- [Contributing](./CONTRIBUTING.md)
+- [Security](./SECURITY.md)
+- [Roadmap](./ROADMAP.md)
+- [GitHub Discussions](https://github.com/pompelmi/pompelmi/discussions)
+- [License](./LICENSE)

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "pompelmi",
-  "version": "0.35.2",
-  "description": "Secure file uploads for Node.js. Scan untrusted files before storage with in-process, local-first checks for MIME spoofing, archive bombs, risky document structures, and optional YARA.",
+  "version": "0.35.4",
+  "description": "Inspect untrusted uploads before storage in Node.js. Open-source upload security with checks for spoofing, archive abuse, risky document and binary signals, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",
   "type": "module",