Route-level upload security for Node.js.
Inspect untrusted uploads before storage.
MIME and extension spoofing · archive abuse · risky document and binary signals · optional YARA
clean · suspicious · malicious
Express · Next.js · NestJS · Fastify · Koa · Nuxt/Nitro · S3 quarantine flows · CI/CD
Open-source core · MIT · Node.js 18+
Mentioned by Node Weekly, Stack Overflow, Help Net Security, Awesome JavaScript, and Awesome TypeScript.
Install the core package:
```bash
npm install pompelmi
```

Minimal route-level example:

```js
import express from 'express';
import multer from 'multer';
import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';

const app = express();
// Memory-backed multipart parsing keeps the bytes inside the route so they can be inspected
// before anything is stored; multer is one such parser and is what populates req.file below.
const upload = multer({ storage: multer.memoryStorage() });

app.post('/upload', upload.single('file'), async (req, res) => {
  if (!req.file) return res.status(400).json({ error: 'No file uploaded' });
  const report = await scanBytes(req.file.buffer, {
    filename: req.file.originalname,
    mimeType: req.file.mimetype,
    policy: STRICT_PUBLIC_UPLOAD,
    failClosed: true, // on scan failure, block rather than allow (fail closed)
  });
  if (report.verdict !== 'clean') {
    return res.status(422).json({
      error: 'Upload blocked',
      verdict: report.verdict,
      reasons: report.reasons,
    });
  }
  // Only a clean verdict continues to storage or downstream processing.
  return res.status(200).json({ verdict: report.verdict });
});
```

Start with Getting started for a local scan in under a minute, open the browser preview to inspect the verdict flow without sending files anywhere, or run the minimal Express demo.
If Pompelmi matches how you want upload security to work, star the repo so more Node.js teams can find it.
Upload endpoints are part of your attack surface. A file can look harmless at the form layer and become dangerous only after storage, extraction, rendering, or downstream parsing.
Pompelmi keeps the first decision inside the application path, where the route still knows the file class, trust level, storage path, and failure mode.
- MIME sniffing, magic-byte validation, and extension allowlists
- risky archive structures such as traversal, deep nesting, entry-count abuse, and ZIP bomb-style expansion
- suspicious document and binary signals such as risky PDF actions, Office macro hints, PE headers, and polyglot files
- optional YARA or other scanner matches
- route-level verdicts that support reject, quarantine, or promote workflows
- public or semi-trusted upload endpoints that should inspect first and store later
- memory-backed multipart routes in Express, Next.js, NestJS, Fastify, and Koa
- quarantine and promotion workflows for S3 or other object storage
- document, image, and archive routes that need different policies
- CI/CD or internal artifact scanning before promotion
| Approach | Useful for | What it misses |
|---|---|---|
| Browser MIME and extension checks | Fast client-side hints and UX feedback | Filenames and client-reported MIME are easy to spoof |
| Simple file-type or magic-byte checks | Confirming the file appears to be the claimed type | Risky internal structure, archive abuse, and route policy decisions |
| Antivirus-only thinking | Known malicious matches and signature-based detection | Route context, spoofing checks, storage decisions, and non-signature risk signals |
| Pompelmi at the upload route | Inspect-first, store-later decisions with policy, structure checks, and optional YARA | It is not a full antivirus replacement on its own |
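To make the layering in the table concrete, here is an added, self-contained example (not pompelmi's code and not its API) that combines an extension allowlist, magic-byte sniffing checked against both the extension and the client-declared MIME type, and a walk over ZIP local file headers for traversal and entry-count abuse, returning a verdict on the same clean / suspicious / malicious scale. Names such as `inspectUpload`, `makeZip` and `MAGIC` are this example's own, and the sample ZIP is constructed from bare local file headers.

```javascript
// Magic bytes for the types this gate accepts (constructed table, not pompelmi's).
const MAGIC = {
  'image/png': Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  'application/pdf': Buffer.from('%PDF'),
  'application/zip': Buffer.from('PK\x03\x04'),
};
// Extension allowlist: each extension maps to the type the bytes must actually be.
const EXT_ALLOW = { '.png': 'image/png', '.pdf': 'application/pdf', '.zip': 'application/zip' };
const MAX_ZIP_ENTRIES = 1000, RANK = { clean: 0, suspicious: 1, malicious: 2 };
// Identify the real type from leading bytes; null means "unknown", which fails closed.
function sniff(buf) {
  const hit = Object.entries(MAGIC).find(([, sig]) => buf.subarray(0, sig.length).equals(sig));
  return hit ? hit[0] : null;
}
// Walk ZIP local file headers: name length at +26, extra length at +28, name at +30.
function zipEntryNames(buf) {
  const sig = MAGIC['application/zip'], names = [];
  for (let off = buf.indexOf(sig); off !== -1 && off + 30 <= buf.length; off = buf.indexOf(sig, off)) {
    const nameLen = buf.readUInt16LE(off + 26), extraLen = buf.readUInt16LE(off + 28);
    names.push(buf.subarray(off + 30, off + 30 + nameLen).toString('utf8'));
    off += 30 + nameLen + extraLen;
  }
  return names;
}
// Inspect-first gate: returns { verdict, reasons } on the clean / suspicious / malicious scale.
function inspectUpload(buf, filename, declaredMime) {
  const reasons = []; let verdict = 'clean';
  const flag = (level, why) => { reasons.push(why); if (RANK[level] > RANK[verdict]) verdict = level; };
  const dot = filename.lastIndexOf('.'), expected = EXT_ALLOW[dot === -1 ? '' : filename.slice(dot).toLowerCase()];
  if (!expected) flag('suspicious', 'extension not allowlisted');
  const actual = sniff(buf); if (!actual) flag('suspicious', 'unrecognized magic bytes (fail closed)');
  if (actual && expected && actual !== expected) flag('suspicious', `bytes are ${actual}, extension implies ${expected}`);
  if (actual && declaredMime && actual !== declaredMime) flag('suspicious', `bytes are ${actual}, client declared ${declaredMime}`);
  if (actual === 'application/zip') {
    const names = zipEntryNames(buf);
    if (names.length > MAX_ZIP_ENTRIES) flag('suspicious', `${names.length} entries exceeds ${MAX_ZIP_ENTRIES}`);
    // A '..' segment or an absolute path would escape the extraction directory.
    for (const n of names) if (n.split(/[\\/]/).includes('..') || /^([\\/]|[A-Za-z]:)/.test(n)) flag('malicious', `zip entry escapes extraction dir: ${n}`);
  }
  return { verdict, reasons };
}
// Constructed sample input: a ZIP made only of local file headers for the given entry names.
function makeZip(names) {
  return Buffer.concat(names.flatMap((n) => {
    const hdr = Buffer.alloc(30); MAGIC['application/zip'].copy(hdr, 0);
    hdr.writeUInt16LE(Buffer.byteLength(n), 26);
    return [hdr, Buffer.from(n)];
  }));
}
```

A real ZIP check would also walk the central directory and compare declared against actual sizes; this block stops at the signals the table calls out.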
- Express: Docs · Minimal example · Demo
- Next.js: Docs · Example
- NestJS: Docs · Example app
- Fastify: Docs · Package
- Koa: Docs · Package
- Nuxt/Nitro: Docs
- S3 / object storage: Tutorial · Use case
- CI/CD: Use case · Blog
- Browser preview for a fast local evaluation of the verdict UX
- Demo for a tiny Express upload gate that returns clean, suspicious, or malicious before storage
- Examples index for framework-specific and production-oriented examples
The MIT core remains the primary path. Teams that need private rollout help, architecture review, or policy tuning can use the existing enterprise support path.
Full page: pompelmi.github.io/pompelmi/featured-in
Last updated: March 20, 2026
- Awesome JavaScript — sorrycc
- Awesome TypeScript — dzharii
- The Overflow Issue 319: Dogfooding your SDLC — Stack Overflow (2026-03-04)
- Hottest cybersecurity open-source tools of the month: February 2026 — Help Net Security (2026-02-26)
- Bytes #429 — Bytes (2025-10-03)
- Node Weekly Issue 594 — Node Weekly (2025-09-30)
- Det. Eng. Weekly Issue #124 - The DEFCON hangover is real — Detection Engineering (2025-08-13)
- Defense against uploads: Q&A with OSS file scanner, pompelmi — Stack Overflow (2026-02-23)
- Pompelmi: Open-source secure file upload scanning for Node.js — Help Net Security (2026-02-02)
Found 9 mentions. To update, run `npm run mentions:update`.