Pompelmi — in-process file upload security for Node.js

Scan and block risky uploads before storage — no cloud API, no daemon, no required data egress.

Why: Upload endpoints are part of your attack surface. Pompelmi inspects untrusted files before they hit storage or downstream processors. How: in-process scanning + policy packs (MIME sniffing, archive abuse checks, risky structures) with optional YARA. Works with: Express, Next.js, NestJS, Fastify, Koa (plus adapters in packages/).

npm install pompelmi

Requires Node.js 18+.

1. Install:

npm install pompelmi

2. Create scan-test.mjs:

import { scanBytes } from "pompelmi";
import { readFileSync } from "node:fs";

const buffer = readFileSync("./package.json");

const report = await scanBytes(buffer, {
  filename: "package.json",
  mimeType: "application/json",
});

console.log("Verdict:", report.verdict);
console.log("Reasons:", report.reasons);
console.log("Duration:", report.durationMs, "ms");

3. Run it:

node scan-test.mjs

Next: see the demo under examples/demo (upload route) or the docs Getting started guide.

import { scanBytes, STRICT_PUBLIC_UPLOAD } from "pompelmi";

const report = await scanBytes(file.buffer, {
  filename: file.originalname,
  mimeType: file.mimetype,
  policy: STRICT_PUBLIC_UPLOAD,
  failClosed: true,
});

if (report.verdict !== "clean") {
  return res.status(422).json({
    error: "Upload blocked",
    verdict: report.verdict,
    reasons: report.reasons,
  });
}

• Documentation
• Examples index
• Demo example
• Contributing
• Security
• Roadmap

Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.

Pompelmi adds checks at the upload boundary for:

• MIME spoofing and magic-byte mismatches
• Archive abuse such as ZIP bombs, traversal, and deep nesting
• Polyglot files and risky document structures
• Optional YARA-based signature matching

The goal is simple: inspect first, store later.

• Plain Markdown, readable in GitHub and in a terminal
• Fast path first: install, example, then deeper links
• Minimal top-level detail, with docs and examples for everything else

• pompelmi
• @pompelmi/express-middleware
• @pompelmi/koa-middleware
• @pompelmi/next-upload
• @pompelmi/nestjs-integration
• @pompelmi/fastify-plugin
• @pompelmi/ui-react
• @pompelmi/cli

• src/ core library
• packages/ framework adapters and supporting packages
• examples/ runnable examples
• tests/ test coverage
• website/ documentation site

pnpm install
pnpm test
pnpm build

Last updated: March 20, 2026

• Awesome JavaScript — sorrycc
• Awesome TypeScript — dzharii

• The Overflow Issue 319: Dogfooding your SDLC — Stack Overflow (2026-03-04)
• Hottest cybersecurity open-source tools of the month: February 2026 — Help Net Security (2026-02-26)
• Bytes #429 — Bytes (2025-10-03)
• Node Weekly Issue 594 — Node Weekly (2025-09-30)
• Det. Eng. Weekly Issue #124 - The DEFCON hangover is real — Detection Engineering (2025-08-13)

• Defense against uploads: Q&A with OSS file scanner, pompelmi — Stack Overflow (2026-02-23)
• Pompelmi: Open-source secure file upload scanning for Node.js — Help Net Security (2026-02-02)

Found 9 mentions. To update, run npm run mentions:update.

MIT