Why: Upload endpoints are part of your attack surface. Pompelmi inspects untrusted files before they hit storage or downstream processors. How: in-process scanning + policy packs (MIME sniffing, archive abuse checks, risky structures) with optional YARA. Works with: Express, Next.js, NestJS, Fastify, Koa (plus adapters in packages/).

Demo

Install

npm install pompelmi

Requires Node.js 18+.

Try in 5 minutes

1. Install:

npm install pompelmi

2. Create scan-test.mjs:

import { scanBytes } from "pompelmi";
import { readFileSync } from "node:fs";

const buffer = readFileSync("./package.json");

const report = await scanBytes(buffer, {
  filename: "package.json",
  mimeType: "application/json",
});

console.log("Verdict:", report.verdict);
console.log("Reasons:", report.reasons);
console.log("Duration:", report.durationMs, "ms");

3. Run it:

node scan-test.mjs

Next: see the demo under examples/demo (upload route) or the docs Getting started guide.

Quick Start

import { scanBytes, STRICT_PUBLIC_UPLOAD } from "pompelmi";

const report = await scanBytes(file.buffer, {
  filename: file.originalname,
  mimeType: file.mimetype,
  policy: STRICT_PUBLIC_UPLOAD,
  failClosed: true,
});

if (report.verdict !== "clean") {
  return res.status(422).json({
    error: "Upload blocked",
    verdict: report.verdict,
    reasons: report.reasons,
  });
}

Start Here

• Express: Docs · Examples
• Next.js: Docs · Examples
• NestJS: Docs · Example app
• Fastify: Docs · Package
• Koa: Docs · Package
• CI/CD: Use case · Blog
• S3 / object storage: Tutorial · Use case

Go Deeper

• Docs home
• Use cases
• Comparisons
• Tutorials
• Featured in
• Translations
• Examples index
• Demo example
• Contributing
• Security
• Roadmap

What It Checks

Upload endpoints are part of your attack surface. A renamed executable, a risky PDF, or a hostile archive can look harmless until it is stored, unpacked, served, or parsed by another system.

Pompelmi adds checks at the upload boundary for:

• MIME spoofing and magic-byte mismatches
• Archive abuse such as ZIP bombs, traversal, and deep nesting
• Polyglot files and risky document structures
• Optional YARA-based signature matching

The goal is simple: inspect first, store later.

Ecosystem

• pompelmi
• @pompelmi/express-middleware
• @pompelmi/koa-middleware
• @pompelmi/next-upload
• @pompelmi/nestjs-integration
• @pompelmi/fastify-plugin
• @pompelmi/ui-react
• @pompelmi/cli

Repository Layout

• src/ core library
• packages/ framework adapters and supporting packages
• examples/ runnable examples
• tests/ test coverage
• website/ public docs, blog, and discovery site

Development

pnpm install
pnpm test
pnpm build

Featured In

Full page: pompelmi.github.io/pompelmi/featured-in

Last updated: March 20, 2026

Awesome Lists & Curated Collections

• Awesome JavaScript — sorrycc
• Awesome TypeScript — dzharii

Newsletters & Roundups

• The Overflow Issue 319: Dogfooding your SDLC — Stack Overflow (2026-03-04)
• Hottest cybersecurity open-source tools of the month: February 2026 — Help Net Security (2026-02-26)
• Bytes #429 — Bytes (2025-10-03)
• Node Weekly Issue 594 — Node Weekly (2025-09-30)
• Det. Eng. Weekly Issue #124 - The DEFCON hangover is real — Detection Engineering (2025-08-13)

Other Mentions

• Defense against uploads: Q&A with OSS file scanner, pompelmi — Stack Overflow (2026-02-23)
• Pompelmi: Open-source secure file upload scanning for Node.js — Help Net Security (2026-02-02)

Found 9 mentions. To update, run npm run mentions:update.

License

MIT