
Pompelmi

RFI-safe file uploads for Node.js — Express/Koa/Next.js middleware with deep ZIP inspection, MIME/size checks, and optional YARA scanning.

Cost / License

  • Free
  • Open Source

Platforms

  • Self-Hosted
  • JavaScript
  • TypeScript

Features

Properties

  1.  Privacy focused
  2.  Security-focused

Features

  1.  No Tracking

Pompelmi information

  • Developed by

    Pompelmi (Italy)
  • Licensing

    Open Source (MIT) and Free product.
  • Alternatives

    9 alternatives listed
  • Supported Languages

    • English

AlternativeTo Categories

Backup & Sync, Security & Privacy

GitHub repository

  •  337 Stars
  •  15 Forks
  •  13 Open Issues

Pompelmi was added to AlternativeTo by Paul on and this page was last updated .

What is Pompelmi?

Fast file-upload malware scanning for Node.js. Optional YARA, ZIP deep-inspection, MIME/size guards. Express · Koa · Next.js.

Pompelmi scans untrusted file uploads before they hit disk. A tiny, TypeScript-first toolkit for Node.js with composable scanners, deep ZIP inspection, and optional signature engines.

  • Private by design — no outbound calls; bytes never leave your process
  • Composable scanners — mix heuristics + signatures; set stopOn and timeouts
  • ZIP hardening — traversal/bomb guards, polyglot & macro hints
  • Drop-in adapters — Express, Koa, Fastify, Next.js
  • Typed & tiny — modern TS, minimal surface

Highlights:

  • Block risky uploads early — classify uploads as clean, suspicious, or malicious and stop them at the edge.
  • Real guards — extension allow-list, server-side MIME sniff (magic bytes), per-file size caps, and deep ZIP traversal with anti-bomb limits.
  • Built-in scanners — drop-in CommonHeuristicsScanner (PDF risky actions, Office macros, PE header) and Zip-bomb Guard; add your own or YARA via a tiny { scan(bytes) } contract.
  • Compose scanning — run multiple scanners in parallel or sequentially with timeouts and short-circuiting via composeScanners().
  • Zero cloud — scans run in-process. Keep bytes private.
  • DX first — TypeScript types, ESM/CJS builds, tiny API, adapters for popular web frameworks.