DEV Community: Tommaso Bertocchi

10 npm Packages You'll Actually Use in 2026

Tommaso Bertocchi — Wed, 22 Apr 2026 06:44:10 +0000

Every "must-know npm packages" list links to abandoned repos or tools you already know.
These 10 are actively maintained, TypeScript-native, and earn their spot in production code — not because they went viral.

TL;DR: These 10 npm packages cut real complexity in production Node.js apps — no hype, no toy demos.

zod — runtime validation your TypeScript types can't provide
tsx — run TypeScript instantly without a build step
hono — the web framework fast enough for edge
drizzle-orm — SQL-first ORM that doesn't fight TypeScript
superjson — serialize what JSON.stringify silently mangles
effect — structured concurrency for complex async systems
pino — the logger that won't become your bottleneck
pompelmi — file upload scanning with zero cloud dependencies
got — the HTTP client Node.js deserved from the start
p-queue — concurrency control for async operations

1) zod — runtime validation your TypeScript types can't provide

What it is: A TypeScript-first schema library that validates data at runtime, not just at compile time.

Why it matters in 2026: TypeScript types disappear at runtime. Zod gives you the same guarantees at the API boundary — incoming requests, form submissions, environment variables. It's become the standard because the API is clean and it composes well with frameworks like tRPC.

Best for: API request validation, form parsing, environment variable schemas

colinhacks / zod

TypeScript-first schema validation with static type inference

Zod

TypeScript-first schema validation with static type inference
by @colinhacks

Docs • Discord • 𝕏 • Bluesky

Featured sponsor: Jazz

Learn more about featured sponsorships

Read the docs →

What is Zod?

Zod is a TypeScript-first validation library. Define a schema and parse some data with it. You'll get back a strongly typed, validated result.

import * as z from "zod";

const User = z.object({
  name: z.string(),
});

// some untrusted data...
const input = {
  /* stuff */
};

// the parsed result is validated and type safe!
const data = User.parse(input);

// so you can use it with confidence :)
console.log(data.name);

Features

Zero external dependencies
Works in Node.js and all modern browsers
Tiny: 2kb core bundle (gzipped)
Immutable API: methods…

View on GitHub

2) tsx — run TypeScript without the setup tax

What it is: A zero-config TypeScript runner using esbuild that executes .ts files directly with npx tsx script.ts.

Why it matters in 2026: Setting up ts-node and waiting for tsc just to run a script kills momentum. tsx eliminates all of that — faster than ts-node, no build step for scripts or migrations.

Best for: Scripts, one-off migrations, CLI tools, prototypes

Links:

privatenumber / tsx

⚡️ TypeScript Execute | The easiest way to run TypeScript in Node.js

TypeScript Execute (tsx): The easiest way to run TypeScript in Node.js

Documentation | Getting started →

^{Already a sponsor? Join the discussion in the Development repo!}

3) hono — the web framework built for the edge

What it is: A small, fast, multi-runtime framework running on Cloudflare Workers, Deno, Bun, and Node.js with the same API.

Why it matters in 2026: Express was built for a different era. Hono is designed for edge deployments and V8 isolates — and it significantly outperforms Express on Node.js too. First-class TypeScript support is built in, not bolted on.

Best for: Edge functions, Cloudflare Workers, REST APIs, multi-runtime services

Links: | Website

honojs / hono

Web framework built on Web Standards

Hono - means flame🔥 in Japanese - is a small, simple, and ultrafast web framework built on Web Standards. It works on any JavaScript runtime: Cloudflare Workers, Fastly Compute, Deno, Bun, Vercel, AWS Lambda, Lambda@Edge, and Node.js.

Fast, but not only fast.

import { Hono } from 'hono'
const app = new Hono()
app.get('/', (c) => c.text('Hono!'))

export default app

Quick Start

npm create hono@latest

Features

Ultrafast 🚀 - The router RegExpRouter is really fast. Not using linear loops. Fast.
Lightweight 🪶 - The hono/tiny preset is under 12kB. Hono has zero dependencies and uses only the Web Standard API.
Multi-runtime 🌍 - Works on Cloudflare Workers, Fastly Compute, Deno, Bun, AWS Lambda, Lambda@Edge, or Node.js. The same code runs on all platforms.
Batteries Included 🔋 - Hono has built-in middleware, custom middleware, and third-party…

View on GitHub

When your web framework runs on Node.js, Bun, Deno, and the edge. Source: Giphy

4) drizzle-orm — the ORM that doesn't hide SQL from you

What it is: A TypeScript ORM with a SQL-like query API that generates type-safe queries without abstracting the database.

Why it matters in 2026: ORMs that hide SQL work until queries get complex. Drizzle stays close to SQL, generates types from your schema, and runs cleanly in serverless environments where Prisma's connection model struggles.

Best for: PostgreSQL, MySQL, SQLite, apps with complex queries, serverless environments

Links: | Website

drizzle-team / drizzle-orm

ORM

Headless ORM for NodeJS, TypeScript and JavaScript 🚀

Website • Documentation • Twitter • Discord

What's Drizzle?

Drizzle is a modern TypeScript ORM developers wanna use in their next project It is lightweight at only ~7.4kb minified+gzipped, and it's tree shakeable with exactly 0 dependencies.

Drizzle supports every PostgreSQL, MySQL and SQLite database, including serverless ones like Turso, Neon, Xata, PlanetScale, Cloudflare D1, FlyIO LiteFS, Vercel Postgres, Supabase and AWS Data API. No bells and whistles, no Rust binaries, no serverless adapters, everything just works out of the box.

Drizzle is serverless-ready by design. It works in every major JavaScript runtime like NodeJS, Bun, Deno, Cloudflare Workers, Supabase functions, any Edge runtime, and even in browsers.
With Drizzle you can be fast out of the box and save time and costs while never introducing any data proxies into your…

View on GitHub

5) superjson — serialize what JSON.stringify silently mangles

What it is: A drop-in JSON replacement that handles Date, Map, Set, BigInt, and undefined without silent type coercion.

Why it matters in 2026: Every full-stack app gets burned by JSON.stringify turning Date objects into strings or dropping undefined silently. Superjson extends JSON with type metadata — predictable serialization across every server/client boundary.

Best for: tRPC, Next.js, full-stack apps with complex data types

Links:

flightcontrolhq / superjson

Safely serialize JavaScript expressions to a superset of JSON, which includes Dates, BigInts, and more.

Safely serialize JavaScript expressions to a superset of JSON, which includes Dates, BigInts, and more

Key features

🍱 Reliable serialization and deserialization
🔐 Type safety with autocompletion
🐾 Negligible runtime footprint
💫 Framework agnostic
🛠 Perfect fix for Next.js's serialisation limitations in getServerSideProps and getInitialProps

Backstory

At Blitz, we have struggled with the limitations of JSON. We often find ourselves working with Date, Map, Set or BigInt, but JSON.stringify doesn't support any of them without going through the hassle of converting manually!

Superjson solves these issues by providing a thin wrapper over JSON.stringify and JSON.parse.

Getting started

Install the library with your package manager of choice, e.g.:

yarn add superjson

Basic Usage

The easiest way to use Superjson is with its stringify and parse functions. If you know how to use JSON.stringify, you already know Superjson!

Easily stringify…

View on GitHub

6) effect — structured concurrency for when async/await breaks down

What it is: A TypeScript library for reliable applications using typed effects, structured concurrency, and composable error handling.

Why it matters in 2026: Retries, timeouts, cancellation, and dependency injection all become ad hoc bolted-on solutions with async/await. Effect provides a principled model for these problems. The learning curve is real and the payoff matches it.

Best for: Complex backend services, data pipelines, apps with sophisticated retry/timeout/cancellation needs

Links: | Website

Effect-TS / effect

Build production-ready applications in TypeScript

Effect Monorepo

An ecosystem of tools to build robust applications in TypeScript

Introduction

Welcome to Effect, a powerful TypeScript framework that provides a fully-fledged functional effect system with a rich standard library.

Effect consists of several packages that work together to help build robust TypeScript applications. The core package, effect, serves as the foundation of the framework, offering primitives for managing side effects, ensuring type safety, and supporting concurrency.

Monorepo Structure

The Effect monorepo is organized into multiple packages, each extending the core functionality. Below is an overview of the packages included:

Package	Description
`effect`	Core package	README
`@effect/ai`	AI utilities	README
`@effect/ai-openai`	OpenAI utilities	README
`@effect/ai-anthropic`	Anthropic utilities	README
`@effect/ai-amazon-bedrock`	Effect modules for working with Amazon Bedrock AI apis	README
`@effect/ai-google`	Effect modules for working with Google AI apis	README
`@effect/cli`	CLI utilities	README
`@effect/cluster`	Distributed computing tools	README
`@effect/experimental`	Experimental features and APIs	README
`@effect/opentelemetry`	OpenTelemetry integration

…

View on GitHub

7) pino — the logger that won't slow your server down

What it is: An extremely fast, JSON-native Node.js logger that uses worker threads for async serialization.

Why it matters in 2026: Synchronous logging blocks the event loop — at high request rates it becomes a measurable bottleneck. Pino moves serialization off the main thread, giving you structured JSON output compatible with Loki/Datadog/CloudWatch at negligible latency cost.

Best for: Production Node.js services, high-traffic APIs, apps sending logs to aggregation systems

Links: | Website

pinojs / pino

🌲 super fast, all natural json logger

pino

Very low overhead JavaScript logger.

Documentation

Runtimes

Node.js

Pino is built to run on Node.js.

Bare

Pino works on Bare with the pino-bare compatability module.

Pear

Pino works on Pear, which is built on Bare, with the pino-bare compatibility module.

Install

Using NPM:

$ npm install pino

Using YARN:

$ yarn add pino

If you would like to install pino v6, refer to https://github.com/pinojs/pino/tree/v6.x.

Usage

const logger = require('pino')()

logger.info('hello world')

const child = logger.child({ a: 'property' })
child.info('hello child!')

This produces:

{"level":30,"time":1531171074631,"msg":"hello world","pid":657,"hostname":"Davids-MBP-3.fritz.box"}
{"level":30,"time":1531171082399,"msg":"hello child!","pid":657,"hostname":"Davids-MBP-3.fritz.box","a":"property"}

For using Pino with…

View on GitHub

Watching your synchronous logger block the event loop at 10k req/s. Source: Giphy

8) pompelmi — file upload scanning that stays on your server

What it is: A minimal Node.js wrapper around ClamAV that scans any uploaded file and returns a typed verdict — Clean, Malicious, or ScanError. Zero runtime dependencies, no cloud, no daemon required.

Why it matters in 2026: File uploads are one of the most consistently overlooked attack surfaces in web applications. Most teams skip scanning or bolt on an expensive third-party API. pompelmi solves this locally — no data leaving your server, no subscription fee.

Best for: Express, Fastify, NestJS, Next.js, SvelteKit, any Node.js app that accepts user file uploads

Links: | Website

pompelmi / pompelmi

Minimal Node.js wrapper around ClamAV — scan any file and get Clean, Malicious, or ScanError. Handles installation and database updates automatically.

pompelmi

ClamAV for humans

A minimal Node.js wrapper around ClamAV that scans any file and returns a typed Verdict Symbol: Verdict.Clean, Verdict.Malicious, or Verdict.ScanError. No daemons. No cloud. No native bindings. Zero runtime dependencies.

Quickstart

npm install pompelmi

const { scan, Verdict } = require('pompelmi');

const result = await scan('/path/to/file.zip');

if (result === Verdict.Malicious) {
  throw new Error('File rejected: malware detected');
}

How it works

Validate — pompelmi checks that the argument is a string and that the file exists before spawning anything.
Scan — pompelmi spawns clamscan --no-summary <filePath> as a child process and reads the exit code.
Map — the exit…

View on GitHub

9) got — the HTTP client Node.js always needed

What it is: A feature-rich HTTP client for Node.js with hooks, retries, pagination, and streams built in.

Why it matters in 2026: Built-in fetch is fine for simple requests. Got is for production HTTP — configurable retries, timeout handling, automatic JSON parsing, caching plugins. It handles the edge cases that matter under real outbound traffic loads.

Best for: API clients, web scrapers, microservice communication, significant outbound HTTP workloads

Links:

sindresorhus / got

🌐 Human-friendly and powerful HTTP request library for Node.js

^{Sindre's open source work is supported by the community.
Special thanks to}

Fast remote container builds and GitHub Actions runners.

Human-friendly and powerful HTTP request library for Node.js

See how Got compares to other HTTP libraries

You probably want Ky instead, by the same people. It's smaller, works in the browser too, and is more stable since it's built on Fetch. Or fetch-extras for simple needs.

Support questions should be asked here.

Install

npm install got

Warning: This package is native ESM and no longer provides a CommonJS export. If your project uses CommonJS, you will have to convert to ESM. Please don't open issues for questions regarding CommonJS / ESM.

Got v11 is no longer maintained and we will not accept any backport requests.

Take a peek

A quick start guide is available.

JSON mode

Got has a dedicated option for handling JSON payload.
Furthermore, the…

View on GitHub

10) p-queue — concurrency control for async operations

What it is: A promise queue with configurable concurrency, priority support, and rate limiting for throttling async workloads.

Why it matters in 2026: Unconstrained parallelism causes incidents. Fire 500 database queries at once with Promise.all and you'll saturate your connection pool fast. p-queue gives you exact concurrency control with priority ordering and interval-based rate limiting.

Best for: Bulk API calls, image processing pipelines, database batch operations, any async workload needing throttling

Links:

sindresorhus / p-queue

Promise queue with concurrency control

p-queue

Promise queue with concurrency control

Useful for rate-limiting async (or sync) operations. For example, when interacting with a REST API or when doing CPU/memory intensive tasks.

For servers, you probably want a Redis-backed job queue instead.

Note that the project is feature complete. We are happy to review pull requests, but we don't plan any further development. We are also not answering email support questions.

^{Sindre's open source work is supported by the community
Special thanks to}

Scrape anything with FetchFox

^{FetchFox is an AI powered scraping tool that lets you scrape data from any website}

Install

npm install p-queue

Warning: This package is native ESM and no longer provides a CommonJS export. If your project uses CommonJS, you'll have to convert to ESM. Please don't open issues for questions regarding CommonJS / ESM.

Usage

Here we run only one promise at a time. For example, set concurrency…

View on GitHub

Final thoughts

These 10 packages are fast, typed, and solve problems you only recognize from production experience. Which ones are already in your stack?

Pompelmi — Add Antivirus Scanning to Your Node.js App in 5 Minutes

Tommaso Bertocchi — Tue, 21 Apr 2026 15:23:16 +0000

Pompelmi — Add Antivirus Scanning to Your Node.js App in 5 Minutes

Building a file upload feature? Then you've already asked yourself this question:

"Should I be scanning these files for malware?"

Yes. You should.

And the follow-up question is usually:

"How complicated is that going to be?"

With pompelmi, the answer is: barely at all.

🍊 What Is Pompelmi?

Pompelmi is a minimal Node.js wrapper around ClamAV — the open-source antivirus engine maintained by Cisco Talos. It scans any file and returns a typed Verdict Symbol:

Verdict	Meaning
`Verdict.Clean`	No threats found ✅
`Verdict.Malicious`	A known malware signature was matched 🚨
`Verdict.ScanError`	Scan failed — treat the file as untrusted ⚠️

No daemons to manage. No external API calls. No native bindings. Zero runtime dependencies.

🔧 Setup

1. Install ClamAV on the Host System

ClamAV must be present on the machine running your app. Pompelmi does not bundle or download it.

macOS:

brew install clamav && freshclam

Linux (Debian / Ubuntu):

sudo apt-get install -y clamav clamav-daemon && sudo freshclam

Windows (Chocolatey):

choco install clamav -y

freshclam downloads the virus signature database. This step is essential — without an up-to-date database, ClamAV won't recognize anything.

2. Install Pompelmi

npm install pompelmi

Done. Zero peer dependencies, zero surprises.

🚀 Quick Start

const { scan, Verdict } = require('pompelmi');

const result = await scan('/path/to/uploaded-file.zip');

if (result === Verdict.Malicious) {
  throw new Error('File rejected: malware detected');
}

console.log(result.description); // "Clean"

Three effective lines. That's all the complexity you need for the base case.

⚙️ How It Works Under the Hood

Pompelmi is deliberately transparent about what it does:

Validate — checks that the argument is a string and that the file exists before spawning anything
Scan — spawns clamscan --no-summary <filePath> as a child process and reads the exit code
Map — the exit code is converted to the corresponding Verdict. Unknown codes and spawn errors reject the Promise

No stdout parsing. No regex. No hidden magic.

🛡️ A Robust Production Pattern

In the real world you want to handle all three outcomes carefully:

const { scan, Verdict } = require('pompelmi');
const path = require('path');

async function scanUploadedFile(filePath) {
  try {
    const result = await scan(path.resolve(filePath));

    switch (result) {
      case Verdict.Clean:
        console.log(`✅ File is safe: ${filePath}`);
        return { safe: true };

      case Verdict.Malicious:
        console.warn(`🚨 Malware detected: ${filePath}`);
        return { safe: false, reason: 'malware_detected' };

      case Verdict.ScanError:
        // Incomplete scan = untrusted file
        console.warn(`⚠️ Scan failed, rejecting file: ${filePath}`);
        return { safe: false, reason: 'scan_error' };

      default:
        return { safe: false, reason: 'unknown' };
    }

  } catch (err) {
    console.error('Critical scan error:', err.message);
    return { safe: false, reason: 'exception' };
  }
}

💡 Golden rule: treat ScanError exactly like Malicious. When in doubt, reject. A false positive is far less damaging than letting malware through undetected.

🔍 Reading the Verdict as a String

Every Verdict Symbol exposes a .description property for logging and serialisation:

console.log(Verdict.Clean.description);     // "Clean"
console.log(Verdict.Malicious.description); // "Malicious"
console.log(Verdict.ScanError.description); // "ScanError"

This lets you save it to a database or send it over an API without comparing raw Symbols throughout your entire codebase.

🐳 Remote Scanning via clamd (Perfect for Docker)

If you're running ClamAV as a separate microservice — a very common pattern in containerised setups — pompelmi supports scanning via a TCP socket:

const result = await scan('/path/to/file.pdf', {
  host: '10.0.0.5',  // ClamAV container address
  port: 3310,
  timeout: 5000       // ms
});

A typical docker-compose.yml setup might look like this:

services:
  app:
    build: .
    environment:
      - CLAMAV_HOST=clamav
      - CLAMAV_PORT=3310
    depends_on:
      - clamav

  clamav:
    image: clamav/clamav:stable
    ports:
      - "3310:3310"

And in your application code:

const result = await scan(filePath, {
  host: process.env.CLAMAV_HOST,
  port: parseInt(process.env.CLAMAV_PORT),
});

Clean, scalable, and the signature database updates independently from your application.

🧪 Testing

Pompelmi has a well-thought-out testing approach:

Unit tests (test/unit.test.js) — run with Node's built-in test runner. They mock nativeSpawn without requiring ClamAV to be installed.
Integration tests (test/scan.test.js) — spawn real clamscan processes against EICAR test files. They are skipped automatically if clamscan is not in the PATH.

You can use EICAR files to test your integration locally:

# Download the EICAR test file (the standard antivirus test signature)
curl -o test-eicar.txt https://secure.eicar.org/eicar.com.txt

const result = await scan('./test-eicar.txt');
console.log(result === Verdict.Malicious); // true

The EICAR file is not actually malicious — it's a standardised test string that every compliant antivirus engine recognises as a "safe" way to confirm detection is working.

🔄 Express.js Integration Example

Here's a complete, practical example integrating pompelmi into an Express upload endpoint using multer:

const express = require('express');
const multer = require('multer');
const { scan, Verdict } = require('pompelmi');
const path = require('path');
const fs = require('fs');

const app = express();
const upload = multer({ dest: '/tmp/uploads/' });

app.post('/upload', upload.single('file'), async (req, res) => {
  const filePath = req.file?.path;

  if (!filePath) {
    return res.status(400).json({ error: 'No file provided' });
  }

  try {
    const result = await scan(path.resolve(filePath));

    // Always clean up the temp file
    fs.unlinkSync(filePath);

    if (result === Verdict.Malicious) {
      return res.status(422).json({
        error: 'File rejected',
        reason: 'Malware detected'
      });
    }

    if (result === Verdict.ScanError) {
      return res.status(422).json({
        error: 'File rejected',
        reason: 'Scan could not complete — file treated as untrusted'
      });
    }

    // Verdict.Clean — proceed with your business logic
    return res.status(200).json({ message: 'File accepted and is clean' });

  } catch (err) {
    // Clean up on unexpected error
    if (fs.existsSync(filePath)) fs.unlinkSync(filePath);
    return res.status(500).json({ error: 'Internal scan error' });
  }
});

app.listen(3000, () => console.log('Server running on port 3000'));

📋 When to Use Pompelmi

✅ Great fit for:

File upload features in SaaS applications
Validating attachments before archiving or processing
CI/CD pipelines that analyse build artefacts
Environments where data must never leave your own infrastructure
Teams that want security without the overhead of a managed service

⚠️ Consider supplementing with additional tools if:

You need protection against zero-day threats (ClamAV is signature-based, not behavioural)
You're handling extremely high-risk files in critical security contexts
Your threat model includes sophisticated, targeted attacks

For the vast majority of web applications that accept user uploads, pompelmi offers exactly the right level of protection for the complexity it introduces — which is close to zero.

🗺️ Pompelmi vs. Alternatives

	pompelmi	clamscan (direct)	Managed API (e.g. VirusTotal)
Setup complexity	Very low	Medium	Low
Runtime dependencies	Zero	ClamAV	HTTP client
Data leaves server	❌ Never	❌ Never	✅ Yes
Zero-day detection	❌ No	❌ No	✅ Yes
Cost	Free	Free	Paid tiers
Node.js integration	Native	Manual	Manual
Remote/Docker support	✅ Yes	❌ No	✅ Yes

🔐 Security Considerations

A few things to keep in mind when running pompelmi in production:

Keep the signature database updated. ClamAV is only as good as its latest signatures. Run freshclam on a schedule (daily is typical).
Scan before storing. Always scan the file in a temporary location before moving it to permanent storage. Never store an unscanned file.
Don't rely on file extensions. A .txt file can contain a malicious payload. Always scan the actual binary content.
Limit file size upstream. Large files slow down scans significantly. Enforce size limits at the HTTP layer before the file reaches pompelmi.
Run ClamAV as a separate user. Avoid running it with root privileges. A dedicated clamav system user is the standard practice.

🔗 Resources

Wrapping Up

Security doesn't have to mean complexity. Pompelmi proves that a well-scoped, focused library can handle a serious problem — malware detection — with minimal friction for the developer.

If you're shipping a Node.js app that handles user files and you're not scanning them yet, there's no longer a good excuse not to. A single npm install and a handful of lines stands between you and a meaningful layer of protection.

Got questions or want to contribute? The project is open source and welcomes pull requests.

Found this useful? Drop a ❤️ and share it with a fellow developer building something users trust with their files.

Getting started with antivirus scanning in Node.js (5 minutes)

Tommaso Bertocchi — Tue, 21 Apr 2026 07:41:42 +0000

You've built a Node.js app that accepts file uploads. Great. Now how do you make sure those files don't contain viruses?

The answer is ClamAV — a free, open-source antivirus engine that has been around since 2001, is maintained by Cisco, and is used by thousands of applications worldwide. It runs entirely on your own machine. No subscription, no API key, no files leaving your server.

pompelmi is a tiny Node.js package that calls ClamAV for you and gives back a clean result you can act on in JavaScript. Let's set it up.

Step 1 — Install ClamAV

ClamAV is a system-level tool. Install it with your operating system's package manager, not via npm.

macOS — Homebrew

brew install clamav

Linux — Debian / Ubuntu

sudo apt-get update && sudo apt-get install -y clamav

Linux — RHEL / Fedora / CentOS

sudo dnf install -y clamav clamav-update

Windows — Chocolatey

choco install clamav -y

Verify the installation worked:

clamscan --version
# ClamAV 1.x.x/...

Now download the virus database. ClamAV ships without definitions — you need to fetch them before any scan can work:

macOS and Windows

freshclam

Linux

sudo freshclam

The first freshclam download takes a few minutes — the database is several hundred megabytes. Subsequent runs are incremental and fast.

Step 2 — Install pompelmi

In your Node.js project directory:

npm install pompelmi

pompelmi has zero runtime dependencies. It uses Node's built-in child_process module to call clamscan and nothing else. No transitive packages to audit or update.

Step 3 — Scan your first file

Create a file called scan.js:

const { scan, Verdict } = require('pompelmi');

async function main() {
  const filePath = process.argv[2];

  if (!filePath) {
    console.error('Usage: node scan.js <file>');
    process.exit(1);
  }

  console.log('Scanning:', filePath);

  const verdict = await scan(filePath);

  if (verdict === Verdict.Clean) {
    console.log('Result: Clean — no threats found.');
  } else if (verdict === Verdict.Malicious) {
    console.log('Result: Malicious — malware detected!');
    process.exit(1);
  } else if (verdict === Verdict.ScanError) {
    console.log('Result: ScanError — could not complete scan.');
    process.exit(2);
  }
}

main().catch(err => {
  console.error('Error:', err.message);
  process.exit(3);
});

Run it against any file:

node scan.js /etc/hosts
# Scanning: /etc/hosts
# Result: Clean — no threats found.

That's it. Three verdicts, one function, zero configuration.

Step 4 — Test malware detection with EICAR

How do you test that the malicious path actually works without using real malware? The EICAR test file is a harmless string that every antivirus engine is required to detect as "malicious" for exactly this purpose. It was invented in 1991 and contains no actual malicious code.

# Create the EICAR test file
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' \
  > /tmp/eicar.txt

# Scan it
node scan.js /tmp/eicar.txt
# Scanning: /tmp/eicar.txt
# Result: Malicious — malware detected!

If you see "Result: Malicious" on the EICAR file, your setup is working correctly. If you see "Clean", run freshclam again — the virus database may not have downloaded properly.

What's next?

You now have a working scanner. The next step is wiring it into your web framework so uploads are scanned automatically.

Originally published at pompelmi.app

10 Best Open Source Projects Every Developer Should Know (Including One You've Never Heard Of)

Tommaso Bertocchi — Mon, 20 Apr 2026 09:18:00 +0000

Most developers know the big names.

Docker. Postgres. VS Code.

But there is an entire layer of open-source tooling that most teams still rely on paid SaaS for — secrets management, background jobs, observability, document signing, malware scanning — where the open-source alternative is already better.

Here are 10 projects worth knowing in 2026.

One of them, you have almost certainly never heard of.

TL;DR: open-source has caught up in nearly every category. These 10 projects cover the gaps most teams still pay to fill.

That feeling when you realize the tool you've been paying for has had a better open-source version the whole time. Source: Giphy

Hoppscotch
Infisical
Coolify
Meilisearch
Trigger.dev
Zed
Plane
OpenObserve
Documenso
pompelmi

1) Hoppscotch — The API client that lives in your browser

What it is: A lightweight, open-source API testing platform. Think Postman, but faster to open, easier to share, and fully self-hostable.

Why it matters: API development involves a lot of repetition — building requests, testing auth flows, inspecting headers, sharing collections with teammates. Hoppscotch cuts the friction out of all of it. It runs in the browser with no install required, syncs collections, supports REST, GraphQL, and WebSocket, and the self-hosted version gives you full control over the data.

It is the kind of tool you try once and quietly stop reaching for Postman.

Links: GitHub

# Self-host with Docker
docker run -p 3000:3000 hoppscotch/hoppscotch

2) Infisical — Secrets management that does not make you choose between security and simplicity

What it is: An open-source secrets manager. Centralize environment variables, API keys, and credentials across every service, environment, and team member.

Why it matters: The way most teams handle secrets is quietly catastrophic. .env files checked into repos, credentials pasted in Slack, "just hardcode it for now" becoming permanent. Infisical replaces that entire pattern with a proper secrets platform — audit logs, access controls, secret versioning, native CI/CD integrations, and a self-hosted option if you cannot send credentials to a third party.

The SDK integrates in three lines. The audit trail alone is worth it.

Links: GitHub

import { InfisicalClient } from '@infisical/sdk';

const client = new InfisicalClient({ accessToken: process.env.INFISICAL_TOKEN });
const secret = await client.getSecret({ secretName: 'DATABASE_URL', environment: 'prod', projectId: '...' });

3) Coolify — Self-hosted Heroku that actually works

What it is: An open-source, self-hosted platform for deploying apps, databases, and services on your own infrastructure. It manages SSL, reverse proxying, deployments, and backups without you touching Nginx config files at 2am.

Why it matters: Heroku was the best PaaS experience for years. Then the free tier disappeared and the pricing got serious. Coolify gives you most of that experience on a $6/month VPS. Git push deployments, preview environments, one-click database provisioning, and a clean UI that makes self-hosting feel less like a punishment.

If you have been avoiding self-hosting because it seems too complex, Coolify is the tool that changes that calculation.

Links: GitHub

Waiting on a Heroku dyno to wake up vs watching Coolify deploy in seconds on your own server. Source: Giphy

4) Meilisearch — Search that your users will actually compliment

What it is: A fast, typo-tolerant, open-source search engine built for developer integration. Sub-50ms responses at most scales, with a clean REST API.

Why it matters: Most teams bolt on search as an afterthought, usually with a basic SQL LIKE query that barely works. Meilisearch makes real search — typo correction, faceting, custom ranking, instant results — accessible to a project of any size without standing up a full Elasticsearch cluster.

It installs in minutes, indexes in seconds, and the default ranking is good enough that most projects ship it without tuning.

Links: GitHub

import { MeiliSearch } from 'meilisearch';

const client = new MeiliSearch({ host: 'http://localhost:7700' });
const results = await client.index('products').search('coffe maker', { limit: 10 });
// typo-tolerant — returns "coffee maker" results

5) Trigger.dev — Background jobs without the boilerplate

What it is: An open-source platform for writing and running background jobs, scheduled tasks, and long-running workflows directly in your codebase. It handles retries, delays, fan-out, and observability.

Why it matters: Background job infrastructure is one of those things teams keep rebuilding from scratch — queue setup, worker processes, retry logic, dead-letter handling, monitoring. Trigger.dev wraps all of it in a clean TypeScript API. You write the job like a function, it handles the rest.

The real value is the observability layer. Every run is inspectable, every step is logged, and failures are debuggable without digging through CloudWatch.

Links: GitHub

import { task } from '@trigger.dev/sdk/v3';

export const processUpload = task({
  id: 'process-upload',
  retry: { maxAttempts: 3, minTimeoutInMs: 1000 },
  run: async (payload: { fileUrl: string; userId: string }) => {
    // long-running logic — no timeout worries
    const result = await heavyProcessing(payload.fileUrl);
    await notifyUser(payload.userId, result);
  },
});

6) Zed — The code editor built for people who care about speed

What it is: A high-performance, open-source code editor built in Rust. Collaborative editing built in. GPU-accelerated rendering. LSP support. Extensions.

Why it matters: VS Code is the default, and it is fine. Zed is for developers who have started to notice that "fine" has a hidden cost in startup time, memory, and UI lag. It opens instantly, feels native on macOS and Linux, and has multi-player editing built into the core rather than bolted on as an extension.

If you have been using VS Code and occasionally wondering why your editor uses more memory than your database, Zed is worth a day.

Links: GitHub

7) Plane — Project management without the enterprise bloat

What it is: An open-source alternative to Jira and Linear. Issues, cycles, modules, analytics, and custom workflows — fully self-hostable.

Why it matters: Jira is powerful but notoriously slow and overengineered for most teams. Linear fixed the UX but the pricing adds up at scale and you do not own the data. Plane gives you the clean, fast project management experience without the SaaS lock-in. The UI is clean, it imports from Jira and GitHub, and the self-hosted path is well-documented.

For teams that want control over their project data, this is the clearest alternative.

Links: GitHub

8) OpenObserve — Observability at a fraction of the cost

What it is: An open-source observability platform for logs, metrics, and traces. Built in Rust. Claims up to 140x lower storage costs than Elasticsearch.

Why it matters: The observability stack is one of the biggest hidden costs in modern infrastructure. Datadog, New Relic, and Splunk are priced for enterprises with enterprise budgets. OpenObserve is a single binary that ingests logs, metrics, and traces with a Kibana-like UI, SQL querying, and built-in alerting. The storage efficiency claim is not marketing — it uses columnar storage via Parquet under the hood.

For teams running their own infrastructure, this changes the cost equation significantly.

Links: GitHub

Reading logs through a proper observability UI versus grepping through raw files at 3am. Source: Giphy

9) Documenso — Document signing you actually own

What it is: An open-source DocuSign alternative. Request signatures, build signing flows, manage templates, and keep the audit trail on your own infrastructure.

Why it matters: Document signing touches legal agreements, employment contracts, NDAs, and client approvals. Sending those through a third-party SaaS means someone else's infrastructure holds your signed documents indefinitely. Documenso gives you the same core experience — email delivery, multi-party signing, completed PDF download, audit log — with full data ownership.

It is one of those tools that compliance teams will push for before developers think to ask.

Links: GitHub

10) pompelmi — The one you have never heard of

What it is: A minimal Node.js wrapper around ClamAV that scans any file for malware and returns a typed Verdict — Verdict.Clean, Verdict.Malicious, or Verdict.ScanError. No daemons. No cloud. No native bindings. Zero runtime dependencies.

Why it matters: Upload handling is one of the most consistently underestimated attack surfaces in web apps. File extensions lie. MIME types can be spoofed. Archives can contain nested payloads. Most teams validate file type on the frontend, accept the file, and move on — which is not a security decision, it is wishful thinking.

pompelmi wraps ClamAV's real signature-based scanning in an API clean enough that there is no excuse to skip it. You get a typed result you can branch on, not a regex over stdout.

The design is intentional. No cloud calls. No process you have to manage. Just spawn clamscan, read the exit code, and get a symbol back. If the scan cannot complete, you get Verdict.ScanError — and the library treats that as untrusted by default.

Links: GitHub

npm install pompelmi

const { scan, Verdict } = require('pompelmi');

const result = await scan('/path/to/upload.zip');

if (result === Verdict.Malicious) {
  throw new Error('File rejected: malware detected');
}

if (result === Verdict.ScanError) {
  // scan could not complete — treat as untrusted
  console.warn('Scan incomplete, rejecting file as precaution');
  return;
}

If you accept user uploads in a Node.js app, this is the layer that turns "we trust the file" into "we verified the file." It also supports scanning via a remote clamd instance over TCP, which means the same API works whether ClamAV runs locally or in a container:

const result = await scan('/path/to/upload.zip', {
  host: '127.0.0.1',
  port: 3310,
});

This is the project on the list most likely to quietly become a dependency you cannot imagine shipping without.

Final thoughts

These tools cover real gaps that most teams still fill with paid SaaS, manual process, or nothing at all.

Some of them — like Infisical and Coolify — are already mature enough to use without caveats.

Some — like Trigger.dev and OpenObserve — are moving fast and worth watching closely.

And pompelmi is exactly the kind of tool that makes you wonder why upload security was ever treated as optional in the first place.

Which one are you adding to your stack first?

10 Best Cybersecurity Tools Every Developer Should Know (Including One You've Never Heard Of)

Tommaso Bertocchi — Fri, 17 Apr 2026 09:50:05 +0000

Cybersecurity isn't just for ops teams anymore. As developers, we ship code that handles user data, processes file uploads, and talks to external services. The tools below will help you build safer applications — from scanning malware in uploaded files to auditing your dependencies.

1. 🍋 pompelmi — Antivirus Scanning for Node.js

Website: pompelmi.app | npm: pompelmi | License: ISC

If your Node.js application accepts file uploads, pompelmi is the tool you didn't know you needed.

It's a minimal, zero-dependency wrapper around ClamAV that lets you scan any file path and get back a clean, typed result — no daemons, no cloud calls, no native bindings.

const { scan, Verdict } = require('pompelmi');

async function scanUpload(filePath) {
  const result = await scan(filePath);

  if (result === Verdict.Malicious) {
    throw new Error('Upload rejected: malware detected');
  }

  return result; // Verdict.Clean | Verdict.Malicious | Verdict.ScanError
}

What makes it special:

One function — just call scan(path) and await a typed Verdict Symbol
Zero runtime dependencies — uses Node's built-in child_process
Cross-platform — works on macOS, Linux, and Windows
No daemon required — invokes clamscan directly, no background process to manage
Exit-code mapped — no stdout parsing, no brittle regex

Install it in seconds:

npm install pompelmi
# macOS
brew install clamav && freshclam
# Linux
sudo apt-get install -y clamav clamav-daemon && sudo freshclam

If you're building an API that accepts PDFs, images, or documents from untrusted users, pompelmi is a one-liner that can save you from a catastrophic malware incident.

🔗 Full docs, Docker guide, and API reference at pompelmi.app

2. 🔍 Snyk — Find and Fix Vulnerabilities in Your Code

Website: snyk.io | Free tier: Yes

Snyk is one of the most developer-friendly security tools available. It scans your project's dependencies (npm, pip, Maven, etc.), your container images, and even your Infrastructure-as-Code files for known vulnerabilities.

What stands out is the fix PRs feature — Snyk can automatically open a pull request to upgrade a vulnerable dependency. It integrates directly into GitHub, GitLab, and VS Code.

npm install -g snyk
snyk auth
snyk test

Best for: Continuous dependency vulnerability scanning in CI/CD pipelines.

3. 🛡️ OWASP ZAP — The Classic Web App Scanner

Website: zaproxy.org | License: Apache 2.0

The OWASP Zed Attack Proxy (ZAP) is a battle-tested, open-source web application security scanner maintained by OWASP. It can find XSS, SQL injection, CSRF, and dozens of other vulnerabilities by actively probing your running app.

It comes with both a GUI and a headless/CLI mode, making it easy to embed into your CI pipeline.

Best for: Integration and regression security testing of web apps before deployment.

4. 🔐 Vault by HashiCorp — Secrets Management

Website: vaultproject.io | License: BSL 1.1 / open-source editions available

Hardcoded secrets in your codebase are a ticking time bomb. HashiCorp Vault gives you a centralized, auditable secrets store with fine-grained access control.

It supports dynamic secrets (credentials that are generated on demand and auto-expire), encryption as a service, and integrations with AWS, Kubernetes, and more.

vault kv put secret/myapp db_password="supersecret"
vault kv get secret/myapp

Best for: Teams managing API keys, database credentials, and certificates across multiple services.

5. 🧱 Helmet.js — HTTP Security Headers for Express

Website: helmetjs.github.io | npm: helmet

A surprising number of web vulnerabilities are mitigated simply by setting the right HTTP response headers. Helmet is a tiny Express middleware that sets headers like Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and more.

const express = require('express');
const helmet = require('helmet');

const app = express();
app.use(helmet());

One line of code. Massive security improvement. No excuses.

Best for: Any Node.js/Express application serving a frontend.

6. 🕵️ Trivy — Container & IaC Vulnerability Scanner

Website: trivy.dev | License: Apache 2.0

If you ship Docker containers, Trivy by Aqua Security is the go-to scanner. It checks OS packages, language-specific packages, IaC misconfigurations, and even secrets accidentally baked into your image layers.

trivy image node:18-alpine
trivy fs ./myproject

It's fast, has zero configuration for basic use, and integrates cleanly with GitHub Actions and other CI systems.

Best for: Scanning container images and repositories before pushing to production.

7. 🔎 Semgrep — Static Analysis That Doesn't Suck

Website: semgrep.dev | Free tier: Yes

Semgrep is a fast, lightweight static analysis tool that lets you write rules in a syntax that closely mirrors the code you're analyzing. It supports 30+ languages and comes with thousands of community rules for catching common security bugs.

semgrep --config=p/security-audit ./src

Unlike traditional SAST tools, Semgrep rules are readable and easy to customize — you can write your own rule in minutes to enforce team-specific security patterns.

Best for: Catching security bugs and anti-patterns during code review and CI.

8. 🌐 Burp Suite Community Edition — Manual Pen Testing

Website: portswigger.net/burp | Free tier: Community Edition

Burp Suite is the industry standard for manual web application penetration testing. It acts as a proxy between your browser and the server, letting you intercept, inspect, and modify HTTP/S requests in real time.

The Community Edition is free and includes the intercepting proxy, repeater, decoder, and intruder tools — everything you need to manually probe your own app for logic flaws and injection points.

Best for: Deep-dive manual security testing and bug bounty research.

9. 🔑 age — Modern File Encryption

Website: age-encryption.org | License: BSD 3-Clause

age (pronounced like the word) is a modern, simple file encryption tool and Go library. It's designed as a safer replacement for GPG, with a much simpler interface and no key management footguns.

# Encrypt a file
age -r $RECIPIENT_PUBLIC_KEY secret.txt > secret.txt.age

# Decrypt it
age -d -i ~/.ssh/id_ed25519 secret.txt.age > secret.txt

Best for: Encrypting secrets files, backups, and config files before storing or transmitting them.

10. 📋 npm audit — The One You're Already Ignoring

Built into npm | Free

Okay, this one's a reminder, not a discovery. npm audit is built into every npm installation and checks your dependency tree against the GitHub Advisory Database for known CVEs.

npm audit
npm audit fix
npm audit fix --force  # upgrades breaking changes too

The dirty secret is that most developers run it once and then ignore the warnings. Make it part of your CI pipeline with npm audit --audit-level=high to fail builds on high-severity issues. No excuses — it's already installed.

Best for: Every single Node.js project, every single time.

Summary Table

Tool	Category	Language/Platform	Free?
pompelmi	Malware scanning	Node.js	✅
Snyk	Dependency scanning	Polyglot	✅ (tier)
OWASP ZAP	Web app scanning	Any	✅
HashiCorp Vault	Secrets management	Any	✅ (OSS)
Helmet.js	HTTP headers	Node.js/Express	✅
Trivy	Container scanning	Docker/IaC	✅
Semgrep	Static analysis	30+ languages	✅ (tier)
Burp Suite	Pen testing	Web	✅ (CE)
age	File encryption	Any	✅
npm audit	Dependency audit	Node.js	✅

Final Thoughts

Security doesn't have to be overwhelming. These ten tools cover the most common attack surfaces a typical application exposes: vulnerable dependencies, insecure headers, unscanned uploads, leaked secrets, and misconfigured containers.

Start with the ones closest to your stack. If you're building a Node.js API that accepts file uploads, pompelmi is the first tool you should add today — it's a npm install away and could be the difference between a safe app and a headline.

Found this useful? Drop a ❤️ and share it with your team. Security is everyone's job.

10 npm packages you will use in 2026

Tommaso Bertocchi — Thu, 16 Apr 2026 06:59:58 +0000

The npm ecosystem moves fast.

Libraries you'd never heard of six months ago are now in half the starters on GitHub.
Some are genuinely better. Some are hype.

Here are 10 that I think are actually worth your time in 2026.

TL;DR: Hono, Drizzle, Zod, Vitest, Effect, pompelmi, ofetch, unstorage, tsx, and oslo — one for almost every layer of your stack.

1. Hono — the web framework that actually stays out of your way

What it is:
A ultrafast, edge-first web framework. Runs on Cloudflare Workers, Deno, Bun, Node.js — all with the same API.

Why it matters:
Express is still fine, but it was designed before edge runtimes existed. Hono was built for the current landscape. The router is faster than Express in every benchmark I've seen, and the middleware system is dead simple.

import { Hono } from 'hono';

const app = new Hono();
app.get('/hello', (c) => c.json({ message: 'works everywhere' }));

export default app;

Links:
npm install hono — honojs.dev

2. Drizzle ORM — SQL without losing your mind

What it is:
A TypeScript ORM that writes SQL you'd actually recognize. Schema defined in TypeScript, queries look like SQL, types flow through automatically.

Why it matters:
Prisma is great but generates types at build time via a separate CLI step. Drizzle infers everything from your schema file at the TypeScript level — no codegen, no extra process, faster feedback loop.

const result = await db
  .select()
  .from(users)
  .where(eq(users.role, 'admin'))
  .limit(10);

Links:
npm install drizzle-orm — orm.drizzle.team

3. Zod — runtime validation that TypeScript actually trusts

What it is:
Schema declaration and validation library. Define a shape once, get both a TypeScript type and a runtime validator.

Why it matters:
TypeScript only protects you at compile time. The moment data comes from a form, an API, or a query string — you're on your own. Zod bridges that gap cleanly.

import { z } from 'zod';

const UserSchema = z.object({
  email: z.string().email(),
  age: z.number().min(18),
});

const user = UserSchema.parse(req.body); // throws if invalid

If you're building APIs in 2026 without Zod (or something like it), you're writing validation by hand and lying to yourself about it.

Links:
npm install zod — zod.dev

4. Vitest — tests that don't slow you down

What it is:
A Vite-native test runner. Jest-compatible API, but with native ESM support, instant watch mode, and built-in TypeScript support.

Why it matters:
Jest's startup time is noticeable. Vitest starts in under a second. If you're using Vite already (and you probably are), switching costs almost nothing.

import { describe, it, expect } from 'vitest';

describe('add', () => {
  it('returns correct sum', () => {
    expect(1 + 1).toBe(2);
  });
});

Links:
npm install -D vitest — vitest.dev

5. Effect — error handling the way it should work

What it is:
A TypeScript library for writing reliable, type-safe, composable programs. Errors, async, dependencies — all tracked in the type system.

Why it matters:
try/catch doesn't tell you what can fail or why. Effect makes errors first-class citizens. Every function signature tells you exactly what it can return and what it can fail with.

import { Effect } from 'effect';

const program = Effect.tryPromise({
  try: () => fetch('/api/data').then(r => r.json()),
  catch: (e) => new NetworkError(String(e)),
});

Steep learning curve. Worth it for anything production-critical.

Links:
npm install effect — effect.website

6. pompelmi — antivirus scanning for Node.js that actually works

What it is:
A minimal, zero-dependency wrapper around ClamAV. Scans any file and returns a typed Verdict symbol — Verdict.Clean, Verdict.Malicious, or Verdict.ScanError.

Why it matters:
Most Node.js file upload handlers have no malware scanning at all.
The ones that do usually rely on fragile stdout parsing with regex.
pompelmi maps ClamAV exit codes directly — the stable interface — so it can't silently break between ClamAV versions.

const { scan, Verdict } = require('pompelmi');

const result = await scan(req.file.path);

if (result === Verdict.Malicious) {
  return res.status(400).json({ error: 'File rejected.' });
}

No daemon needed by default. No runtime dependencies. No regex. Cross-platform.
If ClamAV runs in a container, pass host and port and the API stays identical.

pompelmi / pompelmi

Minimal Node.js wrapper around ClamAV — scan any file and get Clean, Malicious, or ScanError. Handles installation and database updates automatically.

pompelmi

ClamAV for humans

Quickstart

npm install pompelmi

const { scan, Verdict } = require('pompelmi');

const result = await scan('/path/to/file.zip');

if (result === Verdict.Malicious) {
  throw new Error('File rejected: malware detected');
}

How it works

Validate — pompelmi checks that the argument is a string and that the file exists before spawning anything.
Scan — pompelmi spawns clamscan --no-summary <filePath> as a child process and reads the exit code.
Map — the exit code…

View on GitHub

Links:
npm install pompelmi — pompelmi.app

7. ofetch — fetch that behaves like you expect

What it is:
A better fetch wrapper from the UnJS team. Auto-parses JSON, smart retries, proper error throwing, and works in Node, browsers, and edge runtimes.

Why it matters:
Native fetch is fine until you need error handling, and then you realize you have to check res.ok yourself every single time. ofetch throws on non-2xx responses by default, handles JSON automatically, and adds retry logic with a single option.

import { ofetch } from 'ofetch';

const data = await ofetch('/api/users', {
  method: 'POST',
  body: { name: 'Tommy' },
  retry: 3,
});

Links:
npm install ofetch — github.com/unjs/ofetch

8. unstorage — one API for every storage backend

What it is:
A universal key-value storage layer. Same API whether you're writing to memory, Redis, Cloudflare KV, localStorage, the filesystem, or a database.

Why it matters:
You want to swap Redis for Cloudflare KV when you move to the edge — you shouldn't have to rewrite your caching layer. unstorage makes that a config change, not a refactor.

import { createStorage } from 'unstorage';
import redisDriver from 'unstorage/drivers/redis';

const storage = createStorage({
  driver: redisDriver({ url: process.env.REDIS_URL }),
});

await storage.setItem('session:abc', { userId: 42 });
const session = await storage.getItem('session:abc');

Links:
npm install unstorage — unstorage.unjs.io

9. tsx — run TypeScript without a build step

What it is:
A CLI tool that runs .ts files directly in Node.js. Drop-in replacement for node, powered by esbuild.

Why it matters:
ts-node is slow. tsx is fast. Starts instantly, handles modern ESM TypeScript, and requires zero configuration.

npx tsx src/index.ts
# or
tsx watch src/index.ts

Replace this in your package.json:

"scripts": {
  "dev": "tsx watch src/index.ts"
}

Links:
npm install -D tsx — tsx.is

10. oslo — auth primitives without the framework lock-in

What it is:
A collection of small, focused auth utilities: CSRF tokens, OTP generation, cookie handling, encoding, timing-safe comparison. From the Lucia auth team.

Why it matters:
Full auth libraries (NextAuth, Lucia) make assumptions about your framework and database. oslo gives you the low-level primitives — the pieces auth is built from — so you can compose exactly what you need.

import { generateRandomString, alphabet } from 'oslo/crypto';
import { TOTP } from 'oslo/otp';

const code = generateRandomString(8, alphabet('0-9'));
const totp = new TOTP('SHA-1', 6, 30);
const isValid = await totp.verify(userInput, secret);

Links:
npm install oslo — oslo.js.org

The list at a glance

Package	Category	One-liner
`hono`	Framework	Edge-native, framework-agnostic web server
`drizzle-orm`	Database	Type-safe ORM, no codegen
`zod`	Validation	Schema → TypeScript type + runtime validation
`vitest`	Testing	Fast Jest-compatible test runner
`effect`	Reliability	Type-safe errors and async composition
`pompelmi`	Security	File antivirus scanning via ClamAV
`ofetch`	HTTP	fetch that handles errors and JSON automatically
`unstorage`	Storage	Universal key-value storage across backends
`tsx`	DX	Run TypeScript files instantly, no config
`oslo`	Auth	Low-level auth primitives, no framework assumptions

Which of these are already in your stack — and which ones are you trying next?

I'm especially curious if anyone has a better alternative to effect for typed error handling without the learning curve.

I tried every Node.js antivirus library. Here's what I found.

Tommaso Bertocchi — Wed, 15 Apr 2026 17:58:49 +0000

Most Node.js file upload handlers look something like this:

app.post('/upload', upload.single('file'), (req, res) => {
  res.json({ ok: true });
});

No scan. No check. Just trust.

That's fine until someone uploads a malware-laced PDF to your SaaS and your enterprise customer's IT team starts asking questions.

I went looking for a proper antivirus solution for Node.js. Here's everything I found — and why most of it is worse than it looks.

TL;DR: Most Node.js antivirus libraries are either abandoned, overly complex, or rely on fragile stdout parsing. pompelmi is the one that actually does it right — zero dependencies, typed verdicts, and direct ClamAV exit code mapping with no regex.

What I was actually looking for

Before I started, I wrote down my requirements:

Works in a real production Node.js app (not a script)
Doesn't require me to run a background daemon 24/7 for single-scan use cases
Returns typed results I can actually switch on
Actively maintained
Zero or minimal runtime dependencies

Spoiler: most libraries fail at least two of these.

The landscape (as of 2025)

1. `clamscan` (npm)

The oldest and most-starred option. Wraps ClamAV and has been around since 2014.

What it does: Spawns clamscan or connects to clamd daemon. Returns a result object.

The problem: It parses stdout with regex patterns. That's a brittle contract — ClamAV output format changes between versions, and your regex silently breaks. I've been burned by this in production. The library also has a handful of long-standing open issues around false negatives on certain output formats.

It works. But you're trusting regex to stand between you and malware.

2. `clamdjs`

Connects to a running clamd daemon via TCP.

The problem: You have to run a daemon. For many setups — serverless functions, ephemeral containers, low-traffic apps — spinning up a persistent background service just to occasionally scan a file is overkill. Also, clamdjs hasn't seen meaningful updates in years.

3. Random VirusTotal API wrappers

These exist. They send your files to VirusTotal's API and return scan results.

The problem: You're uploading potentially sensitive user files to a third-party service. For anything with PII, healthcare data, or enterprise contracts, that's a non-starter. Also rate limits, latency, and cost.

4. Cloud-native options (AWS Malware Protection, GCP Security Command Center)

If you're already deep in AWS or GCP, these exist and work well.

The problem: Vendor lock-in, cost, and setup complexity. Sometimes you just want to await scan(file) and move on.

pompelmi: the one I actually kept

pompelmi / pompelmi

Minimal Node.js wrapper around ClamAV — scan any file and get Clean, Malicious, or ScanError. Handles installation and database updates automatically.

pompelmi

ClamAV for humans

Quickstart

npm install pompelmi

const { scan, Verdict } = require('pompelmi');

const result = await scan('/path/to/file.zip');

if (result === Verdict.Malicious) {
  throw new Error('File rejected: malware detected');
}

How it works

Validate — pompelmi checks that the argument is a string and that the file exists before spawning anything.
Scan — pompelmi spawns clamscan --no-summary <filePath> as a child process and reads the exit code.
Map — the exit code…

View on GitHub

pompelmi is a Node.js antivirus library built around one idea: don't parse stdout, map exit codes directly.

ClamAV already communicates via exit codes. 0 = clean. 1 = malware found. 2 = error. pompelmi maps these directly to typed verdict symbols. No regex. No stdout parsing. No silent failures.

Install

npm install @pompelmi/probe

ClamAV needs to be present on the host (one-time setup):

# macOS
brew install clamav && freshclam

# Ubuntu/Debian
sudo apt-get install -y clamav && sudo freshclam

# Windows
choco install clamav -y

pompelmi automatically detects whether your virus definitions are up-to-date and skips freshclam if they already are. No redundant downloads.

Usage

import { scan, Verdict } from '@pompelmi/probe';

const result = await scan('/path/to/uploaded-file.pdf');

switch (result) {
  case Verdict.Clean:
    // Safe to process
    break;
  case Verdict.Malicious:
    // Reject and alert
    break;
  case Verdict.ScanError:
    // Handle gracefully
    break;
}

That's it. Typed. Exhaustive. No strings to compare, no regex, no result.isInfected booleans with unclear semantics.

What makes it different

No stdout parsing.
Every other library I tested parses ClamAV's human-readable output. pompelmi uses exit codes exclusively — the stable, documented interface ClamAV actually exposes.

No daemon required.
pompelmi calls clamscan directly via Node's built-in child_process. No background process to manage. Works in Lambda, in Docker, in a plain old Express app.

Zero runtime dependencies.
The entire library relies on Node.js built-ins. Nothing to audit, nothing to patch, nothing that breaks on a minor version bump.

Cross-platform.
macOS, Linux, and Windows all work with the same code. The ClamAV install step varies per OS; the Node.js API doesn't.

Typed verdicts.
Verdict.Clean, Verdict.Malicious, Verdict.ScanError — symbols, not strings. TypeScript narrows correctly. You can't typo "malicous" at 2am and ship a broken check.

A realistic Express upload handler

import express from 'express';
import multer from 'multer';
import { scan, Verdict } from '@pompelmi/probe';
import path from 'path';
import fs from 'fs/promises';

const app = express();
const upload = multer({ dest: '/tmp/uploads' });

app.post('/upload', upload.single('file'), async (req, res) => {
  const filePath = req.file.path;

  try {
    const result = await scan(filePath);

    if (result === Verdict.Malicious) {
      await fs.unlink(filePath);
      return res.status(400).json({ error: 'File rejected: malware detected.' });
    }

    if (result === Verdict.ScanError) {
      await fs.unlink(filePath);
      return res.status(500).json({ error: 'Scan failed. Please retry.' });
    }

    // Verdict.Clean — proceed with processing
    const dest = path.join('/var/uploads', req.file.originalname);
    await fs.rename(filePath, dest);
    res.json({ ok: true, path: dest });

  } catch (err) {
    await fs.unlink(filePath).catch(() => {});
    res.status(500).json({ error: 'Unexpected error.' });
  }
});

Clean, safe, and explicit about every possible outcome.

The verdict (pun intended)

Library	Maintained	No daemon needed	Typed results	No stdout parsing	Zero deps
`clamscan`	Partially	Yes	No	No	No
`clamdjs`	No	No	No	No	No
VirusTotal wrappers	Varies	Yes	Varies	N/A	No
pompelmi	Yes	Yes	Yes	Yes	Yes

If you're building a Node.js app that handles file uploads in 2025, you should be scanning them.

pompelmi makes it as easy as it should be.

Are you scanning user uploads in your app? What's your current setup — and what's the biggest friction point you've hit?

Drop it in the comments. I'm curious whether anyone has a pattern I haven't seen.

it will be for all 2026

Tommaso Bertocchi — Sun, 12 Apr 2026 17:35:58 +0000

Tommaso Bertocchi

Mar 14

10 Open-Source Projects You’ll Actually Use in 2026

#ai #webdev #programming #opensource

Comments 1

7 min read

read this

Tommaso Bertocchi — Sun, 12 Apr 2026 17:27:09 +0000

Tommaso Bertocchi

Apr 12

I Spent 3 Hours Adding Antivirus to My Express App. Then I Reduced It to 3 Lines.

#javascript #node #security #beginners

Comments 2

3 min read

I Spent 3 Hours Adding Antivirus to My Express App. Then I Reduced It to 3 Lines.

Tommaso Bertocchi — Sun, 12 Apr 2026 09:51:23 +0000

Two years ago, I shipped my first production app with file uploads. A week later, my mentor asked: "Are you scanning those files for malware?"

I wasn't.

The Google Rabbit Hole

Like any developer, I Googled "node js antivirus file upload." Here's what I found:

ClamAV — the open-source standard. Great! Let's use it.
clamscan npm package — 47 configuration options.
clamav.js — requires running clamd daemon.
Various tutorials — "First, configure your socket connection..."

I just wanted to scan a file. Why did I need to understand Unix sockets?

My First Attempt

After an hour of reading docs, I had something like this:

const NodeClam = require('clamscan');

const clamscan = new NodeClam().init({
  removeInfected: false,
  quarantineInfected: false,
  scanLog: null,
  debugMode: false,
  fileList: null,
  scanRecursively: true,
  clamscan: {
    path: '/usr/bin/clamscan',
    db: null,
    scanArchives: true,
    active: true
  },
  clamdscan: {
    socket: '/var/run/clamav/clamd.ctl',
    host: false,
    port: false,
    timeout: 60000,
    localFallback: true,
    path: '/usr/bin/clamdscan',
    configFile: null,
    multiscan: true,
    reloadDb: false,
    active: true,
    bypassTest: false,
  },
  preference: 'clamdscan'
});

// ... 30 more lines to actually scan a file

It didn't work. The socket path was wrong on my Mac. I spent another hour debugging.

The Daemon Problem

Most ClamAV wrappers assume you're running clamd — a background daemon that keeps virus definitions in memory for faster scanning.

This makes sense for high-throughput enterprise systems. But I was building a side project. I didn't want to manage a daemon. I didn't want to configure systemd. I didn't want to think about socket permissions.

I just wanted to answer one question: is this file safe?

What I Actually Needed

After three hours of frustration, I wrote down what I actually wanted:

const { scan, Verdict } = require('pompelmi');

const result = await scan('/path/to/upload.zip');
// Verdict.Clean | Verdict.Malicious | Verdict.ScanError — that's it

No daemon. No configuration object. No socket paths. Just a function that takes a file and returns an answer.

So I built it.

pompelmi: ClamAV for Humans

const { scan, Verdict } = require('pompelmi');

const result = await pompelmi.scan('/path/to/file.zip');

if (result === Verdict.Malicious) {
  throw new Error('File rejected: malware detected');
}

That's the entire API. One function. Three possible results — typed as Symbols, so no typos, no accidental string mismatches.

Here's the same Express middleware, before and after:

Before (47 lines)

const NodeClam = require('clamscan');
const multer = require('multer');

// ... 35 lines of configuration ...

app.post('/upload', upload.single('file'), async (req, res) => {
  try {
    const clam = await clamscan;
    const {isInfected, viruses} = await clam.isInfected(req.file.path);
    if (isInfected) {
      fs.unlinkSync(req.file.path);
      return res.status(400).json({ error: 'Malware detected', viruses });
    }
    res.json({ success: true });
  } catch (err) {
    // Is this a scan error or a config error? Who knows!
    res.status(500).json({ error: 'Scan failed' });
  }
});

After (12 lines)

const { scan, Verdict } = require('pompelmi');
const multer = require('multer');

app.post('/upload', upload.single('file'), async (req, res) => {
  const result = await scan(req.file.path);

  if (result === Verdict.Malicious) {
    fs.unlinkSync(req.file.path);
    return res.status(400).json({ error: 'Malware detected' });
  }

  if (result === Verdict.ScanError) {
    // Scan couldn't complete — treat as untrusted
    fs.unlinkSync(req.file.path);
    return res.status(400).json({ error: 'File rejected' });
  }

  res.json({ success: true });
});

How It Works (The Boring Way)

pompelmi doesn't do anything clever:

Check that the file exists
Spawn clamscan --no-summary <path> using Node's native child_process
Read the exit code
Map it to a Symbol

No stdout parsing. No regex. No daemon. No socket. No third-party spawn library. Just a child process and an exit code.

Exit 0 → Verdict.Clean
Exit 1 → Verdict.Malicious
Exit 2 → Verdict.ScanError

ClamAV has been doing this reliably for 20 years. I just wrapped it in a function.

Why Symbols, Not Strings?

Since v1.2.0, scan results are Symbols, not plain strings. This means:

// ✅ This works
if (result === Verdict.Malicious) { ... }

// ❌ This will never match — intentionally
if (result === 'Malicious') { ... }

It prevents a whole class of bugs where you typo a string comparison ('malicious' vs 'Malicious') and your security check silently does nothing. The compiler catches it for you.

If you need the verdict as a string for logging, each Symbol has a .description property:

console.log(result.description); // "Clean", "Malicious", or "ScanError"

Upgrading from v1.1.x? Replace any result === 'Clean' checks with result === Verdict.Clean (and same for Malicious and ScanError). Don't forget to import Verdict alongside scan.

"But What About Performance?"

Yes, spawning clamscan for every file is slower than using the daemon. Each scan loads the virus database from disk (~300MB).

For a side project handling 100 uploads/day? Doesn't matter.

For a startup processing 10,000 files/hour? You probably have a dedicated security engineer who knows how to configure clamd.

pompelmi is for the 99% of developers who just need something — and "slow but working" beats "fast but misconfigured."

The Point

Developer tools should meet you where you are.

When I was a junior developer, I didn't need 47 configuration options. I needed one function that worked. I needed to ship something on Friday and not think about Unix sockets.

If you're building something bigger, you'll outgrow pompelmi. That's fine. By then, you'll understand why you need the daemon, and configuring it won't feel like dark magic.

But if you're building your first app with file uploads, and you just want to scan for malware without a 3-hour detour — npm install pompelmi.

npm install pompelmi

GitHub · npm

pompelmi is Italian for "grapefruits." I named it that because I was eating one when I finally got the code working at 2am. Sometimes that's all the reason you need.

10 Tools That Will Instantly Make Your Coding Projects Better

Tommaso Bertocchi — Fri, 03 Apr 2026 09:03:50 +0000

Most coding projects do not fail because the idea was bad.

They fail because everything around the code is weak.

The deploy process is manual.

The API contract lives in someone's head.

Errors show up first in production.

Dependencies age quietly until they become a problem.

Uploads get trusted way too easily.

Nobody has a clean picture of how the system actually works.

That is the part a lot of teams underestimate.

Good projects are not just built with good code.

They are built with good systems around the code.

So this is not a random list of apps.

These are 10 tools that make coding projects feel more professional, more reliable, more secure, and much easier to ship.

TL;DR: Better projects usually come from stronger workflow, testing, observability, documentation, dependency hygiene, and security, not just smarter features.

The moment you realize the feature works, but the project still feels one bad deploy away from chaos. Source: South Park on Giphy

GitHub Actions
Postman
Docker
Sentry
Playwright
Swagger / OpenAPI
pompelmi
Dependabot
Excalidraw
Raycast

1) GitHub Actions — Stop shipping manually

What it is: GitHub's built-in automation layer for CI, CD, releases, scheduled jobs, and repo workflows.

Why it improves your project: It turns quality checks from a vague team habit into a repeatable system. Linting, tests, builds, previews, and deploy gates stop depending on who remembered what.

Best for: pull request checks, automated releases, scheduled maintenance jobs, deployment pipelines, repo housekeeping.

The fastest way to make a repo feel serious is to make every change prove itself before it lands. Even a small workflow that runs install, lint, test, and build on every PR removes a huge amount of avoidable drama.

Links: Official · Representative repo

actions / starter-workflows

Accelerating new GitHub Actions workflows

Starter Workflows

These are the workflow files for helping people get started with GitHub Actions. They're presented whenever you start to create a new GitHub Actions workflow.

If you want to get started with GitHub Actions, you can use these starter workflows by clicking the "Actions" tab in the repository where you want to create a workflow.

Note

Thank you for your interest in this GitHub repo, however, right now we are not taking contributions.

We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in.

We…

View on GitHub

name: ci

on:
  pull_request:
  push:
    branches: [main]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm run lint
      - run: npm test
      - run: npm run build

When the team discovers that "our deploy checklist" was actually just one person's memory. Source: Family Guy on Giphy

2) Postman — Make your API usable by more than its author

What it is: An API platform for sending requests, organizing collections, sharing environments, and testing real responses.

Why it improves your project: Good APIs are not just endpoints that return JSON. They are endpoints people can inspect, replay, debug, and hand to teammates without a 20-minute Slack explanation.

Best for: backend teams, QA workflows, auth-heavy APIs, onboarding, partner integrations, manual verification.

Postman is useful because it turns one person's debugging setup into shared project knowledge. The moment auth headers, refresh flows, sample payloads, and odd edge-case requests are saved in a collection, your API stops feeling mysterious. And once those collections become something your team can rerun and share consistently, the project gets easier to trust.

Links: Official · Representative repo

postmanlabs / newman

Newman is a command-line collection runner for Postman

Manage all of your organization's APIs in Postman, with the industry's most complete API development environment.

newman the cli companion for postman

Newman is a command-line collection runner for Postman. It allows you to effortlessly run and test a Postman collection directly from the command-line. It is built with extensibility in mind so that you can easily integrate it with your continuous integration servers and build systems.

Getting started

…

View on GitHub

3) Docker — Kill environment roulette

What it is: A container platform for packaging your app and its dependencies into reproducible environments.

Why it improves your project: It reduces the classic "works on my machine" tax by making local, CI, staging, and production setups much more predictable.

Best for: apps with multiple services, onboarding, backend systems, consistent local environments, reproducible deployments.

Docker will not magically fix bad architecture, but it will stop the weekly ritual where one machine has the right runtime, another machine has the wrong system packages, and production is somehow "close enough." That alone makes a project calmer to ship.

Links: Official · Representative repo

docker / compose

Define and run multi-container applications with Docker

Docker Compose

Docker Compose is a tool for running multi-container applications on Docker defined using the Compose file format A Compose file is used to define how one or more containers that make up your application are configured. Once you have a Compose file, you can create and start your application with a single command: docker compose up.

Note: About Docker Swarm Docker Swarm used to rely on the legacy compose file format but did not adopt the compose specification so is missing some of the recent enhancements in the compose syntax. After acquisition by Mirantis swarm isn't maintained by Docker Inc, and as such some Docker Compose features aren't accessible to swarm users.

Where to get Docker Compose

Windows and macOS

Docker Compose is included in Docker Desktop…

View on GitHub

services:
  app:
    build: .
    ports:
      - "3000:3000"
    environment:
      NODE_ENV: production
    depends_on:
      - postgres

  postgres:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: postgres

Trying to explain why local, staging, and production are "basically the same" when they absolutely are not. Source: The Simpsons on Giphy

4) Sentry — Catch the breakage before users do

What it is: Error tracking and performance monitoring for apps, APIs, and background jobs.

Why it improves your project: It gives failures context instead of vibes. You get stack traces, release correlation, breadcrumbs, request metadata, and performance signals that help you fix the right thing faster.

Best for: production apps, APIs, workers, frontend error tracking, release monitoring, performance debugging.

Projects get better the minute production stops feeling like a blindfold. Sentry shortens the distance between "something is broken" and "here is the exact release, route, and error path that caused it."

Links: Official · GitHub

getsentry / sentry

Developer-first error tracking and performance monitoring

Users and logs provide clues. Sentry provides answers.

What's Sentry?

Sentry is the debugging platform that helps every developer detect, trace, and fix issues. Code breaks, fix it faster.

Official Sentry SDKs

Resources

Documentation
Discussions (Bugs, feature requests, general questions)
Discord
Contributing
Bug Tracker
Code
Transifex (Translate Sentry!)

View on GitHub

import * as Sentry from '@sentry/node';

Sentry.init({
  dsn: process.env.SENTRY_DSN,
  environment: process.env.NODE_ENV,
  tracesSampleRate: 0.2,
});

5) Playwright — Test the flows that actually make or break products

What it is: A browser automation and end-to-end testing framework for real user journeys.

Why it improves your project: Unit tests are great for logic. Playwright is how you protect the stuff people actually click, type, submit, and depend on.

Best for: login flows, checkout paths, onboarding, regression prevention, cross-browser testing, critical UI journeys.

A lot of products feel stable right up until somebody runs the real flow. One solid Playwright test for auth, payments, or signup often prevents the kind of regression that makes a team lose confidence in every release.

Links: Official · GitHub

microsoft / playwright

Playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API.

🎭 Playwright

Documentation | API reference

Playwright is a framework for web automation and testing. It drives Chromium, Firefox, and WebKit with a single API — in your tests, in your scripts, and as a tool for AI agents.

Get Started

Choose the path that fits your workflow:

Best for	Install
Playwright Test	End-to-end testing	`npm init playwright@latest`
Playwright CLI	Coding agents (Claude Code, Copilot)	`npm i -g @playwright/cli@latest`
Playwright MCP	AI agents and LLM-driven automation	`npx @playwright/mcp@latest`
Playwright Library	Browser automation scripts	`npm i playwright`
VS Code Extension	Test authoring and debugging in VS Code	Install from Marketplace

Playwright Test

Playwright Test is a full-featured test runner built for end-to-end testing. It runs tests across Chromium, Firefox, and WebKit with full browser isolation, auto-waiting, and web-first assertions.

Install

npm init playwright@latest

Or add manually:

npm i -D @playwright/test
npx playwright install

Write a test

import { test, expect

…

View on GitHub

import { test, expect } from '@playwright/test';

test('checkout completes successfully', async ({ page }) => {
  await page.goto('/checkout');
  await page.getByLabel('Email').fill('dev@example.com');
  await page.getByRole('button', { name: 'Pay now' }).click();
  await expect(page.getByText('Payment confirmed')).toBeVisible();
});

The exact moment your one "probably fine" user flow turns out to be the one thing that definitely needed an end-to-end test. Source: South Park on Giphy

6) Swagger / OpenAPI — Turn your API into a real contract

What it is: A specification-driven way to describe routes, payloads, auth requirements, and responses.

Why it improves your project: It makes your API explicit. That means better docs, fewer frontend/backend misunderstandings, easier integrations, and less behavior hidden in memory or tribal knowledge.

Best for: internal APIs, public APIs, SDK generation, backend teams, frontend handoff, partner integrations.

When the contract is written down, fewer things depend on guessing. That helps new teammates onboard faster, frontend work unblock earlier, and backend changes stop surprising everybody else.

Links: Official spec · Swagger UI · Representative repo

swagger-api / swagger-ui

Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.

Introduction

Swagger UI allows anyone — be it your development team or your end consumers — to visualize and interact with the API’s resources without having any of the implementation logic in place. It’s automatically generated from your OpenAPI (formerly known as Swagger) Specification, with the visual documentation making it easy for back end implementation and client side consumption.

General

👉🏼 Want to score an easy open-source contribution? Check out our Good first issue label.

🕰️ Looking for the older version of Swagger UI? Refer to the 2.x branch.

This repository publishes three different NPM modules:

swagger-ui is a traditional npm module intended for use in single-page applications that are capable of resolving dependencies (via Webpack, Browserify, etc.).
swagger-ui-dist is a dependency-free module that includes everything you need to serve Swagger UI in a server-side project, or a single-page application that can't resolve npm module dependencies.
swagger-ui-react is Swagger…

View on GitHub

openapi: 3.1.0
info:
  title: "Example API"
  version: 1.0.0
paths:
  /users/{id}:
    get:
      summary: Fetch a user
      parameters:
        - in: path
          name: id
          required: true
          schema:
            type: string
      responses:
        "200":
          description: "User returned successfully"

Frontend, backend, and QA when the API shape is finally written down in one place instead of floating around in chat history. Source: The Simpsons on Giphy

7) pompelmi — Secure the upload edge before it bites you

What it is: A Node.js file upload security tool that scans uploads in-process before you accept them.

Why it improves your project: Upload handling is one of the most underestimated attack surfaces in web apps. Extensions lie, MIME types can be spoofed, archives can be risky, and "we'll validate later" is how tiny assumptions become expensive incidents.

Best for: Express, Fastify, Koa, NestJS, Next.js, privacy-sensitive products, public upload flows, moderation-heavy apps.

Most teams spend more time styling the upload button than defending the upload pipeline. That is backwards. A tool like pompelmi helps you make verdict-based decisions before a file becomes your problem, which is exactly the kind of boring guardrail mature projects quietly rely on.

Repo: GitHub

Site: Project site

Demo: Live demo

import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';

const report = await scanBytes(file.buffer, {
  filename: file.originalname,
  mimeType: file.mimetype,
  policy: STRICT_PUBLIC_UPLOAD,
  failClosed: true,
});

if (report.verdict !== 'clean') {
  return res.status(422).json({
    error: 'Upload blocked',
    verdict: report.verdict,
    reasons: report.reasons,
  });
}

If you handle user uploads in Node.js, this is the kind of layer that makes your project feel much more intentional. It is not just about malware. It is about treating MIME spoofing, risky archives, and uncertain files as security decisions instead of wishful thinking.

Repository preview

pompelmi / pompelmi

Open-source file upload security for Node.js. Scan files before storage to detect malware, MIME spoofing, and risky archives.

Pompelmi

In-process file upload security for Node.js. Inspect untrusted files before storage so your application can reject, quarantine, or accept with context.

Pompelmi helps reduce:

MIME / extension spoofing and magic-byte mismatches
risky archive structures such as ZIP bombs, traversal, and deep nesting
risky document and binary patterns such as PDF actions, Office macro hints, PE signatures, and polyglot files
store-first upload flows that need a clean / suspicious / malicious verdict before persistence
known malicious matches when you plug in YARA or another scanner

Install: npm install pompelmi

Quick Start

import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
const report = await scanBytes(file.buffer, {
  filename: file.originalname,
  mimeType: file.mimetype,
  policy: STRICT_PUBLIC_UPLOAD,
  failClosed: true,
});

if (report.verdict !== 'clean') {
  return res.status(422)

…

View on GitHub

Upload security usually feels optional right until it really, really is not.

8) Dependabot — Keep dependency drift from turning into real risk

What it is: GitHub's automated dependency update system for packages, containers, and workflow versions.

Why it improves your project: It keeps security and maintenance work moving in small increments instead of one painful cleanup sprint after months of neglect.

Best for: npm repos, Docker images, GitHub Actions workflows, libraries, apps with busy dependency trees.

Most dependency risk is boring right until it is suddenly not. Dependabot makes updates reviewable, visible, and routine, which is much better than discovering six months of drift during an incident or release crunch.

Links: Docs · GitHub

dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Welcome to the public home of Dependabot .

What is Dependabot-Core?

Dependabot-Core is the library at the heart of Dependabot security / version updates.

Use it to generate automated pull requests updating dependencies for projects written in Ruby, JavaScript, Python, PHP, Dart, Elixir, Elm, Go, Rust, Java, Julia, and .NET. It can also update git submodules, Docker files, Opentofu, Terraform files and Pre-Commit hooks. Features include:

Check for the latest version of a dependency that's resolvable given a project's other dependencies
Generate updated manifest and lockfiles for a new dependency version
Generate PR descriptions that include the updated dependency's changelogs, release notes, and commits

How to

…

View on GitHub

version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

The face you make when a stale dependency turns into tonight's emergency patch window. Source: Family Guy on Giphy

9) Excalidraw — Think clearly before you build expensively

What it is: A fast, low-friction whiteboard for architecture sketches, flows, states, and system diagrams.

Why it improves your project: It helps teams see the system before they commit to the system. That reduces misalignment, hand-wavy assumptions, and long explanations nobody remembers later.

Best for: architecture reviews, sequence diagrams, onboarding docs, RFCs, async collaboration, state-flow discussions.

A five-minute sketch can save hours of wrong implementation. Excalidraw is especially good when a project keeps getting explained verbally but never gets turned into something the whole team can point at and improve together.

Links: Official · GitHub

excalidraw / excalidraw

Virtual whiteboard for sketching hand-drawn like diagrams

Excalidraw Editor | Blog | Documentation | Excalidraw+

An open source virtual hand-drawn style whiteboard.
Collaborative and end-to-end encrypted.

Create beautiful hand-drawn like diagrams, wireframes, or whatever you like.

Features

The Excalidraw editor (npm package) supports:

💯 Free & open-source.
🎨 Infinite, canvas-based whiteboard.
✍️ Hand-drawn like style.
🌓 Dark mode.
🏗️ Customizable.
📷 Image support.
😀 Shape libraries support.
🌐 Localization (i18n) support.
🖼️ Export to PNG, SVG & clipboard.
💾 Open format - export drawings as an .excalidraw json file.
⚒️ Wide range of tools - rectangle, circle, diamond, arrow, line, free-draw, eraser...
➡️ Arrow-binding & labeled arrows.
🔙 Undo / Redo.
🔍 Zoom and panning support.

Excalidraw.com

The app hosted at excalidraw.com is a minimal showcase of what you can build with Excalidraw. Its source code is part of this repository as well, and the app features:

📡 PWA support (works offline).
🤼 Real-time collaboration.
🔒 End-to-end…

View on GitHub

10) Raycast — Remove friction from the machine itself

What it is: A keyboard-first launcher and automation layer for local developer workflows.

Why it improves your project: Not every project improvement lives in the repo. Faster local execution means less context-switching, fewer tiny interruptions, and more energy left for the work that actually matters.

Best for: macOS-based developers, snippets, quick scripts, search, clipboard workflows, window control, micro-automation.

Raycast is one of those tools that quietly improves everything around your coding day. Opening the right folders, jumping to tickets, searching docs, running snippets, and triggering scripts faster sounds small until you notice how much time you stop wasting.

Links: Official · GitHub

raycast / extensions

Everything you need to extend Raycast.

Raycast Extensions

Raycast lets you control your tools with a few keystrokes. This repository contains all extensions that are available in the Raycast Store. It also includes documentation and examples of how to extend Raycast using React.

Getting Started

Visit https://developers.raycast.com to get started with our API. If you want to discover and install extensions, check out our Store.

Be sure to read and follow our Community and Extension guidelines and Acceptable Use Policy when submitting your extension and interacting with other folks in this repository.

Feedback

Raycast wouldn't be where it is without the feedback from our community, so we would be happy to hear what you think of the API / DevX and how we can improve. Please use GitHub issues for everything API related (bugs, improvements suggestions, developer experience, docs, etc). We have a few templates that should help you get started.

Community

Join our…

View on GitHub

What your laptop sees after you finally replace ten tiny daily interruptions with one keyboard-first workflow. Source: South Park on Giphy

Final thoughts

The projects people trust are rarely the ones with the flashiest feature list.

They are the ones where:

deploys are repeatable
APIs are easy to test
user flows are protected
production failures are visible
docs are explicit
uploads are treated like a real security boundary
dependencies do not rot quietly
ideas are clarified before code gets expensive

That is why good tooling matters so much.

It does not just make developers faster.
It makes projects better.

If you could add only one of these to your stack this week, which one would make the biggest difference?

7 Real Workflows That Actually Save Developers Hours

Tommaso Bertocchi — Thu, 02 Apr 2026 13:50:09 +0000

Most developers are still using AI like a novelty keyboard shortcut.

They ask it for regexes, toy apps, or random refactors, then wonder why the payoff feels small.

That is the wrong mental model.

The real value is not "write code for me." The real value is "remove the friction around engineering work."

GIF source: Salesforce on Giphy

The code itself is often not the slow part. The slow part is turning messy human input into something the codebase can actually absorb.

Bug reports are vague. Product requests are fuzzy. PRs hide edge cases. Logs are noisy. Meetings are chaos. Docs get written last. Migrations start with "should be fine" and end with regret.

That is where AI earns its keep.

TL;DR

Stop using AI for one-off tricks and start using it for repeatable engineering workflows.
The best workflows sit before coding or after coding, not just inside the editor.
AI is great at turning messy input into structured output.
Good outputs include test cases, checklists, review notes, implementation plans, and docs.
You still own the judgment.
You let the model handle the formatting, sorting, summarizing, and first-pass synthesis.
AI stops feeling like a toy when it becomes part of your process.

AI stops being impressive when you demo it.

It starts being useful when it handles the annoying parts of engineering.

1. Turn rough bug reports into reproducible test cases

The problem: most bug reports are written like crime scene poetry.

"Checkout is broken on mobile sometimes" is not a useful input. Neither is "I clicked around and it failed."

How AI helps: give it the report, any stack trace, and a bit of context. Ask it to turn that mess into a reproducible path, a test matrix, and candidate assertions.

Practical example: a PM drops this into Slack:

User says password reset fails after they open the email on iPhone and go back to the app.

That is not ready for engineering. AI can turn it into:

likely repro conditions
assumptions to verify
exact steps to test
likely layers involved
candidate integration or E2E test cases

Turn this bug report into a reproducible test plan.

Output:
- assumptions
- exact repro steps
- likely affected layers
- edge cases to test
- one candidate automated test

Bug report:
"User says password reset fails after they open the email on iPhone and go back to the app."

Why it saves time: you stop spending the first 30 minutes translating vague human language into engineer language.

2. Generate first-draft docs right after shipping a feature

The problem: docs are always "we'll do it after this PR lands." Then nobody does it.

How AI helps: after the feature ships, feed it the PR description, commit summary, config changes, and a couple of examples. Let it draft internal docs, release notes, or onboarding notes while the context is still fresh.

Practical example: you shipped a webhook retry system. You already have the raw ingredients:

PR summary
env vars added
retry rules
failure behavior
sample payloads

Turn that into a first draft immediately.

Turn these shipping notes into internal docs.

Output:
- what changed
- why it exists
- new config or env vars
- failure behavior
- examples
- what support/devs should know

Notes:
[paste PR description, commit summary, examples]

Why it saves time: blank-page writing is slow. Editing a decent first draft is fast.

3. Turn giant log dumps into structured debugging notes

The problem: logs are full of repetition, noise, and timing confusion. You end up scrolling forever and still do not have a clean theory.

How AI helps: ask it to cluster repeated errors, reconstruct the timeline, and separate symptoms from likely root causes.

Practical example: you paste in request logs, app errors, and one queue worker trace. Instead of "look through this," you ask for structure:

Analyze these logs and turn them into debugging notes.

Output:
- timeline of events
- repeated errors grouped together
- likely root causes
- signals that may be red herrings
- next 5 checks to run

Logs:
[paste logs]

Why it saves time: the model is doing triage, not fixing production. That is exactly where it is useful.

Optional deeper example
Instead of rereading 400 lines of logs, ask for output in this shape:

Timeline: request received, cache miss, DB timeout, retry, downstream 502
Recurring patterns: same tenant, same endpoint, same timeout window
Most likely causes: connection pool exhaustion, retry storm, slow downstream dependency
Checks to run now: inspect pool metrics, compare healthy tenant timings, sample failed request IDs, verify retry backoff, look for deploy correlation

That gives you a debugging worksheet instead of a wall of text.

4. Extract action items from messy meetings or issue threads

The problem: a single GitHub issue or Slack thread can contain decisions, half-decisions, contradictions, and silent assumptions.

How AI helps: make it extract owners, blockers, decisions, and unanswered questions in a format your team can actually act on.

Practical example: after a product meeting, you have rough notes plus a noisy thread with frontend, backend, and design comments mixed together. Ask AI to convert it into a clean action list.

Read this meeting transcript and issue thread.

Extract:
- decisions made
- open questions
- blockers
- owners if identifiable
- next actions

Format it as a concise engineering handoff.

Why it saves time: you stop rewriting the same conversation into tickets by hand.

5. Create migration checklists before touching code

The problem: upgrades fail because teams start with code changes instead of scope control.

How AI helps: before you touch the repo, use AI to generate a migration checklist that covers dependency risks, config changes, affected app areas, test plan, rollout risks, and rollback points.

GIF source: Microsoft Cloud on Giphy

Practical example: you need to upgrade a framework, SDK, or ORM. Do not begin with "let's bump the version and see what breaks."

Start here:

Create a migration checklist for this upgrade.

Context:
- current version: X
- target version: Y
- package list
- build/test scripts
- app patterns in use

Output:
- risky areas
- code patterns to audit
- config changes
- test plan
- rollout plan
- rollback plan

Why it saves time: migrations get expensive when you discover risk too late. A checklist is cheaper than a surprise.

6. Review PRs for edge cases and missing tests

The problem: most AI PR reviews are too polite and too shallow. "Looks good" is useless.

How AI helps: give it a diff and ask it to act like a skeptical reviewer. Not a cheerleader. Not a linter. A reviewer looking for behavioral gaps.

Practical example: a PR claims to "fix duplicate invoice sending." AI can inspect the patch and ask the questions a rushed human reviewer might miss:

what happens on retries?
what if the process crashes after write but before send?
what if two workers race?
where is the regression test?

Review this PR diff like a skeptical staff engineer.

Focus on:
- edge cases
- behavior changes not mentioned in the title
- missing tests
- rollback risk
- race conditions
- failure states

Diff:
[paste diff or summary]

Why it saves time: it gives you a second set of eyes on the logic, not just the syntax.

7. Turn vague product requests into implementation plans

The problem: product asks are often written at the wrong altitude. Too vague to estimate. Too specific to question. Dangerous combination.

How AI helps: use it to turn the request into an engineering plan with assumptions, scope boundaries, data changes, states, risks, and open questions.

Practical example: "We need users to pause subscriptions temporarily."

That sounds simple until you ask the obvious follow-ups:

billing implications?
proration?
expiration?
admin override?
analytics?
email flows?
API contract?
mobile states?
edge case when payment fails during resume?

Turn this product request into an implementation plan.

Output:
- assumptions
- open questions
- API/data model changes
- frontend states
- edge cases
- telemetry
- smallest shippable version
- risks

Request:
"We need users to pause subscriptions temporarily."

Why it saves time: you walk into planning with something sharper than vibes.

Toy Use vs Real Workflow

Toy use	Real workflow	Why the workflow wins
"Build me a Snake game"	Turn a product request into an implementation plan	It reduces ambiguity before code starts
"Write a regex for me"	Turn a vague bug report into a test case plan	It helps you reproduce and verify real bugs
"Summarize this file"	Review a PR for missing tests and edge cases	It finds risk, not just words
"Explain Docker like I'm five"	Create a migration checklist before an upgrade	It prevents expensive mistakes
"What does this stack trace mean?"	Convert logs into structured debugging notes	It gives you a path to investigate
"Write release notes"	Generate docs right after shipping from real changes	It captures context before it disappears
"Brainstorm app ideas"	Extract action items from meetings and issue threads	It turns conversation into execution

What Changed for Me

I stopped asking AI for brilliance.

I started asking it for leverage.

That changed everything.

I use it less like a genius intern and more like a formatting engine for engineering work. It is great at turning messy input into clean output:

vague report into test plan
raw logs into debugging notes
shipped code into docs
discussion into actions
request into scope

That is the pattern.

AI is not most useful in the middle of coding. It is often most useful at the handoff points around coding.

FAQ

Is this just ChatGPT with better prompts?

Not really. The important part is not the prompt text. It is the workflow shape. You are feeding AI messy inputs that already exist in your day and asking for structured outputs you actually use.

Should AI write production code too?

Sometimes, yes. But that is not the biggest unlocked value for most teams. Code generation gets attention. Workflow acceleration saves time more reliably.

What about privacy and security?

Use your brain. Do not paste secrets, private customer data, or sensitive production material into tools that are not approved for it. Redact first. Use the right environment. Treat AI like any other external system.

Won't this create more cleanup work?

Only if you ask for finished answers when you really need first drafts. The trick is to use AI for scaffolding, synthesis, and structure. You do the final judgment.

Conclusion

A lot of developers are disappointed by AI because they are using it for low-stakes parlor tricks.

The better use is boring on purpose.

It helps with the stuff that slows real work down: clarifying, organizing, checking, summarizing, planning, and documenting.

That is how it stops being a toy.

What workflow saves you the most time? Share it in the comments.

If you already have a workflow like this, I want to hear it. And if you think one of these is overrated, even better. Those are usually the best comment sections.

DEV Community: Tommaso Bertocchi

10 npm Packages You'll Actually Use in 2026

Table of Contents

1) zod — runtime validation your TypeScript types can't provide

colinhacks / zod

TypeScript-first schema validation with static type inference

Zod

Featured sponsor: Jazz

Read the docs →

What is Zod?

Features

2) tsx — run TypeScript without the setup tax

privatenumber / tsx

⚡️ TypeScript Execute | The easiest way to run TypeScript in Node.js

Sponsors

3) hono — the web framework built for the edge

honojs / hono

Web framework built on Web Standards

Quick Start

Features

4) drizzle-orm — the ORM that doesn't hide SQL from you

drizzle-team / drizzle-orm

ORM

Headless ORM for NodeJS, TypeScript and JavaScript 🚀

What's Drizzle?

5) superjson — serialize what JSON.stringify silently mangles

flightcontrolhq / superjson

Safely serialize JavaScript expressions to a superset of JSON, which includes Dates, BigInts, and more.

Key features

Backstory

Sponsors

Getting started

Basic Usage

6) effect — structured concurrency for when async/await breaks down

Effect-TS / effect

Build production-ready applications in TypeScript

Effect Monorepo

Introduction

Monorepo Structure

7) pino — the logger that won't slow your server down

pinojs / pino

🌲 super fast, all natural json logger

pino

Documentation

Runtimes

Node.js

Bare

Pear

Install

Usage

8) pompelmi — file upload scanning that stays on your server

pompelmi / pompelmi

Minimal Node.js wrapper around ClamAV — scan any file and get Clean, Malicious, or ScanError. Handles installation and database updates automatically.

pompelmi

Table of contents

Quickstart

How it works

9) got — the HTTP client Node.js always needed

sindresorhus / got

🌐 Human-friendly and powerful HTTP request library for Node.js

Install

Take a peek

JSON mode

10) p-queue — concurrency control for async operations

sindresorhus / p-queue

Promise queue with concurrency control

p-queue

Install

Usage

Final thoughts

Pompelmi — Add Antivirus Scanning to Your Node.js App in 5 Minutes

Pompelmi — Add Antivirus Scanning to Your Node.js App in 5 Minutes

🍊 What Is Pompelmi?

🔧 Setup

1. Install ClamAV on the Host System

2. Install Pompelmi

🚀 Quick Start

⚙️ How It Works Under the Hood

🛡️ A Robust Production Pattern

🔍 Reading the Verdict as a String

1. `clamscan` (npm)

2. `clamdjs`