DEV Community

Cover image for I built a private file upload scanner for Node.js
Tommaso Bertocchi
Tommaso Bertocchi

Posted on

I built a private file upload scanner for Node.js

#showdev #webdev #opensource #private

Most apps treat file uploads like a boring feature.

A user picks a file, the backend saves it, and everyone moves on.

But uploads are part of your attack surface.

That’s why I built pompelmi: an open-source file upload scanner for Node.js that scans files before they touch disk, runs in-process, and keeps everything local.

pompelmi logo

GitHubDocs

pompelmi preview

Why I made it

A lot of upload pipelines still rely on very weak checks:

  • file extension
  • user-provided MIME type
  • maybe a size limit
  • maybe a scan later in the pipeline

The problem is simple:

by the time many systems inspect the file properly, it may already be saved, forwarded, or stored somewhere else.

I wanted the opposite approach.

I wanted scanning to happen early.

Not in some remote API.
Not in a separate daemon.
Not after the risky part.

Right where the upload enters the app.

SpongeBob serious typing GIF

What pompelmi is

pompelmi is a privacy-first file upload scanner for Node.js.

It is designed for developers who want a cleaner default:

  • scan locally
  • block early
  • keep file bytes inside their own infrastructure
  • integrate with modern JavaScript backends without weird setup

The project is built to feel like a normal developer tool, not a heavyweight security appliance.

That means:

  • no cloud scanning dependency
  • no separate daemon
  • no API keys
  • TypeScript-first developer experience
  • framework adapters for real apps

What it checks

The goal is not to be “magic”.

The goal is to build a solid first security layer around uploads.

pompelmi focuses on things like:

  • magic-byte MIME sniffing
  • extension allow-lists
  • file size limits
  • ZIP bomb guards
  • polyglot detection
  • optional YARA-based scanning
  • composable scanner logic

This matters because modern file threats do not always look suspicious from the filename alone.

This is fine GIF

The developer experience I wanted

A lot of security tools are technically correct but annoying to adopt.

That usually means they get postponed.

So one of my main goals with pompelmi was to make it feel natural inside modern Node.js workflows.

Instead of forcing developers to redesign everything, I wanted it to fit where uploads already happen.

Today the ecosystem around the project is aimed at stacks like:

  • Express
  • Koa
  • Next.js
  • NestJS
  • Nuxt / Nitro
  • Fastify
  • standalone Node.js usage
  • CI/CD workflows

That was important to me.

Because if security does not fit the way people already build software, most teams simply skip it.

A simple example

This is the kind of simplicity I wanted:

import { scanFile } from 'pompelmi';

const result = await scanFile('path/to/upload.pdf');

if (result.verdict !== 'clean') {
  throw new Error(`Blocked: ${result.verdict}${result.reasons}`);
}
Enter fullscreen mode Exit fullscreen mode

That’s the whole philosophy of the project:

minimal friction, early scanning, better defaults.

Demo

Here’s the project demo:

pompelmi demo

Homer backing into bushes GIF

Why I think this problem matters

There is a lot of attention on API security, auth, and infrastructure hardening.

That makes sense.

But uploads are still one of those areas where teams often assume:

“we’ll deal with it later”

The issue is that uploads are not just a product feature.

They are a trust boundary.

The moment your app accepts a file, it has to make a decision:

do we trust these bytes or not?

pompelmi exists to make that decision earlier and more safely.

Who this is for

I think pompelmi is especially useful for products that handle:

  • user uploads
  • document portals
  • internal tools
  • legal workflows
  • healthcare files
  • financial uploads
  • CI/CD artifact scanning
  • privacy-sensitive systems

Basically: any product where “just save the file and hope” is not a serious strategy.

What I like most about the project

The part I like most is the design constraint behind it:

keep scanning local.

That single decision shapes almost everything else:

  • privacy
  • simplicity
  • infrastructure cost
  • developer experience
  • adoption friction

It forces the tool to stay focused.

And I think that focus is what gives pompelmi its identity.

South Park and it's gone GIF

What’s next

There’s still a lot I want to improve.

Especially around:

  • better examples
  • stronger starter policies
  • detection packs
  • framework ergonomics
  • clearer result visibility
  • broader adoption in real-world upload flows

The long-term goal is simple:

make secure file uploads feel normal in modern Node.js apps.

Not enterprise-heavy.
Not painful.
Not bolted on at the end.

Just normal.

Project

If you want to check it out:

pompelmi preview

GitHub: https://github.com/pompelmi/pompelmi

If you’re building something with uploads, I’d love to know how you’d want a tool like this to fit into your stack.

Top comments (0)