Most file upload flows are built for convenience first.
A user selects a file.
The backend checks the MIME type.
Maybe the extension too.
Then the file gets stored.
That sounds fine — until someone uploads something that only looks harmless.
A renamed executable.
A hostile archive.
A risky PDF.
A file that passes basic checks but becomes a problem later when another system stores, unpacks, parses, or serves it.
That is exactly the gap I wanted to reduce.
So I built Pompelmi — a free, open-source, local-first file upload scanner for Node.js.
It helps inspect untrusted files before they move deeper into your system.
What Pompelmi checks
Pompelmi is designed for upload endpoints that cannot trust:
- filenames
- extensions
- client-provided MIME types
It can help detect things like:
- MIME spoofing and magic-byte mismatches
- archive abuse such as ZIP bombs, traversal, and deep nesting
- polyglot files
- risky document structures
- optional YARA-based signature matches
The idea is simple:
inspect first, store later
Why I made it
A lot of developers already protect authentication, APIs, cookies, headers, and secrets.
But file uploads are often treated like plumbing.
In reality, they are part of the attack surface.
And if your product accepts uploads — resumes, PDFs, ZIPs, screenshots, attachments, documents, invoices, avatars, anything — then this matters.
I wanted something that felt:
- practical
- developer-friendly
- local-first
- easy to plug into real Node.js apps
Not a huge platform.
Not a SaaS dependency.
Just something you can use directly in your own stack.
Quick example
import { scanBytes } from 'pompelmi';
const report = await scanBytes(file.buffer, {
ctx: {
filename: file.originalname,
mimeType: file.mimetype,
size: file.size,
},
});
if (!report.ok) {
return res.status(422).json({
error: 'Upload blocked',
verdict: report.verdict,
reasons: report.reasons,
});
}
That is the kind of workflow I wanted:
- inspect the file
- get a verdict
- allow, reject, or quarantine it
Built for actual Node.js projects
Pompelmi is not just a single package.
The ecosystem includes integrations and related packages for different workflows, so it is easier to use inside real apps instead of forcing everyone into the exact same setup.
That was important to me.
Security tooling gets adopted more often when it fits the way developers already build.
Social proof matters, so here it is
One thing I learned from open source:
Even useful projects are easy to ignore if people do not trust them quickly.
So here is the short version:
- Pompelmi has been featured in places like Node Weekly
- it has also been mentioned by Help Net Security
- and covered by Stack Overflow / The Overflow
If you want to check the project directly, here it is:
GitHub: github.com/pompelmi/pompelmi
Who this is for
Pompelmi is especially relevant if you are building:
- SaaS products with attachments
- admin dashboards
- internal tools
- upload forms
- document workflows
- media ingestion pipelines
- any Node.js app that accepts untrusted files
If your backend accepts uploads, there is a good chance this belongs somewhere in your pipeline.
Why open source
I made it open source because I wanted it to be:
- inspectable
- usable without lock-in
- easy to test locally
- easy to improve over time
Also, security tools benefit from scrutiny.
If something is going to sit near an upload boundary, people should be able to inspect how it works.
If you want to try it
You can check out the repo here:
And if you think the project is useful, a GitHub star genuinely helps.
It helps more developers discover it, gives the project more credibility, and makes it easier for open-source security tooling like this to keep growing.
Final thought
A lot of apps spend time protecting what happens after login.
But sometimes the simpler question is:
What are you allowing into the system in the first place?
That is the problem Pompelmi is built for.
If that sounds useful for your stack, take a look here:
Top comments (0)