Pompelmi
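Software description
RFI-safe file uploads for Node.js: middleware for Express/Koa/Next.js with deep ZIP inspection, MIME/size validation, and optional YARA scanning.
Official website
Visit the software's official website for more information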
pompelmi.github.io
What is Pompelmi?
Fast file-upload malware scanning for Node.js. Optional YARA, ZIP deep-inspection, MIME/size guards. Express · Koa · Next.js. Pompelmi scans untrusted file uploads before they hit disk. A tiny, TypeScript-first toolkit for Node.js with composable scanners, deep ZIP inspection, and optional signature engines.
Private by design — no outbound calls; bytes never leave your process
Composable scanners — mix heuristics + signatures; set stopOn and timeouts
ZIP hardening — traversal/bomb guards, polyglot & macro hints
Drop-in adapters — Express, Koa, Fastify, Next.js
Typed & tiny — modern TS, minimal surface
Highlights:
Block risky uploads early — classify uploads as clean, suspicious, or malicious and stop them at the edge.
Real guards — extension allow-list, server-side MIME sniff (magic bytes), per-file size caps, and deep ZIP traversal with anti-bomb limits.
Built-in scanners — drop-in CommonHeuristicsScanner (PDF risky actions, Office macros, PE header) and Zip-bomb Guard; add your own or YARA via a tiny { scan(bytes) } contract.
Compose scanning — run multiple scanners in parallel or sequentially with timeouts and short-circuiting via composeScanners().
Zero cloud — scans run in-process. Keep bytes private.
DX first — TypeScript types, ESM/CJS builds, tiny API, adapters for popular web frameworks.