Motivation: I wanted a practical “upload guard” that reduces common upload risks (ZIP bombs, traversal in archives, MIME spoofing, polyglots/macro hints) without sending files to a cloud AV service (privacy + latency + GDPR concerns).
Key points:
- Runs in-process (no cloud calls); files never leave your infrastructure
- Deep ZIP inspection with configurable limits (depth/entries/ratio) + nested archive scanning
- Composable scanners (heuristics + optional signature engines like YARA), fail-closed policies
- Drop-in adapters for popular frameworks (Express/Koa/Fastify/Next/Nuxt/Nest)
Try it in 2 minutes (Express example):
1) npm i pompelmi @pompelmi/express-middleware
2) Add createUploadGuard middleware (docs + examples in the repo)
It was recently covered by Help Net Security and previously mentioned in Risky Bulletin; also featured in Node Weekly / Detection Engineering Weekly / Bytes and daily.dev (links in the README).
I’d love feedback on:
1) What’s missing for production use in your upload pipeline?
2) Which integrations/templates would be most valuable next (e.g., SvelteKit/Remix/hapi)?