
Pompelmi

v1.19.0 Feature

This release adds 4 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

antivirus, clamav, clamscan, docker, express, file-scanner, malware, nodejs, npm, security, typescript, upload-file, virus, virus-scan

ReleasePort's take

Light signal

ReleasePort v1.19.0 adds SHA256 scan caching, unified upload policies, multi‑engine scanning with consensus, and directory streaming with progress events.

Why it matters: Plan to evaluate these new features in development; no immediate migration or patching required.

Summary

AI summary

Introduces SHA256 scan cache, unified upload security policies, multi‑engine scanning with consensus modes, and directory streaming with progress events.

Changes in this release

Feature Medium

SHA256 scan cache with TTL, LRU, memory and file storage

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Unified upload security policy for size, MIME type, extension, virus scanning

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Multi-engine scanning combining ClamAV with VirusTotal with consensus modes

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Directory streaming with async iteration and real-time progress events

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

Title:

v1.19.0 — Scan Cache, Policies, Multi-Engine, Directory Streaming

Body:

## What's New

### SHA256 Scan Cache
Skip rescanning files that have already been verified.
Cache results in memory or on disk with configurable TTL and LRU eviction.

```js
const { createCache } = require('pompelmi')

const cache = createCache({ ttl: 3600000, maxSize: 1000 })

const result = await cache.scan(filePath, options)
// Second call with same file content: instant, no clamd roundtrip

cache.stats()
// { hits: 42, misses: 8, size: 50, hitRate: 0.84 }
```

File-based persistence across restarts:

```js
const cache = createCache({
  storage: 'file',
  filePath: './.pompelmi-cache.json',
  ttl: 86400000
})
```
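
How a content-hash scan cache behaves, as an added example (this is not Pompelmi's `src/ScanCache.js`; `HashScanCache` and its methods are hypothetical names). Verdicts are keyed on the SHA-256 of the file bytes, the TTL bounds how long a cached clean verdict can outlive a signature update, and the LRU limit bounds memory.

```javascript
// Added example, not Pompelmi's code. All names here are hypothetical.
const crypto = require('node:crypto')

class HashScanCache {
  constructor({ ttl = 3600000, maxSize = 1000, now = Date.now } = {}) {
    this.ttl = ttl
    this.maxSize = maxSize
    this.now = now            // injectable clock so expiry can be exercised
    this.entries = new Map()  // insertion order: first key is least recently used
    this.hits = 0
    this.misses = 0
  }

  // Key on the bytes, never the filename: a renamed copy still hits, and
  // different content uploaded under a known name can never hit.
  static key(buffer) {
    return crypto.createHash('sha256').update(buffer).digest('hex')
  }

  get(buffer) {
    const k = HashScanCache.key(buffer)
    const entry = this.entries.get(k)
    if (!entry || this.now() - entry.storedAt >= this.ttl) {
      this.entries.delete(k)  // expired verdicts are dropped and rescanned
      this.misses++
      return undefined
    }
    this.entries.delete(k)    // re-insert to mark as most recently used
    this.entries.set(k, entry)
    this.hits++
    return entry.verdict
  }

  set(buffer, verdict) {
    const k = HashScanCache.key(buffer)
    this.entries.delete(k)
    this.entries.set(k, { verdict, storedAt: this.now() })
    if (this.entries.size > this.maxSize) {
      this.entries.delete(this.entries.keys().next().value) // evict the LRU entry
    }
  }

  // scanFn is the real scanner call (assumed async). It runs only on a miss,
  // and if it throws nothing is stored, so scanner errors are never cached.
  async scan(buffer, scanFn) {
    const cached = this.get(buffer)
    if (cached !== undefined) return cached
    const verdict = await scanFn(buffer)
    this.set(buffer, verdict)
    return verdict
  }
}
```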

### Scan Policies

Define all upload security rules in one place — size, MIME type,
extension, and virus scanning — and apply them with a single call.

```js
const { createPolicy } = require('pompelmi')

const policy = createPolicy({
  scan: { host: 'localhost', port: 3310 },
  maxSize: 10 * 1024 * 1024,
  allowedMimeTypes: ['image/jpeg', 'image/png', 'application/pdf'],
  allowedExtensions: ['.jpg', '.jpeg', '.png', '.pdf'],
  rejectEncrypted: true,
  onScannerUnavailable: 'reject'
})

const result = await policy.check(buffer, {
  filename: 'upload.pdf',
  mimeType: 'application/pdf',
  size: buffer.length
})
// { allowed: true, reason: null, verdict: Verdict.Clean }

// Express middleware
app.post('/upload', upload.single('file'), policy.middleware(), handler)
```

### Multi-Engine Scanning

Combine ClamAV with VirusTotal for higher confidence results.

```js
const { createMultiEngine } = require('pompelmi')

const scanner = createMultiEngine({
  engines: [
    { type: 'clamav', host: 'localhost', port: 3310 },
    { type: 'virustotal', apiKey: process.env.VIRUSTOTAL_API_KEY }
  ],
  consensus: 'any'
})

const result = await scanner.scanBuffer(buffer)
// {
//   verdict: Verdict.Malicious,
//   engines: [
//     { name: 'clamav', verdict: Verdict.Malicious, virus: 'Win.Malware.Agent' },
//     { name: 'virustotal', verdict: Verdict.Clean, detections: 0 }
//   ]
// }
```

Consensus modes: `any` (strict) · `all` (lenient) · `majority`
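
What the three consensus modes mean for a split result like the one above, as an added example (not Pompelmi's `src/MultiEngine.js`; `combineVerdicts` and the verdict strings are hypothetical). The release notes do not say how ties or failed engines are resolved, so counting a tie as malicious and ignoring errored engines are assumptions of this example.

```javascript
// Added example, not Pompelmi's code. Names and verdict strings are hypothetical.
const CLEAN = 'clean', MALICIOUS = 'malicious', ERROR = 'error'

function combineVerdicts(engineResults, mode) {
  // Engines that failed to answer cannot vote either way (assumption).
  const answered = engineResults.filter(r => r.verdict !== ERROR)
  // Fail closed: with no usable answer there is nothing to base "clean" on.
  if (answered.length === 0) return { verdict: ERROR, flaggedBy: [] }

  const flaggedBy = answered.filter(r => r.verdict === MALICIOUS).map(r => r.name)
  const n = flaggedBy.length
  let malicious
  switch (mode) {
    case 'any':       // strict: a single detection blocks the file
      malicious = n >= 1
      break
    case 'all':       // lenient: one engine missing the sample lets it through
      malicious = n === answered.length
      break
    case 'majority':  // a tie (e.g. 1 of 2 engines) counts as malicious (assumption)
      malicious = n * 2 >= answered.length
      break
    default:
      throw new Error(`unknown consensus mode: ${mode}`)
  }
  return { verdict: malicious ? MALICIOUS : CLEAN, flaggedBy }
}

// Constructed sample mirroring the split result shown in the release notes.
const splitResult = [
  { name: 'clamav', verdict: MALICIOUS },
  { name: 'virustotal', verdict: CLEAN }
]

// Same engine output, one verdict per consensus mode.
function compareModes(results) {
  return Object.fromEntries(
    ['any', 'all', 'majority'].map(m => [m, combineVerdicts(results, m).verdict])
  )
}
```

With two engines, `majority` can only ever see 0, 1 or 2 detections, so the tie rule decides every split result; with the rule used here it behaves like `any`.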

### Directory Streaming with Progress Events

Scan large directories with real-time progress via async iteration:

```js
for await (const event of scanDirectory.stream('/uploads', options)) {
  if (event.type === 'progress') {
    console.log(`${event.scanned}/${event.total} — ${event.file}`)
  }
  if (event.type === 'result') {
    console.log(event.file, event.verdict)
  }
  if (event.type === 'complete') {
    console.log('Done:', event.summary)
  }
}
```

## Changes

- `src/ScanCache.js` — SHA256 cache with TTL, LRU, memory and file storage
- `src/Policy.js` — unified upload security policy
- `src/MultiEngine.js` — multi-engine scanning with consensus modes
- `src/DirectoryScanner.js` — streaming async iterator with progress events
- `src/index.js` — exports createCache, createPolicy, createMultiEngine
- `types/index.d.ts` — full type declarations for all new exports
- `docs/cache.html` — cache API reference
- `docs/policy.html` — policy API reference
- `docs/multi-engine.html` — multi-engine guide
- `docs/*.html` — navbar updated

Full Changelog

https://github.com/pompelmi/pompelmi/compare/v1.18.0...v1.19.0


About Pompelmi

Open-source file upload security for Node.js. Scan files before storage to detect malware, MIME spoofing, and risky archives.
