
Pompelmi

v1.18.0 Feature

This release adds 4 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched in this version

Topics

antivirus clamav clamscan docker express file-scanner malware nodejs npm security typescript upload-file virus virus-scan

Summary

AI summary

New official Docker image, security scorecard feature, VS Code extension scaffold, and quarantine mode for infected files.

Full changelog

What's New

Official Docker Image

pompelmi/scanner is now available on Docker Hub.
A self-contained image with ClamAV, clamd, and an HTTP scan API
built in — no configuration required.

The quick start below publishes the scan API on every interface of the
host, and this page documents no authentication on the endpoint. Outside a
local test, bind it to loopback (-p 127.0.0.1:8080:8080) or attach it to an
internal network that only the upload service can reach, and confirm that
/health reports clamd as running before routing uploads to it.

docker pull pompelmi/scanner
docker run -p 8080:8080 pompelmi/scanner
# Scan a file via HTTP
curl -F "file=@./document.pdf" http://localhost:8080/scan
# {"verdict":"clean","file":"document.pdf","viruses":[]}

# Health check
curl http://localhost:8080/health
# {"status":"ok","clamd":"running"}
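The piece the quick start leaves out is what the upload handler does with the verdict. The following is an added example, not part of the release notes and not pompelmi's own client code: it consumes the JSON returned by POST /scan and fails closed, so a non-200 status, a timeout, malformed JSON, a missing verdict, or any verdict other than an explicit clean rejects the upload. The constructed sample responses, the "infected" verdict string and the POMPELMI_SCANNER_URL variable are this example's assumptions; only the clean response shape comes from the page.

```javascript
// Added example (not pompelmi's own client code). Consumes the JSON verdict
// from the scanner image's POST /scan endpoint and fails closed: only an
// explicit {"verdict":"clean"} with an empty viruses array admits the file.
// Assumptions: an "infected" verdict string and the POMPELMI_SCANNER_URL
// variable; the clean response shape is the one shown on the page.

const SCANNER_URL = process.env.POMPELMI_SCANNER_URL || 'http://localhost:8080';

// Pure decision function over the HTTP status and the raw body text.
function decideFromScanResponse(status, bodyText) {
  const reject = (reason, viruses = []) => ({ accept: false, reason, viruses });
  if (status !== 200) return reject(`scanner returned HTTP ${status}`);

  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return reject('scanner response was not valid JSON');
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return reject('scanner response was not a JSON object');
  }

  const viruses = Array.isArray(body.viruses) ? body.viruses.map(String) : [];
  // A missing verdict, an unknown verdict, or a "clean" verdict that still
  // lists detections are all treated as rejections.
  if (body.verdict === 'clean' && viruses.length === 0) {
    return { accept: true, reason: 'clean', viruses };
  }
  return reject(`verdict=${body.verdict ?? 'missing'}`, viruses);
}

// Network wrapper (Node 18+: global fetch, FormData, Blob, AbortSignal.timeout).
// Timeouts and connection errors become rejections rather than exceptions,
// so a scanner outage can never let an upload through.
async function scanBuffer(buf, filename, timeoutMs = 10000) {
  const form = new FormData();
  form.append('file', new Blob([buf]), filename);
  try {
    const res = await fetch(`${SCANNER_URL}/scan`, {
      method: 'POST',
      body: form,
      signal: AbortSignal.timeout(timeoutMs),
    });
    return decideFromScanResponse(res.status, await res.text());
  } catch (err) {
    return { accept: false, reason: `scanner unreachable: ${err.message}`, viruses: [] };
  }
}

// Constructed sample responses for offline use (the second is an assumed shape).
const SAMPLE_RESPONSES = [
  [200, '{"verdict":"clean","file":"document.pdf","viruses":[]}'],
  [200, '{"verdict":"infected","file":"invoice.exe","viruses":["Eicar-Test-Signature"]}'],
  [500, 'internal error'],
  [200, '<html>502 Bad Gateway</html>'],
  [200, '{"file":"unknown.bin"}'],
  [200, '{"verdict":"clean","file":"odd.bin","viruses":["Some.Detection"]}'],
];

function runSamples() {
  return SAMPLE_RESPONSES.map(([status, body]) => decideFromScanResponse(status, body));
}

for (const [i, r] of runSamples().entries()) {
  console.log(`${i}: accept=${r.accept} (${r.reason})`);
}
```

Only the first sample is admitted; every other case, including the one where the scanner answers "clean" but still lists a detection, is rejected. scanBuffer is the piece to call from the upload route, and its caller should treat accept === false from any reason as a hard rejection of the request.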

Security Scorecard

Grade your upload security configuration from A to F:

const { generateScorecard } = require('pompelmi')

const scorecard = await generateScorecard({
  scanEnabled: true,
  mimeTypeAllowlist: ['image/jpeg', 'image/png', 'application/pdf'],
  fileSizeLimit: 10 * 1024 * 1024,
  diskWriteBeforeScan: false,
  scanErrorBehavior: 'reject',
  clamdUnavailableBehavior: 'reject'
})

console.log(scorecard.grade)    // 'A'
console.log(scorecard.score)    // 95
console.log(scorecard.findings) // array of passed/failed checks

From the CLI:

npx pompelmi scorecard --config ./pompelmi.config.js
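To make concrete what each of those six options protects against, here is an added example that is not pompelmi's src/Scorecard.js and not the library's scoring: an independent audit over the same option names generateScorecard() takes, run against a weak configuration and the hardened one from the release notes. The check ids, weights, the 100 MiB sanity ceiling for the size limit, and the letter cut-offs are this example's own assumptions.

```javascript
// Added example, not pompelmi's src/Scorecard.js: an independent audit over
// the same six options generateScorecard() accepts, showing what each one
// protects against and how a weak configuration scores beside a hardened one.
// The ids, weights, thresholds and letter cut-offs are this example's own
// assumptions, not the library's scoring.

const MAX_SANE_LIMIT = 100 * 1024 * 1024; // assumed ceiling for a "bounded" upload

const CHECKS = [
  { id: 'scan-enabled', weight: 40,
    pass: (c) => c.scanEnabled === true,
    why: 'with scanning off, the remaining controls only shape what malware gets stored' },
  { id: 'mime-allowlist', weight: 15,
    pass: (c) => Array.isArray(c.mimeTypeAllowlist) && c.mimeTypeAllowlist.length > 0
      && !c.mimeTypeAllowlist.some((t) => String(t).includes('*')),
    why: 'an explicit allowlist bounds which parsers a file can reach; a wildcard is no allowlist' },
  { id: 'size-limit', weight: 10,
    pass: (c) => Number.isInteger(c.fileSizeLimit) && c.fileSizeLimit > 0
      && c.fileSizeLimit <= MAX_SANE_LIMIT,
    why: 'an unbounded upload exhausts disk, memory and scanner time before any verdict' },
  { id: 'scan-before-disk', weight: 15,
    pass: (c) => c.diskWriteBeforeScan === false,
    why: 'a file written before its verdict can be read by other processes or survive a crash' },
  { id: 'scan-error-rejects', weight: 10,
    pass: (c) => c.scanErrorBehavior === 'reject',
    why: 'a scanner error that still allows the file is a bypass, not an error' },
  { id: 'clamd-down-rejects', weight: 10,
    pass: (c) => c.clamdUnavailableBehavior === 'reject',
    why: 'if clamd is unreachable and uploads still pass, the control is effectively off' },
];

// Returns { grade, score, findings } in the same spirit as the scorecard,
// with the numbers coming from the weights above.
function gradeConfig(config) {
  const findings = CHECKS.map((chk) => ({
    id: chk.id, passed: chk.pass(config), weight: chk.weight, why: chk.why,
  }));
  const score = findings.reduce((sum, f) => sum + (f.passed ? f.weight : 0), 0);
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { grade, score, findings };
}

function failedCheckIds(config) {
  return gradeConfig(config).findings.filter((f) => !f.passed).map((f) => f.id);
}

// Constructed configurations. WEAK_CONFIG is a typical "we run ClamAV" setup
// that nonetheless fails open; HARDENED_CONFIG is the one from the release notes.
const WEAK_CONFIG = {
  scanEnabled: true,
  mimeTypeAllowlist: ['*/*'],
  diskWriteBeforeScan: true,
  scanErrorBehavior: 'allow',
  clamdUnavailableBehavior: 'allow',
};

const HARDENED_CONFIG = {
  scanEnabled: true,
  mimeTypeAllowlist: ['image/jpeg', 'image/png', 'application/pdf'],
  fileSizeLimit: 10 * 1024 * 1024,
  diskWriteBeforeScan: false,
  scanErrorBehavior: 'reject',
  clamdUnavailableBehavior: 'reject',
};

for (const [name, cfg] of [['weak', WEAK_CONFIG], ['hardened', HARDENED_CONFIG]]) {
  const { grade, score } = gradeConfig(cfg);
  console.log(`${name}: ${grade} (${score}) failed=${failedCheckIds(cfg).join(',') || 'none'}`);
}
```

The weak configuration scans every file and still grades D, because the two "allow" behaviours mean any scanner hiccup admits the upload, and the wildcard allowlist plus the disk write before the verdict widen what an attacker can reach. Those are the findings to fix first; enabling scanning on its own is not the control.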

VS Code Extension

A VS Code extension scaffold is now available at packages/vscode/.
Right-click any file in the IDE and select "Scan with pompelmi".
Marketplace publishing coming in a future release.

Quarantine Mode

Automatically move infected files to a quarantine directory:

const { watch } = require('pompelmi') // assumed export, imported the same way as generateScorecard above

watch('/uploads', {
  host: 'localhost',
  port: 3310,
  quarantine: '/quarantine'
}, {
  onMalicious: 'quarantine'
})

From the CLI:

npx pompelmi watch ./uploads --quarantine ./quarantine

Each quarantined file gets a sidecar JSON with original path,
virus name, timestamp, and SHA-256 hash. Keep the quarantine directory
outside the watched directory (and outside anything the application
serves), or the moved file is picked up again by the watcher or stays
reachable from the web.

Changes

  • docker/ — Dockerfile, entrypoint.sh, HTTP scan API server
  • .github/workflows/docker.yml — automated Docker Hub publishing
  • src/Scorecard.js — A-F grading for upload security config
  • src/Watcher.js — quarantine mode support
  • packages/vscode/ — VS Code extension scaffold
  • bin/pompelmi.js — scorecard command and --quarantine flag
  • docs/docker-image.html — Docker Hub image guide
  • docs/scorecard.html — scorecard API and CLI reference
  • docs/vscode.html — VS Code extension guide
  • docs/*.html — navbar updated across all pages
  • README.md — Docker Hub badge, new features

Full Changelog

https://github.com/pompelmi/pompelmi/compare/v1.17.0...v1.18.0


About Pompelmi

Open-source file upload security for Node.js. Scan files before storage to detect malware, MIME spoofing, and risky archives.

