Pompelmi
Vulnerability Scanning
Node.js wrapper providing simple, typed ClamAV antivirus scanning with zero dependencies
Features
- Exposes a single async `scan()` function for file or directory scanning
- Zero‑dependency, fully typed TypeScript integration
- Supports JSON output and recursive directory scans
- Provides Docker sidecar and GitHub Action integrations
Recent releases
- Official Docker image `pompelmi/scanner` with built‑in ClamAV, clamd and HTTP scan API
- Security Scorecard API (A‑F grading) and CLI command for upload configuration assessment
- VS Code extension scaffold enabling "Scan with pompelmi" context action
Full changelog
What's New
Official Docker Image
pompelmi/scanner is now available on Docker Hub.
A self-contained image with ClamAV, clamd, and an HTTP scan API
built in — no configuration required.
```bash
docker pull pompelmi/scanner
docker run -p 8080:8080 pompelmi/scanner

# Scan a file via HTTP
curl -F "file=@./document.pdf" http://localhost:8080/scan
# {"verdict":"clean","file":"document.pdf","viruses":[]}

# Health check
curl http://localhost:8080/health
# {"status":"ok","clamd":"running"}
```
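A caller of this HTTP API should fail closed, treating anything other than a well-formed clean reply as a rejection. The following is an added example, not code from the pompelmi project; it assumes the two reply shapes shown above and that only HTTP 200 indicates a completed scan (the function names are hypothetical).

```javascript
// Added example: fail-closed interpretation of the scanner's HTTP replies.
// Reply shapes are the ones shown in the release notes; treating only
// HTTP 200 as success is an assumption.

// Decide whether an upload may proceed, given the /scan reply.
function evaluateScanResponse(httpStatus, bodyText) {
  const reject = (reason) => ({ accept: false, reason });
  if (httpStatus !== 200) return reject(`unexpected HTTP status ${httpStatus}`);

  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return reject('response is not valid JSON');
  }
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return reject('response is not a JSON object');
  }
  if (!Array.isArray(body.viruses)) return reject('missing "viruses" array');
  if (body.viruses.length > 0) {
    return reject(`detections: ${body.viruses.join(', ')}`);
  }
  // Accept only the exact verdict the page documents for a clean file.
  if (body.verdict !== 'clean') {
    return reject(`verdict is ${JSON.stringify(body.verdict)}`);
  }
  return { accept: true, reason: 'clean' };
}

// True only when the /health reply reports both the API and clamd as up.
function scannerIsHealthy(httpStatus, bodyText) {
  if (httpStatus !== 200) return false;
  try {
    const body = JSON.parse(bodyText);
    return body !== null && body.status === 'ok' && body.clamd === 'running';
  } catch {
    return false;
  }
}

// Constructed sample replies (the first is the one shown above).
const samples = [
  [200, '{"verdict":"clean","file":"document.pdf","viruses":[]}'],
  [200, '{"verdict":"clean","file":"a.pdf","viruses":["Constructed.Test.Sig"]}'],
  [200, '<html>gateway error</html>'],
  [503, ''],
];
for (const [status, text] of samples) {
  console.log(status, evaluateScanResponse(status, text));
}
```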
Security Scorecard
Grade your upload security configuration from A to F:
```js
const { generateScorecard } = require('pompelmi')

// await is only valid inside an async function in CommonJS
async function main() {
  const scorecard = await generateScorecard({
    scanEnabled: true,
    mimeTypeAllowlist: ['image/jpeg', 'image/png', 'application/pdf'],
    fileSizeLimit: 10 * 1024 * 1024,
    diskWriteBeforeScan: false,
    scanErrorBehavior: 'reject',
    clamdUnavailableBehavior: 'reject'
  })

  console.log(scorecard.grade)    // 'A'
  console.log(scorecard.score)    // 95
  console.log(scorecard.findings) // array of passed/failed checks
}

main()
```
From the CLI:
```bash
npx pompelmi scorecard --config ./pompelmi.config.js
```
VS Code Extension
A VS Code extension scaffold is now available at packages/vscode/.
Right-click any file in the IDE and select "Scan with pompelmi".
Marketplace publishing coming in a future release.
Quarantine Mode
Automatically move infected files to a quarantine directory:
```js
watch('/uploads', {
  host: 'localhost',
  port: 3310,
  quarantine: '/quarantine'
}, {
  onMalicious: 'quarantine'
})
```
```bash
npx pompelmi watch ./uploads --quarantine ./quarantine
```
Each quarantined file gets a sidecar JSON with original path,
virus name, timestamp, and SHA256 hash.
Changes
- `docker/` — Dockerfile, entrypoint.sh, HTTP scan API server
- `.github/workflows/docker.yml` — automated Docker Hub publishing
- `src/Scorecard.js` — A-F grading for upload security config
- `src/Watcher.js` — quarantine mode support
- `packages/vscode/` — VS Code extension scaffold
- `bin/pompelmi.js` — scorecard command and `--quarantine` flag
- `docs/docker-image.html` — Docker Hub image guide
- `docs/scorecard.html` — scorecard API and CLI reference
- `docs/vscode.html` — VS Code extension guide
- `docs/*.html` — navbar updated across all pages
- `README.md` — Docker Hub badge, new features
Full Changelog
https://github.com/pompelmi/pompelmi/compare/v1.17.0...v1.18.0
- Dual CommonJS and ES Modules entry points via `package.json` exports
- Native Deno support with example usage
- Cloudflare Workers package `@pompelmi/cloudflare` for edge scanning
Full changelog
What's New
Native ESM Support
pompelmi now supports both CommonJS and ES Modules natively.
No more createRequire workarounds.
```js
// ESM (new)
import { scan, scanBuffer, Verdict } from 'pompelmi'
```
```js
// CommonJS (unchanged)
const { scan, scanBuffer, Verdict } = require('pompelmi')
```
Deno Support
pompelmi now works natively in Deno:
```js
import { scan, Verdict } from 'npm:pompelmi'

const result = await scan('./file.pdf', {
  host: 'localhost',
  port: 3310
})
```
Cloudflare Workers Package
@pompelmi/cloudflare is now available on npm.
Scan file uploads at the edge via a remote clamd instance.
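```bash
npm install @pompelmi/cloudflare
```
```js
import { scanBuffer } from '@pompelmi/cloudflare'

export default {
  async fetch(request, env) {
    const formData = await request.formData()
    const file = formData.get('file')

    // formData.get() returns null or a string when no file part was sent
    if (!(file instanceof File)) {
      return new Response('No file uploaded', { status: 400 })
    }

    const buffer = await file.arrayBuffer()
    const result = await scanBuffer(buffer, {
      host: env.CLAMAV_HOST,
      port: parseInt(env.CLAMAV_PORT, 10)
    })

    // Anything other than a clean verdict is rejected
    if (result !== 'clean') {
      return new Response('File rejected', { status: 422 })
    }
    return new Response('OK')
  }
}
```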
Landing Page Improvements
pompelmi.app now shows:
- Runtime compatibility logos: Node.js • Bun • Deno • Cloudflare Workers
- Framework logos grid: Express • Fastify • NestJS • Next.js • Hono • Remix • SvelteKit
- Live GitHub stars and npm downloads badges
GitHub Sponsors
A Sponsor button is now visible on the GitHub repo via .github/FUNDING.yml.
Runtime Support
| Runtime | Status |
|---------|--------|
| Node.js | ✅ |
| Bun | ✅ |
| Deno | ✅ |
| Cloudflare Workers | ✅ via @pompelmi/cloudflare |
Framework Integrations
| Package | Framework |
|---------|-----------|
| @pompelmi/nestjs | NestJS |
| @pompelmi/fastify | Fastify |
| @pompelmi/nextjs | Next.js |
| @pompelmi/hono | Hono |
| @pompelmi/remix | Remix |
| @pompelmi/sveltekit | SvelteKit |
| @pompelmi/cloudflare | Cloudflare Workers |
| @pompelmi/testing | Jest / Vitest / Node |
Changes
- `src/index.mjs` — native ESM entry point
- `package.json` — dual CJS/ESM exports field
- `deno.json` — Deno configuration
- `packages/cloudflare/` — Cloudflare Workers package
- `.github/FUNDING.yml` — GitHub Sponsors button
- `docs/deno.html` — Deno usage guide
- `docs/cloudflare.html` — Cloudflare Workers guide
- `docs/*.html` — navbar updated
- `index.html` — landing page runtime and framework logos
Full Changelog
https://github.com/pompelmi/pompelmi/compare/v1.16.0...v1.17.0
- Node.js runtime updated to version 24 in CI workflows
- Remix plugin `@pompelmi/remix` with action wrapper
- SvelteKit plugin `@pompelmi/sveltekit` with server handler and hook
- In‑memory scan statistics tracker via `createStats()`
Full changelog
What's New
Remix Plugin
@pompelmi/remix is now available on npm.
```bash
npm install @pompelmi/remix pompelmi
```
```js
import { json } from '@remix-run/node' // response helper used below
import { withPompelmi } from '@pompelmi/remix'

export const action = withPompelmi(async ({ request }) => {
  const formData = await request.formData()
  return json({ ok: true })
}, { host: 'localhost', port: 3310 })
```
SvelteKit Plugin
@pompelmi/sveltekit is now available on npm.
```bash
npm install @pompelmi/sveltekit pompelmi
```
```js
import { withPompelmi } from '@pompelmi/sveltekit'

export const POST = withPompelmi(async ({ request }) => {
  return new Response(JSON.stringify({ ok: true }))
}, { host: 'localhost', port: 3310 })
```
Scan Statistics
Track scan activity in-memory with createStats():
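```js
const { scan, createStats } = require('pompelmi')

const stats = createStats()

// Inside an async function: wrap each scan call so it is counted.
// filePath and options are the caller's own values.
const result = await stats.track(() => scan(filePath, options))

stats.get()
// {
//   totalScanned: 1247,
//   totalClean: 1245,
//   totalInfected: 2,
//   totalErrors: 0,
//   avgScanTimeMs: 45,
//   lastScanAt: '2026-05-07T...',
//   uptime: 3600000
// }

// Expose the counters on an existing Express-style app
app.get('/pompelmi/stats', (req, res) => res.json(stats.get()))
```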
Navbar Fix
All docs/ HTML pages now have a consistent navbar linking to every
page in the documentation site. Previously several pages were missing
links to newer sections.
Framework Integrations
| Package | Framework |
|---------|-----------|
| @pompelmi/nestjs | NestJS |
| @pompelmi/fastify | Fastify |
| @pompelmi/nextjs | Next.js |
| @pompelmi/hono | Hono |
| @pompelmi/remix | Remix |
| @pompelmi/sveltekit | SvelteKit |
| @pompelmi/testing | Jest / Vitest / Node |
Changes
- `packages/remix/` — Remix action wrapper
- `packages/sveltekit/` — SvelteKit server handler and hook
- `src/Stats.js` — in-memory scan statistics tracker
- `docs/remix.html`, `docs/sveltekit.html`, `docs/stats.html` — new docs pages
- `docs/*.html` — canonical navbar across all pages
- `README.md` — updated framework integrations table
- `.github/workflows/ci.yml` — updated to Node.js 24 actions
Full Changelog
https://github.com/pompelmi/pompelmi/compare/v1.15.0...v1.16.0