This open-source tool scans uploads before they become a problem
Source: DEV Community
Most file upload flows are built for convenience first. A user selects a file. The backend checks the MIME type. Maybe the extension too. Then the file gets stored. That sounds fine — until someone uploads something that only looks harmless. A renamed executable. A hostile archive. A risky PDF. A file that passes basic checks but becomes a problem later when another system stores, unpacks, parses, or serves it.

That is exactly the gap I wanted to reduce. So I built Pompelmi — a free, open-source, local-first file upload scanner for Node.js. It helps inspect untrusted files before they move deeper into your system.

What Pompelmi checks

Pompelmi is designed for upload endpoints that cannot trust:

- filenames
- extensions
- client-provided MIME types

It can help detect things like:

- MIME spoofing and magic-byte mismatches
- archive abuse such as ZIP bombs, traversal, and deep nesting
- polyglot files
- risky document structures
- optional YARA-based signature matches

The idea is simple: inspect first, s