
How I promoted my open-source security repo to 575 GitHub stars by treating it like a real product
When people talk about growing an open-source project, the advice usually sounds vague: post on social media, share it on Reddit, write blog posts, keep shipping.

That advice is not wrong, but it is incomplete. What worked for me with Pompelmi was not “being everywhere.” It was making the project easy to understand, easy to trust, and easy to discover in places where the right developers were already looking.

Pompelmi is an open-source file upload security tool for Node.js. It scans files before storage to help detect malware, MIME spoofing, risky archives, and other upload-related problems. It works with frameworks like Express, Next.js, NestJS, Fastify, and Koa.

At the time of writing, the repo has grown to hundreds of stars and picked up mentions from places like Stack Overflow, Help Net Security, Node Weekly, Detection Engineering Weekly, and Bytes.

I did not get there with paid ads. I did not get there with a huge audience. And I definitely did not get there from one viral post. I got
Continue reading on Dev.to Webdev



