Edgar Misaél Cano Domínguez

Posted on Jun 15

I built a JS/TS runtime in Rust where nothing runs without your permission

#rust #javascript #security #node

Last week I shipped v2.0.2 of 3va — a JavaScript and TypeScript runtime written in Rust. Here is why I built it and what makes it different from Node.js, Bun, and Deno.

The problem

In 2024, the xz backdoor was hidden inside a postinstall script. The event-stream attack in 2018 targeted a specific Bitcoin wallet by injecting code at install time. The node-ipc protest-ware in 2022 deleted files on machines with Russian or Belarusian IP addresses.

All three attacks had the same root cause: the runtime trusted the package.

npm, pnpm, Yarn, and Bun all execute postinstall scripts by default. Some let you opt out. None of them block it unconditionally at the runtime level — because that would require the runtime to enforce permissions, and none of them do.

3va does.

How it works

Every capability is blocked by default. The filesystem, network, environment variables, child processes, and native addons are all hard-blocked unless you explicitly grant them:

# This runs. It cannot read files, open sockets, or spawn processes.
3va run app.ts

# This can read /app/config and talk to api.stripe.com. Nothing else.
3va run app.ts --allow-read=/app/config --allow-net=api.stripe.com

Permissions apply uniformly to your code and every dependency it loads. There is no trusted/untrusted boundary that a package can cross.

Post-install scripts are blocked unconditionally. Not as a flag. Not as a config option. The package manager simply does not execute them. Ever.

Drop-in replacement — same ecosystem, same frameworks

This is the part that surprised most people I showed it to.

3va installs from the same registries you already use:

3va install express          # from npmjs.org
3va install react@18         # specific version
3va install @std/path --allow-net=jsr.io  # from JSR

It runs the same frameworks:

Frontend: Next.js, Astro, Nuxt, SvelteKit, Remix, Gatsby, SolidStart, Qwik
Backend: Express, Fastify, Koa, NestJS
Mobile: React Native

No migration. No adapter layer. You add a "3va" key to your existing package.json to declare permissions — a pattern Node.js, Bun, pnpm, and Yarn all ignore safely, just like "jest" or "eslint" config.

No pm2

3va ships with a process manager built into the runtime:

3va start server.js --name api
3va status
3va logs api --lines 200
3va restart api
3va stop api        # SIGTERM → SIGKILL after 1.5s

Auto-restart on crash is on by default. Process state survives reboots. No separate daemon, no extra install.

DDoS protection built in

The HTTP layer enforces a hard connection limit of 1,024 concurrent connections and includes Slowloris mitigation out of the box. Node.js and Bun have neither.

This is intentional behavior — 3va drops excess connections rather than queuing them indefinitely. In a stress test at 2,000 concurrent connections, Node.js produced 281 connection errors and eventually fell over. 3va stayed up and rejected the overflow cleanly.

v2.2.0 roadmap targets RUDY (R-U-Dead-Yet) detection and adaptive rate limiting.

Post-quantum cryptography

The vvva_crypto crate implements ML-KEM-768 and ML-DSA-65, both exposed directly to JS:

const { pq } = require('crypto');

const { publicKey, secretKey } = pq.kem.generateKeyPair();
const { ciphertext, sharedSecret } = pq.kem.encapsulate(publicKey);
const recovered = pq.kem.decapsulate(ciphertext, secretKey);

Hybrid TLS (__pqTlsConnect) combines classical TLS with an ML-KEM-768 key exchange on top. Full post-quantum TLS in production is the v3 target.

Honest benchmarks

I am not going to tell you 3va is faster than Bun. It is not.

	Node.js 25	Bun 1.3	3va 2.0 (debug build)
Startup	175 ms	16 ms	94 ms
HTTP throughput (100k req)	—	20,758 req/s	1,572 req/s
Memory (HTTP server)	44 MB	32 MB	29 MB
Install time (warm cache)	984 ms	7.8 ms	16.8 ms

The debug build numbers will improve in release mode. But Bun's JSC engine is genuinely faster for raw throughput and startup. That is a known tradeoff.

What 3va gives you instead: permission isolation at runtime, not just at install time. That is the exchange.

What is included

✅ Runtime (JS + TypeScript, no config needed)
✅ Package manager (npm / Yarn / JSR registries, global dedup like pnpm)
✅ Process manager (replaces pm2)
✅ Test runner (Jest-compatible, no Jest install)
✅ Bundler (tree shaking, code splitting, source maps)
✅ Dev server with HMR (auto-detects framework)
✅ CPU profiler (.cpuprofile + flamegraph SVG)
✅ Audit (malware scan + OSV CVE + secrets detection)
✅ CDP debugger (--inspect)
✅ Interactive REPL sandbox
✅ NAPI v8 native addons
✅ WebAssembly / WASI preview1
✅ Post-quantum TLS (ML-KEM-768 hybrid)
✅ DDoS protection (rate limiting + Slowloris)
✅ Accessible mode (EN 301 549, screen reader friendly)

Install

# npm
npm install -g @edge_166/3va

# Homebrew
brew install OdinoCano/3va/3va

# Chocolatey
choco install 3va

# Scoop
scoop bucket add 3va https://github.com/OdinoCano/3va
scoop install 3va

# cargo
cargo install vvva_cli

# Flatpak
flatpak install flathub com.github.OdinoCano.3va

The name

Veni, Vidi, Vici, Abiit. He came, he saw, he conquered, he left.

It is a tribute to Satoshi Nakamoto's approach: build something that matters, ship it to the world, and step away. The code should speak for itself.

DEV Community