Last week I shipped v2.0.0 of 3va — a JavaScript and TypeScript runtime written in Rust. Here is why I built it and what makes it different from Node.js, Bun, and Deno.
The problem
In 2024, the xz backdoor was hidden inside a postinstall script. The event-stream attack in 2018 targeted a specific Bitcoin wallet by injecting code at install time. The node-ipc protest-ware in 2022 deleted files on machines with Russian or Belarusian IP addresses.
All three attacks had the same root cause: the runtime trusted the package.
npm, pnpm, Yarn, and Bun all execute postinstall scripts by default. Some let you opt out. None of them block it unconditionally at the runtime level — because that would require the runtime to enforce permissions, and none of them do.
3va does.
How it works
Every capability is blocked by default. The filesystem, network, environment variables, child processes, and native addons are all hard-blocked unless you explicitly grant them:
Bash
Permissions apply uniformly to your code and every dependency it loads. There is no trusted/untrusted boundary that a package can cross.
Post-install scripts are blocked unconditionally. Not as a flag. Not as a config option. The package manager simply does not execute them. Ever.
Drop-in replacement — same ecosystem, same frameworks
This is the part that surprised most people I showed it to.
3va installs from the same registries you already use:
Bash
It runs the same frameworks:
Frontend: Next.js, Astro, Nuxt, SvelteKit, Remix, Gatsby, SolidStart, Qwik
Backend: Express, Fastify, Koa, NestJS
Mobile: React Native
No migration. No adapter layer. You add a "3va" key to your existing package.json to declare permissions — a pattern Node.js, Bun, pnpm, and Yarn all ignore safely, just like "jest" or "eslint" config.
No pm2
3va ships with a process manager built into the runtime:
Bash
Auto-restart on crash is on by default. Process state survives reboots. No separate daemon, no extra install.
DDoS protection built in
The HTTP layer enforces a hard connection limit of 1,024 concurrent connections and includes Slowloris mitigation out of the box. Node.js and Bun have neither.
This is intentional behavior — 3va drops excess connections rather than queuing them indefinitely. In a stress test at 2,000 concurrent connections, Node.js produced 281 connection errors and eventually fell over. 3va stayed up and rejected the overflow cleanly.
v2.2.0 roadmap targets RUDY (R-U-Dead-Yet) detection and adaptive rate limiting.
Post-quantum cryptography
The vvva_crypto crate implements ML-KEM-768 and ML-DSA-65, both exposed directly to JS:
Js
Hybrid TLS (__pqTlsConnect) combines classical TLS with an ML-KEM-768 key exchange on top. Full post-quantum TLS in production is the v3 target.
Honest benchmarks
I am not going to tell you 3va is faster than Bun. It is not.
Node.js 25
Bun 1.3
3va 2.0 (debug build)
Startup
175 ms
16 ms
94 ms
HTTP throughput (100k req)
—
20,758 req/s
1,572 req/s
Memory (HTTP server)
44 MB
32 MB
29 MB
Install time (warm cache)
984 ms
7.8 ms
16.8 ms
The debug build numbers will improve in release mode. But Bun's JSC engine is genuinely faster for raw throughput and startup. That is a known tradeoff.
What 3va gives you instead: permission isolation at runtime, not just at install time. That is the exchange.
What is included
✅ Runtime (JS + TypeScript, no config needed)
✅ Package manager (npm / Yarn / JSR registries, global dedup like pnpm)
✅ Process manager (replaces pm2)
✅ Test runner (Jest-compatible, no Jest install)
✅ Bundler (tree shaking, code splitting, source maps)
✅ Dev server with HMR (auto-detects framework)
✅ CPU profiler (.cpuprofile + flamegraph SVG)
✅ Audit (malware scan + OSV CVE + secrets detection)
✅ CDP debugger (--inspect)
✅ Interactive REPL sandbox
✅ NAPI v8 native addons
✅ WebAssembly / WASI preview1
✅ Post-quantum TLS (ML-KEM-768 hybrid)
✅ DDoS protection (rate limiting + Slowloris)
✅ Accessible mode (EN 301 549, screen reader friendly)
Install
Bash
The name
Veni, Vidi, Vici, Abiit. He came, he saw, he conquered, he left.
It is a tribute to Satoshi Nakamoto's approach: build something that matters, ship it to the world, and step away. The code should speak for itself.
Links
GitHub: github.com/OdinoCano/3va
crates.io: search vvva
Roadmap: docs/12-roadmap/ in the repo
Feedback welcome — especially from anyone who hits a compatibility issue with a framework or package. That is the highest-priority bug category right now.
Top comments (0)