Dev.to
6/15/2026

I built a JS/TS runtime in Rust where nothing runs without your permission
Short summary
3va is a new JavaScript/TypeScript runtime written in Rust with default-deny permissions—everything (filesystem, network, child processes) is blocked unless explicitly allowed, preventing supply-chain attacks. It bundles a package manager, process manager, test runner, and bundler; trades raw performance for security isolation. Already supports major frameworks (Next.js, Express) without migration.
- •New JS/TS runtime with default-deny permissions blocks supply-chain attacks like xz and event-stream
- •Bundles package manager, process manager, test runner—no migration needed for existing frameworks
- •Trades raw performance for security isolation and memory efficiency; includes post-quantum TLS
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



