Node.js & Bun & Deno Backend Frameworks 2026 Complete Guide — Hono · Fastify · Express 5 · NestJS 11 · Elysia · tRPC · Encore TS · h3 · Effect Deep Dive

Prologue — "Knowing Node Is the Whole Backend" Is Over

Around 2018, if someone said "I write backends in JavaScript," there was no ambiguity: Node.js + Express. Hear the same sentence in 2026 and you have to ask at least seven follow-ups. "Which runtime? Node 22 LTS, 24, Bun, Deno? Edge or origin? Hono or Fastify? Prisma or Drizzle? Are you wiring tRPC? Going infra-first with Encore TS? Reaching for Effect on top?" The architecture splits completely depending on the answers.

This article draws the map of the Node.js · Bun · Deno backend framework ecosystem as of May 2026. It sweeps everything from runtime differences to framework comparisons, ORMs and validation libraries, queues and workers, auth, logging, WebSockets, and cloud deployment. At the end I tie together real adoption stories from Korean and Japanese companies — Toss, Coupang, KakaoPay, Mercari, LINE Yahoo, DeNA, freee, and others.

Chapter 1 · The 2026 JavaScript Runtime Battlefield

Start with the runtimes themselves. In 2026 the following four all run in production at the same time.

Runtime	Engine	Strengths	Weaknesses
Node.js 22 LTS / 24	V8	Ecosystem, stability, 100% npm compatibility	Slow startup, cold start
Bun 1.2+	JSC (JavaScriptCore)	Fast startup, bundler/test built in	Some native module compatibility issues
Deno 2	V8	Security-first, native TS, standard library	npm compatibility is just that — compatibility
Cloudflare Workers	V8 isolate	~0ms cold start, globally distributed	Some Node APIs missing, CPU limits

On top of that come serverless/edge variants like Vercel Edge Functions, Netlify Edge Functions (Deno), AWS Lambda@Edge, and Deno Deploy. There is no single right answer. Workloads, teams, cost, and cold-start sensitivity all differ.

Two key shifts. One, edge runtimes have become first-class production citizens. Cloudflare Workers runs V8 isolates across 320+ global POPs, making 50ms TTFB routine. Two, Bun and Deno are no longer experiments. Bun 1.2 runs in production at parts of Vercel's infrastructure and parts of Discord; Deno 2 powers Netlify's edge runtime and serves tens of billions of requests daily.

Chapter 2 · Node.js 22 LTS / 24 — Still the Default, Still Evolving

Late 2025 settled Node 22 as active LTS and Node 24 as current, reshaping the standard lineup. The notable additions.

Built-in test runner (node:test) — unit testing without Jest. Stabilized in 2024; by 2026 mock, snapshot, and coverage are in, so small projects need no test dependencies.
--watch mode — restart on file change without nodemon. One less dev-loop dependency.
Built-in .env loading (--env-file) — load env files without dotenv.
fetch / WebStreams / FormData built in — no node-fetch-style polyfills.
Permission Model (experimental) — Deno-style permission control with flags like --allow-fs-read=/etc.
Built-in WebSocket client — from Node 22.
Test Reporter API, stable custom ESM loaders, stable WASI.

Node.js' strengths remain compatibility with 2 million npm packages and proven production. Netflix, PayPal, LinkedIn, Uber, Walmart, Goldman Sachs, and NASA run it as their main backend. For conservative teams Node 22 LTS is the safe default — maintained until April 2027.

Chapter 3 · Bun 1.2+ — JSC-Powered Ambition

Bun is Jarred Sumner's JSC (Safari engine)-based JavaScript runtime + package manager + bundler + test runner + shell. 1.0 landed in 2024; as of May 2026 the 1.2.x line is the stable channel.

Bun's appeal is clear.

Startup time: ~4× faster cold start than Node.
bun install: ~20× faster installs than npm (more on cache hits).
Bundler: handles TS · JSX · CSS · WASM at esbuild speed.
bun test: Jest-compatible API, faster execution.
Bun.serve(): built-in HTTP server, ~3× throughput.
SQLite built in (bun:sqlite), built-in password hashing, built-in ffi.

The weaknesses are equally clear.

Native module compatibility: some packages that build via node-gyp still cause friction.
Partial Cluster API support, differences in some process events.
Production validation is not yet at Node's level — though from late 2025, Vercel, Discord, Tigris, and others have used it in parts of their stack.

When to pick Bun: when monorepo build speed is the bottleneck, when cold start matters for serverless and Workers isn't a fit, when you want to use a Bun-first framework like Elysia.

Chapter 4 · Deno 2 — Security First, Standards First

Ryan Dahl (Node's creator) gathered Node's "regrets" and built a new runtime. Deno 2.0 in 2024 marked a big inflection point — npm compatibility finally landed.

Deno's design principles.

Security first — file, network, and env access blocked by default. Explicit --allow-net, --allow-read grants.
TypeScript native — run .ts directly without transpilation.
Standard library — vetted modules like @std/http, @std/fs, @std/crypto.
Single executable — deno compile produces a self-contained binary.
JSR (JavaScript Registry) — a TS-first module registry.

As of 2026 Deno's real strength shows up on Deno Deploy and Netlify Edge Functions (Deno-based). The experience of running TypeScript as-is on globally distributed V8 isolates is very smooth.

The weaknesses: npm compatibility is good but not 100%, and some legacy middleware like Express requires acrobatics on Deno. Instead, Deno-friendly frameworks like Hono, Oak, and Fresh have established themselves.

Chapter 5 · Cloudflare Workers — The Golden Age of Edge V8 Isolates

Workers isn't a "runtime" like Node or Bun so much as a different execution model entirely. Instead of a Node process on a container, it spawns V8 isolates instantly across 320+ global POPs. Cold start effectively approaches zero.

Highlights of the 2026 Workers ecosystem.

Workers + Durable Objects — globally distributed state machines. Strong for WebSockets, sessions, and real-time sync.
Workers KV / R2 / D1 — key-value · object storage · SQLite-based global DB.
Workers Queues — async job queue; an edge alternative to BullMQ.
Workers AI — edge LLM inference (Llama, Mistral, etc.).
Workers Smart Placement — runs automatically at the POP nearest origin.

Constraints exist. CPU time limited to 50ms (free) / 30s (paid), partial Node API support (compatibility ON via nodejs_compat), 128MB memory. Heavy ML inference or long-trace processing won't fit.

Hono has become the de facto standard. Cloudflare itself uses Hono in worker demos and docs, and Cloudflare staff contribute directly to the honojs/hono repository.

Chapter 6 · Hono 4 — Edge-First, Multi-Runtime Winner

Hono (Japanese for "flame") is a framework built by Yusuke Wada of Japan. The same code runs on Cloudflare Workers, Deno, Bun, Node.js, Vercel, AWS Lambda, and Fastly Compute@Edge — that's the decisive strength.

import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello Hono!'))
app.get('/users/:id', (c) => {
  const id = c.req.param('id')
  return c.json({ id, name: 'Alice' })
})

export default app

Features.

Built on Web Standards: runs on Request/Response/fetch APIs. No runtime lock-in.
Fast: ~5× Express on Workers, on par with Fastify on Node.
Type safe: end-to-end types (hono/client) so the client infers server types directly.
Rich middleware: JWT, OAuth, CORS, compression, cache, logger, bearer, basic auth — all built in.
RPC mode (hono/rpc): tRPC-style type-safe calls.
Validator integration: Zod, Valibot, ArkType, TypeBox, class-validator all supported.

In 2026 Hono is the de facto standard for edge-first frameworks. Cloudflare's official demos, Vercel's docs, and Deno Deploy's guides all use Hono as the example.

Chapter 7 · Fastify 5 — The Fastest Orthodox Node Framework

If Hono is the king of the edge, Fastify 5 is the performance champion on the Node runtime. Same middleware model as Express, but much faster and type-friendly.

TechEmpower — top tier in the Node bracket, ~2× Express throughput.
JSON-schema-based serialization: fast-json-stringify makes response serialization ~2× faster.
Encapsulation model: plugin isolation keeps big codebases clean.
Pino logging built in: the fastest Node logger by default.
TypeBox integration: JSON Schema and TS types simultaneously.
Fastify v5 (2024) — requires Node 20+, ESM-first, 100% async middleware, stricter schemas.

When to pick Fastify: when throughput matters on a Node origin server, when you need auto-generated OpenAPI (@fastify/swagger), when many small Fastify apps make up a microservice mesh.

Coupang showcased migrating some services from Express to Fastify at a 2024 conference: 40% throughput improvement, 30% reduction in p99 latency.

Chapter 8 · Express 5 — A Decade-Long Wait for GA, Still Alive

Express 5.0 had its first alpha back in 2014 and finally reached stable in September 2024 — nearly ten years later. 5.1.x followed in 2025.

Key 5.0 changes.

Native async/await support — promises rejected by middleware are forwarded to next(err) automatically.
path-to-regexp v6 — improved route regex handling, security fixes (ReDoS defense).
req.host / req.protocol behavior normalized.
Node 18+ required.

It is still the most-used Node framework in the world. Number 1 in download counts, dependent packages, tutorials, courses, and StackOverflow answers. Infinite learning material makes it a solid choice for a junior backend dev's first project.

Weaknesses are clear. Performance trails Fastify and Hono, type support requires a separate package (@types/express), OpenAPI automation depends on a third-party library (express-openapi-validator). Reasons to pick Express for a brand-new production are dwindling.

Chapter 9 · Koa.js — The Original async Middleware

TJ Holowaychuk's (Express's original author) follow-up. Koa 2.x is stable as of 2026. The framework that first cleaned up async/await middleware.

import Koa from 'koa'

const app = new Koa()

app.use(async (ctx, next) => {
  const start = Date.now()
  await next()
  const ms = Date.now() - start
  ctx.set('X-Response-Time', `${ms}ms`)
})

app.use(async (ctx) => {
  ctx.body = 'Hello Koa'
})

app.listen(3000)

Onion-model middleware: natural before/after handling around await next().
Everything lives on ctx — no req/res split.
Smaller and lighter than Express — clean once you adapt.

Adoption shrank by 2026. With Hono · Fastify · Express 5 offering similar abstractions, fresh reasons to pick Koa are thin. Still, meta-frameworks like Strapi, Egg.js, and Sails sit on top of Koa, so indirect users remain plentiful.

Chapter 10 · NestJS 11 — Angular-Style Dependency Injection

NestJS is Kamil Mysliwiec's enterprise-oriented framework. It pulls Angular's decorators, modules, and DI pattern straight into the backend. v11 stabilized in late 2025.

import { Controller, Get, Param, Module } from '@nestjs/common'

@Controller('users')
class UsersController {
  @Get(':id')
  findOne(@Param('id') id: string) {
    return { id, name: 'Alice' }
  }
}

@Module({ controllers: [UsersController] })
export class AppModule {}

Features.

Modules · controllers · services · providers pattern — Spring Boot / ASP.NET-style structure for large codebases.
DI container — constructor injection, interface-based testing.
Built-in microservices — Redis, NATS, Kafka, gRPC, MQTT transports.
GraphQL, WebSocket, Swagger, Auth, Caching all first-class modules.
CLI codegen — nest g module users, etc.

NestJS v11 changes.

Express v5 / Fastify 5 simultaneous support — pick the adapter.
Node 20+ required.
SWC build default — ~20× faster TypeScript compilation.

When to pick NestJS: when the team is big, when DI, testing, and doc automation matter for enterprise needs, when you run many microservices in a monorepo. If it feels too heavy, lighter options like Hono and Fastify are better.

Chapter 11 · AdonisJS 6 — The Laravel of JavaScript

Harminder Virk's full-stack MVC framework. It carries over Laravel's design almost verbatim, and v6 in 2024 modernized around ESM and TypeScript-first.

Features.

Lucid ORM (Active Record), Edge template engine, Auth · Mail · Session · Validation · Queue all built in.
Rich CLI: node ace make:controller, node ace migration:run, and so on.
Full stack: Inertia.js integration for easy React/Vue front ends.
Routing: route groups, middleware, resource routing.

If Hono and Fastify are "build-from-parts," AdonisJS is "comes assembled." It's the most familiar choice for Laravel-trained developers moving to Node. Even in 2026 it's strong in India, Eastern Europe, and Latin American communities.

Chapter 12 · Elysia — Bun-Native, End-to-End Typed

Elysia is SaltyAom's Bun-first framework. Top throughput on Bun, and type inference that's more precise than Hono's.

import { Elysia, t } from 'elysia'

const app = new Elysia()
  .get('/users/:id', ({ params }) => ({ id: params.id, name: 'Alice' }), {
    params: t.Object({ id: t.String() }),
  })
  .listen(3000)

export type App = typeof app

Features.

Top of TechEmpower in some scenarios — sometimes ahead of Hono and Fastify.
Eden — tRPC-style type-safe client. Import the App type above and inference is automatic.
TypeBox-based validation — JSON Schema generated alongside.
Plugin system — Swagger, JWT, CORS, Static, WebSocket all included.
AOT compilation — routes analyzed statically for speed.

Weakness: tied to Bun. Can't run directly on Node or Deno. So "use Elysia if you're going with Bun, otherwise Hono" is the common 2026 conclusion.

Chapter 13 · h3 / Nitro / UnJS — The Backend Engine Behind Vue/Nuxt

UnJS is the universal library collection led by Pooya Parsa in the Vue/Nuxt ecosystem. At its center sit h3 (HTTP framework) and Nitro (server engine).

h3 — minimal HTTP framework. Express-like handler model with multi-runtime support.
Nitro — full server engine on top of h3. Bundles routing, assets, cache, storage, tasks, middleware, and adapters; builds for Node, Bun, Deno, Workers, Lambda, Netlify, and Cloudflare.

The server side of Nuxt 3/4 is Nitro. Other meta-frameworks like SolidStart and Analog also run on Nitro. For standalone backends you can pull in nitropack on its own.

The appeal is one codebase targeting every runtime. The weakness is less awareness and fewer resources than Hono.

Chapter 14 · Encore TS — Infra as Code, Literally

Encore is the backend framework + infra Marcus Kohlberg started. Declared resources auto-provision in the cloud — that's the decisive difference from other frameworks.

import { api } from 'encore.dev/api'
import { SQLDatabase } from 'encore.dev/storage/sqldb'

const db = new SQLDatabase('users', { migrations: './migrations' })

export const getUser = api(
  { expose: true, method: 'GET', path: '/users/:id' },
  async ({ id }: { id: string }) => {
    const row = await db.queryRow`SELECT * FROM users WHERE id = ${id}`
    return row
  },
)

Databases, queues, pub-sub, cache, cron — declare in code and infra is auto-generated.
Local dev: spins up all dependencies via Docker containers automatically.
Type-safe RPC: a function call is an API call.
Tracing, metrics, and logs collected automatically.
Encore Cloud Platform (paid) or self-hosted (AWS, GCP) deploys.

When to pick Encore: small teams short on DevOps, startups that want infra standardization. The weakness is lock-in impression and less granular infra control.

Chapter 15 · Effect — Functional TypeScript's Ambition

Effect-TS is the functional TS ecosystem led by Michael Arnaldi. It brings Scala's ZIO and Haskell's IO monad ideas into TypeScript.

Features.

Effect.gen / Effect.pipe: expresses async error handling, retries, timeouts, and cancellation in the type system.
Schema: a Zod alternative. Richer type inference and transformations.
Services & Layers: DI container + dependency composition.
Stream / Queue / Hub: structured concurrency.
HttpApi: an HTTP server framework built on Effect.

import { Effect, pipe } from 'effect'

const getUser = (id: string) =>
  pipe(
    Effect.tryPromise(() => fetch(`/users/${id}`)),
    Effect.flatMap((res) => Effect.tryPromise(() => res.json())),
    Effect.retry({ times: 3 }),
    Effect.timeout('5 seconds'),
  )

The learning curve is steep. But for complex async workflows (payments, orchestration, many external API calls), it's far clearer than try/catch hell. You see it more and more in 2026, but the entire team needs to be comfortable with functional style.

Chapter 16 · tRPC 11 — End-to-End Type-Safe RPC

tRPC is Alex/KATT's RPC framework. Its core idea: GraphQL's type safety without the schema.

import { initTRPC } from '@trpc/server'
import { z } from 'zod'

const t = initTRPC.create()

export const appRouter = t.router({
  getUser: t.procedure
    .input(z.object({ id: z.string() }))
    .query(({ input }) => ({ id: input.id, name: 'Alice' })),
})

export type AppRouter = typeof appRouter

Import the AppRouter type on the client and calls are fully type-safe.

v11 (late 2024): first-class React Server Components, signal-based subscriptions, fetch adapter.
Adapters for Next.js, Express, Fastify, Hono, Nuxt.
Subscriptions: WebSocket / SSE.
Batch, prefetch, caching are first-class.

Strong when you write backend and frontend together in a Next.js / Nuxt monorepo. Not for clients in other languages or externally published APIs — that's OpenAPI/GraphQL territory.

Chapter 17 · Validation Libraries — Zod · Valibot · ArkType · TypeBox

API input validation and type inference is one of the core 2026 backend decisions.

Library	Model	Strengths	Weaknesses
Zod 3.x	Object builder	#1 ecosystem; first-class in Hono, tRPC, Fastify	Weak tree-shaking, bundle size
Valibot	Modular	~10× smaller bundles, great tree-shaking	Smaller ecosystem
ArkType	Type expressions	Fast inference, TS-native expression	Learning curve
TypeBox	JSON Schema	Standard JSON Schema generated alongside, default for Fastify	Verbose API
Joi	Class	Mature, hapi standard	Weak type inference
Yup	Class	React-form friendly	Shrinking on backends

The default is still Zod. When bundle size is decisive (edge, shared mobile sync code) — Valibot. When perf matters most — ArkType. When OpenAPI auto-generation matters — TypeBox.

Chapter 18 · The ORM War — Prisma 6 vs Drizzle 0.40

The hottest comparison of 2025–2026. The two ORMs have completely different philosophies.

Prisma 6.

Declarative schema (schema.prisma) — a separate DSL.
migrate, introspect, studio — a rich toolchain.
Type-safe queries auto-generated.
All major DBs supported — Postgres, MySQL, SQLite, MongoDB, CockroachDB, MS SQL.
Drawbacks: heavy on edge runtimes (separate engine binary), migration lock-in.

Drizzle ORM 0.40.

TypeScript-first schema — defined directly in .ts files.
SQL-shaped builder — low learning curve.
Small bundle, edge friendly — de facto standard for Cloudflare D1, Vercel Postgres, Turso.
Drawbacks: tooling not yet as rich as Prisma's.

When to use Prisma: large monorepos, diverse backends like MongoDB, migration-automation-centric workflows. When to use Drizzle: edge deployment, Workers / Vercel / Neon / Turso, SQL-fluent teams.

Also still active: Kysely (type-safe SQL builder, thinnest), MikroORM 6 (Unit of Work, enterprise), TypeORM 0.3 (decorator-based, share shrinking), Sequelize 6 (legacy), Objection.js / Bookshelf / Knex (query builder + light ORM).

Chapter 19 · API Patterns — REST · GraphQL · tRPC · gRPC · OpenAPI

Pattern	Strengths	Weaknesses
REST + OpenAPI	Ubiquity, caching, rich tooling	Over-fetching, multiple round-trips
GraphQL	Single endpoint, client-driven fetch	Hard caching, N+1, complex
tRPC	End-to-end TS types, low boilerplate	TS-only, hard to expose externally
gRPC + Protobuf	Bi-directional streaming, polyglot, efficient	Hard to call directly from browsers
JSON-RPC	Simple, friendly to message queues	Sparse tooling

The 2026 practical trend: REST + OpenAPI for public APIs, gRPC for internal microservices, tRPC for monorepo full-stack, GraphQL for public graph APIs, JSON-RPC or NATS for events/RPC. Don't try to unify on one — pick what fits each boundary.

Chapter 20 · Job Queues — BullMQ · Cloudflare Queues · Inngest

Wherever async jobs, retries, backoff, and scheduling are needed.

BullMQ (Redis-based).

The most widely used Node job queue. Priorities, retries, rate limits, sandbox, UI (Bull Board) — all there.
Weakness: Redis dependency, requires you to operate it.

Cloudflare Queues.

Workers-native. Globally distributed without you operating anything.
Weakness: Cloudflare ecosystem lock-in.

Inngest (durable workflow specialist).

The durable functions platform covered in a separate post. Auto retries and persistence at the step-function level.
Weakness: external-service lock-in; self-hosting is possible but operationally complex.

Also: Hatchet (self-hostable durable workflow, Postgres-based), Trigger.dev (worker-based with UI), Temporal (when polyglot is required) — see the dedicated comparison post.

Chapter 21 · Auth — Auth.js v5 · Lucia v3 · better-auth

OAuth, JWT, sessions. The 2026 landscape.

Auth.js v5 (formerly NextAuth) — tightly integrated with Next.js, 80+ OAuth providers.
Lucia v3 — session-based, direct DB control. Light and explicit.
better-auth — type-first auth library that surfaced in late 2024. OAuth, 2FA, magic links, and API keys built in.
Clerk · Auth0 · Stytch · WorkOS — hosted IDPs.

Selection criteria: full-stack monorepo — Auth.js or better-auth, standalone backend needing explicit sessions — Lucia, want to outsource ops — Clerk/WorkOS.

Chapter 22 · Testing — Vitest · Jest 30 · node test · Bun test · Playwright

Tool	Strengths
Vitest	Vite-native, fast watch mode, Jest-compatible API
Jest 30	Most mature, rich resources, powerful mocks
node test	Zero dependencies, fast CI
Bun test	Fastest on Bun
Playwright	E2E, browser automation

For new projects in 2026, Vitest has become the default. node test is increasingly common in CI environments. For E2E, Playwright is the de facto standard (multi-browser and faster than Cypress).

Chapter 23 · Logging — Pino · Winston · Bunyan

The Node backend logging triumvirate.

Pino: the fastest Node logger. Optimized JSON serialization, default in Fastify. Separate transports (pino-pretty, pino-elasticsearch).
Winston: the richest transports — file, console, http, syslog, many external services. Slower than Pino.
Bunyan: JSON-first, good CLI tooling. Popularity has shrunk but some companies keep it as standard.

The usual 2026 choice: new project — Pino, need many external sinks — Winston. Layer OpenTelemetry on top for distributed tracing.

Chapter 24 · WebSockets — ws · uWebSockets.js · Socket.io · Hono WS

Library	Strengths	When
ws	Simplest, RFC6455 direct	Low-level WS, custom protocols
uWebSockets.js	Fastest (C++ binding)	Hundreds of thousands of concurrent connections
Socket.io 4.8	rooms, acks, reconnect, pub-sub adapters	Same library on the client
Hono WebSocket	Workers, Bun, Node multi-runtime	WS at the edge
Bun.serve WS	Native Bun speed	Bun only

Discord handles ~100M concurrent connections on Elixir + Rust, while some APIs run on Node + Socket.io. uWebSockets.js gets used by some exchanges and gaming companies.

Chapter 25 · Cloud Deployment — Vercel · Workers · Lambda · Render · Railway · Fly.io

2026 backend deployment options.

Vercel: Next.js first-class, supports Edge + Node + Python. PR-level preview environments.
Cloudflare Workers: the king of the edge. Plays well with Hono, Itty Router, SvelteKit.
AWS Lambda: the most universal. IaC via SAM, CDK, Serverless Framework.
Render: a Heroku successor. Coherent across Docker, Postgres, cron, queues.
Railway: PaaS with great DX. GitHub → deploy instantly.
Fly.io: global Docker. With Postgres and Redis. Has Japan and Korea regions.

When to pick what.

New full-stack SaaS: Vercel + Neon/Supabase + Upstash + Inngest.
Edge-first API: Cloudflare Workers + D1/R2/KV + Hono.
Heavily coupled with other AWS services: Lambda + DynamoDB + SQS.
Prefer running containers directly: Fly.io, Render, Railway.

Chapter 26 · Mid-Tier and Minor Frameworks

Less common but strong in their domains.

Restify — REST-first lightweight framework. Used at Netflix in some services.
Polka · Sirv — minimalist routers. Often baked into build tooling.
Marble.js — RxJS-based reactive framework. Functional + streams.
Ts.ED — decorator-based. Express/Koa adapters.
FoalTS — full-stack TS framework.
Feathers — REST + realtime integrated.
Moleculer — microservices framework.

It's rare you'd pick any of these fresh, but you can run into them in maintenance code, so it pays to know the names and where they sit.

Chapter 27 · Monitoring & Observability — OpenTelemetry · Sentry · Datadog · Grafana

The 2026 backend observability stack.

OpenTelemetry — standard trace/metric/log spec. Effectively every tool integrates.
Sentry — error tracking standard. Widely adopted in Korea and Japan too.
Datadog · New Relic — full-spectrum APM, expensive but rich.
Grafana Stack — Prometheus + Loki + Tempo. Self-host friendly.
Honeycomb — distributed tracing specialist; the thought leader of observability 1.0.

A common Node pattern: enable automatic instrumentation with @opentelemetry/sdk-node, route errors through Sentry, and forward to Grafana or Datadog.

Chapter 28 · Security — Helmet · CSRF · Rate Limit · CORS

helmet — auto-set security headers: CSP, HSTS, X-Frame, X-Content-Type, etc.
csurf is deprecated. In 2026 use successors like csrf-csrf.
express-rate-limit · @fastify/rate-limit · hono-rate-limiter — IP / per-user rate limiting.
CORS — precise allowlists on origin, credentials, methods.

Add OWASP Top 10 (SQL injection, XSS, broken auth, security misconfig, etc.) as a code-review checklist. In 2026 ridiculous incidents almost always trace back to something already listed in OWASP.

Chapter 29 · Korean Enterprise Adoption — Toss · Coupang · KakaoPay · Karrot

Toss. Node + Hono in parts of the payments backend. Edge routing for the global distributed payments API uses Cloudflare Workers + Hono, as disclosed at the 2025 Toss Tech Conference. Internal Slack and tooling backends run on Node + Fastify.

Coupang. Migrated some fulfillment APIs from Express to Fastify. At a 2024 conference they reported ~40% throughput gains and ~30% reductions in p99 latency. Some search-indexing workers run on BullMQ + Node.

KakaoPay. Most of the backend is Spring Boot, but some BFFs (Backend for Frontend) are Node + NestJS. tRPC-style patterns reduce coupling with the frontend.

Karrot (Daangn Market). Realtime layers like chat and notifications use Node + Socket.io. Recently experimenting with Bun on some workers.

Line Games · Kakao Games · Nexon. Game meta APIs use Node in places. WebSockets pair with uWebSockets.js or in-house C++ servers.

Chapter 30 · Japanese Enterprise Adoption — Mercari · LINE Yahoo · DeNA · freee

Mercari. Yusuke Wada, Hono's creator, worked at Mercari before joining Cloudflare. Parts of the Mercari Shops backend run on Hono + Cloudflare Workers. Workers handle global payments routing and edge image processing.

LINE Yahoo. The main backend is Kotlin/Java, but some integration BFFs and newer services like LINE Novel use Node + NestJS. Some ad-system backends are experimenting with Bun.

DeNA. Parts of mobile-game backends use Node. Socket.io handles chat and events.

freee. Some APIs of the accounting SaaS use Node + Fastify. Pair Fastify with TypeBox for auto-generated OpenAPI.

Cybozu · CyberAgent · Recruit. Many internal tools run on Node + NestJS or Hono. Recruit is experimenting with Bun on some ad-system components.

Chapter 31 · New-Project Decision Tree

A decision tree to help with "which one should I use."

Full-stack monorepo (Next/Nuxt)? → tRPC + Hono/Fastify + Zod + Drizzle.
Edge-first API? → Cloudflare Workers + Hono + Drizzle + D1/Turso.
Enterprise, big team, DI required? → NestJS 11 + Fastify adapter + Prisma 6 + Class Validator.
Adopting Bun? → Elysia + TypeBox + Drizzle.
From a Laravel background? → AdonisJS 6.
Want infra automated too? → Encore TS.
Complex async workflows? → Effect + Hono.
Maintaining legacy Express? → Upgrade to Express 5, plan a gradual move to Fastify.

This is just a guideline; team familiarity is the biggest variable. There is no "best tool." The best tool is the one your team can ship and debug quickly.

Chapter 32 · Antipatterns — Common Mistakes

Letting async errors slip past next in Express — await without try/catch produces unhandled rejections.
Putting Prisma directly on the edge — requires a separate engine binary. Swap to Drizzle or Kysely.
Wrapping everything in tRPC — including publicly exposed APIs, so other-language clients can't connect.
Adopting Bun in production blindly — without verifying some native modules still don't work.
Over-relying on Hono RPC — compile time slows and type inference explodes.
Over-fragmented NestJS modules — 50 modules in a tiny app kill readability.
Introducing Effect without team consensus — if only one person is functional-native, PR reviews stall.

Chapter 33 · Pitfalls of Performance Benchmarks

The 2026 consensus: don't decide on "TechEmpower scores" alone.

Hello World benchmarks ignore middleware, ORMs, and external API calls — an unrealistic scenario.
Real production has DB latency taking 80%+ of the time. A faster framework is meaningless if queries are slow.
Memory efficiency · GC pressure · p99 TTFB matter more than throughput in many cases.
Cold start only matters in serverless. On container origins, it's not a worry.

Use benchmarks as a reference only, and load-test your own workload (k6, autocannon, oha) for the truth.

Chapter 34 · Learning Roadmap

Assuming you already know Node decently.

Hono in a week: launch a Todo API on the free Workers plan with Hono + D1.
Fastify in two weeks: a small SaaS API with Postgres + Drizzle + Zod, with OpenAPI auto-generated.
NestJS in a month: one book (official docs or Ariel Weinberger's course) + a small microservice demo.
tRPC in a week: a Next.js monorepo with full-stack CRUD via tRPC.
Effect in two months: longer if you need to come up to speed on functional style.

Interview staples — event loop, backpressure, cluster · worker_threads, stream API, CommonJS vs ESM, N+1 problem and dataloader, GraphQL N+1 mitigation, JWT vs sessions, rate-limit algorithms (token bucket, sliding window).

Chapter 35 · Closing — No Right Answers, But Better Questions

The 2026 JavaScript backend landscape is far more complex than the "Node + Express" era, but that's because options multiplied, not because progress slowed. Edge computing has become production, type safety has become the default, infra has become code, cold start approaches zero.

When you start your next project, instead of "what framework is hot," ask these first.

Where does it run? Edge, origin, both?
Who writes it? A team comfortable with functional? Familiar with decorators?
Is it externally exposed? Then OpenAPI · REST.
Who writes the client? Same monorepo — tRPC. Other language — gRPC/REST.
Who operates it? Lean DevOps — Vercel, Railway, Encore.
Will you regret it in six months? "Maintenance population" beats "trend."

Great backends don't come from great frameworks. They come from great questions.

References

Node.js Releases — https://nodejs.org/en/about/previous-releases
Node.js 22 LTS Blog — https://nodejs.org/en/blog/release/v22.11.0
Bun Documentation — https://bun.sh/docs
Deno 2 Release — https://deno.com/blog/v2
Cloudflare Workers — https://developers.cloudflare.com/workers/
Hono — https://hono.dev/
Fastify v5 — https://fastify.dev/blog/2024/10/01/fastify-v5-ga/
Express 5 Release — https://expressjs.com/2024/10/15/v5-release.html
Koa.js — https://koajs.com/
NestJS — https://nestjs.com/
AdonisJS 6 — https://adonisjs.com/
Elysia — https://elysiajs.com/
h3 — https://h3.unjs.io/
Nitro — https://nitro.unjs.io/
Encore TS — https://encore.dev/
Effect — https://effect.website/
tRPC — https://trpc.io/
Zod — https://zod.dev/
Valibot — https://valibot.dev/
ArkType — https://arktype.io/
TypeBox — https://github.com/sinclairzx81/typebox
Prisma — https://www.prisma.io/
Drizzle ORM — https://orm.drizzle.team/
Kysely — https://kysely.dev/
BullMQ — https://docs.bullmq.io/
Auth.js — https://authjs.dev/
Lucia — https://lucia-auth.com/
Pino — https://getpino.io/
Socket.io — https://socket.io/
Mercari Engineering Hono Article — https://engineering.mercari.com/en/blog/
Toss Tech — https://toss.tech/