Vercel accuses Cloudflare of stealing
Based on Theo - t3.gg's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.
Just Bash is a TypeScript Bash emulation for AI agents that uses an in-memory filesystem to avoid per-agent full Linux virtualization costs.
Briefing
“Just Bash,” a project built by Vercel’s CTO, is at the center of a dispute after Cloudflare forked it into “Cloudflare/Shell.” The fork allegedly removed key safety warnings and security hardening that the original project treats as essential for early, fast-moving agent sandboxing. The conflict matters because it is not just about open-source reuse: it is about whether a fork presented as broadly usable could mislead developers into deploying a less-protected environment for AI agents that need to run “bash-like” commands.
Just Bash is a TypeScript emulation of Bash designed for AI agents, using an in-memory filesystem so agents can explore codebases without paying the cost of giving each agent a full virtual Linux instance. That design is tightly coupled to a security model meant to prevent host escape—situations where agent-controlled code can break out of the sandbox and execute real commands on the underlying system. Malte (the Just Bash maintainer) emphasizes that the project is under heavy development and includes defense-in-depth layers such as disabling dangerous JavaScript evaluation paths (e.g., `eval` and the `Function` constructor) and checks aimed at prototype-pollution-prone patterns.
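The two defense-in-depth layers named above, sketched as an added TypeScript example. This is not Just Bash's or Cloudflare/Shell's code; the names `findDynamicEval`, `assertNoDynamicEval`, `SafeEnv` and `SandboxPolicyError` are hypothetical. The first layer refuses to run a snippet that reaches for `eval` or the `Function` constructor; the second is an environment store for the emulated shell that rejects the reserved keys through which prototype pollution happens and keeps every level of the tree on a null prototype.

```typescript
// Added example (hypothetical names, not Just Bash's code): two checks of the
// kind an in-memory shell emulation can apply to agent-supplied input.

class SandboxPolicyError extends Error {}

// Layer 1: refuse snippets that reach for dynamic code evaluation. This is a
// static check over the source text, so identifiers assembled at run time can
// evade it; it is one layer of defense in depth, not the whole security model.
const DYNAMIC_EVAL_PATTERNS: RegExp[] = [
  /\beval\s*\(/,                          // direct eval("...")
  /\bnew\s+Function\s*\(/,                // new Function("...")
  /\bFunction\s*\(/,                      // Function("...") without new
  /\bFunction\.prototype\.constructor\b/, // reaching the constructor via the prototype
  /\.constructor\s*\(/,                   // (function () {}).constructor("...")
];

// Returns the first offending fragment, or null when the snippet is clean.
function findDynamicEval(source: string): string | null {
  for (const pattern of DYNAMIC_EVAL_PATTERNS) {
    const match = pattern.exec(source);
    if (match) return match[0];
  }
  return null;
}

function assertNoDynamicEval(source: string): void {
  const hit = findDynamicEval(source);
  if (hit !== null) {
    throw new SandboxPolicyError(`dynamic evaluation is disabled in the sandbox: ${hit}`);
  }
}

// Layer 2: a variable store that cannot be used to pollute Object.prototype.
// A nested assignment such as CONFIG.__proto__.isAdmin=1 is the classic
// prototype-pollution shape; the store rejects the reserved keys up front and
// creates every level with Object.create(null) so there is no prototype chain
// to reach even if a check were missed.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

type Tree = { [key: string]: string | Tree };

class SafeEnv {
  private readonly root: Tree = Object.create(null) as Tree;

  // Assigns a value at a dotted path, e.g. set("CONFIG.debug", "true").
  set(path: string, value: string): void {
    const parts = path.split(".");
    for (const part of parts) {
      if (part.length === 0 || FORBIDDEN_KEYS.has(part)) {
        throw new SandboxPolicyError(`refusing to assign through reserved key: ${part}`);
      }
    }
    let node: Tree = this.root;
    for (const part of parts.slice(0, -1)) {
      const next = node[part];
      if (typeof next === "object") {
        node = next;
      } else {
        const fresh = Object.create(null) as Tree; // null prototype at every level
        node[part] = fresh;
        node = fresh;
      }
    }
    node[parts[parts.length - 1]] = value;
  }

  // Reads a dotted path; undefined when any segment is missing.
  get(path: string): string | Tree | undefined {
    let node: string | Tree | undefined = this.root;
    for (const part of path.split(".")) {
      if (typeof node !== "object" || node === undefined) return undefined;
      node = node[part];
    }
    return node;
  }
}
```

The null-prototype store is the stronger of the two layers: it removes the thing an attacker would pollute rather than pattern-matching the attempt, which is why a denylist like `findDynamicEval` should never be the only control standing between agent input and the host.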
Cloudflare’s fork, posted as “Cloudflare/Shell” under the permissive Apache 2.0 license, triggered backlash because it reportedly stripped out the “beta” disclaimer and removed references to optional features that increase the attack surface. More critically, the fork replaced the Python implementation approach with one that, in the original author’s view, would “immediately get you owned” by granting Python full access to the JavaScript host environment—while also removing security-relevant code that Just Bash previously used to constrain that risk. The argument is that Just Bash’s safeguards were built for a Node.js-style threat model, and removing them undermines the very reason the emulation exists.
The dispute also reflects deeper platform incentives. Vercel runs developer code in real Docker-like environments where Node can reach down to the native shell (meaning an agent that can access real Bash could potentially exec commands, read files, and interfere with other processes). Just Bash exists to move the “bash layer” upward into a controlled emulation so agents can’t go deeper into the host. Cloudflare, by contrast, runs code in V8-based isolates (workerd) with a different isolation boundary and fewer capabilities than Node—so Cloudflare can’t simply run Node packages the same way, and it can’t execute real Bash commands in the same manner. That mismatch helps explain why Cloudflare would want a Bash-like experience at the edge.
Still, the tone of the fallout turns on process and trust. Malte’s account suggests the fork was created in good faith by Sunil Pai, a Cloudflare leader who publicly praised Just Bash and was trying to make it work for Cloudflare’s agent stack. But the fork’s packaging and documentation allegedly made it look like a safe, general solution, even though the original project warned otherwise. The result: Vercel interpreted the fork as another risky “ecosystem fork” after earlier Cloudflare controversies, while Cloudflare framed it as enabling a capability developers can’t otherwise get at the edge.
By the end, the narrative shifts from technical grievances to community damage control: Malte later regrets the public escalation and apologizes to Sunil Pai, urging more direct communication (“send a DM first”) rather than public posts that assume bad intent. The core takeaway is that the Just Bash vs. Cloudflare/Shell fight is really about security boundaries, documentation clarity, and how quickly open-source collaboration can sour when incentives and threat models don’t align.
Cornell Notes
Just Bash is a TypeScript emulation of Bash built for AI agents, using an in-memory filesystem so agents can work without launching full virtual Linux environments. Its value depends on a defense-in-depth security model meant to prevent host escape, including disabling dangerous JavaScript execution paths and checks against prototype-pollution patterns. Cloudflare forked it into “Cloudflare/Shell,” but the fork allegedly removed the beta disclaimer and stripped out security-relevant code—especially around Python execution—making it appear safer and more broadly usable than the original. The dispute highlights how “same code” can mean different risk depending on platform threat models (Vercel’s Node/Docker-like stack vs. Cloudflare’s V8 isolates/workerd). The fallout also underscores that documentation and communication matter as much as licensing when forks change safety posture.
- Why does Just Bash exist instead of giving agents real Bash access?
- What specific changes in Cloudflare/Shell are described as security regressions?
- How do Vercel and Cloudflare differ in where isolation happens?
- Why is a Bash-like environment more valuable on Cloudflare than on Vercel?
- What role does documentation and packaging play in the dispute?
- How does the ending reframe the conflict?
Review Questions
- What security mechanisms does Just Bash rely on to prevent host escape, and why would removing them be especially risky for AI agents?
- How do Vercel’s Node/Docker-like execution model and Cloudflare’s workerd isolates change the threat model for running “bash-like” functionality?
- Why can a permissive-license fork still create conflict when documentation and safety posture differ from the upstream project?
Key Points
1. Just Bash is a TypeScript Bash emulation for AI agents that uses an in-memory filesystem to avoid per-agent full Linux virtualization costs.
2. The project’s security model is defense-in-depth, including disabling dangerous JavaScript execution paths and checks aimed at prototype-pollution-prone patterns.
3. Cloudflare’s fork “Cloudflare/Shell” is criticized for removing beta disclaimers and security-relevant code, including changes to Python execution behavior.
4. The dispute is driven by mismatched threat models: Vercel’s Node stack can reach the native shell, while Cloudflare’s workerd isolates constrain what code can do.
5. Forking open-source is legally permissible under Apache 2.0, but changing safety posture without clear warnings can mislead developers.
6. The narrative ends with an apology and a call for direct communication (DMs) before public escalation to reduce bad-faith assumptions.