Vercel and Cloudflare clashed after Cloudflare forked Vercel’s experimental “Just Bash” project, removing security warnings and features, which Vercel felt was irresponsible and against open-source etiquette. The situation escalated due to miscommunication, but was later resolved when both sides acknowledged misunderstandings and emphasized the importance of good faith and direct communication in open-source communities.
Certainly! Here’s a five-paragraph summary of the video transcript:
Vercel and Cloudflare, two major players in the web infrastructure space, have a history of rivalry, often clashing over performance, security, and marketing. Recently, their conflict took an unusual turn, centering on an open-source project called “Just Bash.” Developed by Vercel’s CTO, Malta, Just Bash is a TypeScript-based emulation of the Bash shell, designed primarily for AI agents to safely interact with codebases without the risks associated with running real Bash commands on servers. The project is innovative, allowing agents to operate in a virtual Bash environment within a JavaScript VM, which is both safer and more resource-efficient than spinning up full Linux VMs.
The drama began when Cloudflare forked Just Bash and published their own version, “Cloudflare/Shell,” removing several security warnings and disclaimers from the original project. While forking is legally permissible under the Apache 2.0 license, Malta and others at Vercel felt this violated open-source etiquette, especially since Just Bash was still in active development and not yet stable. The fork also stripped out important security features, which could mislead users into thinking the Cloudflare version was production-ready and safe across all environments, when in fact it lacked critical safeguards present in the original.
A key technical distinction between the two companies’ platforms underpins the controversy. Vercel runs user code in Docker containers with full Node.js access, making security layers like Just Bash essential to prevent malicious code from breaking out and affecting the host system. Cloudflare, on the other hand, uses a more restrictive V8-based runtime called “workerd,” which isolates requests at a higher level and doesn’t allow direct access to the underlying OS or Bash. For Cloudflare, the appeal of Just Bash is that it enables Bash-like functionality in an environment where real Bash isn’t available, but their fork removed security measures that are still necessary for other environments like Node.js or Deno.
The situation escalated due to a lack of communication and assumptions of bad faith. Malta publicly criticized Cloudflare’s fork, fearing a repeat of previous incidents where Cloudflare’s forks introduced security vulnerabilities. However, it turned out that Sunil Pi, a respected engineer at Cloudflare, had forked Just Bash out of genuine enthusiasm and experimentation, not as a hostile move. Sunil later clarified that he should have labeled the fork as experimental and perhaps used his personal account rather than Cloudflare’s official GitHub, acknowledging the confusion and unintended consequences.
In the end, both sides recognized their missteps. Malta reflected on the unnecessary pain caused to Sunil and the community, expressing regret for escalating the issue publicly instead of reaching out privately. The video’s creator laments how a promising technical project became overshadowed by drama, emphasizing the importance of assuming good faith and communicating directly before airing grievances in public. The episode serves as a reminder that open-source communities thrive on collaboration and trust, and that most conflicts can be avoided with a simple direct message rather than a public confrontation.