Cloudflare Forks Vercel's 'Just Bash,' Igniting Renewed Open-Source Etiquette Debate

A recent fork of Vercel’s ‘Just Bash’ package by Cloudflare has reignited public debate between the two companies over open-source etiquette and security practices. Just Bash, developed by Vercel CTO Malte, is a TypeScript-based Bash emulation with an in-memory file system, designed to securely sandbox AI agent code within Node.js environments. Cloudflare’s Sunil Pai initially praised the project, but a subsequent fork, published as @cloudflare/shell within Cloudflare’s agents monorepo, quickly drew Malte’s public criticism. Malte’s article raised three concerns about the fork: it removed the beta disclaimers, it replaced a secure Pyodide implementation with one granting full JavaScript host access, and it deleted defense-in-depth layers critical for security in Node.js and Deno environments, even though the fork claimed broad cross-platform compatibility.

This incident underscores fundamental architectural differences between Vercel and Cloudflare. On Vercel, which uses Docker-based Node.js deployments where Node can execute native shell commands, Just Bash serves as a crucial security layer that prevents agent code from breaking out to the host system. Conversely, Cloudflare’s workerd runtime, built on V8 isolates, inherently lacks native Bash access, so Just Bash is valuable there for enabling Bash functionality within Cloudflare’s ecosystem. Sunil Pai later clarified that his team’s fork was a good-faith, personal experiment to adapt Just Bash to Cloudflare’s specific runtime needs, where some Node.js-specific security layers are redundant or incompatible. The drama, amplified by Vercel CEO Guillermo Rauch’s strong criticism referencing past conflicts, ultimately led to Malte’s public apology to Sunil, in which he advocated direct communication over public disputes and emphasized the importance of assuming good faith within the developer community.