Vercel accuses Cloudflare of stealing

If you’ve ever shipped an open-source tool and then watched a bigger vendor scoop it up, re-wrap it, and put their logo on the box… whew. You already get why this one landed with a thud.

The latest round of “Vercel accuses Cloudflare of stealing” chatter flared up after people noticed Cloudflare had forked Vercel’s just-bash project and published it as @cloudflare/shell. Is that probably fine under the license? Sure. Did it still annoy a lot of developers? Also yes.

And then, like clockwork, it spilled into the usual arenas. X threads. Reddit dogpiles. YouTube explainers with “tech drama” in the title. You know the genre.

The short version people keep arguing about

Here’s what this story usually boils down to, once you strip away the heat:

• The phrase “Vercel accuses Cloudflare of stealing” is mostly community/social-media framing around Cloudflare forking Vercel’s just-bash and publishing it as @cloudflare/shell.
• just-bash is an npm package described as a virtual bash environment built in TypeScript, with an in-memory filesystem, aimed at AI agents and sandboxed command execution.
• just-bash uses the Apache-2.0 license, which generally allows forking and redistribution if you follow the terms and keep the required notices.
• The actual fight isn’t really about legal permission. It’s about open-source etiquette, attribution, naming, and the competitive weirdness when two platform vendors overlap.
• If a company forks OSS, the least-pain route is usually upstream-first, be clear about where it came from, and make improvements easy to merge back.

What “Vercel accuses Cloudflare of stealing” is pointing at, exactly

The concrete spark is pretty simple.

An X post making the rounds said:

“My colleague noticed yesterday that Cloudflare forked just-bash and published it as @cloudflare/shell.”

It also included the key caveat:

“this is completely in their rights …”

Meaning license-wise, it may be allowed.

Source: https://x.com/ivanburazin/status/2033432232090546272

One post, one observation, and suddenly we’re back in the oldest open-source argument on Earth. Is a permissive fork “stealing”… or is it literally the deal we all signed up for?

Depends who you ask. Some folks shrug and call it normal reuse. Others see a vendor taking a community project, slapping on a new label, and using distribution muscle to compete with the original author’s ecosystem. Same facts, very different vibes.

A few YouTube videos captured that whole back-and-forth mood, including the “again?!” energy:

• “Cloudflare and Vercel can't stop fighting”. Https.//www.youtube.com/watch?v=wn1qHif7W18
• “Vercel and Cloudflare are fighting…about bash?”. Https.//www.youtube.com/watch?v=mVKxygo5Sdo
• “Cloudflare Vercel Tech Drama”: https://www.youtube.com/watch?v=CNBfWlBEsJE

They’re commentary, not primary evidence. Still useful if you want to understand how people are interpreting what happened.

Why just-bash isn’t just some random library

This isn’t about a tiny helper function or a forgotten utility package. just-bash sits right at a spicy intersection: AI agents + tool execution + sandboxing.

On npm, just-bash is described as:

• “A virtual bash environment with an in-memory filesystem, written in TypeScript and designed for AI agents.”
• “Broad support for standard unix commands and bash syntax…”
• “Note: This is beta software. Use at your own risk…”

Source: https://www.npmjs.com/package/just-bash

That “designed for AI agents” line is the magnet here.

Agent frameworks often want a “shell tool” so the agent can do practical stuff. Edit files. Grep logs. Format code. Run little scripts. But giving an agent a real shell can be nightmare fuel. So projects like just-bash try to give you the feel of a shell without handing over the keys to the server.

The npm page shows an API like this:

import { Bash } from "just-bash". Const bash = new Bash();
await bash.exec;

const result = await bash.But;
console.log.    // "Hello\n"
console.log.  // 0

So if Cloudflare did publish a fork as @cloudflare/shell as claimed in the X post, it’s not just a petty rename. It becomes a strategic building block for developer tooling, agent runtimes, and platform features. Namespaces matter. @cloudflare/* carries weight.

Is it “stealing,” or is it just… open source doing open source things?

Licensing is the cold shower in this whole debate.

Apache License 2.0 explicitly grants broad rights to:

• “reproduce, prepare Derivative Works… sublicense, and distribute the Work and such Derivative Works…”

Source: https://www.apache.org/licenses/LICENSE-2.0

But Apache-2.Still also comes with obligations. When you redistribute, you’re expected to do things like:

• include a copy of the license
• retain notices like copyright and attribution
• mark modified files with notices saying changes were made

See the “Redistribution” section.
Source: https://www.apache.org/licenses/LICENSE-2.0

So legally, a fork-and-publish can be totally fine, as long as the terms are followed.

Where people get mad usually isn’t “is it allowed.” It’s the social stuff:

Was the upstream credited clearly? Did the fork look like a brand-new Cloudflare invention? Were fixes pushed upstream, or kept private while being marketed as a Cloudflare package? Did the new name confuse the ecosystem?

None of that is courtroom talk. It’s trust talk. And devs are weirdly good at sniffing out when something feels off.

A quick, boring way to sanity-check metadata

If you want to dodge the “he said / she said” loop, you can at least verify basic package metadata:

# Check what npm says about the package and its metadata
npm view just-bash license repository homepage

# If a forked package exists, inspect it the same way
npm view @cloudflare/shell license repository homepage

And if you’re comparing repositories:

git clone https://github.com/vercel-labs/just-bash.git
cd just-bash
git log --oneline --decorate -n 10

Obviously you’d also inspect the fork’s repo, commits, and LICENSE/NOTICE files, assuming it’s public.

The platform subtext nobody can quite ignore

A lot of people wave this off as drama. But there’s a platform rivalry under it, and it’s been simmering.

Both Vercel and Cloudflare sell developer infrastructure.Still want to be the default place you deploy.Still circle the Next.js ecosystem in ways that make everything feel… competitive.

Cloudflare has been investing hard in Workers and framework support. Their docs describe Cloudflare Workers as a “serverless platform for building, deploying, and scaling apps across Cloudflare’s global network.”
Source: https://developers.cloudflare.com/workers/

They’ve also been pushing Node.js compatibility because the Workers runtime, workerd, is not Node.js. That gap affects how smoothly apps and toolchains run, especially around Next.js ecosystems. Cloudflare describes a “hybrid model” for Node.js compatibility and notes that newer compatibility flags make more Node APIs and npm packages work.
Source: https://blog.cloudflare.com/more-npm-packages-on-cloudflare-workers-combining-polyfills-and-native-code/

So when something like just-bash shows up, explicitly made for sandboxed, shell-like execution for AI agents… yeah, platform vendors are going to care. Whoever controls the default “shell tool” for agents can shape the ecosystem.

And Cloudflare engineers clearly take shell details seriously. Their postmortem about a missing pipefail option is the classic reminder bash can absolutely ruin your day in production.
Source: https://blog.cloudflare.com/pipefail-how-a-missing-shell-option-slowed-cloudflare-down/

That post isn’t about just-bash. It’s just a useful gut-check: “shell stuff” is not a toy over there.

Forking OSS without lighting yourself on fire

I’ve been on both sides of this. Maintainer hat on, you feel protective. Company hat on, you sometimes fork because you have to ship. The friction is real.

Here’s what tends to calm things down fast:

Lead with attribution. Put upstream links in the README. Keep LICENSE/NOTICE intact since Apache-2.0 expects it. Say it plainly: this is a fork of X.

Treat upstreaming like the default behavior. Fix a bug? Send the PR upstream early. If you truly need private patches, at least open an issue describing the problem so it doesn’t look like you’re quietly hoarding improvements.

Don’t pick a name that makes people squint. Publishing under a big vendor scope like @vendor/* can amplify confusion. Names that signal “fork” or “adapter” tend to create less chaos than names that look like replacements.

Document what changed. A CHANGES_FROM_UPSTREAM.md file does more work than people expect. It’s also the place to spell out security model changes, sandbox assumptions, and default limits.

Remember the supply-chain trust angle. Repackaging can feel like a power move even when it’s not intended way. Transparency gives people enough info to decide whether they’re comfortable adopting your package.

Why devs react so strongly to repackaging, even when it’s allowed

Because open source isn’t just code. It’s reputation. Governance. Mindshare. All the squishy human stuff.

Reddit threads on the Cloudflare side can tilt into “Cloudflare is proving you don’t need to pay Vercel,” which obviously pours gasoline on the rivalry narrative.
Source: https://www.reddit.com/r/CloudFlare/comments/1nc9np1/cloudflare_fires_latest_salvo_against_vercel/

And Hacker News threads framed around “Cloudflare forked just-bash and they really, really should not have” show how fast the conversation shifts away from license text and toward norms.
Source: https://news.ycombinator.com/item?id=47392479

So when someone says “Vercel accuses Cloudflare of stealing,” a lot of the time what they really mean is: this is legal, but it feels like taking advantage of a permissive community. Fair or not, it’s a very human reaction. Predictable, too.

So what do you do with this story?

This whole “Vercel accuses Cloudflare of stealing” episode is a good reminder open-source compliance is the floor. Apache-2.0 makes forking easy. Community trust is the part that’s slow to build and weirdly fast to lose.

If you’re building on OSS, and we all are, the move is pretty simple. Fork if you must. Be loud about provenance.Plus generous about upstreaming.

If you want more platform cost/feature comparisons in this same space, check out our internal post on cloud pricing: Cloud free tier offerings (2026). And if you’ve got a strong opinion on whether this counts as “stealing” or just “Tuesday in open source,” leave a comment. I’m genuinely curious where working devs draw the line.

Sources

• X post mentioning fork and publish as @cloudflare/shell. Https.//x.com/ivanburazin/status/2033432232090546272
• just-bash npm package page (description, usage, beta note). Https.//www.npmjs.com/package/just-bash
• Apache License 2.0 (terms for redistribution/derivatives). Https.//www.apache.org/licenses/LICENSE-2.0
• Cloudflare Workers docs (platform context). Https.//developers.cloudflare.com/workers/
• Cloudflare blog on improved Node.js compatibility for Workers (runtime context). Https.//blog.cloudflare.com/more-npm-packages-on-cloudflare-workers-combining-polyfills-and-native-code/
• Cloudflare blog “PIPEFAIL” postmortem (bash/shell engineering context). Https.//blog.cloudflare.com/pipefail-how-a-missing-shell-option-slowed-cloudflare-down/
• Hacker News thread referencing the fork discourse. Https.//news.ycombinator.com/item?id=47392479
• Reddit thread reflecting community sentiment. Https.//www.reddit.com/r/CloudFlare/comments/1nc9np1/cloudflare_fires_latest_salvo_against_vercel/
• YouTube commentary. “Cloudflare and Vercel can't stop fighting”. Https.//www.youtube.com/watch?v=wn1qHif7W18
• YouTube commentary. “Vercel and Cloudflare are fighting…about bash?”. Https.//www.youtube.com/watch?v=mVKxygo5Sdo
• YouTube commentary. “Cloudflare Vercel Tech Drama (Again?!)”: https://www.youtube.com/watch?v=CNBfWlBEsJE