Cloudflare Rebuilt Next.js in One Week with AI — Here's What Actually Happened

Cloudflare's vinext reimplements 94% of the Next.js API on Vite, built by one engineer with Claude AI for $1,100. Vercel fired back with 7 security disclosures. Here's the full story and what it means for developers.

One engineer, 800 AI sessions, $1,100 in Claude API tokens, and a framework war that's reshaping how we think about competitive moats in open source.


The short version

In February 2026, Cloudflare released vinext — a Vite plugin that reimplements the public Next.js API surface. Routing, server rendering, React Server Components, server actions, caching, middleware. All of it running on Vite instead of the Next.js compiler toolchain.

Steve Faulkner, Engineering Director at Cloudflare, built it in one week using Claude AI. The cost: roughly $1,100 in API tokens.

Two days later, Vercel CEO Guillermo Rauch disclosed seven security vulnerabilities in vinext — two critical, two high, two medium, one low. The internet had opinions.

This is the full story.

What vinext actually is

vinext is not a fork of Next.js. It doesn't copy Next.js source code. Instead, it reimplements the same API surface as a Vite plugin.

What does that mean in practice? You take an existing Next.js project, replace next with vinext in your scripts, and your app runs on Vite's toolchain. Same app/ directory, same pages/ directory, same next.config.js. The developer-facing API is the same — the engine underneath is different.

Here's what it covers:

  • App Router: nested layouts, loading states, error boundaries, parallel routes, intercepting routes
  • Pages Router: getStaticProps, getServerSideProps, getStaticPaths, _app, _document
  • React Server Components via @vitejs/plugin-rsc
  • Server Actions, middleware, caching
  • ~94% of the Next.js 16 API surface

And it's fast. On a 33-route test app, production builds finished in 1.67 seconds using Vite 8's Rolldown bundler versus 7.38 seconds for Next.js 16 with Turbopack — 4.4x faster. Client bundles shrank from 168.9 KB to 72.9 KB gzipped, a 57% reduction.

Cloudflare itself warns these numbers are "directional, not definitive" — based on one test fixture, not real-world production apps. Fair enough.

How one engineer built a framework in a week

This is the part that got everyone's attention.

Steve Faulkner spent a couple of hours defining the architecture with Claude — what to build, in what order, which abstractions to use. From there, the workflow was methodical: define a task, let the AI write the implementation and tests.

Over 800 AI sessions produced most of the code. But here's the important nuance: every line passes the same quality gates you'd expect from human-written code. The project has:

  • 1,700+ Vitest unit tests
  • 380 Playwright E2E tests (ported from Next.js's own test suite)
  • Full TypeScript type checking via tsgo
  • Linting via oxlint

Faulkner was clear about the human element: "I had to course-correct regularly." Architecture decisions, prioritization, knowing when the AI was heading down a dead end — that was all human judgment.

This is a meaningful distinction. It wasn't "vibe coding" in the careless sense. It was an experienced engineer directing AI with intent and validating the output through rigorous testing.

Why Cloudflare did this

The answer starts with a word: portability.

Next.js is the most popular React framework. But it has become increasingly optimized for Vercel's own infrastructure. Features like ISR, middleware, image optimization, and caching work best — and sometimes only — on Vercel.

Cloudflare had already invested in OpenNext, an adapter that transforms Next.js build output to run on other platforms. The @opennextjs/cloudflare package lets you deploy Next.js apps on Cloudflare Workers. It works. But it's always playing catch-up with Vercel's releases.

vinext takes a different approach: instead of adapting Next.js output, it reimplements the API from scratch. If your competitive advantage depends on implementation complexity and your test suite is public, you've published the blueprint for your own replacement.

Cloudflare also introduced an experimental feature called Traffic-aware Pre-Rendering (TPR): it uses Cloudflare zone analytics at deploy time to pre-render pages based on recent traffic patterns. Pages outside that set fall back to on-demand SSR with ISR caching. This is only possible because vinext controls the full build pipeline.

Vercel's response

Two days after the announcement, Vercel's CEO Guillermo Rauch posted on X:

"We've identified, responsibly disclosed, and confirmed 2 critical, 2 high, 2 medium, 1 low security vulnerabilities in Cloudflare's vibe-coded framework Vinext. We believe the security of the internet is the highest priority, especially in the age of AI."

The vulnerabilities included Server-Side Request Forgery (SSRF), broken authentication flows, missing security headers, and improper path parsing.

Vercel submitted the findings through Cloudflare's bug bounty program and offered to donate the rewards to AI and cybersecurity research.

The timing and framing were... strategic. Alongside the security disclosure, Vercel published a "Migrate to Vercel from Cloudflare" guide. Turning a security disclosure into a customer acquisition opportunity is a bold move.

To add context: security researcher Sam Curry noted he had reported an improper path parsing vulnerability in Next.js itself two years prior — and Vercel reported the exact same class of vulnerability to vinext. As Curry put it, a "funny coincidence."

Independent security findings

Vercel wasn't the only one looking. Independent researchers from Hacktron AI ran their own audit and found 45 vulnerabilities, 24 of which were manually validated. The critical findings included:

  • Cross-request state pollution: vinext used AsyncLocalStorage.enterWith() to pass request data between RSC and SSR sandboxes. Simpler than the alternative, and all tests passed. But tests only send one request at a time. In production with concurrent traffic, one user's request could read another user's auth token.
  • Unsafe cache keys: vinext's patched fetch caches responses using URL, HTTP method, and request body as the key. What's missing? Request headers. That means authenticated and unauthenticated requests could share cached responses.
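
The first finding comes down to how `AsyncLocalStorage.enterWith()` is scoped compared with `run()`. The following is an added, simplified illustration and not vinext's code: the handlers, `renderGreeting`, `dispatch` and the sample requests are hypothetical names constructed for this example.

```javascript
// Added illustration (not vinext source): enterWith() vs run() scoping.
const { AsyncLocalStorage } = require('node:async_hooks');

const requestStore = new AsyncLocalStorage();

// Hypothetical render step that trusts whatever the store currently holds.
function renderGreeting() {
  const ctx = requestStore.getStore();
  return ctx ? `hello ${ctx.user} (token ${ctx.token})` : 'hello anonymous';
}

// Unsafe: enterWith() swaps the store for the rest of the current execution
// context, so the value is still set after this handler has returned.
function handleUnsafe(req) {
  if (req.token) requestStore.enterWith({ user: req.user, token: req.token });
  return renderGreeting();
}

// Safe: run() binds the store only while the callback (and the async work it
// starts) executes, then restores the previous value.
function handleSafe(req) {
  if (!req.token) return renderGreeting();
  return requestStore.run({ user: req.user, token: req.token }, renderGreeting);
}

// Constructed sample traffic: an authenticated request followed by an
// anonymous one, both dispatched from the same execution context.
const SAMPLE_REQUESTS = [
  { user: 'alice', token: 'tok-alice' },
  { user: null, token: null },
];

// The outer run(null, ...) gives each dispatch a clean starting scope.
function dispatch(handler, requests = SAMPLE_REQUESTS) {
  return requestStore.run(null, () => requests.map((req) => handler(req)));
}

console.log('enterWith:', dispatch(handleUnsafe));
console.log('run      :', dispatch(handleSafe));
```

A test that sends one request at a time never exercises the second, anonymous request, which is why a suite can stay green while the leak exists.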

These aren't trivial issues. They're the kind of bugs that emerge from AI-generated code that passes unit tests but hasn't been reviewed by a human who understands production concurrency patterns.
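
The unsafe cache key finding can be reproduced with a small in-memory cache. This is an added example, not vinext's patched fetch: `weakKey`, `strictKey`, `fakeOrigin`, the header list and the sample requests are assumptions made for the illustration.

```javascript
// Added illustration (not vinext source): cache keys with and without headers.
const { createHash } = require('node:crypto');

// Assumed list of headers that change what the origin returns.
const VARYING_HEADERS = ['authorization', 'cookie'];

// Key as the article describes it: URL, method and body only.
function weakKey(req) {
  return JSON.stringify([req.method, req.url, req.body ?? null]);
}

// Hardened key: also binds a digest of the identity-bearing headers.
function strictKey(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers ?? {}).map(([k, v]) => [k.toLowerCase(), v]));
  const identity = VARYING_HEADERS.map((name) => headers[name] ?? '');
  const digest = createHash('sha256').update(JSON.stringify(identity)).digest('hex');
  return JSON.stringify([req.method, req.url, req.body ?? null, digest]);
}

// Stand-in origin: returns private data only for the constructed token.
function fakeOrigin(req) {
  const auth = (req.headers ?? {}).Authorization;
  return auth === 'Bearer tok-alice' ? 'alice: private dashboard' : '401 login required';
}

function makeCachedFetch(keyFn) {
  const cache = new Map();
  return (req) => {
    const key = keyFn(req);
    if (!cache.has(key)) cache.set(key, fakeOrigin(req));
    return cache.get(key);
  };
}

// Constructed sample requests: same URL and method, different credentials.
const URL_ME = 'https://api.example.test/me';
const ALICE = { method: 'GET', url: URL_ME, headers: { Authorization: 'Bearer tok-alice' } };
const ANON = { method: 'GET', url: URL_ME, headers: {} };

// Sends the authenticated request first, then the anonymous one.
function replay(keyFn) {
  const cachedFetch = makeCachedFetch(keyFn);
  return [cachedFetch(ALICE), cachedFetch(ANON)];
}

console.log('weak key  :', replay(weakKey));
console.log('strict key:', replay(strictKey));
```

An equally valid fix is to bypass the cache entirely for any request that carries credentials.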

What this means for developers

If you're using Next.js on Vercel

Nothing changes for you right now. Vercel remains the most optimized platform for Next.js, and that's unlikely to change soon.

If you're deploying Next.js elsewhere

You now have options:

  • OpenNext (@opennextjs/cloudflare): the mature, production-tested approach. Transforms Next.js build output for Cloudflare Workers. Supports Next.js 14 and 15. This is what most teams should use today.
  • vinext: experimental, faster builds, broader vision. But not production-ready for most applications. Watch this space.

If you're thinking about framework choices

This episode reveals something important: framework moats built on implementation complexity are eroding. When one engineer can reimplement 94% of a framework's API in a week using AI, the value shifts from "code that works" to "code that's been battle-tested, secured, and maintained over years."

The writing is cheap. The trust is expensive.

If you're interested in AI-assisted development

vinext is one of the most compelling case studies for AI-assisted engineering to date. Not because the code is perfect — it clearly isn't — but because it demonstrates what's possible when an experienced engineer uses AI as a force multiplier with rigorous testing.

The $1,100 cost to reach 94% API coverage is the number that will keep framework maintainers awake at night.

The bigger picture

This isn't really about vinext vs Next.js. It's about two shifts happening simultaneously:

  1. Platform portability is becoming a battleground. Developers are pushing back against vendor lock-in. OpenNext, vinext, and similar projects are the result.

  2. AI is compressing the timeline for reimplementation. What used to take a team months now takes one engineer a week. This changes the economics of competitive moats in software.

Cloudflare and Vercel will continue competing. vinext will get more secure. Next.js will improve its self-hosting story. Developers benefit from all of it.

The framework wars of 2026 are just getting started.

