Use npm for getting packages.

.github/workflows/backend-tests.yml

@@ -18,19 +18,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node: [16, 18, 20]
+        node: [1.0.3, canary]
     steps:
       -
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: ${{ matrix.node }}
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+            bun-version: ${{ matrix.node }}
       -
         name: Install libreoffice
         run: |
@@ -42,7 +38,7 @@ jobs:
         run: src/bin/installDeps.sh
       -
         name: Run the backend tests
-        run: cd src && npm test
+        run: cd src && bun test
 
   withpluginsLinux:
     # run on pushes to any branch
@@ -55,19 +51,15 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node: [16, 18, 20]
+        node: [1.0.3, canary]
     steps:
       -
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: ${{ matrix.node }}
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: ${{ matrix.node }}
       -
         name: Install libreoffice
         run: |
@@ -76,10 +68,8 @@ jobs:
           sudo apt install -y --no-install-recommends libreoffice libreoffice-pdfimport
       -
         name: Install Etherpad plugins
-        # The --legacy-peer-deps flag is required to work around a bug in npm v7:
-        # https://github.com/npm/cli/issues/2199
         run: >
-          npm install --no-save --legacy-peer-deps
+          bun install --no-save --legacy-peer-deps
           ep_align
           ep_author_hover
           ep_cursortrace
@@ -93,21 +83,12 @@ jobs:
           ep_spellcheck
           ep_subscript_and_superscript
           ep_table_of_contents
-      # Etherpad core dependencies must be installed after installing the
-      # plugin's dependencies, otherwise npm will try to hoist common
-      # dependencies by removing them from src/node_modules and installing them
-      # in the top-level node_modules. As of v6.14.10, npm's hoist logic appears
-      # to be buggy, because it sometimes removes dependencies from
-      # src/node_modules but fails to add them to the top-level node_modules.
-      # Even if npm correctly hoists the dependencies, the hoisting seems to
-      # confuse tools such as `npm outdated`, `npm update`, and some ESLint
-      # rules.
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
         run: src/bin/installDeps.sh
       -
         name: Run the backend tests
-        run: cd src && npm test
+        run: cd src && bun run test
 
   withoutpluginsWindows:
     # run on pushes to any branch
@@ -122,13 +103,9 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
         run: src/bin/installOnWindows.bat
@@ -139,7 +116,7 @@ jobs:
           powershell -Command "(gc settings.json.holder) -replace '\"points\": 10', '\"points\": 1000' | Out-File -encoding ASCII settings.json"
       -
         name: Run the backend tests
-        run: cd src && npm test
+        run: cd src && bun run test
 
   withpluginsWindows:
     # run on pushes to any branch
@@ -155,19 +132,13 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install Etherpad plugins
-        # The --legacy-peer-deps flag is required to work around a bug in npm
-        # v7: https://github.com/npm/cli/issues/2199
         run: >
-          npm install --no-save --legacy-peer-deps
+          cd src && bun install --no-save
           ep_align
           ep_author_hover
           ep_cursortrace
@@ -181,15 +152,6 @@ jobs:
           ep_spellcheck
           ep_subscript_and_superscript
           ep_table_of_contents
-      # Etherpad core dependencies must be installed after installing the
-      # plugin's dependencies, otherwise npm will try to hoist common
-      # dependencies by removing them from src/node_modules and installing them
-      # in the top-level node_modules. As of v6.14.10, npm's hoist logic appears
-      # to be buggy, because it sometimes removes dependencies from
-      # src/node_modules but fails to add them to the top-level node_modules.
-      # Even if npm correctly hoists the dependencies, the hoisting seems to
-      # confuse tools such as `npm outdated`, `npm update`, and some ESLint
-      # rules.
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
         run: src/bin/installOnWindows.bat
@@ -200,4 +162,4 @@ jobs:
           powershell -Command "(gc settings.json.holder) -replace '\"points\": 10', '\"points\": 1000' | Out-File -encoding ASCII settings.json"
       -
         name: Run the backend tests
-        run: cd src && npm test
+        run: cd src && bun run test

.github/workflows/docker.yml

@@ -35,14 +35,9 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
       -
-        name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 'lts/*'
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Test
         run: |
@@ -58,7 +53,7 @@ jobs:
               *) printf %s\\n "unexpected status: ${status}" >&2; exit 1;;
             esac
           done
-          (cd src && npm run test-container)
+          (cd src && bun run test-container)
           git clean -dxf .
       -
         name: Docker meta

.github/workflows/frontend-admin-tests.yml

@@ -16,7 +16,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node: [19, 20]
+        node: [1.0.3, canary]
 
     steps:
       -
@@ -29,19 +29,15 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: ${{ matrix.node }}
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: ${{ matrix.node }}
       -
         name: Install etherpad plugins
         # We intentionally install an old ep_align version to test upgrades to
         # the minor version number. The --legacy-peer-deps flag is required to
         # work around a bug in npm v7: https://github.com/npm/cli/issues/2199
-        run: npm install --no-save --legacy-peer-deps ep_align@0.2.27
+        run: bun install ep_align@0.2.27
       # Etherpad core dependencies must be installed after installing the
       # plugin's dependencies, otherwise npm will try to hoist common
       # dependencies by removing them from src/node_modules and installing them

.github/workflows/frontend-tests.yml

@@ -23,13 +23,9 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
         run: src/bin/installDeps.sh
@@ -78,19 +74,15 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install Etherpad plugins
         # The --legacy-peer-deps flag is required to work around a bug in npm v7:
         # https://github.com/npm/cli/issues/2199
         run: >
-          npm install --no-save --legacy-peer-deps
+          bun install --no-save --legacy-peer-deps
           ep_align
           ep_author_hover
           ep_cursortrace

.github/workflows/lint-package-lock.yml

@@ -20,16 +20,12 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install lockfile-lint
-        run: npm install --no-save lockfile-lint
+        run: bun install --no-save lockfile-lint
       -
         name: Run lockfile-lint on package-lock.json
         run: >

.github/workflows/load-test.yml

@@ -20,19 +20,15 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
         run: src/bin/installDeps.sh
       -
         name: Install etherpad-load-test
-        run: sudo npm install -g etherpad-load-test
+        run: bun install -g etherpad-load-test
       -
         name: Run load test
         run: src/tests/frontend/travis/runnerLoadTest.sh 25 50
@@ -50,22 +46,18 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install etherpad-load-test
-        run: sudo npm install -g etherpad-load-test
+        run: bun install -g etherpad-load-test
       -
         name: Install etherpad plugins
         # The --legacy-peer-deps flag is required to work around a bug in npm v7:
         # https://github.com/npm/cli/issues/2199
         run: >
-          npm install --no-save --legacy-peer-deps
+          cd src && bun install --no-save --legacy-peer-deps
           ep_align
           ep_author_hover
           ep_cursortrace
@@ -107,19 +99,15 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
         run: src/bin/installDeps.sh
       -
         name: Install etherpad-load-test
-        run: sudo npm install -g etherpad-load-test
+        run: bun install -g etherpad-load-test
       -
         name: Run load test
         run: src/tests/frontend/travis/runnerLoadTest.sh 5000 5

.github/workflows/rate-limit.yml

@@ -20,13 +20,9 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: docker network
         run: docker network create --subnet=172.23.42.0/16 ep_net

.github/workflows/upgrade-from-latest-release.yml

@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node: [16, 18, 20]
+        node: [1.0.3, canary]
     steps:
       -
         name: Check out latest release
@@ -26,19 +26,15 @@ jobs:
         with:
           ref: master
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: ${{ matrix.node }}
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: ${{ matrix.node }}
       -
         name: Install Etherpad plugins
         # The --legacy-peer-deps flag is required to work around a bug in npm
         # v7: https://github.com/npm/cli/issues/2199
         run: >
-          npm install --no-save --legacy-peer-deps
+          bun install
           ep_align
           ep_author_hover
           ep_cursortrace
@@ -66,7 +62,7 @@ jobs:
         run: src/bin/installDeps.sh
       -
         name: Run the backend tests
-        run: cd src && npm test
+        run: cd src && bun run test
       # Because actions/checkout@v4 is called with "ref: master" and without
       # "fetch-depth: 0", the local clone does not have the ${GITHUB_SHA}
       # commit. Fetch ${GITHUB_REF} to get the ${GITHUB_SHA} commit. Note that a
@@ -87,10 +83,10 @@ jobs:
         run: src/bin/installDeps.sh
       -
         name: Run the backend tests
-        run: cd src && npm test
+        run: cd src && bun run test
       -
         name: Install Cypress
-        run: cd src && npm install cypress
+        run: cd src && bun install cypress
       -
         name: Run Etherpad & Test Frontend
         run: |

.github/workflows/windows.yml

@@ -26,13 +26,9 @@ jobs:
         name: Checkout repository
         uses: actions/checkout@v4
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            src/package-lock.json
-            src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install all dependencies and symlink for ep_etherpad-lite
         shell: msys2 {0}
@@ -40,7 +36,7 @@ jobs:
       -
         name: Run the backend tests
         shell: msys2 {0}
-        run: cd src && npm test
+        run: cd src && bun run test
       -
         name: Build the .zip
         shell: msys2 {0}
@@ -106,16 +102,12 @@ jobs:
         name: Extract Etherpad
         run: 7z x etherpad-win.zip -oetherpad
       -
-        uses: actions/setup-node@v3
+        uses: oven-sh/setup-bun@v1
         with:
-          node-version: 20
-          cache: 'npm'
-          cache-dependency-path: |
-            etherpad/src/package-lock.json
-            etherpad/src/bin/doc/package-lock.json
+          bun-version: latest
       -
         name: Install Cypress
-        run: cd etherpad && cd src && npm install cypress
+        run: cd etherpad && cd src && bun install cypress
       -
         name: Run Etherpad
         run: |

.gitignore

@@ -21,3 +21,5 @@ out/
 /src/bin/convertSettings.json
 /src/bin/etherpad-1.deb
 /src/bin/node.exe
+
+*.lockb binary diff=lockb

Dockerfile

@@ -4,7 +4,7 @@
 #
 # Author: muxator
 
-FROM node:lts-alpine
+FROM oven/bun:alpine
 LABEL maintainer="Etherpad team, https://github.com/ether/etherpad-lite"
 
 ARG TIMEZONE=
@@ -99,7 +99,7 @@ COPY --chown=etherpad:etherpad ./ ./
 # seems to confuse tools such as `npm outdated`, `npm update`, and some ESLint
 # rules.
 RUN { [ -z "${ETHERPAD_PLUGINS}" ] || \
-      npm install --no-save --legacy-peer-deps ${ETHERPAD_PLUGINS}; } && \
+      bun install ${ETHERPAD_PLUGINS}; } && \
     src/bin/installDeps.sh && \
     rm -rf ~/.npm
 
@@ -110,7 +110,7 @@ COPY --chown=etherpad:etherpad ${SETTINGS} "${EP_DIR}"/settings.json
 RUN chmod -R g=u .
 
 USER root
-RUN cd src && npm link
+RUN cd src && bun link
 USER etherpad
 
 HEALTHCHECK --interval=20s --timeout=3s CMD ["etherpad-healthcheck"]

src/bin/installDeps.sh

@@ -8,20 +8,17 @@ cd "${MY_DIR}/../.." || exit 1
 # Source constants and useful functions
 . src/bin/functions.sh
 
-# Is node installed?
-# Not checking io.js, default installation creates a symbolic link to node
-is_cmd node || fatal "Please install node.js ( https://nodejs.org )"
+# Is bun installed?
+is_cmd bun || fatal "Please install bun ( https://bun.sh )"
 
-# Is npm installed?
-is_cmd npm || fatal "Please install npm ( https://npmjs.org )"
 
 # Check npm version
-require_minimal_version "npm" "$(get_program_version "npm")" \
-    "$REQUIRED_NPM_MAJOR" "$REQUIRED_NPM_MINOR"
+#require_minimal_version "npm" "$(get_program_version "npm")" \
+#    "$REQUIRED_NPM_MAJOR" "$REQUIRED_NPM_MINOR"
 
 # Check node version
-require_minimal_version "nodejs" "$(get_program_version "node")" \
-    "$REQUIRED_NODE_MAJOR" "$REQUIRED_NODE_MINOR"
+#require_minimal_version "nodejs" "$(get_program_version "node")" \
+#    "$REQUIRED_NODE_MAJOR" "$REQUIRED_NODE_MINOR"
 
 # Get the name of the settings file
 settings="settings.json"
@@ -48,10 +45,10 @@ cd src
 
 if [ -z "${ETHERPAD_PRODUCTION}" ]; then
   log "Installing dev dependencies"
- npm ci --no-optional --omit=optional --include=dev --lockfile-version 1 || exit 1
+ bun install --no-optional --omit=optional --include=dev --lockfile-version 1 || exit 1
 else
   log "Installing production dependencies"
-  npm ci --no-optional --omit=optional --omit=dev --lockfile-version 1 --production || exit 1
+  bun install --no-optional --omit=optional --omit=dev --lockfile-version 1 --production || exit 1
 fi
 
 # Remove all minified data to force node creating it new

src/bin/installOnWindows.bat

@@ -14,7 +14,7 @@ cd /D node_modules
 mklink /D "ep_etherpad-lite" "..\src"
 
 cd /D "ep_etherpad-lite"
-cmd /C npm ci || exit /B 1
+cmd /C bun install --frozen-lockfile || exit /B 1
 
 cd /D "%~dp0\..\.."
 

src/bin/release.js

@@ -137,7 +137,7 @@ try {
   writeJson('./src/package.json', pkg);
 
   // run npm version `release` where release is patch, minor or major
-  run('npm install --package-lock-only', {cwd: 'src/'});
+  run('bun install --package-lock-only', {cwd: 'src/'});
   // run npm install --package-lock-only <-- required???
 
   // Many users will be using the latest LTS version of npm, and the latest LTS version of npm uses

src/bin/run.sh

@@ -32,4 +32,4 @@ src/bin/installDeps.sh "$@" || exit 1
 # Move to the node folder and start
 log "Starting Etherpad..."
 
-exec node src/node/server.js "$@"
+exec bun run src/node/server.js "$@"

src/node/security/crypto.js

@@ -1,15 +1,18 @@
 'use strict';
 
 const crypto = require('crypto');
-const util = require('util');
 
+const newMethod = async (...args) => new Promise((resolve) => crypto.hkdf(...args, resolve));
 
 /**
  * Promisified version of Node.js's crypto.hkdf.
  */
-exports.hkdf = util.promisify(crypto.hkdf);
+exports.hkdf = newMethod;
+
+const newMethod2 = async (...args) => new Promise((resolve) => crypto.randomBytes(...args,
+    resolve));
 
 /**
  * Promisified version of Node.js's crypto.randomBytes
  */
-exports.randomBytes = util.promisify(crypto.randomBytes);
+exports.randomBytes = newMethod2;

src/package.json

@@ -33,6 +33,7 @@
     "async": "^3.2.4",
     "axios": "^1.5.1",
     "clean-css": "^5.3.2",
+    "command-exists": "^1.2.9",
     "cookie-parser": "^1.4.6",
     "cross-spawn": "^7.0.3",
     "ejs": "^3.1.9",
@@ -67,7 +68,7 @@
     "terser": "^5.20.0",
     "threads": "^1.7.0",
     "tinycon": "0.6.8",
-    "ueberdb2": "^4.2.13",
+    "ueberdb2": "^4.2.17",
     "underscore": "1.13.6",
     "unorm": "1.6.0",
     "wtfnode": "^0.9.1"
@@ -93,6 +94,7 @@
     "typescript": "^4.9.5"
   },
   "engines": {
+    "bun": ">=1.0.3",
     "node": ">=16.20.1",
     "npm": ">=6.14.0"
   },

src/static/js/pluginfw/installer.js

@@ -34,7 +34,7 @@ exports.uninstall = async (pluginName, cb = null) => {
     // The --no-save flag prevents npm from creating package.json or package-lock.json.
     // The --legacy-peer-deps flag is required to work around a bug in npm v7:
     // https://github.com/npm/cli/issues/2199
-    await runCmd(['npm', 'uninstall', '--no-save', '--legacy-peer-deps', pluginName]);
+    await runCmd(['bun', 'uninstall', '--no-save', '--legacy-peer-deps', pluginName]);
   } catch (err) {
     logger.error(`Failed to uninstall plugin ${pluginName}`);
     cb(err || new Error(err));
@@ -53,7 +53,7 @@ exports.install = async (pluginName, cb = null) => {
     // The --no-save flag prevents npm from creating package.json or package-lock.json.
     // The --legacy-peer-deps flag is required to work around a bug in npm v7:
     // https://github.com/npm/cli/issues/2199
-    await runCmd(['npm', 'install', '--no-save', '--legacy-peer-deps', pluginName]);
+    await runCmd(['bun', 'install', '--no-save', '--legacy-peer-deps', pluginName]);
   } catch (err) {
     logger.error(`Failed to install plugin ${pluginName}`);
     cb(err || new Error(err));
@@ -72,19 +72,19 @@ exports.getAvailablePlugins = (maxCacheAge) => {
   const nowTimestamp = Math.round(Date.now() / 1000);
 
   return new Promise(async (resolve, reject) => {
-      // check cache age before making any request
-      if (exports.availablePlugins && maxCacheAge && (nowTimestamp - cacheTimestamp) <= maxCacheAge) {
-          return resolve(exports.availablePlugins);
-      }
+    // check cache age before making any request
+    if (exports.availablePlugins && maxCacheAge && (nowTimestamp - cacheTimestamp) <= maxCacheAge) {
+      return resolve(exports.availablePlugins);
+    }
 
-      await axios.get('https://static.etherpad.org/plugins.json')
-          .then(pluginsLoaded => {
-              exports.availablePlugins = pluginsLoaded.data;
-              cacheTimestamp = nowTimestamp;
-              resolve(exports.availablePlugins);
-          })
-  })
-}
+    await axios.get('https://static.etherpad.org/plugins.json')
+        .then((pluginsLoaded) => {
+          exports.availablePlugins = pluginsLoaded.data;
+          cacheTimestamp = nowTimestamp;
+          resolve(exports.availablePlugins);
+        });
+  });
+};
 
 
 exports.search = (searchTerm, maxCacheAge) => exports.getAvailablePlugins(maxCacheAge).then(

src/static/js/pluginfw/plugins.js

@@ -8,16 +8,17 @@ const runCmd = require('../../../node/utils/run_cmd');
 const tsort = require('./tsort');
 const pluginUtils = require('./shared');
 const defs = require('./plugin_defs');
+const {cwd} = require("os");
 
 const logger = log4js.getLogger('plugins');
 
 // Log the version of npm at startup.
 (async () => {
   try {
-    const version = await runCmd(['npm', '--version'], {stdio: [null, 'string']});
-    logger.info(`npm --version: ${version}`);
+    const version = await runCmd(['bun', '--version'], {stdio: [null, 'string']});
+    logger.info(`bun --version: ${version}`);
   } catch (err) {
-    logger.error(`Failed to get npm version: ${err.stack || err}`);
+    logger.error(`Failed to get bun version: ${err.stack || err}`);
     // This isn't a fatal error so don't re-throw.
   }
 })();
@@ -111,16 +112,30 @@ exports.getPackages = async () => {
   //   * The `--no-production` flag is required (or the `NODE_ENV` environment variable must be
   //     unset or set to `development`) because otherwise `npm ls` will not mention any packages
   //     that are not included in `package.json` (which is expected to not exist).
-  const cmd = ['npm', 'ls', '--long', '--json', '--depth=0', '--no-production'];
-  const {dependencies = {}} = JSON.parse(await runCmd(cmd, {stdio: [null, 'string']}));
-  await Promise.all(Object.entries(dependencies).map(async ([pkg, info]) => {
-    if (!pkg.startsWith(exports.prefix)) {
-      delete dependencies[pkg];
-      return;
-    }
-    info.realPath = await fs.realpath(info.path);
-  }));
-  return dependencies;
+  const commandExists = require('command-exists').sync;
+  if (commandExists('npm')) {
+    const cmd = ['npm', 'ls', '--long', '--json', '--depth=0', '--no-production'];
+    const {dependencies = {}} = JSON.parse(await runCmd(cmd, {stdio: [null, 'string']}));
+    await Promise.all(Object.entries(dependencies).map(async ([pkg, info]) => {
+      if (!pkg.startsWith(exports.prefix)) {
+        delete dependencies[pkg];
+        return;
+      }
+      info.realPath = await fs.realpath(info.path);
+    }));
+    return dependencies;
+  } else {
+    const cmd = ['npm', 'ls', '--long', '--json', '--depth=0', '--no-production'];
+    const {dependencies = {}} = JSON.parse(await runCmd(cmd, {stdio: [null, 'string']}));
+    await Promise.all(Object.entries(dependencies).map(async ([pkg, info]) => {
+      if (!pkg.startsWith(exports.prefix)) {
+        delete dependencies[pkg];
+        return;
+      }
+      info.realPath = await fs.realpath(info.path);
+    }));
+    return dependencies;
+  }
 };
 
 const loadPlugin = async (packages, pluginName, plugins, parts) => {