What is Root Library Catalog?

Root Library Catalog is a collection of patched library versions for popular package managers (npm, PyPI, Maven, and more). These are secured libraries—the same libraries you're using, but with vulnerabilities fixed.

What "Secured Library" Means

A secured library in Root terms means:

• The same library version you're using (e.g., requests==2.31.0)
• With vulnerabilities patched (e.g., requests==2.31.0.root.1)
• Works with your existing code - no breaking changes
• No forced upgrades - you stay on the version that works

This is fundamentally different from competitors who say "upgrade to version 2.32.0 to fix the vulnerability." Root says "here's a patched version 2.31.0 that fixes the vulnerability without breaking your application."

Why Pinned Versions Matter

Version pinning is the practice of locking dependencies to specific versions to ensure reproducible builds and avoid unexpected breakage. Root's approach respects version pinning:

• You pin to requests==2.31.0 - this version works with your application
• A CVE is discovered - upgrading to 2.32.0 might break your code
• Root patches 2.31.0 - you get requests==2.31.0.root.1 with the fix
• Your application still works - no breaking changes, no rewrites

This approach reduces upgrade pain because you don't have to:

• Test new versions for compatibility
• Fix breaking changes in your code
• Deal with transitive dependency conflicts
• Rewrite application logic

How This Reduces Security Noise

Traditional security tools create security noise by:

• Reporting vulnerabilities with no fix available
• Recommending upgrades that break applications
• Marking transitive dependencies as "unfixable"
• Creating tickets that can't be resolved without breaking changes

Root Library Catalog reduces security noise by:

• Providing actual fixes - not just reports or recommendations
• Patching pinned versions - fixes that work with your code
• Fixing transitive dependencies - the 80% of vulnerabilities that live deep in dependency trees
• Delivering working solutions - not tickets that require rewrites

The result: fewer security alerts, more actual fixes, less developer frustration.

Supported Ecosystems

Root Library Catalog currently supports:

• Python (PyPI) - Popular Python packages from PyPI
• JavaScript (npm) - Popular Node.js packages from npm
• Java (Maven) - Popular Java packages from Maven Central

Coming soon:

• Ruby (RubyGems)
• Go (Go modules)
• Rust (Cargo)

Root prioritizes libraries based on popularity, security impact, and customer needs. As demand grows, coverage expands.

The Root Advantage

Root Library Catalog delivers secured libraries that:

• Fix vulnerabilities without breaking applications
• Respect version pinning - patch what you're running, not what vendors want you to upgrade to
• Reduce security noise - actual fixes, not unfixable alerts
• Work with legacy systems - EOL and LTS versions can be secured

This is fundamentally different from the "upgrade to fix" approach that creates breaking changes and technical debt.

How It Works

1. Root discovers what libraries you use (see Discovery and Subscription)
2. When a CVE is found, Root's AVR Factory patches your pinned version
3. You get a secured library - same version, vulnerability fixed
4. You use it - drop-in replacement, no code changes

The entire process is automated. You get secured libraries without manual patching, forced upgrades, or application rewrites.