Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.root.io/llms.txt

Use this file to discover all available pages before exploring further.

The Library Catalog is Root’s browsable directory of patched application-level packages. Access it at app.root.io/libraries/catalog.

Supported ecosystems

EcosystemPackage ManagersRegistry Endpoint
Pythonpip, uv, Poetrypkg.root.io/pypi/simple/
JavaScriptnpm, pnpm, Yarnpkg.root.io/npm/
JavaMaven, Gradlepkg.root.io/maven/
GoGo modulespkg.root.io/gobinary/
For setup instructions, see Python, JavaScript, Java, or Go.

Browsing the catalog

Filter by ecosystem

Click an ecosystem tab (Python, JavaScript, Java, Go) to filter the package list.

Package details

Click any package name to open its detail page:
  • Available versions - all versions Root has patched, with CVE fix counts per version
  • CVE summary - specific CVEs fixed in each patched version, with severity indicators
  • Installation instructions - copy-paste commands tailored to each supported package manager
  • Project configuration snippets - how to persist the Root-secured version in your project files (requirements.txt, pyproject.toml, package.json, pnpm-workspace.yaml, yarn.lock)
You can share a direct link to any package page in the catalog with teammates.

Configure access

Click Configure Root library registry to open the setup modal. Select your ecosystem (Python, JavaScript, Java, Go) and distribution, then use the generated snippets to authenticate with your API token.

How Root packages work

Root packages are drop-in replacements. The versioning pattern varies by ecosystem: Python — packages use a .root.io.N version suffix: 
# Upstream vulnerable version
requests==2.31.0

# Root-patched version (same API, CVEs fixed)
requests==2.31.0.root.io.3
JavaScript — packages are published under the @rootio/ npm scope. You add overrides (or resolutions) to your package.json to map the original package to the Root-patched equivalent: 
{
  "overrides": {
    "axios": "npm:@rootio/axios@1.6.0"
  }
}
Java — packages are served through a Maven-compatible registry at pkg.root.io/maven/. Configure your settings.xml or build.gradle to resolve through Root’s registry. Go — modules are served through the GOPROXY protocol at pkg.root.io/gobinary. Patched modules keep the same version with a -rootio.N suffix and are consumed via replace directives in go.mod: 
replace golang.org/x/net v0.17.0 => pkg.root.io/golang/golang.org/x/net v0.17.0-rootio.1
In all cases, when Root doesn’t have a patched version of a package, the request falls through to the upstream registry (PyPI, npm, Maven Central, or direct Go module fetching).
Root patches the version you are already running. No major or minor version upgrades required. Root backports security fixes into your pinned version.

Package statuses

StatusMeaning
Root SecuredA patched version is available. Install it to fix known Critical and High CVEs.
No Fix AvailableNo applicable fix candidate exists. Root is monitoring for upstream patches.
Working on a PatchRoot’s agents are actively researching and generating a patch.

What gets patched

Root focuses on Critical and High severity CVEs. Medium and Low are tracked but not shown in the primary catalog view. Every patched package includes:
  • SBOM - Software Bill of Materials
  • VEX statement - documenting what was fixed
  • Provenance attestation - SLSA provenance proving the package was built by Root

Relationship to My Library

The Library Catalog is the reference directory of everything Root offers. My Library shows what your organization is actually running and whether patched versions are available for your specific packages.