# Library Catalog

> Browse and install Root-secured application packages across Python, JavaScript, Java, and Go ecosystems.

The Library Catalog is Root's browsable directory of patched application-level packages. Access it at [app.root.io/libraries/catalog](https://app.root.io/libraries/catalog).

<Frame caption="Application Library Catalog — filter by Python, JavaScript, Java, or Go, then drill into any package for versions and install commands.">
  <img src="https://mintcdn.com/root-939307ed/cCjlTIX-fOzNh_rn/images/library-catalog-application.png?fit=max&auto=format&n=cCjlTIX-fOzNh_rn&q=85&s=a37e50b1884fe454578c29938c76da9a" width="2660" height="1534" data-path="images/library-catalog-application.png" />
</Frame>

## Supported ecosystems

| Ecosystem      | Package Managers | Registry Endpoint          |
| -------------- | ---------------- | -------------------------- |
| **Python**     | pip, uv, Poetry  | `pkg.root.io/pypi/simple/` |
| **JavaScript** | npm, pnpm, Yarn  | `pkg.root.io/npm/`         |
| **Java**       | Maven, Gradle    | `pkg.root.io/maven/`       |
| **Go**         | Go modules       | `pkg.root.io/gobinary/`    |

For setup instructions, see [Python](/rlc/python), [JavaScript](/rlc/javascript), [Java](/rlc/java), or [Go](/rlc/go).

## Browsing the catalog

### Filter by ecosystem

Click an ecosystem tab (Python, JavaScript, Java, Go) to filter the package list.

### Package details

Click any package name to open its detail page:

* **Available versions** - all versions Root has patched, with CVE fix counts per version
* **CVE summary** - specific CVEs fixed in each patched version, with severity indicators
* **Installation instructions** - copy-paste commands tailored to each supported package manager
* **Project configuration snippets** - how to persist the Root-secured version in your project files (`requirements.txt`, `pyproject.toml`, `package.json`, `pnpm-workspace.yaml`, `yarn.lock`)

<Tip>
  You can share a direct link to any package page in the catalog with teammates.
</Tip>

## Configure access

<Frame caption="Set Up Root Registry — one-time setup per package ecosystem with copy-paste commands for your CLI.">
  <img src="https://mintcdn.com/root-939307ed/cCjlTIX-fOzNh_rn/images/library-catalog-configure.png?fit=max&auto=format&n=cCjlTIX-fOzNh_rn&q=85&s=8873987848ddc1a44257469f0acdf759" width="2632" height="1524" data-path="images/library-catalog-configure.png" />
</Frame>

Click **Configure Root library registry** to open the setup modal. Select your ecosystem (Python, JavaScript, Java, Go) and distribution, then use the generated snippets to authenticate with your API token.

## How Root packages work

Root packages are drop-in replacements. The versioning pattern varies by ecosystem:

**Python** — packages use a `.root.io.N` version suffix:

```
# Upstream vulnerable version
requests==2.31.0

# Root-patched version (same API, CVEs fixed)
requests==2.31.0.root.io.3
```

**JavaScript** — packages are published under the `@rootio/` npm scope. You add `overrides` (or `resolutions`) to your `package.json` to map the original package to the Root-patched equivalent:

```json
{
  "overrides": {
    "axios": "npm:@rootio/axios@1.6.0"
  }
}
```

**Java** — packages are served through a Maven-compatible registry at `pkg.root.io/maven/`. Configure your `settings.xml` or `build.gradle` to resolve through Root's registry.

**Go** — modules are served through the GOPROXY protocol at `pkg.root.io/gobinary`. Patched modules keep the same version with a `-rootio.N` suffix and are consumed via `replace` directives in `go.mod`:

```go
replace golang.org/x/net v0.17.0 => pkg.root.io/golang/golang.org/x/net v0.17.0-rootio.1
```

In all cases, when Root doesn't have a patched version of a package, the request falls through to the upstream registry (PyPI, npm, Maven Central, or direct Go module fetching).

<Info>
  Root patches the version you are already running. No major or minor version upgrades required. Root backports security fixes into your pinned version.
</Info>
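The following added example (not Root's tooling and not code from this documentation) is a CI-style check that classifies dependency pins using only the conventions described above, so a manifest that lost its Root suffix, scope, or `replace` target is caught in review. It assumes single-line `replace` directives and unscoped npm package names; the function names and sample manifests are constructed for illustration.

```python
import json
import re

# Conventions from this page: ".root.io.N" (Python), "@rootio/" (npm), "-rootio.N" (Go).
PY_PIN = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*(\S+)$")
PY_ROOT = re.compile(r"\.root\.io\.\d+$")
GO_REPLACE = re.compile(r"^replace\s+(\S+)\s+(\S+)\s+=>\s+(\S+)\s+(\S+)$")


def audit_requirements(text):
    """Classify each requirements.txt entry as root, upstream or unpinned."""
    result = {}
    for raw in text.splitlines():
        # Drop comments and environment markers before matching the pin.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        pin = PY_PIN.match(line)
        if pin:
            result[pin.group(1)] = "root" if PY_ROOT.search(pin.group(2)) else "upstream"
        elif line and not line.startswith("-"):  # skip pip option lines
            result[re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0]] = "unpinned"
    return result


def audit_npm(package_json, names):
    """Check that each name is mapped to npm:@rootio/<name>@<version>."""
    doc = json.loads(package_json)
    mapping = {**doc.get("resolutions", {}), **doc.get("overrides", {})}
    return {n: "root" if str(mapping.get(n, "")).startswith(f"npm:@rootio/{n}@")
            else "upstream" for n in names}


def audit_go_mod(text):
    """Classify replace directives; a Root one keeps the base version."""
    result = {}
    for raw in text.splitlines():
        m = GO_REPLACE.match(raw.split("//", 1)[0].strip())
        if m:
            mod, base, target, ver = m.groups()
            is_root = target.startswith("pkg.root.io/") and bool(
                re.fullmatch(re.escape(base) + r"-rootio\.\d+", ver))
            result[mod] = "root" if is_root else "other"
    return result


# Constructed sample manifests; urllib3 and flask entries are illustrative only.
REQS = "requests==2.31.0.root.io.3\nurllib3==1.26.18  # still upstream\nflask>=2.0\n"
PKG = '{"overrides": {"axios": "npm:@rootio/axios@1.6.0"}}'
GOMOD = "replace golang.org/x/net v0.17.0 => pkg.root.io/golang/golang.org/x/net v0.17.0-rootio.1\n"
```

A `replace` whose right-hand version does not match the left-hand base version is reported as `other`, since the page states that patched modules keep the same version.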

## Package statuses

| Status                 | Meaning                                                                         |
| ---------------------- | ------------------------------------------------------------------------------- |
| **Root Secured**       | A patched version is available. Install it to fix known Critical and High CVEs. |
| **No Fix Available**   | No applicable fix candidate exists. Root is monitoring for upstream patches.    |
| **Working on a Patch** | Root's agents are actively researching and generating a patch.                  |

## What gets patched

Root focuses on **Critical** and **High** severity CVEs. Medium and Low severity CVEs are tracked but not shown in the primary catalog view.

Every patched package includes:

* **SBOM** - Software Bill of Materials
* **VEX statement** - documenting what was fixed
* **Provenance attestation** - SLSA provenance proving the package was built by Root

## Relationship to My Library

The Library Catalog is the reference directory of everything Root offers. [My Library](/platform/my-library) shows what your organization is actually running and whether patched versions are available for your specific packages.
