Skip to main content
Platform updates, new supported images and packages, API changes, and bug fixes are documented here.

March 2026

Platform

  • Severities filter for package API - The /v1/packages endpoint now supports filtering by severities, enabling callers to scope package queries to critical/high/medium/low findings directly.
  • Image rebuilder publish output - The image rebuilder pipeline now publishes SBOM and VEX artifacts to S3 on completion, making them immediately available via the artifact download endpoints.
  • API key authorization cleanup - Removed legacy v2 API key authorization paths; all authentication now routes through the v3 auth layer.
  • Debian/Ubuntu CVE enrichment fix - Restored CVE and fixed-CVE enrichment for discovered packages on Debian and Ubuntu distros. Package name resolution for these distros now correctly links to patch metadata.
  • Research not found handling - The artifact list API no longer returns an error when no research record is found for a CVE ticket; it returns an empty list instead.

Image Catalog

  • Subscriptions table now shows per-severity CVE breakdown (Critical / High / Medium / Low) before and after Root Patches are applied.

February 2026

Platform

  • CVE metadata backfill on subscription - When a new image or package is subscribed, Root now backfills existing CVE metadata immediately so the Vulnerabilities page reflects current state without waiting for the next scan cycle.
  • Jira panic fix - Fixed a crash in the Jira webhook handler when Jira returned an empty response body on status change events.

OS Packages

  • Added Debian support to the OS Package Registry. Debian bookworm and bullseye packages are now available via the Root package registry. See Debian.

January 2026

OS Packages

  • Added Alpine and Ubuntu getting started guides. Root-patched OS packages for Alpine (3.18, 3.19, 3.20) and Ubuntu (22.04, 24.04) are now available. See Alpine and Ubuntu.

Platform

  • OS Package Registry documentation and navigation added to the Root docs site.

December 2025

Image Catalog

  • 500+ images available - Root Image Catalog now covers over 500 Docker Hub image families, including all major language runtimes, databases, web servers, and infrastructure tools.

API

  • Public patch feed (/external/patch_feed) now supports filtering by os_distro_major and package_src_name parameters in addition to ecosystem.
  • OSV-format feed (/external/osv/{id}.json) added, providing OSV-compatible vulnerability records for all Root-tracked CVEs.

November 2025

Platform

  • JFrog Artifactory integration - Root Image Catalog can now be configured as an upstream source in JFrog Artifactory. See JFrog Artifactory.
  • Amazon ECR pull-through cache - Added support for mirroring cr.root.io images into AWS ECR for private subnet access and local caching. See Amazon ECR.

Root Library Catalog

  • Python package support expanded: pip, uv, and Poetry all now support transparent resolution through pkg.root.io. See the Python integration guides.
  • JavaScript support added: npm, pnpm, Yarn 1, and Yarn 3+ all supported. See JavaScript.
  • Java/Maven support added. See Maven.