Root Library Catalog delivers patched packages for Python, JavaScript, and Java. There are two ways to consume them:
| Approach | How it works |
|---|---|
| Registry proxy | Point your package manager at pkg.root.io. Packages arrive patched on every install. |
| Patcher CLI | Run rootio_patcher against your existing environment. The CLI identifies vulnerable packages and replaces them with Root-patched versions. |
This guide covers the registry proxy approach. See Root Patcher CLI for the CLI-based approach.
Prerequisites
- Root API key — go to Settings → Token Management in the Root platform
- Your standard package manager already installed
Python — pip, uv, Poetry
All Python tools authenticate via ~/.netrc:
```bash
echo "machine pkg.root.io login token password YOUR_ROOT_TOKEN" >> ~/.netrc
chmod 600 ~/.netrc
```
Then point your package manager at Root:
```bash
# pip
pip config set global.index-url https://pkg.root.io/pypi/simple &&
pip config set global.extra-index-url https://pypi.org/simple

# uv — add to pyproject.toml
# [[tool.uv.index]]
# name = "root"
# url = "https://pkg.root.io/pypi/simple/"

# Poetry
poetry source add --priority=primary root https://pkg.root.io/pypi/simple/ &&
poetry source add --priority=supplemental pypi
```
See the full Python guide for per-tool details and CI/CD configuration.
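A hardened variant of the ~/.netrc step above, as an added example that is not part of Root's documentation or tooling: it replaces an existing pkg.root.io entry instead of appending a duplicate, and writes through an owner-only temporary file so the token is never group- or world-readable. The function names and the file argument are assumptions, and only single-line entries in the form this guide writes are matched.

```bash
#!/usr/bin/env bash
# Added example (not Root's own tooling). ROOT_HOST and the "login token"
# entry format come from the guide; the function names are assumptions.
ROOT_HOST="pkg.root.io"

# set_root_netrc FILE TOKEN
# Rewrites FILE so it holds exactly one entry for ROOT_HOST. Entries for other
# machines are preserved. Only single-line entries are matched.
set_root_netrc() (
    file="$1"; token="$2"
    if [ -z "$file" ] || [ -z "$token" ]; then
        echo "usage: set_root_netrc FILE TOKEN" >&2; exit 2
    fi
    # Whitespace would split the token into extra netrc fields.
    case "$token" in
        *[[:space:]]*) echo "token must not contain whitespace" >&2; exit 2 ;;
    esac
    umask 077                                   # new files are owner-only
    tmp="$(mktemp "${file}.XXXXXX")" || exit 1  # created 0600, same directory
    if [ -f "$file" ]; then
        # Drop any previous ROOT_HOST line (exact host match, not a regex).
        awk -v h="$ROOT_HOST" '!($1 == "machine" && $2 == h)' "$file" > "$tmp" \
            || { rm -f "$tmp"; exit 1; }
    fi
    printf 'machine %s login token password %s\n' "$ROOT_HOST" "$token" >> "$tmp"
    mv -f "$tmp" "$file"                        # replace in one step, mode stays 0600
)

# check_root_netrc FILE
# Succeeds only if FILE is mode 600 and has exactly one ROOT_HOST entry.
check_root_netrc() (
    file="$1"
    [ -f "$file" ] || exit 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode="$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")"
    count="$(awk -v h="$ROOT_HOST" \
        '$1 == "machine" && $2 == h { n++ } END { print n + 0 }' "$file")"
    [ "$mode" = "600" ] && [ "$count" -eq 1 ]
)
```

Call it as `set_root_netrc "$HOME/.netrc" "$ROOT_TOKEN"`; `check_root_netrc "$HOME/.netrc"` can run as a preflight step before an install.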
JavaScript — npm, pnpm, yarn
Root serves patched JavaScript packages under the @rootio/ scope. Authentication uses base64-encoded credentials:
```bash
npm config set registry https://pkg.root.io/npm/ --location=project &&
npm config set //pkg.root.io/npm/:_authToken YOUR_ROOT_TOKEN --location=project
```
Patched packages are applied via overrides in package.json — no changes to import statements needed:
```json
{
  "dependencies": {
    "axios": "npm:@rootio/axios@1.6.0"
  },
  "overrides": {
    "axios": "npm:@rootio/axios@1.6.0"
  }
}
```
See the full JavaScript guide for pnpm, Yarn 1, and Yarn 3 variants.
Java — Maven
Configure ~/.m2/settings.xml to mirror Maven Central through Root:
```xml
<settings>
  <servers>
    <server>
      <id>root-io</id>
      <username>rootio</username>
      <password>${env.ROOT_TOKEN}</password>
    </server>
  </servers>
  <mirrors>
    <mirror>
      <id>root-io</id>
      <name>Root.io Mirror for All Maven Repositories</name>
      <url>https://pkg.root.io/maven/</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```
Then export your token and run Maven as usual:
```bash
export ROOT_TOKEN="your-token-here"
mvn -U test
```
See the full Java guide for the complete settings.xml and CI/CD setup.
Gradle support is coming soon.