Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.root.io/llms.txt

Use this file to discover all available pages before exploring further.

Root Library Catalog delivers patched packages for Python, JavaScript, Java, Go, and .NET. There are two ways to consume them:
ApproachHow it works
Registry proxyPoint your package manager at pkg.root.io. Packages arrive patched on every install.
Patcher CLIRun rootio_patcher against your existing environment. The CLI identifies vulnerable packages and replaces them with Root-patched versions.
This guide covers the registry proxy approach. See Root Patcher CLI for the CLI-based approach.

Prerequisites

1. Install the Root Patcher CLI

The Root Patcher CLI (rootio_patcher) is required to pull Root-secured packages into your environment. 
# macOS (Apple Silicon)
curl -sL https://github.com/rootio-avr/rootio_patcher/releases/latest/download/rootio_patcher_darwin_arm64.tar.gz | tar xz
chmod +x rootio_patcher && sudo mv rootio_patcher /usr/local/bin/

# Linux (x86_64)
curl -sL https://github.com/rootio-avr/rootio_patcher/releases/latest/download/rootio_patcher_linux_x86_64.tar.gz | tar xz
chmod +x rootio_patcher && sudo mv rootio_patcher /usr/local/bin/
For macOS Intel and Windows, see the full installation instructions.

2. Set your API key

Get your API key from Settings → Token Management in the Root platform, then export it: 
export ROOTIO_API_KEY="your-api-key-here"

3. Your standard package manager

Have pip, uv, Poetry, npm, pnpm, yarn, Maven, Go, or the .NET SDK already installed.

Python - pip, uv, Poetry

All Python tools authenticate via ~/.netrc: 
echo "machine pkg.root.io login token password YOUR_ROOT_TOKEN" >> ~/.netrc
chmod 600 ~/.netrc
Then point your package manager at Root: 
# pip
pip config set global.index-url https://pkg.root.io/pypi/simple &&
pip config set global.extra-index-url https://pypi.org/simple

# uv - add to pyproject.toml
# [[tool.uv.index]]
# name = "root"
# url = "https://pkg.root.io/pypi/simple/"

# Poetry
poetry source add --priority=primary root https://pkg.root.io/pypi/simple/ &&
poetry source add --priority=supplemental pypi
See the full Python guide for per-tool details and CI/CD configuration.

JavaScript - npm, pnpm, yarn

Root serves patched JavaScript packages under the @rootio/ scope. Authentication uses base64-encoded credentials: 
npm config set registry https://pkg.root.io/npm/ --location=project &&
npm config set //pkg.root.io/npm/:_authToken YOUR_ROOT_TOKEN --location=project
Patched packages are applied via overrides in package.json - no changes to import statements needed: 
{
  "dependencies": {
    "axios": "npm:@rootio/axios@1.6.0"
  },
  "overrides": {
    "axios": "npm:@rootio/axios@1.6.0"
  }
}
See the full JavaScript guide for pnpm, Yarn 1, and Yarn 3 variants.

Java - Maven

Configure ~/.m2/settings.xml to mirror Maven Central through Root: 
<settings>
  <servers>
    <server>
      <id>root-io</id>
      <username>rootio</username>
      <password>${env.ROOT_TOKEN}</password>
    </server>
  </servers>
  <mirrors>
    <mirror>
      <id>root-io</id>
      <name>Root.io Mirror for All Maven Repositories</name>
      <url>https://pkg.root.io/maven/</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
</settings>
Then export your token and run Maven as usual: 
export ROOT_TOKEN="your-token-here"
mvn -U test
See the full Java guide for the complete settings.xml and CI/CD setup.

Go - Go modules

Configure GOPROXY to authenticate with Root’s module proxy: 
export GOPROXY="https://:${ROOTIO_API_KEY}@pkg.root.io/gobinary,https://proxy.golang.org,direct"
Then use the Root Patcher CLI to add replace directives to your go.mod: 
# Preview patches
rootio_patcher go remediate

# Apply patches
rootio_patcher go remediate --dry-run=false

# Build
go build ./...
The patcher adds entries like: 
replace golang.org/x/net v0.17.0 => pkg.root.io/golang/golang.org/x/net v0.17.0-rootio.1
Your import statements remain unchanged - the replace directives transparently redirect module resolution to Root’s patched versions. See the full Go guide for checksum verification, multi-module projects, and CI/CD setup.

.NET - NuGet

Add Root as a NuGet package source: 
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="root-io" value="https://pkg.root.io/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <root-io>
      <add key="Username" value="root" />
      <add key="ClearTextPassword" value="YOUR_ROOT_TOKEN" />
    </root-io>
  </packageSourceCredentials>
</configuration>
Then use the patcher to apply Root-patched package versions (aliased RootIO.* form): 
# Preview patches
rootio_patcher nuget remediate

# Apply patches - rewrites PackageReference to RootIO.* aliased names
rootio_patcher nuget remediate --dry-run=false

# Restore and build
dotnet restore && dotnet build
See the full NuGet guide for CI/CD configuration and troubleshooting.