Root Library Catalog provides a Maven-compatible repository at pkg.root.io/maven/.
There are two ways to consume Root-patched Java dependencies:
| Approach | How it works |
|---|
| Patcher CLI (recommended) | Run rootio_patcher maven remediate — reads your pom.xml, rewrites vulnerable dependency versions to Root-patched equivalents, and adds exclusions to prevent transitive re-introduction. Run mvn clean install afterward. |
| Registry proxy | Mirror Maven Central through pkg.root.io/maven/ so all dependency resolution flows through Root’s registry. Covered below. |
Gradle support is coming soon. Maven is the supported Java build tool today.
Maven
~/.m2/settings.xml
Configure Root as a mirror for Maven Central and add your credentials:
<settings>
<servers>
<server>
<id>root-io</id>
<username>rootio</username>
<password>YOUR_ROOT_TOKEN</password>
</server>
</servers>
<mirrors>
<mirror>
<id>root-io</id>
<name>Root.io Mirror for All Maven Repositories</name>
<url>https://pkg.root.io/maven/</url>
<mirrorOf>central</mirrorOf>
</mirror>
</mirrors>
<profiles>
<profile>
<id>root-io</id>
<repositories>
<repository>
<id>root-io</id>
<name>Root.io Maven Patches</name>
<url>https://pkg.root.io/maven/</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>root-io</id>
<name>Root.io Maven Plugins</name>
<url>https://pkg.root.io/maven/</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</pluginRepository>
</pluginRepositories>
</profile>
</profiles>
<activeProfiles>
<activeProfile>root-io</activeProfile>
</activeProfiles>
</settings>
Keep your Root token out of source control. Use environment variable interpolation (${env.ROOT_TOKEN}) in settings.xml and export the token in your shell or CI environment.
Add the dependency to pom.xml
<dependency>
<groupId>com.example</groupId>
<artifactId>your-artifact</artifactId>
<version>1.2.3</version>
</dependency>
Fetch the dependency
mvn dependency:get -Dartifact=com.example:your-artifact:1.2.3
CI/CD Configuration
# GitHub Actions example
- name: Build with Maven
run: mvn -U test
env:
ROOT_TOKEN: ${{ secrets.ROOT_TOKEN }}
settings.xml to inject the token safely:
<password>${env.ROOT_TOKEN}</password>
Gradle
Gradle support is coming soon. Contact Root if this is blocking your adoption.
Troubleshooting
| Issue | Solution |
|---|
401 Unauthorized | Verify token in settings.xml and that the server id matches the mirror id |
Could not resolve artifact | Confirm mirrorOf is set to central |
| Checksum validation errors | Expected for patched artifacts — Root’s checksums differ from Maven Central |
| SNAPSHOT artifacts | Set <snapshots><enabled>false</enabled></snapshots> to avoid SNAPSHOT resolution through Root |
