Root Library Catalog provides a Maven-compatible repository at pkg.root.io/maven/.
Root Library Catalog supports both Maven and Gradle. There are two ways to consume Root-patched Java dependencies:
| Approach | How it works |
|---|---|
| Patcher CLI (Maven only) | Run rootio_patcher maven remediate - reads your pom.xml, rewrites vulnerable dependency versions to Root-patched equivalents, and adds exclusions to prevent transitive re-introduction. Run mvn clean install afterward. |
| Registry proxy | Configure your build tool (Maven or Gradle) to resolve dependencies through pkg.root.io/maven/. Covered below. |
Maven
~/.m2/settings.xml
Configure Root as a mirror for Maven Central and add your credentials:
```xml
<settings>
  <servers>
    <server>
      <id>root-io</id>
      <username>rootio</username>
      <password>YOUR_ROOT_TOKEN</password>
    </server>
  </servers>
  <mirrors>
    <mirror>
      <id>root-io</id>
      <name>Root.io Mirror for All Maven Repositories</name>
      <url>https://pkg.root.io/maven/</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>root-io</id>
      <repositories>
        <repository>
          <id>root-io</id>
          <name>Root.io Maven Patches</name>
          <url>https://pkg.root.io/maven/</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>root-io</id>
          <name>Root.io Maven Plugins</name>
          <url>https://pkg.root.io/maven/</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>root-io</activeProfile>
  </activeProfiles>
</settings>
```
Keep your Root token out of source control. Use environment variable interpolation (${env.ROOT_TOKEN}) in settings.xml and export the token in your shell or CI environment.
Add the dependency to pom.xml
```xml
<dependency>
  <groupId>com.example</groupId>
  <artifactId>your-artifact</artifactId>
  <version>1.2.3</version>
</dependency>
```
Fetch the dependency
```shell
mvn dependency:get -Dartifact=com.example:your-artifact:1.2.3
```
CI/CD Configuration
```yaml
# GitHub Actions example
- name: Build with Maven
  run: mvn -U test
  env:
    ROOT_TOKEN: ${{ secrets.ROOT_TOKEN }}
```
Use environment variable interpolation in settings.xml to inject the token safely:
```xml
<password>${env.ROOT_TOKEN}</password>
```
Gradle
The Root.io Gradle Plugin automatically patches vulnerable dependencies at build time with zero changes to your dependency declarations.
Installation
Add the plugin repository to settings.gradle.kts:
```kotlin
pluginManagement {
    repositories {
        maven {
            url = uri("https://pkg.root.io/gradle-plugins")
            credentials {
                username = "token"
                password = providers.environmentVariable("ROOTIO_API_KEY").get()
            }
        }
        gradlePluginPortal()
    }
}
```
Apply the plugin in build.gradle.kts:
```kotlin
plugins {
    id("io.root.patcher") version "0.1.0"
}
```
Configuration
```kotlin
rootio {
    // API key is resolved automatically from:
    // 1. Build script: apiKey.set("...")
    // 2. Environment variable: ROOTIO_API_KEY
    // 3. JVM system property: systemProp.ROOTIO_API_KEY
    // 4. .env file: ROOTIO_API_KEY=...
    ttlHours.set(24)   // Cache TTL (default: 24 hours)
    maxRetries.set(3)  // Retry attempts (default: 3)
}
```
Build
```shell
export ROOTIO_API_KEY="your-api-key-here"
./gradlew build
```
For full details, see the Gradle integration guide.
Troubleshooting
| Issue | Solution |
|---|---|
| 401 Unauthorized | Verify token in settings.xml and that the server id matches the mirror id |
| Could not resolve artifact | Confirm mirrorOf is set to central |
| Checksum validation errors | Expected for patched artifacts - Root’s checksums differ from Maven Central |
| SNAPSHOT artifacts | Set <snapshots><enabled>false</enabled></snapshots> to avoid SNAPSHOT resolution through Root |
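
The Maven checks from the table above, plus the advice to keep the token out of settings.xml, can be run as a pre-build lint. This is an added example, not Root's own tooling; the function name `lint_settings` and the sample file are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ROOT_URL = "https://pkg.root.io/maven/"  # registry URL given on this page
ENV_REF = re.compile(r"^\$\{env\.\w+\}$")  # e.g. ${env.ROOT_TOKEN}

# Constructed sample: server id differs from mirror id, snapshots left on.
SAMPLE_BAD = """<settings>
  <servers><server><id>rootio</id><username>rootio</username>
    <password>constructed-literal-token</password></server></servers>
  <mirrors><mirror><id>root-io</id>
    <url>https://pkg.root.io/maven/</url><mirrorOf>central</mirrorOf></mirror></mirrors>
  <profiles><profile><id>root-io</id><repositories><repository><id>root-io</id>
    <url>https://pkg.root.io/maven/</url>
    <snapshots><enabled>true</enabled></snapshots></repository></repositories>
  </profile></profiles>
</settings>"""

def lint_settings(xml_text):
    """Return findings for a Maven settings.xml that resolves through Root."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the optional Maven xmlns so paths match
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    servers = {s.findtext("id", "").strip(): s for s in root.iter("server")}
    mirrors = [m for m in root.iter("mirror")
               if m.findtext("url", "").strip() == ROOT_URL]
    if not mirrors:
        findings.append(f"no mirror points at {ROOT_URL}")
    for m in mirrors:
        mid = m.findtext("id", "").strip()
        # Only the explicit form used on this page is checked, not wildcards.
        if "central" not in [t.strip() for t in m.findtext("mirrorOf", "").split(",")]:
            findings.append(f"mirror '{mid}': mirrorOf does not list central")
        server = servers.get(mid)
        if server is None:
            findings.append(f"mirror '{mid}': no server with the same id")
        elif not ENV_REF.match(server.findtext("password", "").strip()):
            findings.append(f"server '{mid}': literal password, use ${{env.ROOT_TOKEN}}")
    for tag in ("repository", "pluginRepository"):
        for repo in root.iter(tag):
            if repo.findtext("url", "").strip() != ROOT_URL:
                continue
            if repo.findtext("snapshots/enabled", "true").strip() != "false":
                findings.append(f"{tag} '{repo.findtext('id', '')}': snapshots enabled")
    return findings

if __name__ == "__main__":
    for finding in lint_settings(SAMPLE_BAD):
        print(finding)
```

An empty list means the file passes these checks; the literal-password check only runs once a server id matches the mirror id.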