Root Library Catalog serves patched JavaScript packages under the @rootio/ scope. Rather than replacing your registry globally, you add an override or resolution that maps the vulnerable package to its Root-patched equivalent at pkg.root.io/npm/.
The Root Patcher CLI automates the override injection described on this page. Run rootio_patcher npm remediate and it will read your lock file, query Root’s API, and write the correct overrides or resolutions entries into your package.json automatically.

Which package manager should I use?

Root supports npm, pnpm, and both Yarn generations. The auth setup is shared across all of them; the difference is in how each package manager applies the @rootio/ override.
| Package manager | Best for |
| --- | --- |
| npm | Default Node.js projects, no special tooling required |
| pnpm | Monorepos, projects prioritizing disk efficiency, faster installs |
| Yarn 1 (Classic) | Existing Yarn 1 projects using resolutions |
| Yarn 3+ (Berry) | Projects already on Berry; auth is configured differently than Yarn 1 |
The overrides / resolutions / pnpm.overrides field in package.json is what tells your package manager to resolve the original package name to Root’s patched @rootio/ equivalent. This is required for all JavaScript package managers.

Authentication

All package managers use the same auth setup. The registry requires base64-encoded credentials:
# This sets the registry and encodes your credentials as base64(root:YOUR_TOKEN)
npm config set registry https://pkg.root.io/npm/ --location=project &&
npm config set //pkg.root.io/npm/:_authToken YOUR_ROOT_TOKEN --location=project
This writes the registry URL and the token, in plain text, to your project-level .npmrc, so do not commit that file with the token in it.

npm

Configure auth

npm config set registry https://pkg.root.io/npm/ --location=project &&
npm config set //pkg.root.io/npm/:_authToken YOUR_ROOT_TOKEN --location=project

Update package.json

Remove the original package and add the Root-patched version using the @rootio/ scope:
npm remove axios
Add to package.json:
{
  "dependencies": {
    "axios": "npm:@rootio/axios@1.6.0"
  },
  "overrides": {
    "axios": "npm:@rootio/axios@1.6.0"
  }
}

Install

npm install

pnpm

Configure auth

Same as npm:
npm config set registry https://pkg.root.io/npm/ --location=project &&
npm config set //pkg.root.io/npm/:_authToken YOUR_ROOT_TOKEN --location=project

Update package.json

pnpm remove axios
Add to package.json:
{
  "dependencies": {
    "axios": "npm:@rootio/axios@1.6.0"
  },
  "pnpm": {
    "overrides": {
      "axios": "npm:@rootio/axios@1.6.0"
    }
  }
}

Install

pnpm install

yarn

Yarn 1 (Classic)

Configure auth (same as npm):
npm config set registry https://pkg.root.io/npm/ --location=project &&
npm config set //pkg.root.io/npm/:_authToken YOUR_ROOT_TOKEN --location=project
Update package.json:
yarn remove axios
Add to package.json:
{
  "resolutions": {
    "axios": "npm:@rootio/axios@1.6.0"
  }
}
Install:
yarn install

Yarn 3+ (Berry)

Configure auth:
yarn config set npmScopes.rootio.npmRegistryServer https://pkg.root.io/npm/ &&
yarn config set 'npmRegistries["//pkg.root.io/npm/"].npmAuthIdent' 'root:YOUR_ROOT_TOKEN'
Update package.json:
yarn remove axios
Add to package.json:
{
  "resolutions": {
    "axios": "npm:@rootio/axios@1.6.0"
  }
}
Install:
yarn install

How @rootio/ packages work

Root publishes patched packages under the @rootio/ npm scope. The overrides / resolutions / pnpm.overrides fields in package.json tell your package manager to resolve the original package name to the Root-patched equivalent — no changes to your import statements required.

Troubleshooting

| Issue | Solution |
| --- | --- |
| 401 Unauthorized | Verify your token: npm config get //pkg.root.io/npm/:_authToken |
| Package not found | Confirm the @rootio/ scoped package exists for your version |
| Integrity check failures | Expected; Root patches modify package contents |
| Overrides not applying | Ensure both dependencies and overrides are updated |
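
A check for the "Overrides not applying" case above, as an added example that is not Root's code and not part of the Root Patcher CLI: it lints a parsed package.json across the overrides, pnpm.overrides and resolutions fields. The function name, the same-name mapping rule, the exact-pin rule and the example-lib package are assumptions made for illustration.

```javascript
// Added example (not Root's code): lint a parsed package.json for the override pattern on this page.
const ROOT_ALIAS = /^npm:@rootio\/([^@]+)@(.+)$/;

function checkRootOverrides(pkg) {
  const findings = [];
  const patched = new Set();
  // Override fields named on this page, one per package manager.
  const fields = {
    overrides: pkg.overrides,
    "pnpm.overrides": pkg.pnpm && pkg.pnpm.overrides,
    resolutions: pkg.resolutions,
  };
  const direct = { ...pkg.dependencies, ...pkg.devDependencies };

  for (const [field, map] of Object.entries(fields)) {
    for (const [name, spec] of Object.entries(map || {})) {
      // Only flat "name": "spec" entries are checked; nested npm overrides are skipped.
      if (typeof spec !== "string" || !spec.includes("@rootio/")) continue;
      const m = ROOT_ALIAS.exec(spec);
      if (!m) {
        findings.push(`${field}.${name}: "${spec}" is not npm:@rootio/<name>@<version>`);
        continue;
      }
      patched.add(name);
      // Assumption: an unscoped package maps to the same name under @rootio/, as axios does here.
      if (!name.startsWith("@") && m[1] !== name)
        findings.push(`${field}.${name}: resolves to @rootio/${m[1]}, not @rootio/${name}`);
      // Assumption: versions are pinned exactly, as in the page's 1.6.0 example.
      if (/[\^~<>*|\s]/.test(m[2]))
        findings.push(`${field}.${name}: version "${m[2]}" is a range, not a pin`);
      // Page's troubleshooting item: a direct dependency and its override are both updated.
      if (Object.hasOwn(direct, name) && direct[name] !== spec)
        findings.push(`dependencies.${name} is "${direct[name]}" but ${field} is "${spec}"`);
    }
  }
  return { patched: [...patched], findings };
}

// Constructed sample: one stale direct dependency and one unpinned override.
const samplePkg = {
  dependencies: { axios: "^1.6.0" },
  overrides: {
    axios: "npm:@rootio/axios@1.6.0",
    "example-lib": "npm:@rootio/example-lib@^2.0.0",
  },
};
console.log(checkRootOverrides(samplePkg));
```

An empty findings array means every @rootio/ entry is well-formed and agrees with the matching direct dependency; it does not confirm that the package exists in Root's registry.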