Skip to main content
Root Library Catalog serves patched JavaScript packages under the @rootio/ scope. Rather than replacing your registry globally, you add an override or resolution that maps the vulnerable package to its Root-patched equivalent at pkg.root.io/npm/.

Prerequisites

The Root Patcher CLI (rootio_patcher) is required to pull Root-secured packages into your environment. Install it before configuring your package manager.
For macOS Intel and Windows, see the full installation instructions. Then set your API key:

Which package manager should I use?

Root supports npm, pnpm, and both Yarn generations. The auth setup is shared across all of them; the difference is in how each package manager applies the @rootio/ override.
The overrides / resolutions / pnpm.overrides field in package.json is what tells your package manager to resolve the original package name to Root’s patched @rootio/ equivalent. This is required for all JavaScript package managers.

Authentication

All package managers use the same auth setup. The registry requires base64-encoded credentials:
This writes to your project-level .npmrc.

npm

Configure auth

Update package.json

Remove the original package and add the Root-patched version using @rootio/ scope:
Add to package.json:

Install


pnpm

Configure auth

Same as npm:

Update package.json

Add to package.json:

Install


yarn

Yarn 1 (Classic)

Configure auth (same as npm):
Update package.json:

Yarn 3+ (Berry)

Configure auth:
Update package.json:

How @rootio/ packages work

Root publishes patched packages under the @rootio/ npm scope. The overrides / resolutions / pnpm.overrides fields in package.json tell your package manager to resolve the original package name to the Root-patched equivalent - no changes to your import statements required.

Troubleshooting