@rootio/ scope. Rather than replacing your registry globally, you add an override or resolution that maps the vulnerable package to its Root-patched equivalent at pkg.root.io/npm/.
Prerequisites
The Root Patcher CLI (rootio_patcher) is required to pull Root-secured packages into your environment. Install it before configuring your package manager.
Which package manager should I use?
Root supports npm, pnpm, and both Yarn generations. The auth setup is shared across all of them; the difference is in how each package manager applies the@rootio/ override.
The
overrides / resolutions / pnpm.overrides field in package.json is what tells your package manager to resolve the original package name to Root’s patched @rootio/ equivalent. This is required for all JavaScript package managers.Authentication
All package managers use the same auth setup. The registry requires base64-encoded credentials:.npmrc.
npm
Configure auth
Update package.json
Remove the original package and add the Root-patched version using@rootio/ scope:
package.json:
Install
pnpm
Configure auth
Same as npm:Update package.json
package.json:
Install
yarn
Yarn 1 (Classic)
Configure auth (same as npm):Yarn 3+ (Berry)
Configure auth:How @rootio/ packages work
Root publishes patched packages under the @rootio/ npm scope. The overrides / resolutions / pnpm.overrides fields in package.json tell your package manager to resolve the original package name to the Root-patched equivalent - no changes to your import statements required.