pkg.root.io. It mirrors the public package ecosystems your teams already use - PyPI, npm, Maven Central - and serves patched versions of vulnerable packages transparently.
RLC works as a drop-in registry replacement. No dependency declarations change. No application code changes. You consume the same packages at the same versions; Root ensures they’re free of known vulnerabilities.
Supported Ecosystems
| Ecosystem | Package Managers | Registry Endpoint |
|---|---|---|
| Python | pip, uv, Poetry | pkg.root.io/pypi/ |
| JavaScript | npm, pnpm, yarn | pkg.root.io/npm/ |
| Java | Maven, Gradle | pkg.root.io/maven/ |
How Patched Packages Are Delivered
RLC acts as a transparent proxy in front of the upstream registries. When you install a package through pkg.root.io:
- Root’s AVR pipeline has already scanned the package for known CVEs
- If a vulnerability exists and a fix is available, AVR applies a Root Patch and publishes the secured artifact at pkg.root.io
- Your package manager resolves and downloads the patched version - same name, same version string, no code changes required
- The patched artifact ships with an updated SBOM and VEX statement documenting what was fixed
@rootio/ scope and uses overrides/resolutions in package.json to redirect resolution - no import statement changes needed.
Registry Endpoints
| Ecosystem | Endpoint | Protocol |
|---|---|---|
| Python (pip, uv, Poetry) | https://pkg.root.io/pypi/simple/ | PEP 503 Simple Index |
| JavaScript (npm, pnpm, yarn) | https://pkg.root.io/npm/ | npm registry protocol |
| Java (Maven) | https://pkg.root.io/maven/ | Maven repository layout |
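The endpoints above are consumed by pointing each package manager's configuration at them. The following is an added example, not Root's own tooling: it renders the standard pip (`pip.conf`), npm (`.npmrc`) and Maven (`settings.xml` mirror) configuration for the endpoints listed in the table, and includes a small check that a configured registry URL is HTTPS and on the pkg.root.io host before it is written. The Maven mirror id `root-library-catalog` is an arbitrary local name chosen here; uv and Poetry keep their own source settings and are not covered.

```python
from urllib.parse import urlparse
from pathlib import Path

# Endpoints as listed on this page.
PYPI_INDEX = "https://pkg.root.io/pypi/simple/"
NPM_REGISTRY = "https://pkg.root.io/npm/"
MAVEN_REPO = "https://pkg.root.io/maven/"
REGISTRY_HOST = "pkg.root.io"


def endpoint_ok(url: str) -> bool:
    """Accept only HTTPS URLs on the expected registry host.

    A plain-HTTP or mistyped host would silently route installs elsewhere,
    so refuse to write configuration for anything else.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == REGISTRY_HOST


def pip_conf(index_url: str = PYPI_INDEX) -> str:
    # pip reads [global] index-url from pip.conf / pip.ini (PEP 503 index).
    return f"[global]\nindex-url = {index_url}\n"


def npmrc(registry_url: str = NPM_REGISTRY) -> str:
    # npm, pnpm and yarn all honour the registry key in .npmrc.
    return f"registry={registry_url}\n"


def maven_settings(repo_url: str = MAVEN_REPO) -> str:
    # A <mirror> with mirrorOf=central redirects Maven Central lookups.
    return (
        "<settings>\n"
        "  <mirrors>\n"
        "    <mirror>\n"
        "      <id>root-library-catalog</id>\n"
        "      <mirrorOf>central</mirrorOf>\n"
        f"      <url>{repo_url}</url>\n"
        "    </mirror>\n"
        "  </mirrors>\n"
        "</settings>\n"
    )


def render_configs() -> dict:
    """Return filename -> contents for every ecosystem, refusing bad URLs."""
    for url in (PYPI_INDEX, NPM_REGISTRY, MAVEN_REPO):
        if not endpoint_ok(url):
            raise ValueError(f"refusing to configure non-HTTPS or foreign registry: {url}")
    return {
        "pip.conf": pip_conf(),
        ".npmrc": npmrc(),
        "settings.xml": maven_settings(),
    }


def write_configs(dest_dir: str) -> list:
    """Write the rendered files under dest_dir and return the paths written."""
    base = Path(dest_dir)
    base.mkdir(parents=True, exist_ok=True)
    written = []
    for name, body in render_configs().items():
        path = base / name
        path.write_text(body)
        written.append(str(path))
    return written


if __name__ == "__main__":
    for path in write_configs("./rlc-config"):
        print("wrote", path)
```

The rendered files are dropped into a local directory rather than the user's real config locations so they can be reviewed before being copied into place (`~/.config/pip/pip.conf`, the project `.npmrc`, `~/.m2/settings.xml`).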
SBOM and VEX Coverage
Every patched package published to pkg.root.io includes:
- SBOM - a machine-readable inventory of all components and their versions after patching, in SPDX or CycloneDX format
- VEX statement - documents which CVEs were fixed in this artifact and asserts non-exploitability of any remaining known findings
- Provenance attestation - cryptographic proof that the artifact was produced by Root’s AVR pipeline
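A consumer should read the VEX that arrives with a patched artifact rather than take the "CVEs removed" claim on trust. The following is an added example and not Root's own code or output format: it assumes the SBOM and VEX are delivered as one CycloneDX JSON document (the page names CycloneDX as one supported SBOM format; the VEX encoding is an assumption), and it sorts each listed CVE by its CycloneDX analysis state into fixed, asserted not-affected, or still open. A `not_affected` entry with no justification and any `affects` reference that does not resolve to a component in the SBOM are treated as open findings. The component name and CVE identifiers in the embedded sample are constructed placeholders.

```python
import json

# Constructed sample: one CycloneDX 1.4 document carrying both the component
# inventory (SBOM) and the vulnerability analysis (VEX) for a patched artifact.
# Package name, version and CVE ids are placeholders, not real data.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "bom-ref": "pkg:pypi/example-lib@1.2.3"}
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "analysis": {"state": "resolved", "detail": "patch applied in place"},
         "affects": [{"ref": "pkg:pypi/example-lib@1.2.3"}]},
        {"id": "CVE-0000-0002",
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"},
         "affects": [{"ref": "pkg:pypi/example-lib@1.2.3"}]},
        {"id": "CVE-0000-0003",
         "analysis": {"state": "not_affected"},  # no justification given
         "affects": [{"ref": "pkg:pypi/example-lib@1.2.3"}]},
        {"id": "CVE-0000-0004",
         "analysis": {"state": "in_triage"},
         "affects": [{"ref": "pkg:pypi/example-lib@9.9.9"}]},  # ref not in SBOM
    ],
})

# CycloneDX analysis states meaning the finding was fixed in this artifact.
FIXED_STATES = {"resolved", "resolved_with_pedigree"}
# States asserting the finding does not apply to this artifact.
NOT_AFFECTED_STATES = {"not_affected", "false_positive"}


def summarize_vex(doc_json: str) -> dict:
    """Bucket every CVE in the document: fixed / not_affected / open / dangling."""
    doc = json.loads(doc_json)
    known_refs = {c.get("bom-ref") for c in doc.get("components", [])}
    summary = {"fixed": [], "not_affected": [], "open": [], "dangling": []}

    for vuln in doc.get("vulnerabilities", []):
        cve = vuln["id"]
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")  # missing analysis = open

        # Every affected ref must point at a component the SBOM actually lists.
        for target in vuln.get("affects", []):
            if target.get("ref") not in known_refs:
                summary["dangling"].append(cve)

        if state in FIXED_STATES:
            summary["fixed"].append(cve)
        elif state in NOT_AFFECTED_STATES and analysis.get("justification"):
            summary["not_affected"].append(cve)
        else:
            # exploitable, in_triage, unknown states, or an unjustified
            # not_affected assertion all need a human to look at them
            summary["open"].append(cve)
    return summary


def artifact_is_clean(doc_json: str) -> bool:
    """True only when nothing is open and every reference resolves."""
    s = summarize_vex(doc_json)
    return not s["open"] and not s["dangling"]


if __name__ == "__main__":
    report = summarize_vex(SAMPLE_CDX)
    for bucket, cves in report.items():
        print(f"{bucket:13s} {', '.join(cves) or '-'}")
    print("clean:", artifact_is_clean(SAMPLE_CDX))
```

Run against the embedded sample the checker reports one fixed CVE, one justified not-affected assertion, and two findings that still need attention; in a CI gate the `artifact_is_clean` result is the value to act on.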
RLC vs. Standard Registries
| | PyPI / npm / Maven Central | Root Library Catalog |
|---|---|---|
| Vulnerability count | Varies - packages ship as released | Root Patches applied before delivery |
| Patching responsibility | Yours - wait for upstream or upgrade | Root’s - automatic via AVR |
| Remediation SLA | None | Critical: 7 days · High: 14 days · Medium: 60 days |
| Security artifacts | None | SBOM, VEX, Provenance per package |
| Version pinning | Required - upgrade to fix CVEs | Preserved - same version, CVEs removed |
| Breaking changes | Possible on upgrade | None - patch-in-place |