Skip to main content
Root Library Catalog (RLC) is a secure package registry at pkg.root.io. It mirrors the public package ecosystems your teams already use - PyPI, npm, Maven Central, Go modules, NuGet, Composer - and serves patched versions of vulnerable packages transparently. RLC works as a drop-in registry replacement. No dependency declarations change. No application code changes. You consume the same packages at the same versions; Root ensures they’re free of known vulnerabilities.

Supported Ecosystems

Additional ecosystems including Ruby and Rust are under evaluation. Email hello@root.io if these are important to your team.

How Patched Packages Are Delivered

RLC acts as a transparent proxy in front of the upstream registries. When you install a package through pkg.root.io:
  1. Root’s AVR pipeline has already scanned the package for known CVEs
  2. If a vulnerability exists and a fix is available, AVR applies a Root Patch and publishes the secured artifact at pkg.root.io
  3. Your package manager resolves and downloads the patched version - same name, same version string, no code changes required
  4. The patched artifact ships with an updated SBOM and VEX statement documenting what was fixed
For Python and Java, packages resolve transparently by version. For JavaScript, Root publishes patched packages under the @rootio/ scope and uses overrides/resolutions in package.json to redirect resolution - no import statement changes needed. For Go, Root publishes patched modules with a pkg.root.io/ prefix and uses replace directives in go.mod to redirect resolution. For .NET, Root publishes patched NuGet packages under the RootIO. prefix (aliased) or at the original package name with a patched version suffix (original form). For PHP, Root publishes patched packages as a Composer repository; the patcher updates composer.json with pinned version constraints and adds pkg.root.io as a repository source.

Registry Endpoints

All endpoints require authentication. See Authentication for credential setup, or jump to the ecosystem guide for your stack.

SBOM and VEX Coverage

Every patched package published to pkg.root.io includes:
  • SBOM - a machine-readable inventory of all components and their versions after patching, in SPDX or CycloneDX format
  • VEX statement - documents which CVEs were fixed in this artifact and asserts non-exploitability of any remaining known findings
  • Provenance attestation - cryptographic proof that the artifact was produced by Root’s AVR pipeline
These artifacts are available via the Root platform UI, the API, and as package metadata. They give your security team and auditors a complete record of what Root changed and why the fix can be trusted.

RLC vs. Standard Registries