Root Library Catalog (RLC) is a secure package registry at pkg.root.io. It mirrors the public package ecosystems your teams already use - PyPI, npm, Maven Central, Go modules, NuGet - and serves patched versions of vulnerable packages transparently.
RLC works as a drop-in registry replacement. You consume the same packages at the same version strings, and application code does not change. For Python and Java, switching the registry is the only change; for JavaScript, Go and .NET, a small redirect in the dependency manifest (an override, a replace directive or a package alias, described below) points resolution at the patched artifact. Root ensures the packages it delivers are free of known vulnerabilities.
Supported Ecosystems
| Ecosystem | Package Managers | Registry Endpoint |
|---|---|---|
| Python | pip, uv, Poetry | pkg.root.io/pypi/ |
| JavaScript | npm, pnpm, yarn | pkg.root.io/npm/ |
| Java | Maven, Gradle | pkg.root.io/maven/ |
| Go | Go modules | pkg.root.io/gobinary/ |
| .NET | NuGet | pkg.root.io/nuget/ |
Additional ecosystems including Ruby and Rust are under evaluation. Email hello@root.io if these are important to your team.
How Patched Packages Are Delivered
RLC acts as a transparent proxy in front of the upstream registries. When you install a package through pkg.root.io:
- Root’s AVR pipeline has already scanned the package for known CVEs
- If a vulnerability exists and a fix is available, AVR applies a Root Patch and publishes the secured artifact at pkg.root.io
- Your package manager resolves and downloads the patched version - same name, same version string, no code changes required
- The patched artifact ships with an updated SBOM and VEX statement documenting what was fixed
How the redirect reaches your build differs by ecosystem:
- Python and Java: packages resolve transparently by version. Pointing pip, uv, Poetry, Maven or Gradle at pkg.root.io is the only change.
- JavaScript: Root publishes the patched package under the @rootio/ scope. An overrides or resolutions entry in package.json (whichever your package manager honors) redirects resolution of the original name to it, so import statements do not change.
- Go: Root publishes the patched module under a pkg.root.io/ path prefix. A replace directive in go.mod redirects resolution of the original module path to it.
- .NET: Root publishes the patched NuGet package in one of two forms: aliased under the RootIO. prefix, or in original form at the original package name with a patched version suffix.
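The client-side configuration those steps imply, as an added example that is not Root's own tooling: a POSIX shell script that writes the files pointing pip, npm, Go and NuGet at the endpoints listed on this page. Everything about credentials is an assumption, since this page defers to the Authentication guide: it assumes a login/token pair in ROOT_USER and ROOT_TOKEN, read by pip and the Go proxy client from .netrc, by npm from a registry-scoped _authToken line, and by NuGet from packageSourceCredentials. The GONOSUMDB setting and the package names example-pkg and github.com/example/lib are likewise illustrative, not something the page states.

```shell
#!/bin/sh
# Added example (not Root's own tooling): write the client configuration that
# points each package manager at pkg.root.io.
# Assumptions, not stated on this page: credentials are a login/token pair in
# ROOT_USER and ROOT_TOKEN; pip and the Go proxy client read them from .netrc,
# npm from an _authToken line, NuGet from packageSourceCredentials. The
# GONOSUMDB line and the names example-pkg and github.com/example/lib are
# illustrative only.
set -eu

ROOT_USER="${ROOT_USER:-rlc-user}"
ROOT_TOKEN="${ROOT_TOKEN:-replace-with-real-token}"

# Shared secret for pip and Go, both of which honor .netrc. Written under
# umask 077 so the file is readable by its owner only.
write_netrc() {                         # $1 = destination file
  (umask 077; printf 'machine pkg.root.io login %s password %s\n' \
      "$ROOT_USER" "$ROOT_TOKEN" >"$1")
}

# Python: PEP 503 simple index. The same URL serves pip, uv and Poetry.
write_pip_conf() {                      # $1 = destination file
  printf '[global]\nindex-url = https://pkg.root.io/pypi/simple/\n' >"$1"
}

# JavaScript: registry URL plus a registry-scoped token in .npmrc, and an
# overrides entry that redirects a dependency to its @rootio/ counterpart at
# the same version string, so import statements stay unchanged.
write_npmrc() {                         # $1 = destination file
  (umask 077; printf 'registry=https://pkg.root.io/npm/\n//pkg.root.io/npm/:_authToken=%s\n' \
      "$ROOT_TOKEN" >"$1")
}
write_package_json() {                  # $1 = file, $2 = package, $3 = version
  cat >"$1" <<EOF
{
  "name": "example-app",
  "version": "0.1.0",
  "dependencies": { "$2": "$3" },
  "overrides": { "$2": "npm:@rootio/$2@$3" }
}
EOF
}

# Go: GOPROXY points at the GOPROXY-protocol endpoint; the replace directive
# swaps the upstream module path for its pkg.root.io/ counterpart. GONOSUMDB is
# an assumption: modules served only to authenticated clients cannot have been
# recorded by the public checksum database, so go would otherwise refuse them.
write_go_env() {                        # $1 = destination file (source it)
  printf 'export GOPROXY=https://pkg.root.io/gobinary/\nexport GONOSUMDB=pkg.root.io\n' >"$1"
}
write_go_mod() {                        # $1 = file, $2 = module path, $3 = version
  cat >"$1" <<EOF
module example.com/app

go 1.22

require $2 $3

replace $2 => pkg.root.io/$2 $3
EOF
}

# .NET: NuGet v3 source with <clear /> so pkg.root.io is the only source.
# ClearTextPassword works on every platform; on Windows NuGet can store an
# encrypted Password instead. The file holds a secret, hence chmod 600.
write_nuget_config() {                  # $1 = destination file
  cat >"$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="rootio" value="https://pkg.root.io/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <rootio>
      <add key="Username" value="$ROOT_USER" />
      <add key="ClearTextPassword" value="$ROOT_TOKEN" />
    </rootio>
  </packageSourceCredentials>
</configuration>
EOF
  chmod 600 "$1"
}

# Write every file into one directory; copy each to its real location after review.
configure_all() {                       # $1 = output directory
  mkdir -p "$1"
  write_netrc        "$1/.netrc"
  write_pip_conf     "$1/pip.conf"
  write_npmrc        "$1/.npmrc"
  write_package_json "$1/package.json" example-pkg 2.0.1
  write_go_env       "$1/go.env"
  write_go_mod       "$1/go.mod" github.com/example/lib v1.4.2
  write_nuget_config "$1/nuget.config"
}

# Usage: sh rlc-config.sh /path/to/output-dir
if [ -n "${1:-}" ]; then configure_all "$1"; fi
```

The script writes into a staging directory rather than straight into ~/.config, ~/.npmrc or the project, so each file can be reviewed before it is moved into place. Files that carry the token are created owner-readable only; the pip and Go settings carry no secret because those clients read .netrc.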
Registry Endpoints
| Ecosystem | Endpoint | Protocol |
|---|---|---|
| Python (pip, uv, Poetry) | https://pkg.root.io/pypi/simple/ | PEP 503 Simple Index |
| JavaScript (npm, pnpm, yarn) | https://pkg.root.io/npm/ | npm registry protocol |
| Java (Maven) | https://pkg.root.io/maven/ | Maven repository layout |
| Go (Go modules) | https://pkg.root.io/gobinary/ | GOPROXY protocol |
| .NET (NuGet) | https://pkg.root.io/nuget/v3/index.json | NuGet v3 protocol |
All endpoints require authentication. See Authentication for credential setup, or jump to the ecosystem guide for your stack.
SBOM and VEX Coverage
Every patched package published to pkg.root.io includes:
- SBOM - a machine-readable inventory of all components and their versions after patching, in SPDX or CycloneDX format
- VEX statement - documents which CVEs were fixed in this artifact and records the status of any remaining known findings that Root assesses as not exploitable
- Provenance attestation - cryptographic proof that the artifact was produced by Root’s AVR pipeline
These artifacts are available via the Root platform UI, the API, and as package metadata. They give your security team and auditors a complete record of what Root changed and why the fix can be trusted.
RLC vs. Standard Registries
| | PyPI / npm / Maven Central / Go modules / NuGet | Root Library Catalog |
|---|---|---|
| Vulnerability count | Varies - packages ship as released | Root Patches applied before delivery |
| Patching responsibility | Yours - wait for upstream or upgrade | Root’s - automatic via AVR |
| Remediation SLA | None | Critical: 7 days · High: 14 days · Medium: 60 days |
| Security artifacts | None | SBOM, VEX, Provenance per package |
| Version pinning | Must change - fixing a CVE means bumping the pinned version | Preserved - same version string, CVEs removed |
| Breaking changes | Possible on upgrade | None - patch-in-place |