pkg.root.io. It mirrors the public package ecosystems your teams already use — PyPI, npm, Maven Central — and serves patched versions of vulnerable packages transparently.
RLC works as a drop-in registry replacement. No dependency declarations change. No application code changes. You consume the same packages at the same versions; Root ensures they’re free of known vulnerabilities.
Supported Ecosystems
| Ecosystem | Package Managers | Registry Endpoint |
|---|---|---|
| Python | pip, uv, Poetry | pkg.root.io/pypi/ |
| JavaScript | npm, pnpm, yarn | pkg.root.io/npm/ |
| Java | Maven, Gradle | pkg.root.io/maven/ |
How Patched Packages Are Delivered
RLC acts as a transparent proxy in front of the upstream registries. When you install a package through pkg.root.io:
- Root’s AVR pipeline has already scanned the package for known CVEs
- If a vulnerability exists and a fix is available, AVR applies a Root Patch and publishes the secured artifact at pkg.root.io
- Your package manager resolves and downloads the patched version — same name, same version string, no code changes required
- The patched artifact ships with an updated SBOM and VEX statement documenting what was fixed
@rootio/ scope and uses overrides/resolutions in package.json to redirect resolution — no import statement changes needed.
Registry Endpoints
| Ecosystem | Endpoint | Protocol |
|---|---|---|
| Python (pip, uv, Poetry) | https://pkg.root.io/pypi/simple/ | PEP 503 Simple Index |
| JavaScript (npm, pnpm, yarn) | https://pkg.root.io/npm/ | npm registry protocol |
| Java (Maven) | https://pkg.root.io/maven/ | Maven repository layout |
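The endpoints in the table are all a package manager needs, so the following added example (not from Root's documentation) generates the pip, npm and Maven configuration that routes each ecosystem to RLC and checks the result. The endpoint URLs are the page's; the file names, the scope-only npm default and the Maven mirror id are assumptions about a typical setup.

```shell
#!/bin/sh
# Added example: point pip, npm and Maven at the RLC endpoints.
# Endpoint URLs are from the page; file locations, the @rootio scope
# handling and the mirror id are assumptions about a typical setup.
set -e

RLC_PYPI="https://pkg.root.io/pypi/simple/"
RLC_NPM="https://pkg.root.io/npm/"
RLC_MAVEN="https://pkg.root.io/maven/"

# pip: replace the default index with RLC (PEP 503 simple index).
# Written into $1 so it can be reviewed before copying to ~/.config/pip/pip.conf.
write_pip_conf() {
  cat > "$1/pip.conf" <<EOF
[global]
index-url = ${RLC_PYPI}
EOF
}

# npm/pnpm/yarn: route the @rootio scope to RLC. The unscoped registry line
# is left commented so full replacement is an explicit, reviewed choice.
write_npmrc() {
  cat > "$1/.npmrc" <<EOF
@rootio:registry=${RLC_NPM}
# registry=${RLC_NPM}
EOF
}

# Maven/Gradle (via settings.xml): mirror Central through RLC.
write_maven_settings() {
  cat > "$1/settings.xml" <<EOF
<settings>
  <mirrors>
    <mirror>
      <id>root-library-catalog</id>
      <mirrorOf>central</mirrorOf>
      <url>${RLC_MAVEN}</url>
    </mirror>
  </mirrors>
</settings>
EOF
}

# Guard: every generated file must reference pkg.root.io, so a typo cannot
# silently leave one package manager on the public registry.
check_configs() {
  for f in pip.conf .npmrc settings.xml; do
    grep -q "https://pkg.root.io/" "$1/$f" || return 1
  done
}
```

Generate into a scratch directory first (`d=$(mktemp -d); write_pip_conf "$d"; ...; check_configs "$d"`), then copy each file to its manager's expected location.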
SBOM and VEX Coverage
Every patched package published to pkg.root.io includes:
- SBOM — a machine-readable inventory of all components and their versions after patching, in SPDX or CycloneDX format
- VEX statement — documents which CVEs were fixed in this artifact and asserts non-exploitability of any remaining known findings
- Provenance attestation — cryptographic proof that the artifact was produced by Root’s AVR pipeline
RLC vs. Standard Registries
| | PyPI / npm / Maven Central | Root Library Catalog |
|---|---|---|
| Vulnerability count | Varies — packages ship as released | Root Patches applied before delivery |
| Patching responsibility | Yours — wait for upstream or upgrade | Root’s — automatic via AVR |
| Remediation SLA | None | Critical: 7 days · High: 14 days · Medium: 60 days |
| Security artifacts | None | SBOM, VEX, Provenance per package |
| Version pinning | Required — upgrade to fix CVEs | Preserved — same version, CVEs removed |
| Breaking changes | Possible on upgrade | None — patch-in-place |