pkg.root.io. It mirrors the public package ecosystems your teams already use - PyPI, npm, Maven Central, Go modules, NuGet, Composer - and serves patched versions of vulnerable packages transparently.
RLC works as a drop-in registry replacement. No dependency declarations change. No application code changes. You consume the same packages at the same versions; Root ensures they’re free of known vulnerabilities.
Supported Ecosystems
Additional ecosystems including Ruby and Rust are under evaluation. Email hello@root.io if these are important to your team.
How Patched Packages Are Delivered
RLC acts as a transparent proxy in front of the upstream registries. When you install a package throughpkg.root.io:
- Root’s AVR pipeline has already scanned the package for known CVEs
- If a vulnerability exists and a fix is available, AVR applies a Root Patch and publishes the secured artifact at
pkg.root.io - Your package manager resolves and downloads the patched version - same name, same version string, no code changes required
- The patched artifact ships with an updated SBOM and VEX statement documenting what was fixed
@rootio/ scope and uses overrides/resolutions in package.json to redirect resolution - no import statement changes needed. For Go, Root publishes patched modules with a pkg.root.io/ prefix and uses replace directives in go.mod to redirect resolution. For .NET, Root publishes patched NuGet packages under the RootIO. prefix (aliased) or at the original package name with a patched version suffix (original form). For PHP, Root publishes patched packages as a Composer repository; the patcher updates composer.json with pinned version constraints and adds pkg.root.io as a repository source.
Registry Endpoints
All endpoints require authentication. See Authentication for credential setup, or jump to the ecosystem guide for your stack.
SBOM and VEX Coverage
Every patched package published topkg.root.io includes:
- SBOM - a machine-readable inventory of all components and their versions after patching, in SPDX or CycloneDX format
- VEX statement - documents which CVEs were fixed in this artifact and asserts non-exploitability of any remaining known findings
- Provenance attestation - cryptographic proof that the artifact was produced by Root’s AVR pipeline