# Root Library Catalog Overview

> Secure application packages at pkg.root.io - patched by AVR for Python, JavaScript, Java, and Go ecosystems.

Root Library Catalog (RLC) is a secure package registry at `pkg.root.io`. It mirrors the public package ecosystems your teams already use - PyPI, npm, Maven Central, Go modules - and serves patched versions of vulnerable packages transparently.

RLC works as a drop-in registry replacement. No dependency declarations change. No application code changes. You consume the same packages at the same versions; Root ensures they're free of known vulnerabilities.

## Supported Ecosystems

| Ecosystem  | Package Managers | Registry Endpoint       |
| ---------- | ---------------- | ----------------------- |
| Python     | pip, uv, Poetry  | `pkg.root.io/pypi/`     |
| JavaScript | npm, pnpm, yarn  | `pkg.root.io/npm/`      |
| Java       | Maven, Gradle    | `pkg.root.io/maven/`    |
| Go         | Go modules       | `pkg.root.io/gobinary/` |
| .NET       | NuGet            | `pkg.root.io/nuget/`    |

Additional ecosystems including Ruby and Rust are under evaluation. Email [hello@root.io](mailto:hello@root.io) if these are important to your team.

## How Patched Packages Are Delivered

RLC acts as a transparent proxy in front of the upstream registries. When you install a package through `pkg.root.io`:

1. Root's AVR pipeline has already scanned the package for known CVEs
2. If a vulnerability exists and a fix is available, AVR applies a Root Patch and publishes the secured artifact at `pkg.root.io`
3. Your package manager resolves and downloads the patched version - same name, same version string, no code changes required
4. The patched artifact ships with an updated SBOM and VEX statement documenting what was fixed

For Python and Java, packages resolve transparently by version. For JavaScript, Root publishes patched packages under the `@rootio/` scope and uses `overrides`/`resolutions` in `package.json` to redirect resolution - no import statement changes needed. For Go, Root publishes patched modules with a `pkg.root.io/` prefix and uses `replace` directives in `go.mod` to redirect resolution. For .NET, Root publishes patched NuGet packages under the `RootIO.` prefix (aliased) or at the original package name with a patched version suffix (original form).
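As an added example (not Root's own tooling), the following Python script audits a project's manifests for the two redirect mechanisms just described: npm `overrides`/`resolutions` that alias a dependency to its `@rootio/` scoped package, and go.mod `replace` directives that point at a `pkg.root.io/` module path. The sample manifests, package names, the `npm:@rootio/<name>@<version>` alias form and the exact replaced module path are constructed assumptions; any dependency the functions return is still resolving from the public registry.

```python
import json
import re

# Constructed sample manifests for the audit (not a real project's files).
PACKAGE_JSON = json.dumps({
    "dependencies": {"left-pad": "1.3.0", "example-lib": "2.0.0"},
    # npm alias syntax redirecting a name to its @rootio/ scoped package (assumed form)
    "overrides": {"left-pad": "npm:@rootio/left-pad@1.3.0"},
})
GO_MOD = """module example.com/app
require (
\texample.com/libone v1.4.0
\texample.com/libtwo v0.9.1
)
replace example.com/libone => pkg.root.io/example.com/libone v1.4.0
"""  # the pkg.root.io/ target path layout is an assumption for this example


def npm_unredirected(package_json: str) -> list[str]:
    """Dependencies whose resolution is not redirected to the @rootio/ scope."""
    manifest = json.loads(package_json)
    # npm honours `overrides`, yarn honours `resolutions`; check both.
    redirects = {**manifest.get("overrides", {}), **manifest.get("resolutions", {})}
    return sorted(
        name for name in manifest.get("dependencies", {})
        if not str(redirects.get(name, "")).startswith("npm:@rootio/")
    )


_REPLACE = re.compile(r"^\s*replace\s+(\S+)\s*=>\s*(\S+)", re.MULTILINE)


def go_unredirected(go_mod: str) -> list[str]:
    """Required modules with no `replace` pointing at a pkg.root.io/ module path."""
    replaced = {m.group(1) for m in _REPLACE.finditer(go_mod)
                if m.group(2).startswith("pkg.root.io/")}
    required, in_block = set(), False
    for line in go_mod.splitlines():
        s = line.strip()
        if s.startswith("require ("):
            in_block = True
        elif in_block and s == ")":
            in_block = False
        elif in_block or s.startswith("require "):
            parts = s.removeprefix("require ").split()
            if len(parts) >= 2 and parts[1].startswith("v"):
                required.add(parts[0])
    return sorted(required - replaced)
```

Run it against your own `package.json` and `go.mod` contents; an empty list from both functions means every declared dependency is redirected to a Root-published artifact.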

## Registry Endpoints

| Ecosystem                    | Endpoint                                  | Protocol                |
| ---------------------------- | ----------------------------------------- | ----------------------- |
| Python (pip, uv, Poetry)     | `https://pkg.root.io/pypi/simple/`        | PEP 503 Simple Index    |
| JavaScript (npm, pnpm, yarn) | `https://pkg.root.io/npm/`                | npm registry protocol   |
| Java (Maven)                 | `https://pkg.root.io/maven/`              | Maven repository layout |
| Go (Go modules)              | `https://pkg.root.io/gobinary/`           | GOPROXY protocol        |
| .NET (NuGet)                 | `https://pkg.root.io/nuget/v3/index.json` | NuGet v3 protocol       |

All endpoints require authentication. See [Authentication](/getting-started/authentication) for credential setup, or jump to the ecosystem guide for your stack.

## SBOM and VEX Coverage

Every patched package published to `pkg.root.io` includes:

* **SBOM** - a machine-readable inventory of all components and their versions after patching, in SPDX or CycloneDX format
* **VEX statement** - documents which CVEs were fixed in this artifact and asserts non-exploitability of any remaining known findings
* **Provenance attestation** - cryptographic proof that the artifact was produced by Root's AVR pipeline

These artifacts are available via the Root platform UI, the API, and as package metadata. They give your security team and auditors a complete record of what Root changed and why the fix can be trusted.

## RLC vs. Standard Registries

|                         | PyPI / npm / Maven Central / Go modules | Root Library Catalog                               |
| ----------------------- | --------------------------------------- | -------------------------------------------------- |
| Vulnerability count     | Varies - packages ship as released      | Root Patches applied before delivery               |
| Patching responsibility | Yours - wait for upstream or upgrade    | Root's - automatic via AVR                         |
| Remediation SLA         | None                                    | Critical: 7 days · High: 14 days · Medium: 60 days |
| Security artifacts      | None                                    | SBOM, VEX, Provenance per package                  |
| Version pinning         | Required - upgrade to fix CVEs          | Preserved - same version, CVEs removed             |
| Breaking changes        | Possible on upgrade                     | None - patch-in-place                              |
