The Root Patcher CLI (rootio_patcher) scans your installed packages, queries Root’s remediation API for available patches, and applies Root-fixed packages to your project — automatically.
When to Use the Patcher
There are two ways to consume Root-patched packages:
| Approach | Best for |
|---|---|
| Registry proxy (pkg.root.io) | New projects, CI/CD pipelines, clean installs — point your package manager at Root’s registry and packages arrive patched |
| Patcher CLI | Existing environments, one-shot remediation, or projects where changing global registry config isn’t practical |
For Maven specifically, the patcher is the recommended approach — it resolves transitive dependencies and directly updates your pom.xml rather than requiring a full registry mirror configuration.
Installation
Linux (x86_64)
```bash
curl -sL https://github.com/rootio-avr/rootio_patcher/releases/latest/download/rootio_patcher_linux_x86_64.tar.gz | tar xz
chmod +x rootio_patcher
sudo mv rootio_patcher /usr/local/bin/
```
macOS (Apple Silicon — M1/M2/M3)
```bash
curl -sL https://github.com/rootio-avr/rootio_patcher/releases/latest/download/rootio_patcher_darwin_arm64.tar.gz | tar xz
chmod +x rootio_patcher
sudo mv rootio_patcher /usr/local/bin/
```
macOS (Intel)
```bash
curl -sL https://github.com/rootio-avr/rootio_patcher/releases/latest/download/rootio_patcher_darwin_x86_64.tar.gz | tar xz
chmod +x rootio_patcher
sudo mv rootio_patcher /usr/local/bin/
```
Windows (PowerShell)
```powershell
Invoke-WebRequest -Uri "https://github.com/rootio-avr/rootio_patcher/releases/latest/download/rootio_patcher_windows_x86_64.zip" -OutFile "rootio_patcher.zip"
Expand-Archive -Path rootio_patcher.zip -DestinationPath .
# Add rootio_patcher.exe to your PATH or run it directly
```
Verify
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| ROOTIO_API_KEY | Yes | — | Your Root API key |
| ROOTIO_API_URL | No | https://api.root.io | Override Root API endpoint |
| ROOTIO_PKG_URL | No | https://pkg.root.io | Override Root package registry |
| LOG_LEVEL | No | info | debug, info, warn, or error |

```bash
export ROOTIO_API_KEY="your-api-key-here"
```
To get your API key, go to Settings → Token Management in the Root platform and click Generate API Token.
Dry-Run Mode
All commands run in dry-run mode by default — they preview what would change without modifying anything. This is recommended before applying patches for the first time.
```bash
# Preview what would be patched (no changes made)
rootio_patcher pip remediate

# Apply patches for real
rootio_patcher pip remediate --dry-run=false
```
Dry-run output shows the exact commands that would be run and which CVEs each patch resolves:
```text
=== DRY-RUN MODE ===
The following operations would be performed:

1. Package: requests @ 2.25.1
   Patch (Aliased): rootio-requests @ 2.25.1+root.io.1
   CVEs Fixed: [CVE-2023-32681]
   Commands:
     pip uninstall -y requests
     pip install --no-deps --index-url https://root:<key>@pkg.root.io/pypi/simple/ rootio-requests==2.25.1+root.io.1

To apply these patches, run with --dry-run=false
```
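When the dry-run plan has to go through change review or be attached to a ticket, it helps to turn it into structured data. The parser below is an added helper, not part of rootio_patcher: it assumes the line layout shown above (numbered `Package:` entries followed by `Patch`, `CVEs Fixed` and `Commands:` lines) is stable, and it masks the registry credential embedded in the install command before the plan is pasted into a log or ticket. The sample output is a constructed copy of that layout.

```python
"""Turn rootio_patcher dry-run output into structured data for change review.

Added helper, not part of rootio_patcher. It assumes the dry-run line layout
shown on this page (numbered "Package:" entries followed by "Patch",
"CVEs Fixed" and "Commands:" lines) is stable; the sample below is a
constructed copy of that layout.
"""
import re

PKG_RE = re.compile(r"^\d+\.\s+Package:\s+(?P<name>\S+)\s+@\s+(?P<version>\S+)")
PATCH_RE = re.compile(r"^Patch(?:\s+\((?P<kind>[^)]+)\))?:\s+(?P<name>\S+)\s+@\s+(?P<version>\S+)")
CVES_RE = re.compile(r"^CVEs Fixed:\s*\[(?P<cves>[^\]]*)\]")
# userinfo in a URL: scheme://user:secret@host -> scheme://user:***@host
CRED_RE = re.compile(r"(://[^/@\s:]+:)[^@\s]+@")


def redact_credentials(line: str) -> str:
    """Mask the password part of any user:password@host URL in a line."""
    return CRED_RE.sub(r"\1***@", line)


def parse_dry_run(text: str, redact: bool = True) -> list:
    """Return one dict per planned operation: package, patch, patch_kind, cves, commands."""
    entries, current, in_commands = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_commands = False  # a blank line ends a command list
            continue
        m = PKG_RE.match(line)
        if m:
            current = {"package": (m["name"], m["version"]), "patch": None,
                       "patch_kind": None, "cves": [], "commands": []}
            entries.append(current)
            in_commands = False
            continue
        if current is None:
            continue  # banner lines before the first entry
        if line.startswith("To apply"):
            break  # trailer after the last entry
        m = PATCH_RE.match(line)
        if m:
            current["patch"] = (m["name"], m["version"])
            current["patch_kind"] = m["kind"]
            in_commands = False
            continue
        m = CVES_RE.match(line)
        if m:
            current["cves"] = [c.strip() for c in m["cves"].split(",") if c.strip()]
            in_commands = False
            continue
        if line == "Commands:":
            in_commands = True
            continue
        if in_commands:
            current["commands"].append(redact_credentials(line) if redact else line)
    return entries


def all_cves(entries: list) -> list:
    """Sorted, de-duplicated list of every CVE the plan would fix."""
    return sorted({cve for e in entries for cve in e["cves"]})


# Constructed sample: a copy of the dry-run layout shown on this page.
SAMPLE_DRY_RUN = """\
=== DRY-RUN MODE ===
The following operations would be performed:

1. Package: requests @ 2.25.1
   Patch (Aliased): rootio-requests @ 2.25.1+root.io.1
   CVEs Fixed: [CVE-2023-32681]
   Commands:
     pip uninstall -y requests
     pip install --no-deps --index-url https://root:<key>@pkg.root.io/pypi/simple/ rootio-requests==2.25.1+root.io.1

To apply these patches, run with --dry-run=false
"""

if __name__ == "__main__":
    plan = parse_dry_run(SAMPLE_DRY_RUN)
    for entry in plan:
        print(entry["package"], "->", entry["patch"], entry["cves"])
    print("CVEs in plan:", all_cves(plan))
```

Feed it the captured stdout of `rootio_patcher pip remediate` (dry-run) and keep the returned list alongside the CI run; the redacted command list is safe to attach to a change record.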
Python — pip
The patcher uses post-install patching: it reads your current environment with `pip list`, queries Root’s API for available patches, then uninstalls vulnerable packages and reinstalls Root-patched versions.

```bash
# Preview
rootio_patcher pip remediate

# Apply
rootio_patcher pip remediate --dry-run=false
```
Flags:
| Flag | Default | Description |
|---|---|---|
| --dry-run | true | Preview changes without applying |
| --python-path | python | Path to a specific Python interpreter |
| --use-alias | true | Install under Root’s aliased name (e.g., rootio-requests) |
To patch a specific virtual environment:
```bash
rootio_patcher pip remediate --python-path=./venv/bin/python --dry-run=false
```
JavaScript — npm, yarn, pnpm
The patcher uses pre-install patching: it reads your lock file, queries Root’s API, then injects overrides or resolutions into your package.json. You run your package manager’s install command afterward to apply the changes.
```bash
# npm (default)
rootio_patcher npm remediate --dry-run=false

# yarn
rootio_patcher npm remediate --package-manager=yarn --dry-run=false

# pnpm
rootio_patcher npm remediate --package-manager=pnpm --dry-run=false
```
After running the patcher, run your package manager’s install command:
```bash
npm install   # or yarn install / pnpm install
```
Flags:
| Flag | Default | Options | Description |
|---|---|---|---|
| --dry-run | true | — | Preview changes without applying |
| --package-manager | npm | npm, yarn, pnpm | Which package manager to target |
The patcher injects entries in the format `npm:@rootio/<package>@<version>` into the appropriate override field for your package manager:

| Package manager | Field updated |
|---|---|
| npm | overrides |
| pnpm | pnpm.overrides |
| Yarn 1 | resolutions |
| Yarn 2+ (Berry) | resolutions |
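To make the override mechanism concrete, here is an added example (not rootio_patcher's own code) that injects the alias entries into the field each package manager reads, as listed in the table above. The field names and the `npm:@rootio/<package>@<version>` value format come from this page; the sample package.json, the patched version number and the helper names are constructed for the example.

```python
"""Inject Root-style npm alias overrides into a package.json document.

Added illustration of the override mechanism described on this page; this is
not rootio_patcher's own code. Field names (overrides, pnpm.overrides,
resolutions) and the npm:@rootio/<package>@<version> value format follow the
page's table; the sample package.json and patch list are constructed.
"""
import copy
import json

# Dotted path into package.json that each package manager consults.
# Yarn 1 and Yarn 2+ (Berry) both read "resolutions".
OVERRIDE_FIELD = {
    "npm": ("overrides",),
    "pnpm": ("pnpm", "overrides"),
    "yarn": ("resolutions",),
}


def alias_spec(package: str, version: str) -> str:
    """Build the npm alias spec that redirects a name to Root's patched package."""
    return f"npm:@rootio/{package}@{version}"


def inject_overrides(package_json: dict, manager: str, patches: dict) -> dict:
    """Return a copy of package_json with one alias override per patched package.

    patches maps the original package name to the patched version. Existing
    overrides for other packages are kept; an existing override for a patched
    package is replaced so the patched version wins.
    """
    if manager not in OVERRIDE_FIELD:
        raise ValueError(f"unsupported package manager: {manager}")
    doc = copy.deepcopy(package_json)  # never mutate the caller's document
    node = doc
    *parents, leaf = OVERRIDE_FIELD[manager]
    for key in parents:  # create nested containers such as "pnpm"
        node = node.setdefault(key, {})
    field = node.setdefault(leaf, {})
    for name, version in patches.items():
        field[name] = alias_spec(name, version)
    return doc


def affected_direct_deps(package_json: dict, patches: dict) -> list:
    """Direct dependencies the overrides will redirect (useful for review)."""
    direct = {**package_json.get("dependencies", {}),
              **package_json.get("devDependencies", {})}
    return sorted(name for name in patches if name in direct)


# Constructed sample input (not real project data).
SAMPLE_PACKAGE_JSON = {
    "name": "demo-app",
    "dependencies": {"lodash": "^4.17.20", "express": "^4.18.0"},
    "overrides": {"minimist": "1.2.8"},
}
SAMPLE_PATCHES = {"lodash": "4.17.21"}  # constructed version, not a Root release

if __name__ == "__main__":
    for manager in OVERRIDE_FIELD:
        print(f"--- {manager} ---")
        print(json.dumps(inject_overrides(SAMPLE_PACKAGE_JSON, manager, SAMPLE_PATCHES), indent=2))
```

Whatever writes the file, the install step that follows (`npm install`, `yarn install` or `pnpm install`) is what actually swaps the packages; until then the lock file still points at the vulnerable versions, which is why the page tells you to run it afterwards.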
Java — Maven
The patcher uses pre-install patching: it reads your `pom.xml` (and any multi-module submodules), queries Root’s API, then rewrites dependency `groupId` and `version` values to use Root-patched equivalents. It also adds `<exclusions>` to prevent transitive re-introduction of vulnerable versions.

```bash
# Preview
rootio_patcher maven remediate

# Apply
rootio_patcher maven remediate --dry-run=false

# Specify a pom.xml path
rootio_patcher maven remediate --file=path/to/pom.xml --dry-run=false
```
After running the patcher, rebuild:
Flags:
| Flag | Default | Description |
|---|---|---|
| --dry-run | true | Preview changes without applying |
| --file | pom.xml | Path to the target pom.xml |
For multi-module Maven projects, run the patcher from the root of the project. It will discover all submodule pom.xml files automatically.
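The pom.xml rewrite described above, as an added example that is not rootio_patcher's own code: it swaps the `groupId` and `version` of a matching dependency and adds `<exclusions>` for the original coordinates to the other direct dependencies. The patched groupId in the sample (`example.patched`) is a placeholder rather than Root's real coordinates, the exclusion strategy is an assumption about how re-introduction is blocked, and only the direct `<dependencies>` block of a single pom is handled (no `<dependencyManagement>`, no submodule discovery).

```python
"""Rewrite Maven dependency coordinates to patched equivalents and add
exclusions so other dependencies cannot pull the vulnerable version back in.

Added illustration of the pom.xml rewrite described on this page; this is
not rootio_patcher's own code. The patched groupId in the sample
("example.patched") is a placeholder, not Root's real coordinates, and the
exclusion strategy (exclude the vulnerable artifact from every other direct
dependency) is an assumption. Only the direct <dependencies> block of one
pom is handled; <dependencyManagement> and submodules are out of scope.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
ET.register_namespace("", POM_NS)  # serialise with a default xmlns, not ns0:


def _q(tag: str) -> str:
    """Namespace-qualified tag name for ElementTree."""
    return f"{{{POM_NS}}}{tag}"


def _text(parent, tag: str):
    el = parent.find(f"m:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None


def _has_exclusion(dep, group: str, artifact: str) -> bool:
    return any(
        (_text(ex, "groupId"), _text(ex, "artifactId")) == (group, artifact)
        for ex in dep.findall("m:exclusions/m:exclusion", NS)
    )


def _add_exclusion(dep, group: str, artifact: str) -> None:
    excls = dep.find("m:exclusions", NS)
    if excls is None:
        excls = ET.SubElement(dep, _q("exclusions"))
    ex = ET.SubElement(excls, _q("exclusion"))
    ET.SubElement(ex, _q("groupId")).text = group
    ET.SubElement(ex, _q("artifactId")).text = artifact


def patch_pom(pom_xml: str, patches: dict):
    """Return (patched_xml, replaced_coords).

    patches maps (groupId, artifactId, version) of a vulnerable dependency to
    (patchedGroupId, patchedVersion). Dependencies without an explicit
    <version> never match, so managed versions are left untouched.
    """
    root = ET.fromstring(pom_xml)
    deps = root.findall("m:dependencies/m:dependency", NS)
    replaced, rewritten = [], set()
    for dep in deps:
        key = (_text(dep, "groupId"), _text(dep, "artifactId"), _text(dep, "version"))
        if key in patches:
            new_group, new_version = patches[key]
            dep.find("m:groupId", NS).text = new_group
            dep.find("m:version", NS).text = new_version
            replaced.append(key)
            rewritten.add(id(dep))
    # Block transitive re-introduction: every other direct dependency gets an
    # exclusion for the original (vulnerable) coordinates, once.
    for dep in deps:
        if id(dep) in rewritten:
            continue
        for group, artifact, _version in replaced:
            if not _has_exclusion(dep, group, artifact):
                _add_exclusion(dep, group, artifact)
    if hasattr(ET, "indent"):  # Python 3.9+: pretty-print the new elements
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode"), replaced


def summarize(pom_xml: str) -> dict:
    """Map artifactId -> coordinates and exclusions, for post-patch review."""
    root = ET.fromstring(pom_xml)
    out = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        out[_text(dep, "artifactId")] = {
            "groupId": _text(dep, "groupId"),
            "version": _text(dep, "version"),
            "exclusions": [
                (_text(ex, "groupId"), _text(ex, "artifactId"))
                for ex in dep.findall("m:exclusions/m:exclusion", NS)
            ],
        }
    return out


# Constructed sample project (not real coordinates).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>parser</artifactId>
      <version>2.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example.web</groupId>
      <artifactId>server</artifactId>
      <version>5.0.0</version>
    </dependency>
  </dependencies>
</project>
"""
# Placeholder patched coordinates; not a real Root artifact.
SAMPLE_PATCHES = {("org.example.lib", "parser", "2.1.0"): ("example.patched", "2.1.0-root.1")}

if __name__ == "__main__":
    patched, replaced = patch_pom(SAMPLE_POM, SAMPLE_PATCHES)
    print(patched)
    print("replaced:", replaced)
```

Running `patch_pom` a second time on its own output is a no-op, which is the property you want before wiring a rewrite like this into a CI step that may run on an already-patched tree; `summarize` gives you the before/after view to diff in review.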
CI/CD
Set ROOTIO_API_KEY as a secret in your CI environment and run the patcher as a remediation step.
GitHub Actions
```yaml
- name: Patch vulnerable dependencies
  run: rootio_patcher pip remediate --dry-run=false
  env:
    ROOTIO_API_KEY: ${{ secrets.ROOTIO_API_KEY }}
```
For npm:
```yaml
- name: Patch vulnerable dependencies
  run: |
    rootio_patcher npm remediate --package-manager=npm --dry-run=false
    npm install
  env:
    ROOTIO_API_KEY: ${{ secrets.ROOTIO_API_KEY }}
```
Source
rootio_patcher is open source under the Apache 2.0 license: github.com/rootio-avr/rootio_patcher