Skip to main content
Root Library Catalog supports pip, uv, and Poetry. All three use the same registry endpoint and credential approach.
If you want to patch an existing Python environment rather than configure a registry, use the Root Patcher CLI instead. Run rootio_patcher pip remediate to automatically identify and replace vulnerable packages in your current environment.

Which tool should I use?

If you’re starting fresh or choosing between tools, here’s a quick guide:
ToolBest for
pipSimple projects, scripts, or any environment where a requirements.txt is sufficient
uvFast installs, modern Python projects, pyproject.toml-based workflows — uv is significantly faster than pip
PoetryProjects that need dependency locking, packaging, and publishing in one tool
All three tools read credentials from ~/.netrc and resolve packages through pkg.root.io/pypi/simple/. The configuration steps differ only in how you point each tool at Root’s registry.

Authentication

All three tools read credentials from ~/.netrc. Add your Root token: 
echo "machine pkg.root.io login token password YOUR_ROOT_TOKEN" >> ~/.netrc
chmod 600 ~/.netrc

pip

Configure the registry

pip config set global.index-url https://pkg.root.io/pypi/simple &&
pip config set global.extra-index-url https://pypi.org/simple

Install

Add the package to your requirements.txt: 
requests==2.31.0
Then install: 
pip install -r requirements.txt

uv

Configure the registry

Add to your pyproject.toml: 
[[tool.uv.index]]
name = "root"
url = "https://pkg.root.io/pypi/simple/"

Install and sync

uv add requests==2.31.0
uv sync --upgrade

Poetry

Configure the registry

poetry source add --priority=primary root https://pkg.root.io/pypi/simple/ &&
poetry source add --priority=supplemental pypi

Install

poetry add requests==2.31.0
poetry update

CI/CD Configuration

Inject credentials via environment and write to ~/.netrc at build time: 
echo "machine pkg.root.io login token password $ROOT_TOKEN" >> ~/.netrc
chmod 600 ~/.netrc

Troubleshooting

IssueSolution
401 UnauthorizedVerify ~/.netrc has correct token and chmod 600 is set
Package not foundConfirm extra-index-url includes PyPI as fallback
SSL errorsEnsure you’re using https:// not http://
Hash mismatchRoot serves patched packages — hashes differ from PyPI; this is expected