A Root Patch is the smallest safe fix for a vulnerable package. For application packages, Root Patches target the vulnerable code within a specific package version — without bumping to a newer release unless necessary.

What is a Root Patch?

[Definition, scope — what gets patched within a package, what stays the same. Coming soon.]

Patch Types

[Backported patches — applying an upstream fix to the version you declared; native distribution package upgrades — using the package maintainer’s own update when available. Coming soon.]

How Patches Are Applied Without Version Bumps

[Why Root patches in-place rather than forcing upgrades — compatibility guarantees, lockfile stability. Coming soon.]

Viewing Patch History for a Package

[How to see which CVEs were addressed, which Root Patches were applied, and when — via the Root platform or API. Coming soon.]

SBOM and VEX for Patched Packages

[What the updated SBOM contains, how VEX statements document each patched vulnerability. Coming soon.]

Patch Freshness SLA

[Root’s commitment to patch availability after CVE publication. Coming soon.]