Introducing the Root Library Catalog

Mickey Gordon
CPO, Co-Founder
Published: Dec 3, 2025
The Problem We're Solving
If you're reading this, you've probably lived through this scenario: A critical CVE drops in one of your application dependencies.
Here’s how it usually goes:
Your security scanner flags it.
Your AppSec team escalates.
And your engineering team groans once again. Why? Because fixing it means either upgrading to a new version (and potentially breaking everything) or waiting weeks for an upstream backport that may never come.
Here's the real problem: You're often pinned to a specific version for compatibility reasons. Maybe you're running a one-year-old version of numpy because upgrading would break your data pipeline. Or you're stuck on an older React version because your entire component library depends on it.
Meanwhile, your exposure window grows. Your compliance team starts asking questions. Your customers start asking questions. And you're stuck in the middle, trying to balance security, stability, and velocity.
A vulnerability requires a fix, but you don't want to upgrade because you don't want to break your application. That's where we come in.
The Tricky Part About Dependencies
While base images get most of the security headlines, application dependencies (the JavaScript packages, Python libraries, and Java artifacts that power your actual application logic) are where the real complexity lives. They're more numerous. They change more frequently. They have more dependencies of their own. And they're harder to patch because they're often pinned to specific versions, and other packages may depend on those exact versions for compatibility.
The challenge compounds when you consider that vulnerabilities can exist in both direct dependencies (packages you explicitly install) and transitive dependencies (packages your dependencies depend on). You need to ensure the security of your entire dependency tree—not just what you can see.
Yet until today, there was no end-to-end solution for securing them. You could discover vulnerabilities (SCA scanners do that). You could try to fix them (good luck with that). But you couldn't discover secure versions and install them directly without jumping through hoops, changing workflows, or accepting vendor lock-in.
That changes today.
Introducing the Root Library Catalog
Today, we're announcing the first customer-ready release of the Root Library Catalog, a comprehensive catalog that enables developers and AppSec engineers to proactively manage open source components and dependencies, discover Root-maintained secure package versions, and install them directly into existing workflows through authenticated, ecosystem-native integrations.
This isn't just another package catalog. It ensures the security of your software by patching vulnerabilities in both direct and transitive dependencies, all while maintaining the integrity of your code.

Three Core Outcomes
1. Comprehensive Security
Root patches vulnerabilities in both direct dependencies (packages you explicitly install) and transitive dependencies (packages your dependencies depend on). Most solutions only address direct dependencies, leaving your transitive dependency tree vulnerable. Root secures your entire dependency tree—not just what you can see.
2. Integration
Authenticated access and installation through Root's private registries for Python (via pip, uv, or Poetry), JavaScript/TypeScript (via npm, pnpm, or Yarn), and Java (via Maven or Gradle), with clear setup instructions. Native integration with your existing package managers means zero workflow disruption. Configure once, and your entire team—and CI/CD pipelines—automatically use secure packages.
3. Entitlement Foundation
Access control and SLA coverage for subscribed customers, establishing the technical base for future transparency and automation features. This is just the beginning.
Why This Matters
We're pretty outspoken about this: the current state of application dependency security is broken.
Most organizations are pointing their developers directly at public registries (PyPI, npm, Maven Central) with no security layer. They're trusting that upstream maintainers will patch vulnerabilities quickly. They're hoping that their scanners will catch issues before production. They're praying that forced upgrades won't break their builds.
Hope is not a security strategy.
The Root Library Catalog changes that with a fundamentally different approach: long-term support (LTS) for your pinned versions.
Here's what that means: If you're running a one-year-old version of numpy because upgrading would break your application, we don't force you to upgrade. Instead, we backport security fixes from newer versions directly into your current version. When a CVE is discovered, we create a Root-maintained secure version of your exact package version—same functionality, zero vulnerabilities, no breaking changes.
This is continuous security for static dependencies. You stay on the version that works. We keep it secure.
For organizations using centralized package managers, simply point at Root as your main package registry. If we don't have the package you're looking for, it will default to the previously configured registry. Anytime a developer needs a package that is zero-CVE and trusted, with all artifacts and provenance included, they can get it from Root as a trusted partner. This represents a massive step forward: organizations can now secure their entire stack—zero-CVE container packages, zero-CVE container images, and zero-CVE container libraries—all built in their own environment but pulled from Root as a trusted source.
How It Works
The Root Library Catalog provides package-manager–specific setup instructions for:
Python Ecosystem:
pip — Standard Python package installer
uv — Fast Python package installer and resolver
Poetry — Dependency management and packaging tool
JavaScript/TypeScript Ecosystem:
npm — Node Package Manager
pnpm — Fast, disk-space-efficient package manager
Yarn — Package manager for JavaScript
Java/JVM Ecosystem:
Maven — Build automation and dependency management
Gradle — Build automation tool
Integration Workflows
Project-Level Configuration:
Update your project configuration files (requirements.txt, pyproject.toml, package.json, pom.xml, build.gradle) to persist Root-secured versions. Once configured, all team members and CI/CD pipelines automatically use secure packages.
CI/CD Integration:
Pin Root-secured versions at the project level to enable seamless integration into your CI/CD workflows. Every build automatically pulls from Root's secure registries, eliminating the need for manual intervention.
Enterprise Repository Integration:
For organizations using centralized package managers, simply point at Root as your main package registry. If we don't have the package you're looking for, it will default to the previously configured registry.
What Makes This Different
You might be thinking: "One vendor has virtual machines. Another has libraries. What makes Root different?"
Three things:
1. Enterprise Repository Integration
Unlike competitors who offer language-specific registries, Root provides direct integration with enterprise repository infrastructure that most organizations already use. For organizations using centralized package managers, simply point at Root as your main package registry. If we don't have the package you're looking for, it will default to the previously configured registry. No workflow changes. No retraining. No vendor lock-in.
2. Comprehensive Dependency Tree Security
Root patches vulnerabilities in both direct dependencies (packages you explicitly install) and transitive dependencies (packages your dependencies depend on). Most solutions only address direct dependencies, leaving your transitive dependency tree vulnerable. Root secures your entire dependency tree—not just what you can see.
3. End-to-End Experience
This isn't just a catalog. It's part of Root's complete offering—from base images (Root Image Catalog) to application dependencies (Root Library Catalog). One platform. One workflow. One vendor.
The Road Ahead
This is just the beginning. The Root Library Catalog represents the foundation for a much larger vision: securing the entire open source stack, from operating system layers to application dependencies, through a single platform.
In the coming months, we'll be expanding:
Coverage: More packages, more languages, more versions
Automation: Automatic discovery and installation recommendations
Transparency: Enhanced visibility into remediation processes and timelines
Integration: Deeper CI/CD and enterprise repository integrations
But today, we're delivering something that didn't exist before: a way to find and install secure packages without changing your workflow.
Try It Today
The Root Library Catalog is available now.
For customers with active Root Image Catalog subscriptions: You already have access. Authenticate and start installing secure packages today.
Not a customer? Book a demo to start evaluating secure versions for your most critical dependencies.
This is what Shift Out looks like in practice: open source that arrives clean of vulnerabilities, secured by default. No engineering required.
Ready to Shift Out?
Mickey Gordon is the Co-Founder and Chief Product Officer at Root, where he leads product