DEV Community

Leo
Leo

Posted on • Originally published at cicd.deployment.to

Aikido buys Root to patch open source in place, without the upgrade dance

Every open-source CVE backlog has that one line item you keep sliding into next quarter. The library is a couple of majors behind, the upgrade breaks four services, and the fix upstream ships against a version you cannot ride to. So you file the ticket again. (Everyone's doing great, thanks for asking.) On June 30, Aikido Security said it had acquired Root, whose whole pitch is to make that ticket go away by another route: patch the vulnerability directly into the version already resolved by your build, and skip the upgrade entirely. Per The New Stack, the deal is worth $70 million, and Root's patching technology gets folded into a new Aikido product.

Let me phrase what has just moved as plainly as I can. A vendor now edits open-source packages on your behalf and hands you back a version string upstream never shipped. If that sentence made you flinch, hold the flinch. It is doing useful work.

The problem this is actually solving

The dirty secret of dependency remediation is that a lot of "known" CVEs sit unfixed because remediating them means a version bump that carries breaking changes. You do not get a security patch for the 2.x line, you get a "fixed in 4.0" release note and a laugh track. Backporting the fix is the right operational move: keep the API surface, change only the vulnerable bytes. Linux distributions have done exactly this for decades. The reason your app team is not doing it too is that nobody has the muscle to maintain a patched fork of every transitive dependency in a lockfile.

If Aikido now makes that muscle available to the average CI/CD owner, teams get a lever they simply did not have. That is the honest upside. Own it.

Who is signing what, exactly

Here is the part I care about, which is trust. When your build resolves a package by name and version, you rely on a chain: the registry answers, the digest matches what upstream published, the SBOM you generate downstream still refers back to that same identity. A backported build breaks that chain by design, because the artifact on disk is no longer what upstream shipped. So the question stops being "does this fix the CVE?" and becomes "what is the provenance of the thing you are handing me?"

For a CI/CD owner, three answers matter, and none of them belong on a marketing page:

  • Where does the modified artifact live? A private registry, a scoped proxy, a rewritten dependency URL?
  • What identity signs it, and what does the attestation say the input was? "Version 2.4.7 plus these patch hunks, built from these sources" is verifiable. "Trust us, we patched it" is a slide.
  • How does your SBOM tell auditors and downstream consumers that the digest they now depend on is not upstream 2.4.7 anymore? Because it is not.

None of this is a reason to walk away. All of it is a reason to demand real answers before flipping the switch.

Before you plug it into a pipeline

Assume the technology works exactly as pitched. What still has to be true in your pipeline for it to be safe?

You need a build that can express "resolve from upstream, or from this trusted proxy" without accidentally shadowing the wrong copy on some developer laptop. You need a policy engine that treats a backported artifact as a first-class object with its own signature and its own attestation, not a masquerading upstream. And you need a plan for the day the vendor is unavailable, because a patch you cannot rebuild is a patch you cannot audit. Anyone who has tried to reproduce a six-month-old build knows that day arrives on its own schedule.

The other watch-item is scope. In-place patching is a lovely fit for language ecosystems with long-tail versions running in production. It is a harder story for artifacts already frozen inside container images, where the fix has to reach the base image or the built layer, not just the manifest. Whether the acquired technology covers both surfaces is worth pinning down on the sales call, before it becomes a surprise on a Friday.

A minimal attestation you would want to see attached to every patched artifact looks something like this in intent:

subject:
  name: example-lib
  digest:
    sha256: <digest-of-patched-artifact>
predicate:
  vendor: <patching-vendor>
  upstream_version: <upstream-version-string>
  upstream_digest:
    sha256: <digest-of-original-upstream-artifact>
  patches:
    - id: <cve-id>
      diff_sha256: <digest-of-patch-diff>
  builder:
    id: <signed-builder-identity>
signature:
  keyid: <full-40-char-sha>
Enter fullscreen mode Exit fullscreen mode

Placeholders on purpose. If you cannot fill those fields in, neither can your auditor.

The kicker

The market has been telling us for years that "upgrade or accept the risk" is a false choice. It is fine to see a company answer the third door, and fine to see the answer priced at $70 million. Just remember what you are trading. Convenience today, in exchange for a new entry on the very short list of parties who can change what a dependency means inside your build. Add them to the list of things you sign and rebuild. Then breathe.

Top comments (0)