Dataset validation
Package Supply Chain Risk CSV Sample
A validation sample for a possible open-source package risk and dependency-change feed built from public advisory, package metadata, and open-source insight APIs. It is data infrastructure only, not a legal, license, or exploitability decision engine.
observed_at,ecosystem,package_name,version,event_type,advisory_id,risk_flag,source
2026-07-02T14:15:00Z,npm,sample-package,1.4.2,new_advisory,OSV-2026-0001,vulnerability,OSV
2026-07-02T13:30:00Z,pypi,sample-framework,3.2.1,license_changed,,license_review,deps.dev
2026-07-01T18:45:00Z,maven,com.example:sample-lib,2.0.0,dependency_changed,,dependency_review,deps.dev
CSV Schema
The fields are intentionally simple so buyers can inspect the shape in spreadsheets, BI tools, and lightweight data pipelines.
- observed_at: UTC timestamp of the observation, ISO 8601 with a trailing Z (as in the sample rows)
- ecosystem: package ecosystem the event belongs to (npm, pypi, maven in the sample)
- package_name: package identifier in that ecosystem's own naming (Maven uses group:artifact)
- version: the package version the event applies to
- event_type: new_advisory, license_changed, or dependency_changed
- advisory_id: advisory identifier for new_advisory events, blank otherwise
- risk_flag: vulnerability, license_review, or dependency_review
- source: public source the event was derived from (OSV, deps.dev in the sample)
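As a first-pass consistency check on the sample above, here is an added Python validator (example code, not part of this page or of any product it describes). It checks the header, the UTC timestamp form, and the pairing of event_type, risk_flag and advisory_id seen in the three sample rows. The event_type to risk_flag mapping is an assumption drawn from those rows, and the fourth row in the embedded input is constructed here to show a rejection.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample input: the three rows from the page plus one
# deliberately malformed row (new_advisory with a blank advisory_id).
SAMPLE_CSV = """observed_at,ecosystem,package_name,version,event_type,advisory_id,risk_flag,source
2026-07-02T14:15:00Z,npm,sample-package,1.4.2,new_advisory,OSV-2026-0001,vulnerability,OSV
2026-07-02T13:30:00Z,pypi,sample-framework,3.2.1,license_changed,,license_review,deps.dev
2026-07-01T18:45:00Z,maven,com.example:sample-lib,2.0.0,dependency_changed,,dependency_review,deps.dev
2026-07-01T09:00:00Z,npm,sample-package,1.4.1,new_advisory,,vulnerability,OSV
"""

EXPECTED_COLUMNS = ["observed_at", "ecosystem", "package_name", "version",
                    "event_type", "advisory_id", "risk_flag", "source"]

# Assumption: each event_type carries exactly one risk_flag, as in the
# sample rows. The page does not state this as a rule of the feed.
EVENT_TO_FLAG = {
    "new_advisory": "vulnerability",
    "license_changed": "license_review",
    "dependency_changed": "dependency_review",
}


def parse_observed_at(value):
    """Accept only the Z-suffixed UTC form used in the sample; return an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"observed_at must be UTC with a Z suffix: {value!r}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_row(row, lineno):
    """Return a list of problems for one row; an empty list means the row is accepted."""
    errors = []
    # csv.DictReader fills missing columns with None and extra ones under the key None.
    if None in row or any(row.get(c) is None for c in EXPECTED_COLUMNS):
        return [f"line {lineno}: wrong number of columns"]
    for col in EXPECTED_COLUMNS:
        if col != "advisory_id" and not row[col]:
            errors.append(f"line {lineno}: empty {col}")
    try:
        parse_observed_at(row["observed_at"])
    except ValueError as exc:
        errors.append(f"line {lineno}: {exc}")
    event_type = row["event_type"]
    if event_type not in EVENT_TO_FLAG:
        errors.append(f"line {lineno}: unknown event_type {event_type!r}")
    elif row["risk_flag"] != EVENT_TO_FLAG[event_type]:
        errors.append(f"line {lineno}: risk_flag {row['risk_flag']!r} does not match {event_type}")
    if event_type == "new_advisory" and not row["advisory_id"]:
        errors.append(f"line {lineno}: new_advisory requires an advisory_id")
    if event_type != "new_advisory" and row["advisory_id"]:
        errors.append(f"line {lineno}: advisory_id set on a non-advisory event")
    return errors


def validate_feed(text):
    """Parse CSV text; return (accepted rows, error messages). Rejects a wrong header outright."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    accepted, errors = [], []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        row_errors = validate_row(row, lineno)
        if row_errors:
            errors.extend(row_errors)
        else:
            accepted.append(row)
    return accepted, errors


if __name__ == "__main__":
    ok, problems = validate_feed(SAMPLE_CSV)
    print(f"{len(ok)} rows accepted, {len(problems)} problems")
    for p in problems:
        print(" ", p)
```

Running it on the embedded input accepts the three page rows and rejects the constructed fourth one. Anyone ingesting the real feed would extend validate_row with the ecosystem and advisory identifier formats they expect, since the sample alone does not fix those.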
Monetization Hypothesis
This sample tests dataset and report-style demand before we invest in ingestion, export automation, or marketplace onboarding.
- API subscription for package/advisory watchlists and release polling.
- CSV or SBOM-enrichment feed for teams that start with spreadsheet review.
- Build only after tracked request, download, or developer-intent signals appear.
Public Sources
The full product would normalize public records into stable datasets and API endpoints only after validation gates are met.
- OSV vulnerability API
- deps.dev Open Source Insights API
- GitHub Security Advisory data
- Public package registries