Vendor Dossier PDF
A pro-grade, 6-8 page security / vendor review dossier for any npm package. The same data the free /health pages use, plus security advisories from OSV, release cadence, and a decision matrix scoped to your use case (load-bearing / peripheral / defer / sunset). PDF + raw JSON, delivered within 24 h.
$9 per package
Get a dossier
You get the lodash sample dossier instantly + a custom dossier for the npm package of your choice. 7-day refunds.
Buy a Vendor Dossier ($9)
See free /health snapshots first
What's in a dossier
- Executive summary with the depmedic 0-100 health score (popularity, maintenance, quality, risk) + letter grade.
- Identity and ownership: publisher, maintainers, license, repository, types support.
- Adoption signal: downloads, dependents, stars, forks, open vs closed issues.
- Release cadence: last 12 versions with days between - shows whether maintenance is alive or stalled.
- Known security advisories from OSV.dev: ID, summary, severity, dates.
- Decision matrix: GO / CAUTION / NO for load-bearing, peripheral, defer, sunset use cases.
- Vendor questionnaire: the questions to ask the maintainer in a security review.
- Operational mitigations: pin, mirror, watch, allowlist.
- Sources and methodology: every input named so an auditor can reproduce.
How it works
- Buy ($9). You get the bundle download instantly: sample-lodash.pdf showing the format, plus the request guide.
- Reply to your Polar receipt with the npm package name. Subject: Vendor Dossier - <package>.
- Receive your dossier within 24 hours, usually same day. PDF + raw JSON.
Compared to writing it yourself
| | Yourself | Vendor Dossier |
|---|---|---|
| Time | 2-4 hours per package | ~1 minute (forward the receipt) |
| Format | Whatever you can paste together | Consistent printable PDF, comparable across packages |
| OSV advisory pull | Manual, click click click | Auto, every advisory in one table |
| Decision matrix | From memory | Scored against load-bearing / peripheral / defer / sunset |
| Reproducible | Hard, depends on which tab you opened | Yes, raw JSON included; methodology cited |
| Cost | $200+ at typical engineer rate | $9 |
Bigger needs?
Org Dep Health Monitor - $19/mo
Up to 200 packages monitored continuously. Weekly digest + same-day alerts on grade drops, deprecations, advisories. Includes 4 Vendor Dossier PDFs per quarter (a $36 standalone value). Slack webhook supported.
Subscribe ($19/mo) Read more