1. About the Service
DependencyWatch.io is a free, public, informational tool. It lets a user paste the contents of a dependency manifest or lockfile (such as package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lockb or requirements.txt) into the browser and receive an indication of whether any package versions in that input match entries in a curated database of publicly-disclosed supply-chain compromise incidents maintained by Precursor Security.
The scan runs client-side in the user's browser. The Service also publishes hardening recommendations, an incident feed, and a form for users to submit suspected incidents for triage.
The Service is provided for general information, awareness and educational purposes only. It is not a substitute for, and does not constitute, a professional security assessment, penetration test, audit, incident response engagement, certification, or any form of regulated advice.
2. Eligibility, acceptance and professional-use representation
The Service is intended exclusively for security, engineering, and technology professionals, and for organisations using it in the course of their business. By accessing or using the Service you represent, warrant and undertake that:
- you are at least 18 years of age and have full legal capacity to enter into binding agreements;
- you are acting wholly or mainly in the course of your trade, business, craft or profession, and not as a “consumer” within the meaning of section 2(3) of the Consumer Rights Act 2015 or any equivalent legislation;
- where you access the Service on behalf of an organisation, you have authority to bind that organisation to these terms, and references to “you” include that organisation;
- your use of the Service is for legitimate security, hardening, audit, research, education, or operational purposes;
- you are not located in, and will not access the Service from, any jurisdiction in which such access would be unlawful, nor are you a person to whom the provision of the Service is prohibited under applicable sanctions or export-control laws.
If you do not meet, or cease to meet, each of these requirements, you must immediately cease all use of the Service. Precursor Security relies on these representations as a fundamental basis for making the Service available to you.
3. Information only — not advice
Nothing on the Service is, or should be treated as, advice.
All content made available through the Service — including scan results, match indications, the incident feed, recommendations, hardening guides, links, and any other output — is general information only. It is not, and is not intended to be:
- legal, regulatory, compliance, audit, accountancy, insurance, financial, investment, or other professional advice of any kind;
- a security assessment, audit, attestation, certification, accreditation, or assurance of any system, environment, product, organisation, or person;
- a recommendation that you, or any third party, take or refrain from taking any particular action;
- a representation as to the past, present, or future security, integrity, compliance, or fitness of any system, codebase, dependency, vendor, or organisation;
- a guarantee of any result, outcome, finding, prevention, detection, or remediation.
You must seek your own advice from suitably qualified professionals before acting (or refraining from acting) on the basis of any information made available through the Service.
4. Assumption of risk and no reliance
You expressly acknowledge and agree that:
- supply-chain compromise is a fast-moving, high-uncertainty domain, and any tool addressing it will inevitably be incomplete, delayed, partial, and fallible;
- the incident database underpinning the Service may at any time and without notice be incomplete, out of date, inaccurate, contain errors, or omit incidents (including critical, ongoing, or widely-known ones);
- the Service may at any time produce false positives, false negatives, stale data, broken or misdirected links, partial coverage, mis-attribution, or outright errors;
- a “no match”, “clean”, or similar result is not, and must never be treated as, evidence or confirmation that you, your code, your dependencies, your build pipeline, your systems, or your organisation are uncompromised, secure, free of malware, free of risk, or compliant with any standard;
- a “match”, “alert”, or similar result is not, and must never be treated as, conclusive evidence that any specific system, environment, or organisation has been compromised, and may require independent verification;
- the Service is provided free of charge, on a community-good basis, without any commercial relationship, retainer, engagement letter, or duty of care between you and Precursor Security of any kind;
- you bear sole responsibility for any decision you (or any third party who derives information from you) take or refrain from taking on the basis of the Service, and for the consequences of that decision;
- you will not rely on the Service as the sole or principal basis for any decision concerning the security, integrity, fitness, or compliance of any system, codebase, product, vendor, or organisation;
- any reliance you do place on the Service is at your own risk.
You assume all risk arising from your access to and use of the Service.
5. No warranty
The Service is provided strictly “as is”, “as available”, and “with all faults”, without warranty of any kind.
To the maximum extent permitted by applicable law, Precursor Security (and each of the Released Parties defined in section 6) disclaims and excludes all warranties, representations, conditions, undertakings, and terms of any kind, whether express, implied, statutory, collateral, or otherwise, including without limitation any warranty, representation, condition or term:
- of merchantability, satisfactory quality, fitness for purpose, or fitness for any particular purpose;
- of accuracy, completeness, currency, timeliness, reliability, suitability, or availability;
- of non-infringement, title, or quiet enjoyment;
- that the Service is or will be secure, uninterrupted, error-free, or free of viruses, malware, defects, or other harmful components;
- that any defect in the Service will be corrected, or that any update or maintenance will be provided;
- that the incident database is or will be complete, exhaustive, accurate, current, or fit for any particular use;
- arising from course of dealing, course of performance, or usage of trade.
Any sections 9 to 11 (and 13, 14 and 16) of the Sale of Goods Act 1979, sections 3, 4 and 5 of the Supply of Goods and Services Act 1982, sections 13 to 15 of the Supply of Goods and Services Act 1982, and any equivalent statutory or implied terms in any jurisdiction, are, to the maximum extent permitted by law, excluded.
No advice or information, whether oral or written, obtained by you from Precursor Security or through the Service creates any warranty or other obligation not expressly stated in these terms.
6. Exclusion of liability
In this section, “Released Parties” means Precursor Security, its parent, subsidiaries, affiliates, group companies, and each of their respective officers, directors, partners, members, shareholders, employees, contractors, consultants, agents, suppliers, licensors, sub-processors, and successors and assigns.
To the maximum extent permitted by applicable law, in no event shall any of the Released Parties be liable to you, or to any third party deriving rights through you, for any loss, damage, cost, expense, fine, penalty, or other liability of any kind whatsoever arising out of, related to, or in connection with:
- your access to, or use of, or inability to access or use, the Service;
- any output, result, indication, content, data, recommendation, advisory, link, opinion, or other information made available through, or absent from, the Service;
- any action you (or any third party) take, or fail to take, on the basis of, or in reliance on, the Service;
- any error, omission, inaccuracy, defect, bug, delay, interruption, downtime, data loss, security vulnerability, malware, intrusion, or unauthorised access affecting the Service;
- any conduct, content, product, or service of any third party on, linked from, or in connection with the Service;
- any modification, suspension, or discontinuance of the Service or any part of it;
- any other matter relating to, or arising in connection with, the Service.
This exclusion applies to all categories of loss and damage, including without limitation:
- direct, indirect, incidental, special, consequential, exemplary, aggravated, and punitive damages;
- loss of profits, revenue, business, sales, customers, contracts, opportunity, goodwill, reputation, anticipated savings, or use;
- loss of, or damage to, data, software, systems, source code, secrets, credentials, infrastructure, devices, or backups, including loss arising from the corruption, deletion, exfiltration, or unauthorised disclosure of the same;
- loss arising from any security breach, compromise, intrusion, ransomware, supply-chain attack, data exfiltration or other security incident affecting you or any third party, whether or not such incident was foreseen, foreseeable, preventable, or related to the Service;
- third-party claims of any kind, including from customers, employees, partners, suppliers, investors, insurers, or regulators;
- regulatory fines, penalties, investigations, sanctions, or enforcement action;
- remediation, incident-response, forensic, legal, public-relations, breach-notification, professional-advice, or substitute-service costs;
- any other loss or damage of any kind, however described or arising.
This exclusion applies regardless of:
- the legal basis or theory of the claim, including breach of contract, tort (including negligence and gross negligence), breach of statutory duty, misrepresentation (other than fraudulent), strict liability, restitution, indemnity, equity, or any other theory;
- whether the loss is characterised as direct or indirect, foreseeable or unforeseeable;
- whether the Released Parties have been advised of, knew of, or ought reasonably to have known of the possibility of such loss;
- whether any limited or exclusive remedy set out in these terms is found to have failed of its essential purpose;
- whether the claim arises in connection with these terms, the Service, or otherwise.
The Service is provided free of charge. You acknowledge and agree that the allocation of risk set out in these terms — namely, that you bear all risk arising from the Service and the Released Parties bear none — is a fundamental and inseparable basis on which Precursor Security agrees to make the Service available, that the Service would not be offered at all but for this allocation, that you have had a fair and reasonable opportunity to consider these terms, and that the allocation is reasonable in the circumstances.
Nothing in these terms excludes or limits any liability that cannot lawfully be excluded or limited, including liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot lawfully be excluded or limited under the law of England and Wales. If, and only to the extent that, any exclusion or limitation in these terms is held by a court of competent jurisdiction to be unenforceable, that exclusion or limitation shall be reduced to the minimum extent necessary to render it enforceable, and all other exclusions and limitations shall continue in full force and effect.
7. Indemnity
You shall indemnify, keep indemnified, defend, and hold harmless the Released Parties, on a full-indemnity basis and on demand, from and against any and all claims, demands, actions, proceedings, liabilities, losses, damages, awards, judgments, fines, penalties, costs and expenses (including reasonable legal costs on a full-indemnity basis, expert costs, and the cost of management time) arising out of, related to, or in connection with:
- your access to or use of the Service;
- any breach by you of these terms, including any breach of a representation, warranty, or undertaking;
- any Submission you make through the Service;
- your violation of any law, regulation, or third-party right (including any intellectual property, privacy, or confidentiality right);
- any reliance placed on the Service by you or by any third party deriving information, output, or advice from you.
Precursor Security may, at its option, assume the exclusive defence and control of any matter otherwise subject to indemnification by you, in which case you will cooperate in asserting any available defences. You will not settle any matter that affects the Released Parties without Precursor Security's prior written consent.
8. Your responsibilities
You alone are responsible for:
- the security of your own systems, source code, dependencies, build pipelines, secrets, credentials, devices, and networks;
- independently verifying any output of the Service against your own circumstances before acting on it;
- engaging suitably qualified professionals for any incident response, remediation, regulated advice, formal assessment, or legal matter;
- ensuring that you have the right to process, paste, upload, or otherwise submit any content you provide to the Service, and that doing so does not breach any contract, duty of confidence, intellectual property right, applicable law, or third-party right;
- complying with all laws and regulations applicable to you, including those relating to data protection, computer misuse, export control, and sanctions;
- maintaining your own backups and continuity arrangements; the Service is not a backup or continuity tool.
You must not use the Service to scan, probe, or otherwise interact with any system, codebase, or lockfile that you are not authorised to handle.
9. Acceptable use
You shall not, and shall not permit any third party to:
- use the Service in any way that violates any applicable law, regulation, or third-party right;
- attempt to gain unauthorised access to the Service, our systems, infrastructure, or any related network or account;
- interfere with, disrupt, overload, degrade, or impair the Service or any servers, networks, APIs, or services connected to it (including via denial-of-service, brute-force, or scraping techniques);
- circumvent, disable, weaken, or otherwise interfere with any security, rate-limiting, authentication, or access-control feature of the Service;
- reverse-engineer, decompile, disassemble, or otherwise attempt to derive the source code or underlying ideas of the Service, except to the limited extent permitted by mandatory law;
- use the Service, or any output or data derived from it, to develop, train, evaluate, or improve any product or service that competes with the Service or with any service offered by Precursor Security;
- extract, scrape, harvest, mirror, redistribute, sell, sublicense, or otherwise commercialise the incident database, the recommendations, or any other content of the Service, in whole or in substantial part;
- introduce viruses, malware, worms, or any other malicious or harmful code into the Service;
- misrepresent the output of the Service to any third party, including by implying that Precursor Security has assessed, certified, accredited, or assured the security of any system, organisation, or person;
- use the Service in any manner inconsistent with these terms or with its intended informational purpose.
We may suspend, restrict, throttle, or terminate access to the Service, in whole or in part and as to any user, at any time, in our sole discretion, with or without notice, including where we reasonably suspect misuse.
10. Submissions and user content
The Service includes a form for users to submit details of suspected supply-chain incidents for triage. By submitting any content (a “Submission”) to Precursor Security you represent, warrant and undertake that:
- you have the right to disclose the Submission, and that doing so does not breach any obligation of confidence, contract, intellectual property right, applicable law, or third-party right;
- the Submission does not contain any personal data of any third party beyond what is strictly necessary to describe the incident, and does not contain payment card data, special category personal data (within the meaning of the UK GDPR), government identifiers, or any other particularly sensitive personal data;
- the Submission is, to the best of your knowledge, accurate, complete, and not misleading;
- the Submission is not unlawful, defamatory, harassing, infringing, or otherwise objectionable.
You grant Precursor Security a worldwide, royalty-free, perpetual, irrevocable, transferable and sub-licensable licence to use, store, copy, modify, adapt, translate, publish, distribute, and otherwise exploit the Submission for any purpose connected with operating, improving, marketing, or promoting the Service or Precursor Security's business, including publishing the substance of the Submission (in summarised, edited, or attributed form) in the incident feed and related materials.
Precursor Security is under no obligation to publish, act on, respond to, acknowledge, or retain any Submission, and may edit, decline, anonymise, or remove any Submission at its sole discretion. Precursor Security accepts no liability for any consequence of doing, or not doing, any of those things.
11. Intellectual property
The Service, including its design, layout, text, graphics, code, structure, branding, and the compilation of the incident database, is owned by, or licensed to, Precursor Security and is protected by intellectual property and other laws.
Subject to your compliance with these terms, Precursor Security grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the Service for your internal informational and security-hardening purposes only. All rights not expressly granted are reserved.
Where the Service surfaces summaries of publicly-disclosed incidents, the underlying facts remain matters of public record; Precursor Security claims no proprietary right in those facts themselves, only in the compiled database, the curation, and the presentation of it.
Third-party names, marks, and logos referenced on the Service (including package names, ecosystems, and vendor names) are the property of their respective owners and are used for identification and reference only. No endorsement, sponsorship, or affiliation is implied.
12. Third-party links and content
The Service contains links to third-party websites, documentation, vendor advisories, and other resources. These links are provided for convenience only. Precursor Security does not endorse, control, monitor, or assume any responsibility for any third-party content, products, services, or practices, or for any change to or unavailability of the same. Your use of any third-party site or service is at your own risk and is subject to that third party's own terms.
13. Privacy
Our handling of personal data in connection with the Service is described in our Privacy Policy, which is incorporated into these terms by reference.
14. Changes to the Service and to these terms
Precursor Security may at any time, in its sole discretion and without notice or liability, modify, suspend, withdraw, discontinue, or impose limits on all or any part of the Service, including any feature, content, data, recommendation, advisory, the incident database, or any related interface or API.
Precursor Security may update these terms from time to time. The updated version will be identified by a revised “Last updated” date and takes effect as soon as it is posted. Your continued access to or use of the Service after a change constitutes acceptance of the updated terms. If you do not agree to a change, your sole remedy is to cease using the Service.
15. Time-bar on claims
To the maximum extent permitted by law, any claim by you arising out of, related to, or in connection with these terms or the Service must be commenced (by issue of proceedings) within six (6) months after the cause of action first arises; otherwise, the claim is permanently and irrevocably barred.
16. No third-party rights
A person who is not a party to these terms has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any provision of them, save that each of the Released Parties may enforce, and rely upon, sections 5 (No warranty), 6 (Exclusion of liability) and 7 (Indemnity) in its own right. The consent of any Released Party (other than Precursor Security) is not required to vary, rescind, or terminate these terms.
17. Force majeure
Precursor Security shall not be liable for any failure or delay in performing its obligations (if any) under, or in connection with, the Service or these terms to the extent caused by any event or circumstance beyond its reasonable control, including (without limitation) acts of God, war, terrorism, civil unrest, pandemic, epidemic, government action, sanctions, fire, flood, power or telecommunications failure, denial-of-service attack, cyber-attack, supply-chain compromise, third-party service outage, or industrial action.
18. Governing law and jurisdiction
These terms, and any dispute, claim, or matter (including non-contractual disputes or claims) arising out of or in connection with them, their subject matter, or their formation, are governed by and construed in accordance with the laws of England and Wales.
You and Precursor Security irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any such dispute, claim or matter. Precursor Security retains the right to bring proceedings against you for breach of these terms in your country of residence or in any other relevant country.
19. General
Entire agreement. These terms (together with the Privacy Policy referenced in section 13) constitute the entire agreement between you and Precursor Security concerning the Service and supersede all prior or contemporaneous communications, proposals and agreements, whether oral or written, on that subject. You acknowledge that, in entering into these terms, you have not relied on any statement, representation, assurance, or warranty (whether made innocently or negligently) that is not expressly set out in these terms.
Severability. If any provision of these terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision shall be modified to the minimum extent necessary to make it enforceable, or, if it cannot be so modified, severed; and the remaining provisions shall continue in full force and effect.
No waiver. No failure or delay by Precursor Security in exercising any right or remedy under these terms shall operate as a waiver of that right or remedy, nor shall any single or partial exercise preclude any other or further exercise. A waiver is effective only if given in writing by Precursor Security.
Assignment. You may not assign, transfer, sub-contract, charge, or otherwise dispose of any of your rights or obligations under these terms, in whole or in part, without Precursor Security's prior written consent. Precursor Security may assign, novate, or otherwise transfer its rights and obligations under these terms freely.
Survival. The provisions of sections 3 to 7 (inclusive), 10 (last paragraph), 11, 15, 16, 18 and 19 shall survive any termination, expiry, or withdrawal of the Service or these terms.
Headings. Section headings are for convenience only and do not affect the interpretation of these terms.
No agency. Nothing in these terms creates any partnership, joint venture, agency, fiduciary, or employment relationship between you and Precursor Security.
20. Contact
Questions about these terms, or about the Service generally, can be sent to info@precursorsecurity.com, or by post to Leeds HQ, 55 St Paul's Street, Leeds, LS1 2TE, United Kingdom.