Latest incident:GitHub Advisory malware sweep — 25 npm packages (Epic Games / Unreal Engine internal-scope dependency-confusion cluster, LuminaryCloud, Reddit Voyager, nodemon family) taken down 2026-07-09 / 2026-07-10 (10 Jul 2026)
Terms of Service

Terms and conditions of use.

These terms govern your use of DependencyWatch.io (the “Service”), operated by Precursor Security (“Precursor Security”, “we”, “us”, or “our”). By accessing or using the Service, in any way, you agree to be bound by these terms in full. If you do not agree to any part of them, you must not access or use the Service.

Please read carefully. These terms contain a full exclusion of warranties, an exclusion of liability, an indemnity, and other important provisions that allocate risk between you and Precursor Security.

Last updated: 13 May 2026

1.About the Service

DependencyWatch.io is a free, public, informational tool operated from the United Kingdom by Precursor Security. It lets a user paste the contents of a dependency manifest or lockfile (such as package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lockb or requirements.txt) into the browser and receive an indication of whether any package versions in that input match entries in a community-curated database of publicly-disclosed supply-chain compromise incidents.

The incident database is aggregated from publicly-available sources, including third-party security advisories, vendor disclosures, registry advisories, independent security research, and incident reports submitted by users of the Service. Precursor Security curates and presents this material for awareness but does not claim proprietary ownership of the underlying facts, advisories, or research that the Service surfaces. References to third-party packages, vendors, ecosystems and researchers are made for identification and reference only; all such names and marks remain the property of their respective owners and no endorsement, sponsorship or affiliation is implied.

The scan runs client-side in the user's browser. The Service also publishes hardening recommendations, an incident feed, and a form for users to submit suspected incidents for triage.

The Service is provided for general information, awareness and educational purposes only. It is not a substitute for, and does not constitute, a professional security assessment, penetration test, audit, incident response engagement, certification, or any form of regulated advice.

2.Eligibility, acceptance and professional-use representation

The Service is intended exclusively for security, engineering, and technology professionals, and for organisations using it in the course of their business. By accessing or using the Service you represent, warrant and undertake that:

  • you are at least 18 years of age and have full legal capacity to enter into binding agreements;
  • you are acting wholly or mainly in the course of your trade, business, craft or profession, and not as a “consumer” within the meaning of section 2(3) of the Consumer Rights Act 2015 or any equivalent legislation;
  • where you access the Service on behalf of an organisation, you have authority to bind that organisation to these terms, and references to “you” include that organisation;
  • your use of the Service is for legitimate security, hardening, audit, research, education, or operational purposes;
  • you are not located in, and will not access the Service from, any jurisdiction in which such access would be unlawful, nor are you a person to whom the provision of the Service is prohibited under applicable sanctions or export-control laws.

If you do not meet, or cease to meet, each of these requirements, you must immediately cease all use of the Service. Precursor Security relies on these representations as a fundamental basis for making the Service available to you.

3.Information only, not advice

Nothing on the Service is, or should be treated as, advice.

All content made available through the Service (including scan results, match indications, the incident feed, recommendations, hardening guides, links, and any other output) is general information only. It is not, and is not intended to be:

  • legal, regulatory, compliance, audit, accountancy, insurance, financial, investment, or other professional advice of any kind;
  • a security assessment, audit, attestation, certification, accreditation, or assurance of any system, environment, product, organisation, or person;
  • a recommendation that you, or any third party, take or refrain from taking any particular action;
  • a representation as to the past, present, or future security, integrity, compliance, or fitness of any system, codebase, dependency, vendor, or organisation;
  • a guarantee of any result, outcome, finding, prevention, detection, or remediation.

You must seek your own advice from suitably qualified professionals before acting (or refraining from acting) on the basis of any information made available through the Service.

4.Assumption of risk and no reliance

You expressly acknowledge and agree that:

  • supply-chain compromise is a fast-moving, high-uncertainty domain, and any tool addressing it will inevitably be incomplete, delayed, partial, and fallible;
  • the incident database underpinning the Service may at any time and without notice be incomplete, out of date, inaccurate, contain errors, or omit incidents (including critical, ongoing, or widely-known ones);
  • the Service may at any time produce false positives, false negatives, stale data, broken or misdirected links, partial coverage, mis-attribution, or outright errors;
  • a “no match”, “clean”, or similar result is not, and must never be treated as, evidence or confirmation that you, your code, your dependencies, your build pipeline, your systems, or your organisation are uncompromised, secure, free of malware, free of risk, or compliant with any standard;
  • a “match”, “alert”, or similar result is not, and must never be treated as, conclusive evidence that any specific system, environment, or organisation has been compromised, and may require independent verification;
  • the Service is provided free of charge, on a community-good basis, without any commercial relationship, retainer, engagement letter, or duty of care between you and Precursor Security of any kind;
  • you bear sole responsibility for any decision you (or any third party who derives information from you) take or refrain from taking on the basis of the Service, and for the consequences of that decision;
  • you will not rely on the Service as the sole or principal basis for any decision concerning the security, integrity, fitness, or compliance of any system, codebase, product, vendor, or organisation;
  • any reliance you do place on the Service is at your own risk.

You assume all risk arising from your access to and use of the Service.

5.No warranty

The Service is provided strictly “as is”, “as available”, and “with all faults”, without warranty of any kind.

To the maximum extent permitted by applicable law, Precursor Security (and each of the Released Parties defined in section 6) disclaims and excludes all warranties, representations, conditions, undertakings, and terms of any kind, whether express, implied, statutory, collateral, or otherwise, including without limitation any warranty, representation, condition or term:

  • of merchantability, satisfactory quality, fitness for purpose, or fitness for any particular purpose;
  • of accuracy, completeness, currency, timeliness, reliability, suitability, or availability;
  • of non-infringement, title, or quiet enjoyment;
  • that the Service is or will be secure, uninterrupted, error-free, or free of viruses, malware, defects, or other harmful components;
  • that any defect in the Service will be corrected, or that any update or maintenance will be provided;
  • that the incident database is or will be complete, exhaustive, accurate, current, or fit for any particular use;
  • arising from course of dealing, course of performance, or usage of trade.

Any sections 9 to 11 (and 13, 14 and 16) of the Sale of Goods Act 1979, sections 3, 4 and 5 of the Supply of Goods and Services Act 1982, sections 13 to 15 of the Supply of Goods and Services Act 1982, and any equivalent statutory or implied terms in any jurisdiction, are, to the maximum extent permitted by law, excluded.

No advice or information, whether oral or written, obtained by you from Precursor Security or through the Service creates any warranty or other obligation not expressly stated in these terms.

6.Exclusion of liability

In this section, “Released Parties” means Precursor Security, its parent, subsidiaries, affiliates, group companies, and each of their respective officers, directors, partners, members, shareholders, employees, contractors, consultants, agents, suppliers, licensors, sub-processors, and successors and assigns.

To the maximum extent permitted by applicable law, in no event shall any of the Released Parties be liable to you, or to any third party deriving rights through you, for any loss, damage, cost, expense, fine, penalty, or other liability of any kind whatsoever arising out of, related to, or in connection with:

  • your access to, or use of, or inability to access or use, the Service;
  • any output, result, indication, content, data, recommendation, advisory, link, opinion, or other information made available through, or absent from, the Service;
  • any action you (or any third party) take, or fail to take, on the basis of, or in reliance on, the Service;
  • any error, omission, inaccuracy, defect, bug, delay, interruption, downtime, data loss, security vulnerability, malware, intrusion, or unauthorised access affecting the Service;
  • any conduct, content, product, or service of any third party on, linked from, or in connection with the Service;
  • any modification, suspension, or discontinuance of the Service or any part of it;
  • any other matter relating to, or arising in connection with, the Service.

This exclusion applies to all categories of loss and damage, including without limitation:

  • direct, indirect, incidental, special, consequential, exemplary, aggravated, and punitive damages;
  • loss of profits, revenue, business, sales, customers, contracts, opportunity, goodwill, reputation, anticipated savings, or use;
  • loss of, or damage to, data, software, systems, source code, secrets, credentials, infrastructure, devices, or backups, including loss arising from the corruption, deletion, exfiltration, or unauthorised disclosure of the same;
  • loss arising from any security breach, compromise, intrusion, ransomware, supply-chain attack, data exfiltration or other security incident affecting you or any third party, whether or not such incident was foreseen, foreseeable, preventable, or related to the Service;
  • third-party claims of any kind, including from customers, employees, partners, suppliers, investors, insurers, or regulators;
  • regulatory fines, penalties, investigations, sanctions, or enforcement action;
  • remediation, incident-response, forensic, legal, public-relations, breach-notification, professional-advice, or substitute-service costs;
  • any other loss or damage of any kind, however described or arising.

This exclusion applies regardless of:

  • the legal basis or theory of the claim, including breach of contract, tort (including negligence and gross negligence), breach of statutory duty, misrepresentation (other than fraudulent), strict liability, restitution, indemnity, equity, or any other theory;
  • whether the loss is characterised as direct or indirect, foreseeable or unforeseeable;
  • whether the Released Parties have been advised of, knew of, or ought reasonably to have known of the possibility of such loss;
  • whether any limited or exclusive remedy set out in these terms is found to have failed of its essential purpose;
  • whether the claim arises in connection with these terms, the Service, or otherwise.

The Service is provided free of charge. You acknowledge and agree that the allocation of risk set out in these terms (namely, that you bear all risk arising from the Service and the Released Parties bear none) is a fundamental and inseparable basis on which Precursor Security agrees to make the Service available, that the Service would not be offered at all but for this allocation, that you have had a fair and reasonable opportunity to consider these terms, and that the allocation is reasonable in the circumstances.

Nothing in these terms excludes or limits any liability that cannot lawfully be excluded or limited, including liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot lawfully be excluded or limited under the law of England and Wales. If, and only to the extent that, any exclusion or limitation in these terms is held by a court of competent jurisdiction to be unenforceable, that exclusion or limitation shall be reduced to the minimum extent necessary to render it enforceable, and all other exclusions and limitations shall continue in full force and effect.

7.Indemnity

You shall indemnify, keep indemnified, defend, and hold harmless the Released Parties, on a full-indemnity basis and on demand, from and against any and all claims, demands, actions, proceedings, liabilities, losses, damages, awards, judgments, fines, penalties, costs and expenses (including reasonable legal costs on a full-indemnity basis, expert costs, and the cost of management time) arising out of, related to, or in connection with:

  • your access to or use of the Service;
  • any breach by you of these terms, including any breach of a representation, warranty, or undertaking;
  • any Submission you make through the Service;
  • your violation of any law, regulation, or third-party right (including any intellectual property, privacy, or confidentiality right);
  • any reliance placed on the Service by you or by any third party deriving information, output, or advice from you.

Precursor Security may, at its option, assume the exclusive defence and control of any matter otherwise subject to indemnification by you, in which case you will cooperate in asserting any available defences. You will not settle any matter that affects the Released Parties without Precursor Security's prior written consent.

8.Your responsibilities

You alone are responsible for:

  • the security of your own systems, source code, dependencies, build pipelines, secrets, credentials, devices, and networks;
  • independently verifying any output of the Service against your own circumstances before acting on it;
  • engaging suitably qualified professionals for any incident response, remediation, regulated advice, formal assessment, or legal matter;
  • ensuring that you have the right to process, paste, upload, or otherwise submit any content you provide to the Service, and that doing so does not breach any contract, duty of confidence, intellectual property right, applicable law, or third-party right;
  • complying with all laws and regulations applicable to you, including those relating to data protection, computer misuse, export control, and sanctions;
  • maintaining your own backups and continuity arrangements; the Service is not a backup or continuity tool.

You must not use the Service to scan, probe, or otherwise interact with any system, codebase, or lockfile that you are not authorised to handle.

9.Submissions and user content

The Service includes a form for users to submit details of suspected supply-chain incidents for triage. By submitting any content (a “Submission”) to Precursor Security you represent, warrant and undertake that:

  • you have the right to disclose the Submission, and that doing so does not breach any obligation of confidence, contract, intellectual property right, applicable law, or third-party right;
  • the Submission does not contain any personal data of any third party beyond what is strictly necessary to describe the incident, and does not contain payment card data, special category personal data (within the meaning of the UK GDPR), government identifiers, or any other particularly sensitive personal data;
  • the Submission is, to the best of your knowledge, accurate, complete, and not misleading;
  • the Submission is not unlawful, defamatory, harassing, infringing, or otherwise objectionable.

You grant Precursor Security a worldwide, royalty-free, perpetual, irrevocable, transferable and sub-licensable licence to use, store, copy, modify, adapt, translate, publish, distribute, and otherwise exploit the Submission for any purpose connected with operating, improving, marketing, or promoting the Service or Precursor Security's business, including publishing the substance of the Submission (in summarised, edited, or attributed form) in the incident feed and related materials.

Precursor Security is under no obligation to publish, act on, respond to, acknowledge, or retain any Submission, and may edit, decline, anonymise, or remove any Submission at its sole discretion. Precursor Security accepts no liability for any consequence of doing, or not doing, any of those things.

10.Third-party links and content

The Service contains links to third-party websites, documentation, vendor advisories, and other resources. These links are provided for convenience only. Precursor Security does not endorse, control, monitor, or assume any responsibility for any third-party content, products, services, or practices, or for any change to or unavailability of the same. Your use of any third-party site or service is at your own risk and is subject to that third party's own terms.

11.Privacy

Our handling of personal data in connection with the Service is described in our Privacy Policy, which is incorporated into these terms by reference.

12.Changes to the Service and to these terms

Precursor Security may at any time, in its sole discretion and without notice or liability, modify, suspend, withdraw, discontinue, or impose limits on all or any part of the Service, including any feature, content, data, recommendation, advisory, the incident database, or any related interface or API.

Precursor Security may update these terms from time to time. The updated version will be identified by a revised “Last updated” date and takes effect as soon as it is posted. Your continued access to or use of the Service after a change constitutes acceptance of the updated terms. If you do not agree to a change, your sole remedy is to cease using the Service.

13.Governing law and general

Governing law and jurisdiction. Precursor Security is established in the United Kingdom. These terms, and any dispute, claim, or matter (including non-contractual disputes or claims) arising out of or in connection with them, their subject matter, or their formation, are governed by and construed in accordance with the laws of England and Wales. You and Precursor Security irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any such dispute, claim, or matter; Precursor Security retains the right to bring proceedings against you for breach of these terms in your country of residence or in any other relevant country.

Severability. If any provision of these terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision shall be modified to the minimum extent necessary to render it enforceable, or, if it cannot be so modified, severed; the remaining provisions shall continue in full force and effect.

No waiver. No failure or delay by Precursor Security in exercising any right or remedy under these terms shall operate as a waiver of it, and no single or partial exercise shall preclude any further exercise.

Third-party rights. Each of the Released Parties (as defined in section 6) may enforce these terms in its own right under the Contracts (Rights of Third Parties) Act 1999. Save for that exception, a person who is not a party to these terms has no right under that Act to enforce any provision of them.

14.Contact

Questions about these terms, or about the Service generally, can be sent to info@precursorsecurity.com, or by post to Leeds HQ, 55 St Paul's Street, Leeds, LS1 2TE, United Kingdom.

See also our Privacy Policy and incident submission page.