Data Attribution & Licenses
Last updated: April 19, 2026 · Effective immediately
1. Overview
DepScope aggregates and enriches public data from the sources below. All credits, links, and licenses stated here apply to the respective datasets, not to DepScope's own software or derived analytics. DepScope's own code, UI, documentation, and proprietary health scoring are © Cuttalo srl, all rights reserved unless an individual file states otherwise.
2. OSV.dev (Open Source Vulnerabilities)
Vulnerability records are sourced from OSV.dev, an open, distributed vulnerability database operated by Google LLC. Data is used under the terms published by OSV.dev and, where marked, the Creative Commons Attribution 4.0 International (CC-BY-4.0) license. Modifications made by DepScope include filtering, deduplication, severity inference, and mapping to our internal IDs. Source links in vulnerability responses point back to the original OSV records.
3. GitHub Advisory Database
A portion of vulnerability data originates from the GitHub Advisory Database (GHSA), licensed under CC-BY-4.0. Individual advisory responses include the original GHSA identifier and a link to github.com/advisories/GHSA-xxxx as attribution. Modifications: normalization into our schema and re-ranking by affected version presence in the latest release.
4. Package registries
- npm — metadata fetched live via the public registry.npmjs.org API. npm, Inc. is a GitHub company. We do not redistribute npm data in bulk; responses are derived, cached, and served on demand.
- PyPI — via the PyPI Simple and JSON APIs. PyPI® is a trademark of the Python Software Foundation (PSF).
- crates.io — operated by the Rust Foundation. Data via the crates.io public API.
- Go proxy — proxy.golang.org.
- Packagist (Composer) — packagist.org.
- Maven Central — via Sonatype.
- NuGet, RubyGems, pub.dev, hex.pm, Swift Package Index, CocoaPods, MetaCPAN, Hackage, CRAN, conda-forge, Homebrew — public APIs/indexes of the respective ecosystems.
Package metadata and logos remain the property of their respective authors and communities. DepScope presents them as live lookups and derived analytics, not as a redistributed dataset.
5. Trademarks
Node.js®, Python®, Rust®, Ruby®, PHP®, Java®, .NET®, Go, Elixir, Swift, Dart, R, Haskell, npm, PyPI, Maven Central, Stripe®, Cloudflare®, Anthropic®, Claude® and other names are trademarks of their respective owners. Mention does not imply endorsement.
6. DepScope-generated data
The following are original works of Cuttalo srl and protected under copyright and database-right law:
- Health score algorithm (weights, thresholds, aggregate metrics)
- Compatibility Matrix (pair/triple compatibility inferences)
- Error → Fix knowledge base
- Curated alternatives and breaking-change summaries
- The Service's source code, UI, animated pitch, documentation
Reuse of DepScope-generated data beyond individual API queries requires a commercial license.
7. Rights-holder contact
If you are a rights holder and believe something on DepScope infringes your rights, write to [email protected] with (i) identification of the work, (ii) the URL at issue, (iii) your contact details, (iv) a statement of good-faith belief, and (v) a statement under penalty of perjury that you are authorized to act.