D. Technical Debt & Risk Assessment
Risk Matrix
| # | Risk | Severity | Repo | Category |
|---|---|---|---|---|
| 1 | GitHub PAT embedded in package.json | ⛔ CRITICAL | soreto-zoe | Security |
| 2 | Node 10 — EOL December 2020 | ⛔ CRITICAL | reverb-react | Runtime |
| 3 | react@17 + react-dom@16.5 mismatch (pair 1 of 2) | 🔴 HIGH | reverb-react | Dependency |
| 3b | react-router@3.2.1 + react-router-dom@4.2.2 mismatch (pair 2 of 2) | 🔴 HIGH | reverb-react | Dependency |
| 4 | No CI/CD pipeline exists | 🔴 HIGH | melissa, zoe | Process |
| 5 | Hardcoded default secrets in config | 🔴 HIGH | reverb-backend | Security |
| 6 | Node 16 EOL — September 2023 | 🔴 HIGH | soreto-zoe | Runtime |
| 7 | knex@0.16.3 — 2018 release | 🔴 HIGH | soreto-zoe | Dependency |
| 8 | seneca.js unmaintained | 🔴 HIGH | reverb-backend | Architecture |
| 9 | Node 14 EOL — April 2023 | 🔴 HIGH | reverb-backend | Runtime |
| 10 | No test coverage at all | 🔴 HIGH | soreto-zoe | Quality |
| 11 | CI runs no tests | 🟡 MEDIUM | reverb-react | Process |
| 12 | Google UA dead API | 🟡 MEDIUM | reverb-backend | Integration |
| 13 | node-sass deprecated | 🟡 MEDIUM | reverb-backend, reverb-react | Dependency |
| 14 | AMD/namespace TypeScript pattern | 🟡 MEDIUM | soreto-zoe | Architecture |
| 15 | No OpenAPI contract | 🟡 MEDIUM | reverb-backend | Architecture |
| 16 | Google+ social sharing | 🟡 MEDIUM | reverb-react | Integration |
| 17 | @rjsf@6.0.0-beta.10 in prod | 🟡 MEDIUM | soreto-melissa | Dependency |
| 18 | express-robots from GitHub URL | 🟡 MEDIUM | reverb-backend | Dependency |
| 19 | puppeteer@9 (outdated) | 🟡 MEDIUM | soreto-zoe | Dependency |
| 20 | Babel 6 EOL | 🔴 HIGH | reverb-react | Tooling |
| 21 | Mixed Flux + Redux | 🟡 MEDIUM | reverb-react | Architecture |
| 22 | Processors entirely untyped | 🟡 MEDIUM | soreto-zoe | Quality |
| 23 | No .nvmrc version enforcement | 🟡 MEDIUM | all | Process |
| 24 | next@13.4.9 (3 majors behind — latest is 16.2.6) | 🟡 MEDIUM | soreto-melissa | Dependency |
| 25 | passport@0.3.2 (3 majors behind) | 🟡 MEDIUM | reverb-backend | Security |
| 26 | Unknown deploy targets (2 repos) | 🟡 MEDIUM | melissa, zoe | Operations |
By Severity
⛔ CRITICAL — Act Immediately
1. GitHub PAT Embedded in soreto-zoe/package.json
```json
"soreto-arena": "https://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:x-oauth-basic@github.com/soreto/soreto-arena.git"
```
What this means: This PAT is permanently embedded in git history, npm install logs, and any CI build output that ran npm install. Even after removing it from the current file, the PAT may remain exposed in:
- git log / git show for any past commit containing this line
- npm cache logs on developer machines
- CI/CD log storage
- Heroku build logs
Actions:
1. Revoke the PAT at GitHub → Settings → Developer Settings → PATs → Revoke
2. Run git log -S "github_pat_" --all to find all commits containing this string
3. If the PAT had write access to any repo, audit those repos for unauthorized pushes
4. Replace soreto-arena with a PAT-free installation method
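Step 2 finds past commits; the same pattern can be caught before it is ever committed. The check below is an added example (not from the audit or the soreto repositories): it scans a package.json object for dependency specifiers whose URL carries credentials in the userinfo part, redacting the secret so findings are safe to log. The manifest it runs against is constructed, with a placeholder token.

```javascript
// Added example: detect credentials embedded in package.json dependency URLs,
// the pattern behind risk #1. Sample manifest below is constructed.
const CREDENTIAL_IN_URL = /^(?:git\+)?https?:\/\/([^/@\s]+)@/i;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns one finding per dependency whose https(s) specifier carries userinfo
// (user, token, or user:password). The credential is replaced with *** in the
// finding so the output can go to CI logs without re-leaking it.
function findEmbeddedCredentials(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (typeof spec !== 'string') continue;
      const m = CREDENTIAL_IN_URL.exec(spec);
      if (!m) continue;
      const userinfo = m[1];
      // GitHub fine-grained PATs start with github_pat_, classic ones with ghp_.
      const kind = /^(github_pat_|ghp_)/.test(userinfo) ? 'github-pat' : 'userinfo';
      findings.push({ field, name, kind, redacted: spec.replace(userinfo, '***') });
    }
  }
  return findings;
}

// Constructed manifest: one clean registry dep, one ssh git dep (no credential,
// "git" is the ssh user), and one https git dep with a placeholder PAT.
const SAMPLE_MANIFEST = {
  name: 'sample-app',
  dependencies: {
    express: '^4.18.2',
    'some-fork': 'git+ssh://git@github.com/example-org/some-fork.git',
    'internal-lib': 'https://github_pat_EXAMPLE_PLACEHOLDER:x-oauth-basic@github.com/example-org/internal-lib.git',
  },
  devDependencies: { jest: '^29.0.0' },
};

for (const f of findEmbeddedCredentials(SAMPLE_MANIFEST)) {
  console.log(`${f.field}.${f.name}: ${f.kind} -> ${f.redacted}`);
}
```

In a CI step or pre-commit hook, a non-empty result should fail the job; the redacted specifier is enough to identify the offending dependency.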
2. Node 10 in Production
Node 10 reached End-of-Life December 31, 2020. It has received no security patches in over 5 years. Known CVEs in Node 10 remain unpatched and are publicly documented. Running production workloads on Node 10 is a compliance failure in most security frameworks (SOC 2, ISO 27001, etc.).
🔴 HIGH — Address in Sprint
3 & 3b. Two Library-Pair Version Mismatches in reverb-react
Pair 1: react@17.0.1 + react-dom@16.5.0 — React requires matched versions. This configuration is explicitly unsupported by the Meta/React team. Effects: runtime warnings, potential rendering bugs in concurrent features, undefined behavior with hooks.
Pair 2: react-router@3.2.1 + react-router-dom@4.2.2 — react-router v3 and react-router-dom v4 are incompatible packages. v4 was a complete API rewrite (React Router changed its public API entirely between v3 and v4). Having both installed simultaneously creates conflicting route resolution. Latest is react-router@7.15.1.
Both mismatches are present simultaneously. Do not fix either in-place — the Next.js 16 rewrite starts on a clean baseline and eliminates both mismatches from day one (React 19.2.6, Next.js App Router for routing).
4. No CI/CD for soreto-melissa and soreto-zoe
soreto-melissa and soreto-zoe have no CI pipeline. Changes can be merged and deployed without any automated validation. Given that soreto-melissa is the actively developed replacement portal, the absence of CI is a high-priority gap.
Minimum CI for melissa:
- Type check (tsc --noEmit)
- Lint (next lint)
- Unit tests (jest)
- Build (next build)
Minimum CI for zoe:
- Type check (tsc --noEmit)
- Build (npm run build)
5. Hardcoded Default Secrets
reverb-backend/config/config.js contains:
```js
SESSION_SECRET: process.env.SESSION_SECRET || 's0meSup3rC0mpleXPa$$w0rd',
TOKEN_SECRET: process.env.TOKEN_SECRET || 's0meSup3rC0mpleXPa$$w0rd',
COOKIE_SECRET: process.env.COOKIE_SECRET || 'eNboeOJQ6l$NiMM!VY2E#7bw735li$7a',
```
If any environment (dev, staging, or production) fails to set these variables, the application silently uses these well-known defaults. Since these defaults are now documented in this audit and are in git history, they must be treated as compromised.
Verify: Run in each environment to confirm env vars are set:
```bash
echo $SESSION_SECRET && echo $TOKEN_SECRET && echo $COOKIE_SECRET
```
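The manual check above catches a missing variable once; the `||` fallback is what lets it go unnoticed. As an added example (not the reverb-backend config), the loader below replaces the fallback with a fail-closed check: boot aborts when a secret is unset, shorter than a minimum length, reused across names, or on a denylist of values known to be compromised. The denylist entries and the sample environment are constructed placeholders; in a real deployment the denylist would hold the exact defaults quoted in this audit, loaded from outside the repo rather than written next to the code that uses them.

```javascript
// Added example: fail-closed secret loading for the three secrets that
// config/config.js currently defaults. Nothing here is the project's own code.
const REQUIRED_SECRETS = ['SESSION_SECRET', 'TOKEN_SECRET', 'COOKIE_SECRET'];
const MIN_LENGTH = 32; // constructed policy value

// Values that must never be accepted again: anything that was ever committed
// as a default. Constructed placeholders stand in for the audited defaults.
const COMPROMISED = new Set(['CHANGE_ME', 'default-secret-placeholder']);

// Returns { ok: true, secrets } or { ok: false, problems }. `env` is injected
// so the check is testable; pass process.env from the real entry point.
function loadSecrets(env, compromised = COMPROMISED) {
  const problems = [];
  const secrets = {};
  for (const name of REQUIRED_SECRETS) {
    const value = env[name];
    if (value === undefined || value === '') {
      problems.push(`${name} is not set`);
    } else if (compromised.has(value)) {
      problems.push(`${name} is set to a known-compromised value`);
    } else if (value.length < MIN_LENGTH) {
      problems.push(`${name} is shorter than ${MIN_LENGTH} characters`);
    } else if (REQUIRED_SECRETS.filter((n) => env[n] === value).length > 1) {
      // The audited config shares one default between two secrets; a leak of
      // one would then compromise both, so reuse is rejected too.
      problems.push(`${name} reuses another secret's value`);
    } else {
      secrets[name] = value;
    }
  }
  return problems.length ? { ok: false, problems } : { ok: true, secrets };
}

// Constructed environment reproducing the failure mode in the audit: two
// secrets left at a compromised default and one variable not set at all.
const result = loadSecrets({ SESSION_SECRET: 'CHANGE_ME', TOKEN_SECRET: 'CHANGE_ME' });
if (!result.ok) {
  // In the real entry point this is where the process exits non-zero.
  console.error('Refusing to start:\n  ' + result.problems.join('\n  '));
}
```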
6. Node 16 EOL (soreto-zoe)
Node 16.x reached End-of-Life September 11, 2023. No security patches.
7. Knex 0.16.3 (soreto-zoe)
Released in 2018. Current is v3.x. The gap is so large that the upgrade must be done incrementally: 0.16.3 → 0.21.x → 0.95.x → 2.x → 3.x, testing at each step. This is a prerequisite for the Node version upgrade.
8. seneca.js Unmaintained
seneca@3.23.3 and seneca-amqp-transport@2.2.0 are the messaging layer for reverb-backend's internal service communication. The Seneca.js GitHub repository shows no meaningful maintenance activity. An unmaintained library in the critical messaging path is a significant long-term risk — bug reports go unanswered and security issues are not patched.
🟡 MEDIUM — Plan for Next Quarter
| Item | Notes |
|---|---|
| CI provides no test gate (reverb-react) | Travis runs build only; no tests executed |
| Google UA dead API | Sending analytics to a service that shut down in 2023 |
| node-sass deprecated | Replace with sass package |
| AMD/namespace TypeScript pattern | Legacy pattern, must migrate before monorepo |
| No OpenAPI contract | API shape is undiscoverable without reading source |
| Google+ sharing integration | Service shut down April 2019 |
| @rjsf@6.0.0-beta.10 in production | Beta packages in production carry instability risk |
| passport@0.3.2 | Missing security hardening from later versions |
| puppeteer@9 | Major version behind; API changes affect PDF generation |
Technical Debt by Repo
reverb-backend
Security: ████████░░ HIGH (default secrets, legacy passport, UA dead)
Dependencies: ████████░░ HIGH (seneca unmaintained, node-sass, old lodash deps)
Tooling: ██████░░░░ MEDIUM (no types, Webpack 5 ok, Travis CI ok)
Architecture: ████████░░ HIGH (flat 80+ services, no OpenAPI, no versioning)
reverb-react
Security: ██████████ CRITICAL (Node 10 EOL, no security patches)
Dependencies: ██████████ CRITICAL (react/dom mismatch, react-router@3+dom@4, Babel 6, Google+ dead)
Tooling: ████████░░ HIGH (no real CI, @@PLACEHOLDER@@ config)
Architecture: ██████░░░░ MEDIUM (mixed Flux+Redux, no types)
soreto-melissa
Security: ████░░░░░░ MEDIUM (beta dep, unknown deploy)
Dependencies: ████░░░░░░ MEDIUM (Next.js 13, @rjsf beta)
Tooling: ██████░░░░ MEDIUM (no CI/CD pipeline)
Architecture: ██░░░░░░░░ LOW (modern stack, well structured)
soreto-zoe
Security: ██████████ CRITICAL (PAT leak, Node 16 EOL, no CI)
Dependencies: ████████░░ HIGH (Knex 0.16.3, puppeteer 9, bull 3)
Tooling: ████████░░ HIGH (no CI, no tests, AMD TypeScript)
Architecture: ██████░░░░ MEDIUM (good processor structure, bad TS patterns)
Immediate Action Checklist
[ ] Revoke GitHub PAT in soreto-zoe/package.json
[ ] Verify SESSION_SECRET, TOKEN_SECRET, COOKIE_SECRET are set in all envs
[ ] Add .nvmrc to all repos (document current Node versions, not yet unified)
[ ] Add GitHub Actions CI to soreto-melissa
[ ] Add GitHub Actions CI to soreto-zoe
[ ] Deploy WAF in front of reverb-react Heroku app (Node 10 compensating control)
[ ] Begin Next.js 16 scaffold in apps/legacy-portal/ (reverb-react modernization)
[ ] Switch universal-analytics to a maintained GA4 library
[ ] Replace node-sass with sass in both repos