Security Guide

Technical Debt Audits

Scan your stack for CVEs, deprecated packages, and EOL versions. Get a health score. Fix what matters. Ship with confidence.

6 Detection Types
0-100 Health Score
<60s Scan Time
MCP IDE Integration

How We Audit

  • Data sources: NVD (CVEs), npm registry (deprecations), endoflife.date (EOL schedules)
  • Frequency: Data refreshed daily; individual audits run on-demand
  • Scoring: Deterministic formula based on finding severity counts

Audits reflect point-in-time data. New vulnerabilities may be disclosed after your scan.

01

How It Works

  • 1 INPUT: Your Stack. Package names with versions, e.g. next.js:14.2.0, prisma:5.10.0, node:20
  • 2 SCAN: Automated Analysis. Each entry is checked against NVD, the npm registry and EOL schedules
  • 3 OUTPUT: Actionable Report. Health score + prioritized fixes

02

What We Detect

We scan for 6 categories of technical debt, each with a severity level that affects your health score.

  Severity  Category              Description                                      Example
  CRITICAL  Security CVEs         Known vulnerabilities from NVD with CVSS scores  CVE-2024-34351 in Next.js
  HIGH      Deprecated Packages   Libraries no longer receiving security patches   request deprecated on npm
  MEDIUM    End-of-Life Versions  Runtimes past official support date              Node.js 16 EOL
  LOW       Available Upgrades    Newer versions with fixes or features            React 19 available
  INFO      License Issues        GPL contamination, incompatible licenses         GPL in MIT project
  WARNING   Breaking Changes      Major upgrades requiring code changes            Prisma 5 drops Node 16

03

Health Score

Stack Health Rating

Your score determines required actions

  Score   Rating     Required action
  0-49    Critical   Migration required
  50-69   Fair       Plan updates
  70-89   Good       Minor fixes
  90-100  Excellent  Ship it!

Scoring Formula

score = 100 − (critical × 20) − (high × 10) − (medium × 5) − (low × 2)

  Severity  Penalty  Typical findings
  CRITICAL  −20      Security vulnerabilities, breaking changes
  HIGH      −10      Major bugs, deprecated APIs
  MEDIUM    −5       Performance issues, outdated versions
  LOW       −2       Minor updates available

04

Real Example

Case Study: SaaS Startup Pre-Launch Audit

Tech Stack: Next.js 14.0.0, React 18.2.0, Prisma 5.8.0, Node 20.11.0, PostgreSQL 16

BEFORE: 62 (Fair)
  • CRIT  Next.js 14.0.0: SSRF vulnerability
  • HIGH  Prisma 5.8.0: query injection risk
  • MED   React 18.2: 19.x available

AFTER (fixes applied): 95 (Excellent)
  • Upgraded to Next.js 14.2.0
  • Upgraded to Prisma 5.10.0
  • LOW   React 19 available (optional)

Results: +33 score improvement, 2 critical issues fixed, 45 min time to remediate

04b

When Migration is Required

Score below 50 = Migration Recommended

When fixes alone can't resolve the issues, a strategic stack migration becomes necessary.

Critical Score: 32

E-commerce Platform - Legacy Stack Audit

Current Stack: Express 4.16 (EOL), Node 14 (EOL), MongoDB 4.4, React 16.8, Webpack 4 (SLOW)

Audit Findings

  • CRIT  Node 14 reached EOL: No security patches since April 2023. Known prototype pollution vulnerabilities.
  • CRIT  Express 4.16 CVE-2024-29041: Open redirect vulnerability. Upgrade path blocked by Node 14 dependency.
  • HIGH  React 16.8 concurrent mode missing: Cannot use Suspense or useTransition. Performance bottleneck on product pages.
  • HIGH  MongoDB 4.4 approaching EOL: End of life February 2024. Missing time-series and encryption features.
  • MED   Webpack 4 build times 3min+: No module federation, tree-shaking issues. Developer productivity impacted.

Score Calculation: 100 − (2×20) − (2×10) − (1×5) = 35
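As an added example (not StacksFinder's own code), the scoring formula and rating table from the Health Score section, applied to the legacy e-commerce findings above as constructed input. Treating INFO and WARNING as zero-penalty and flooring the score at 0 are assumptions; the page's formula only lists the four weighted severities.

```javascript
// Added example (not StacksFinder's own code): the page's scoring formula
// and rating bands. Assumptions: INFO and WARNING carry no penalty, since the
// formula only lists CRITICAL/HIGH/MEDIUM/LOW, and the score floors at 0.
const WEIGHTS = { CRITICAL: 20, HIGH: 10, MEDIUM: 5, LOW: 2, INFO: 0, WARNING: 0 };

// Ordered from best to worst so the first matching band wins.
const BANDS = [
  { min: 90, rating: "Excellent", action: "Ship it!" },
  { min: 70, rating: "Good", action: "Minor fixes" },
  { min: 50, rating: "Fair", action: "Plan updates" },
  { min: 0, rating: "Critical", action: "Migration required" },
];

// score = 100 - (critical x 20) - (high x 10) - (medium x 5) - (low x 2)
function healthScore(findings) {
  let score = 100;
  for (const f of findings) {
    const penalty = WEIGHTS[f.severity];
    if (penalty === undefined) throw new Error(`unknown severity: ${f.severity}`);
    score -= penalty;
  }
  return Math.max(0, score);
}

// Map a score to its rating band and the action the page prescribes.
function rate(score) {
  return BANDS.find((band) => score >= band.min);
}

// Mirrors what compare_audits reports: score delta and how many critical
// findings from the earlier audit no longer appear in the later one.
function compareAudits(before, after) {
  const afterTitles = new Set(after.map((f) => f.title));
  const resolved = before.filter((f) => !afterTitles.has(f.title));
  return {
    before: healthScore(before),
    after: healthScore(after),
    delta: healthScore(after) - healthScore(before),
    criticalFixed: resolved.filter((f) => f.severity === "CRITICAL").length,
  };
}

// Constructed input: the legacy e-commerce findings from the page (2 CRIT, 2 HIGH, 1 MED).
const legacyAudit = [
  { severity: "CRITICAL", title: "Node 14 reached EOL" },
  { severity: "CRITICAL", title: "Express 4.16 CVE-2024-29041" },
  { severity: "HIGH", title: "React 16.8 concurrent mode missing" },
  { severity: "HIGH", title: "MongoDB 4.4 approaching EOL" },
  { severity: "MEDIUM", title: "Webpack 4 build times 3min+" },
];

console.log(healthScore(legacyAudit), rate(healthScore(legacyAudit)).action); // 35 "Migration required"
```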

Migration Recommendation

FROM: Express + Node 14, React 16 + Webpack, MongoDB 4.4
TO

Why This Migration Path?

  • Security First: Next.js has built-in security headers, CSRF protection, and active LTS support through 2026.
  • Build Performance: Turbopack reduces build times from 3min to 15sec. Hot reload under 100ms.
  • Migration Path: Incremental adoption possible. Existing React components work with minimal changes.
  • Long-term Cost: PostgreSQL has no license fees. Vercel deployment scales automatically.

Estimated Migration Timeline

  • Week 1-2: Database migration + API routes
  • Week 3-4: Frontend components migration
  • Week 5: Testing + performance validation
  • Week 6: Staged rollout + monitoring

Score: Current 35, After Migration 94

05

When to Audit

Pre-Launch

Validate your stack has no known vulnerabilities before going live. Document results for compliance.

Monthly Review

Catch new CVEs within 30 days of disclosure. Track health score trends over time.

Before Major Upgrades

Audit before and after framework migrations. Confirm the upgrade resolved issues.

Client Deliverables

Include audit reports in client handoffs. Demonstrate security commitment.

06

IDE Integration

MCP Tools

Run audits directly from your AI coding assistant. No context switching.

Install in Claude Code:

  claude mcp add stacksfinder "npx" "-y" "@stacksfinder/mcp-server"

Available tools:

  • create_audit: Start a new technical debt audit for your stack
  • list_audits: View your recent audit history with scores
  • get_audit: Get detailed findings from a specific audit
  • compare_audits: Compare two reports to track improvements

07

Best Practices

Always Include Versions

Specify react:18.2.0, not just react. Exact versions enable accurate CVE detection.

Prioritize by Severity

Fix critical and high first. Batch low-severity into maintenance sprints.

Set a Target Score

Define team minimum (e.g., 80+). Create alerts when score drops below.

Document Exceptions

Some findings may be accepted risks. Document why for future team members.

08

Frequently Asked Questions

Start Reducing Technical Debt

Create your first audit in under a minute. Get a health score and actionable fixes.

Last updated: January 2026