An independent review of the NDWS storefront — a fully custom NestJS + Next.js build — and a clear-eyed case for moving the business onto Shopify.
Your online store is bespoke software: a custom Next.js storefront talking to a custom NestJS backend, running on a single rented server. There is no platform underneath it — the shopping cart, the checkout, the payment logic, the security, the servers, and every future fix are all things you have to build, run, and protect.
It works, but our review found defects that put real money and customer trust at risk — and several are not edge cases. The store can oversell stock it doesn't have, accept orders for $0, and ship goods before any payment is taken. On top of that, the latest version of the code can no longer be deployed at all.
Stop maintaining a custom storefront. Move NDWS onto Shopify — a hosted platform that already solves payments, inventory, security, and uptime, so the business stops paying to rebuild and re-secure all of it by hand.
Four moving parts, all custom-built, all hosted on one server you rent. If it breaks at 2 a.m., there is no platform support line — only whoever still knows this codebase.
Each item below was confirmed against the actual source code. They are grouped by what they threaten — your revenue, your security, and your ability to keep the lights on.
The current code fails to build, so updates and fixes literally cannot be deployed. The live site is frozen on an older version.
Stock is never reduced after a sale. The store will keep selling items it doesn't have — leading to cancellations and refunds.
The price and order total are taken from the shopper's browser and trusted as-is. A technical buyer can change the total to zero — or negative.
On order, the system buys a real, billed shipping label and emails the customer — with no payment step in between. Anyone can trigger spend.
Promo codes can be used beyond their limit and aren't reliably subtracted from the charged total. Margins leak quietly.
Prices are stored in a format prone to rounding errors — small, compounding discrepancies in reporting and payouts.
Anyone on the internet can upload files to your server — no login required, and the safety check is incomplete. A classic doorway for abuse.
If a single secret is missing, the order-status webhook accepts anyone — letting outsiders move orders through their lifecycle.
Admins are silently logged out after ~10 minutes (a unit bug), and login tokens become forgeable if one secret is mis-set.
The anti-bot reCAPTCHA is installed but never switched on. Checkout and forms are open to spam and automated abuse.
The backend crashed on our test simply because email settings were blank — one missing value takes the whole store offline.
A nightly task removes "unpaid" orders — including ones whose fulfillment failed — so genuine records can vanish.
Two deployment scripts overwrite each other's settings — one wipes the captcha keys the other just set. Config drifts on every release.
The automated tests no longer compile, so regressions slip through — and there is no product data on the live site or in the seed.
Shopify is the world's leading hosted e-commerce platform, powering millions of stores. You don't run servers or write the shop's core code — Shopify provides the storefront, the secure checkout, payments, inventory, orders, shipping and taxes, all maintained and scaled for you. You customize the look with themes and extend it with apps. The hard, risky parts — security, payments, uptime, backups — are the platform's job, not yours.
Most of the problems above don't need to be fixed — on Shopify they simply don't exist, because the platform owns that layer. Side by side:
| Dimension | Custom site today | On Shopify |
|---|---|---|
| Payments & PCI | Built by hand; today orders can ship with no payment. | Secure, certified checkout takes payment before fulfilment. |
| Inventory | Stock never decremented — guaranteed overselling. | Inventory tracked and reserved automatically. |
| Price integrity | Totals trusted from the browser — $0 orders possible. | Prices computed server-side; cannot be tampered with. |
| Security & bots | Public upload, fail-open webhook, no bot protection. | Hardened platform with fraud & bot defenses included. |
| Hosting & uptime | One server; a blank email field took it offline. | Globally hosted, 99.9%+ uptime, no servers to run. |
| Updates & deploys | Latest code won't build; releases are fragile. | No build or deploy step — changes are instant & safe. |
| Maintenance & risk | Every fix & patch is your cost and your "bus factor". | Maintained by Shopify; your team focuses on selling. |
| Support when it breaks | Only whoever still knows the codebase. | 24/7 platform support and a huge partner ecosystem. |
Choose a plan, apply a theme, and recreate the NDWS brand and storefront design.
Import products, collections and any existing customers and orders.
Connect Shopify Payments, configure shipping rates and taxes.
301-redirect old URLs so search rankings carry over cleanly.
Point the domain to Shopify, test checkout end-to-end, go live.
Shut down the VPS, Postgres, Redis and pipelines — and the maintenance bill with them.