`express-generator` app uses modules which have critical security vulnerabilities

[RushilJalal]

I created an app using express-generator and on running npm i i am told that some of the modules have high and several critical level security vulnerabilities.
I ran npm audit fix --force which still didn't fix the problem.
I referred https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install which asked to uninstall jade and install pug instead which fixed the issue.
I believe this should be inbuilt and the user should not be required to manually install pug.

[RushilJalal]

Even after following https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install
On running npm start, I am greeted with

I would be grateful if someone could point me to the solution as I am completely new with express.

[IamLizu]

Can we please transfer this to https://github.com/expressjs/generator

cc: @UlisesGascon

[RushilJalal]

Yes that would be much better.
Apologies, I was not aware of generator being a seperate repo.

[IamLizu]

No worries @RushilJalal

Thank you for reporting this.

[RushilJalal]

Is it possible to assign this issue to me?
I would love to contribute, although I would need some help...

[IamLizu]

Sure @RushilJalal

[RushilJalal]

//cmd.js
it('should have a package.json file', function () {
      var file = path.resolve(ctx.dir, 'package.json')
      var contents = fs.readFileSync(file, 'utf8')
      assert.strictEqual(contents, '{\n' +
        '  "name": "express-1-no-args",\n' +
        '  "version": "0.0.0",\n' +
        '  "private": true,\n' +
        '  "scripts": {\n' +
        '    "start": "node ./bin/www"\n' +
        '  },\n' +
        '  "dependencies": {\n' +
        '    "cookie-parser": "~1.4.5",\n' +
        '    "debug": "~2.6.9",\n' +
        '    "express": "~4.17.1",\n' +
        '    "http-errors": "~1.7.2",\n' +
        //replace default jade with pug
        // '    "jade": "~1.11.0",\n' +
        '    "pug": "~3.0.3",\n' +
        '    "morgan": "~1.10.0"\n' +
        '  }\n' +
        '}\n')
    })

//express-cli.js
// Default view engine
    if (options.view === true) {
      warning('the default view engine will not be jade in future releases\n' +
        "use `--view=jade' or `--help' for additional options")
      options.view = 'pug'//changed jade to pug
    }

I have made the changes as highlighted in the comment.
I want to run the app and test if there are no errors due to the changes I made. How to do so?
Is there anything else I need to change? Kindly advise.

[RushilJalal]

@IamLizu Kindly advise...

[tomasantunes]

This is still a problem on version 4.16.1

This is the output when running generator by default:

After running npm-check-updates the vulnerabilities are gone.