Express depends on escape-html. It hasn't been updated since 2015.

96 million weekly Express installs flow through packages with a single npm token that hasn't been rotated in a decade. npm audit shows zero issues. Our tool scores two of them CRITICAL.