serve-static vulnerable to template injection that can lead to XSS