Security: Express server serves entire project root, exposing sensitive files #6011

@the-shreyash

Description

The Express server in index.js (line 33) uses express.static(path.join(__dirname)) which serves the entire project root directory as static files.

This exposes sensitive files to anyone who can access the server, including:

  • package.json / package-lock.json (dependency versions → known CVEs)
  • dockerfile (infrastructure details)
  • .gitmodules, .npmrc (internal config)
  • index.js (the server source code itself)
  • jest.config.js, eslint.config.mjs (build/test config)

Steps to Reproduce

  1. Run node index.js
  2. Open http://localhost:3000/package.json in browser
  3. The full package.json is visible

Expected Behavior

Only public-facing assets (index.html, css/, js/, lib/, images/, etc.) should be served. Server configuration and build files should not be accessible.

Proposed Fix

Restrict express.static() to serve only the necessary public directories, or add explicit deny rules for sensitive files.
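As an added example (not code from this issue or the project), an allow-list middleware that implements the proposed fix: it assumes the public-facing assets the issue names (index.html, css/, js/, lib/, images/) and refuses any other path before express.static sees it, so the listed config and source files stay hidden, including traversal and URL-encoded variants such as /css/../package.json.

```javascript
// Added example, not the project's own code. Assumed public layout: the assets
// listed in the issue (index.html, css/, js/, lib/, images/) live under ./public.
const PUBLIC_PREFIXES = ['/css/', '/js/', '/lib/', '/images/'];
const PUBLIC_FILES = ['/', '/index.html'];

// Collapse "." and ".." segments and repeated slashes so a request cannot walk
// out of the allowed directories (e.g. "/css/../package.json" -> "/package.json").
function normalizePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// True only for paths that point at a public asset.
function isPublicPath(urlPath) {
  let raw;
  try { raw = decodeURIComponent(urlPath.split('?')[0]); } catch (e) { return false; }
  if (raw.includes('\0') || raw.includes('\\')) return false;
  const p = normalizePath(raw);
  if (PUBLIC_FILES.includes(p)) return true;
  const base = p.slice(p.lastIndexOf('/') + 1);
  if (base.startsWith('.')) return false; // dotfiles such as .npmrc, .gitmodules are never public
  return PUBLIC_PREFIXES.some((prefix) => p.startsWith(prefix) && p.length > prefix.length);
}

// Express-style middleware; uses only req.url / res.statusCode / res.end so it
// also runs against plain Node objects. Mount it before express.static.
function restrictStatic(req, res, next) {
  if (isPublicPath(req.url)) return next();
  res.statusCode = 404;
  res.end('Not found');
}

// Wiring in index.js (assumed): serve ./public instead of the project root, and
// let serve-static deny dotfiles as a second layer.
//   app.use(restrictStatic);
//   app.use(express.static(path.join(__dirname, 'public'), { dotfiles: 'deny' }));
```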
