I created an app using express-generator and on running npm i i am told that some of the modules have high and several critical level security vulnerabilities.
I ran npm audit fix --force which still didn't fix the problem.
I referred https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install which asked to uninstall jade and install pug instead which fixed the issue.
I believe this should be inbuilt and the user should not be required to manually install pug.