Which is why building a website out of nodejs is such a bad idea. With the other reason being that you can't actually access the crypto functions from client-side JS, so you have to rely on polyfills which are not as secure, and may have their own vulnerabilities.

It is certainly not a programming language you want to use if there is an Advanced Persistent Threat or state actor among your list of potential adversaries.