I almost approved a security hole last year. A simple image server that let anyone read any file on the filesystem.
The input `../../etc/passwd` sailed right through `path.join()`. Oops.
Path traversal is one of the most exploited vulnerabilities in recent years, yet it's still too easy to write code that's exposed to it.
I wrote a guide on how to prevent it in Node.js (with lots of code examples):
https://nodejsdesignpatterns.com/blog/nodejs-path-traversal-security/
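
The `path.join()` behaviour described above, next to a confined version, as an added example that is not part of the original post or the linked guide. The root directory `/srv/images`, the function names and the sample inputs are assumptions constructed for illustration.

```javascript
const path = require('node:path');

// Assumed image root for this example (hypothetical; POSIX paths).
const ROOT = path.resolve('/srv/images');

// Vulnerable: path.join() normalizes ".." segments but does not confine
// the result to ROOT.
function unsafeResolve(userPath) {
  return path.join(ROOT, userPath);
}

// Hardened: resolve against ROOT, then verify the result is still inside it.
// Assumes userPath has already been URL-decoded by the HTTP framework.
function safeResolve(userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const full = path.resolve(ROOT, userPath);
  // Compare against ROOT plus a separator so a sibling directory such as
  // /srv/images-private does not pass a bare prefix check.
  if (!full.startsWith(ROOT + path.sep)) {
    throw new Error('path escapes image root');
  }
  return full;
}

// Constructed sample inputs, not taken from real traffic.
const samples = ['cats/1.png', '../../etc/passwd', '/etc/passwd', '../images-private/a.png'];
for (const input of samples) {
  let verdict;
  try {
    verdict = 'served from ' + safeResolve(input);
  } catch (err) {
    verdict = 'rejected (' + err.message + ')';
  }
  console.log(JSON.stringify(input), '| join ->', unsafeResolve(input), '| checked ->', verdict);
}
```

The containment check is purely lexical: if the root can contain symlinks, resolve the final path with `fs.realpath()` and repeat the comparison before opening the file.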