
None of that gets to the browser.


The whole point is to have JS on front-end and back-end, right? What is serving the JS? Isn't the server Node?

And large security surface means just one compromised package is required to get on the server side. If an npm update gives you security warnings after a few weeks of a vanilla project just sitting there, something is very wrong.


Sure, you could say the same about any language too though. I've used static site generators in Rust too, or Python, it's the same problem. People still use them because the benefits outweigh the minute risk of being compromised.



