I came across a package called eobject that creates a API, through express.js, directly from a object. I see no issue with automatically creating API routes for static info from an object, but doesn’t exposing a function directly from an object present security issues?