Open
Description
If I'm doing `.use(express.static('/var/www/html'))` and some attacker manages to `ln -s /etc/passwd /var/www/html`, then http://host/passwd will serve up /etc/passwd. Is there any way to tell serve-static not to follow symlinks, or to restrict them so that they're only followed to files within the directory being served?
I'm essentially asking for Apache's FollowSymLinks or nginx's disable_symlinks.
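One way to approximate the "only follow links that stay inside the served directory" behaviour asked for above is a check mounted in front of `express.static`. This is an added example, not part of the original issue and not serve-static's own code; `resolveInsideRoot`, `denySymlinkEscape` and `buildFixture` are hypothetical names, and the fixture is constructed in a temp directory.

```javascript
// Added example, not serve-static code; all function names are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Map a URL path to its symlink-resolved file under `root`. Returns the real
// path only when it still lies inside the real root, otherwise null.
function resolveInsideRoot(root, urlPath) {
  let realRoot, target;
  try {
    const decoded = decodeURIComponent(urlPath);
    if (decoded.includes('\0')) return null;
    realRoot = fs.realpathSync(root);
    target = fs.realpathSync(path.join(realRoot, decoded));
    // A directory request is answered with its index file, so check that too.
    if (fs.statSync(target).isDirectory()) {
      target = fs.realpathSync(path.join(target, 'index.html'));
    }
  } catch (err) {
    return null; // missing file, dangling link or malformed escape sequence
  }
  const rel = path.relative(realRoot, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : target;
}

// Express-style middleware to mount in front of express.static(root).
function denySymlinkEscape(root) {
  return (req, res, next) => {
    if (resolveInsideRoot(root, req.path) !== null) return next();
    res.statusCode = 404;
    res.end();
  };
}

// Constructed fixture: a docroot with one link that stays inside the root
// and one that points at a file outside it.
function buildFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-'));
  const root = path.join(base, 'html');
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(base, 'secret.txt'), 'outside the docroot\n');
  fs.writeFileSync(path.join(root, 'index.html'), '<h1>ok</h1>\n');
  fs.symlinkSync(path.join(root, 'index.html'), path.join(root, 'inner.html'));
  fs.symlinkSync(path.join(base, 'secret.txt'), path.join(root, 'leak'));
  return root;
}
```

The check and the later file open by the static handler are two separate steps, so a link swapped in between them is not caught; this narrows the exposure rather than closing it.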