This npm module is currently deprecated due to the large influx of security vulunerability reports received, most of which are simply exploiting the underlying limitations of CSRF itself. The Express.js project does not have the resources to put into this module, which is largely unnecessary for modern SPA-based applications.
Please instead use an alternative CSRF protection package if you do need one: https://www.npmjs.com/search?q=express%20csrf