Isnt echoing errors like that a security issue? Im not implying it necessarly is, because it's obviously conveniently useful for debugging.

It's only a security issue if it provides exploitable information. It's more commonly avoided as an issue regarding user confusion, not security.

Yup, they should log / e-mail themselves the error messages when in production rather than displaying them, sensitive info might leak plus stacktrace aren't very friendly.

Looks like they might have left the connect.errorHandler() dev middleware (http://www.senchalabs.org/connect/errorHandler.html) plugged into their app.

We normally don't do this, we put this little preview app together quite quickly using a slightly different infrastructure to our regular stuff.

We normally log these and just display a friendly error message to the end user.