do electron apps ship nodejs, within thier files or are they installed and used without installing node on the user computer ?
Node is contained inside the Electron application, the end user shouldn’t need to install it themselves.
so, does node open up port 4000 on any users computer ? and wouldn’t that be a vulnerability ?
Not that I know of. It’s really hard to talk about vulnerabilities in hypothetical situations that don’t have many specifics. Technically, having your computer on is a vulnerability.