If this is the first time you're hearing the term HTTP Parameter Pollution, aka HPP, then you need to read the links given below to get an idea of what HPP can really do to a web application.
If you send a query such as ?name=123&name=abc, then Express returns 123,abc
Here are the links
With that being said, let's look at how popular web applications treat the same problem.
Apparently, only ASP and a few others spit back all the occurrences of the same parameter name value.
Given that Express is the de facto Node.js web app framework, I think it's about time we take this seriously and make sure that only one of the parameter names is harnessed. Either the first or the last occurrence would do.
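One way to enforce the "first or last occurrence only" rule in application code, as an added example that is not from the original post or from Express itself. It goes one step further and also offers a 'reject' policy; the names collapse, singleValueQuery and req.safeQuery are hypothetical, and req.query is assumed to hold an array for any repeated parameter name.

```javascript
// Added example, not Express's own code. `singleValueQuery` and `req.safeQuery`
// are hypothetical names; `req.query` is assumed to hold an array for any
// parameter name that was repeated in the query string.
function collapse(query, keep) {
  const out = {};
  for (const [name, value] of Object.entries(query)) {
    if (!Array.isArray(value)) {
      out[name] = value;                 // single occurrence: pass through
    } else if (keep === 'reject') {
      // Fixed message: the attacker-controlled name is not echoed back.
      throw new RangeError('duplicate query parameter');
    } else {
      out[name] = keep === 'first' ? value[0] : value[value.length - 1];
    }
  }
  return out;
}

// Express-style middleware factory; keep is 'first', 'last' or 'reject'.
function singleValueQuery(keep = 'last') {
  return function (req, res, next) {
    try {
      // Write to a separate property so handlers opt in explicitly.
      req.safeQuery = collapse(req.query || {}, keep);
      next();
    } catch (err) {
      res.statusCode = 400;
      res.end(err.message);
    }
  };
}

// Constructed sample: what a handler sees for ?name=123&name=abc&id=7
function demo(keep) {
  const req = { query: { name: ['123', 'abc'], id: '7' } };
  const res = { statusCode: 200, body: '', end(msg) { this.body = msg; } };
  let called = false;
  singleValueQuery(keep)(req, res, () => { called = true; });
  return { called, status: res.statusCode, safeQuery: req.safeQuery };
}

// The repeated parameter is an array; coerced to a string it is "123,abc".
console.log(String(['123', 'abc']));
console.log(demo('first'), demo('last'), demo('reject'));
```

Handlers would then read req.safeQuery.name instead of req.query.name, so every downstream check sees the same single string.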