What's the problem with exposing port 3000 to let someone demo an app for an hour? By the time someone discovers the exposed address and port, and then figures out how to exploit the service that's running, I'll have already shut down the service.
true, maybe there's no problem for your use case. using something like ngrok is a gamble:
if the only thing on the line is low-value things like whatever is on your personal laptop (or even whatever is on a spartan vanilla ubuntu VM that your app is running in), then maybe it's not a very big gamble.
if the laptop has corporate secrets on it or it can be used as by an attacker to pivot into company internal systems through the VPN you're also connected to, however, that's a completely different story.
