Can be mitigated, as the sibling comment points out, but even in the situation you described, the blast radius is reduced, especially for frontend libs.
Yes (assuming they're doing frontend dev and including the resources from the page). The code is fetched and executed from the browser, so It'll have to escape the browser sandbox to do something nefarious.
Same. I came back to do a little frontend work a couple of years ago and was horrified by the replacement of script tags with subresource integrity with npm and bundlers.
Is this more secure?? I would genuinely love to know
Yes, none of npm's lifecycle hooks. You're just pulling bytes over the wire.
Except now you're making http calls to remote servers that could be compromised.
This is a solved problem.
Use HTTPS and use the integrity attribute.
https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...
Also, what's more likely? Someone hacking jsDelivr/cdnjs OR some random NPM packages getting hacked?
As long as you embed it with an SRI integrity hash, you're safe, even if the remote server is compromised.
Can be mitigated, as the sibling comment points out, but even in the situation you described, the blast radius is reduced, especially for frontend libs.
Yes (assuming they're doing frontend dev and including the resources from the page). The code is fetched and executed from the browser, so It'll have to escape the browser sandbox to do something nefarious.
Same. I came back to do a little frontend work a couple of years ago and was horrified by the replacement of script tags with subresource integrity with npm and bundlers.