In my experience, first-party JavaScript is more likely to be updated so rarely that bugs and exploits are more likely than supply chain attacks. If I heard about NPM getting attacked as often as I hear about CDNs getting attacked, I’d be more concerned.
Direct linking via a specific CDN was the problem. This is solved by bundlers, not caused by them.