Conversation

The polyfill.io CDN situation might be a good signal to just host shit yourself. unpkg is another one I see pretty often.

Who am I kidding, most web devs won't do anything until it bites them in the ass.

@volpeon I mean there are cases where a CDN is pretty useful ngl. But stuff like JS, Fonts and such things are so small they should be pretty easy to self-host. Or do I misunderstand something by not being enough of a webdev (or none at all)?

@volpeon I am so scared of the landscape of modern day web dev libraries and stuff, I think we should all go back to the age of desktop applications instead (and pay Isi for Qt)


@stefan@akko.lightnovel-dungeon.de CDNs are fine if they're specifically deployed by you or your company. Might as well serve JS files for all I care.

But my point is that relying on some random public CDN is risky, and probably not even necessary for most websites if they cared a little more about performance.


@volpeon Or at the very least, use subresource integrity which should prevent this kind of attack (it will still break your website though)

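Added example, not part of any post in this thread: a Node.js model of the subresource integrity check mentioned above, showing that a pinned hash blocks a changed CDN file (so the page loses that script) and that an `integrity` value with no supported algorithm enforces nothing. The script bodies, the URL in the comment and all function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Hash algorithms defined for SRI, weakest to strongest.
const ALGS = ["sha256", "sha384", "sha512"];

// Build the value for integrity="...", used as in:
// <script src="https://cdn.example/lib.js" integrity="sha384-..."
//         crossorigin="anonymous"></script>   (URL is a placeholder)
function sriDigest(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse whitespace-separated "alg-base64[?options]" tokens.
// Tokens with an unknown algorithm are dropped, as browsers do.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const expr = tok.split("?")[0];
    const dash = expr.indexOf("-");
    return dash < 0
      ? { alg: "", b64: "" }
      : { alg: expr.slice(0, dash), b64: expr.slice(dash + 1) };
  }).filter((m) => ALGS.includes(m.alg));
}

// true = the browser would execute the file, false = it would block it.
function sriAllows(body, attr) {
  const meta = parseIntegrity(attr);
  if (meta.length === 0) return true; // no usable hash: nothing is enforced
  // Only hashes of the strongest listed algorithm are considered.
  const top = Math.max(...meta.map((m) => ALGS.indexOf(m.alg)));
  return meta
    .filter((m) => ALGS.indexOf(m.alg) === top)
    .some((m) =>
      m.b64 === crypto.createHash(m.alg).update(body).digest("base64"));
}

// Constructed sample data: the file as reviewed, and the same URL later
// serving different bytes.
const original = "window.examplePolyfill = function () { return 1; };\n";
const tampered = original + "/* constructed stand-in for injected code */\n";
const pinned = sriDigest(original);

console.log("original allowed:", sriAllows(original, pinned));
console.log("tampered allowed:", sriAllows(tampered, pinned));
console.log("md5-only attribute enforces:", !sriAllows(tampered, "md5-AAAA"));
```

The pin only works for files whose bytes never change at that URL, so it fits versioned library files and not services that return different code per browser.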

@volpeon Even when it bites them in the ass they don't do anything. "Oh, it won't happen again. Oh, we'll find an alternative rando on GitHub who patched it out. Oh, we'll just download a JavaScript TPM package to fix it."