alt Hacker NewsMicrosoft? Okta? JetBrains? If these are amateurs, who is a professional developer?
https://www.encryptionconsulting.com/top-10-supply-chain-att...
Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.
I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.
Linking to a CDN is for development only. Once the app is build you build your dependencies into the app. You don't fetch them at runtime and run them. Not only for security, but also for performance.
There's also a difference between using a CDN for, say, React and a random github project hosted by some dude.