I was being sarcastic. Although hot linking is not particularly common, it's common enough; and unpinned dependencies are just as much, if not more, of a supply chain attack risk.
I'd bet something like 70+% of all JS apps are inadequately protected against the risk of a malicious actor gaining access to a dependency's repo.
Pearl-clutching over this while ignoring the lessons of `left-pad` and `colors` is biased motivated reasoning at best.