Linking to a CDN is for development only. Once the app is built, you build your dependencies into the app. You don't fetch them at runtime and run them. Not only for security, but also for performance.
There's also a difference between using a CDN for, say, React and a random GitHub project hosted by some dude.