Using somebody's stuff is different than hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.



That's fair. I download and embed, personally. Still, it's not a rant-worthy mistake, honestly. Suggest a better approach, sure.

It's definitely a rant-worthy mistake because this would literally never happen in any professional app anywhere. This is a supply chain risk.

Microsoft? Okta? JetBrains? If these are amateurs, who is a professional developer?

https://www.encryptionconsulting.com/top-10-supply-chain-att...

Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.

I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.


Linking to a CDN is for development only. Once the app is built, you build your dependencies into the app. You don't fetch them at runtime and run them. Not only for security, but also for performance.

There's also a difference between using a CDN for, say, React and a random github project hosted by some dude.


Yeah I agree. Tell Microsoft. But, meanwhile this is normally used wrong in a lot of apps. It's not newsworthy that this one is also.


