moving third-party libraries to a vendored directory. The risk I'd like to mitigate is that one of those deps can change out from under you, and then it can make (authenticated) requests to our backend to exfiltrate data. There are a few possible solutions:
The first approach takes about 15 seconds (adding "integrity=..." to script tags), but I prefer the second (which probably takes a few minutes) because then we can turn on a Content-Security-Policy that blocks all third-party connections, which is a much stronger invariant.
from @bcspragu (via email) who suggests...
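The two approaches compared above (an `integrity` attribute versus vendoring plus a same-origin-only Content-Security-Policy), sketched as an added example that is not part of the original message or the project's code. The sample HTML, host names, paths, function names and the exact policy string are assumptions made for illustration, and same-origin scripts are assumed to be referenced by relative path.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hosts and paths are made up for this example).
SAMPLE_HTML = """
<script src="https://cdn.example.com/lib-a.js"></script>
<script src="https://cdn.example.com/lib-b.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/vendor/lib-c.js"></script>
"""

# Assumed policy for the vendored setup: every fetch type is same-origin only.
VENDORED_CSP = "default-src 'self'"


def sri_value(content: bytes) -> str:
    """Build the integrity attribute value (sha384, base64) for a file's bytes."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class ScriptAudit(HTMLParser):
    """Collect every <script src=...> and classify how it is protected."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag != "script" or not src:
            return  # not a script tag, or an inline script
        if not urlparse(src).netloc:
            status = "vendored"   # same-origin path, allowed by VENDORED_CSP
        elif dict(attrs).get("integrity"):
            status = "pinned"     # third-party, but SRI fixes its content
        else:
            status = "unpinned"   # third-party and free to change upstream
        self.findings.append((src, status))


def audit(html: str):
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings


def blocked_by_vendored_csp(html: str):
    """Scripts that a same-origin-only CSP would refuse to load."""
    return [src for src, status in audit(html) if status != "vendored"]
```

Running `audit` over the built templates in CI flags any `unpinned` script, and `blocked_by_vendored_csp` lists what still has to be vendored before the policy can be enforced.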