[Feature request] Configurable model sources

[ume-graham]

Hey, thanks for your work on this plugin!

I'm having some trouble with the hardcoded fetches out to https://cdn.jsdelivr.net (1, 2). Although this is nice for folks who are just trying to get things up and running quickly, it's a little uncomfortable for those of us who have to enforce strict content security policies. There's a lot of code on jsdelivr, and I'd prefer to not have to mark it all as trusted! On its own, it's not awful, since it only needs connect-src permission, but when you combine it with the script-src blob: that seems to be required by @livekit/krisp-noise-filter, it starts to become worrying. You guys seem pretty trustworthy, but this is JS - we can't always trust the dependencies of our dependencies of our dependencies not to fetch some code from jsdelivr, stuff it into a blob, and execute it.

It would be ideal if there were a way to pass in some configuration to the plugin designating alternate source(s) for @mediapipe/tasks-vision and @mediapipe/holistic. That way, we could mirror the dependencies ourselves and not have to allow connections to jsdelivr.

[lukasIO]

@ume-graham that makes sense, can you check #34 to see if that would fit your needs?

[ume-graham]

Yup, that should work! Thanks @lukasIO!