Right now we include assets from both unpkg.com and cdn.jsdelivr.net. I think we should remove these.
If they go down, the app can't function (e.g. login breaks). Further, removing them improves our security posture without needing to implement a CSP (though CSP would be a good idea!).
Fix should be to just make a copy of the external assets to wherever our tool keeps static assets and update the code to use the local URL instead of the 3rd-party URL.
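An added example, not part of the original issue or the project's code: a small Python audit that finds asset tags loading from the two CDN hosts named above and rewrites them to local paths. The `/static/vendor/` prefix, the sample template and its package names are assumptions made for illustration; the files themselves still have to be copied to the matching local paths.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the issue. LOCAL_PREFIX is an assumed static-asset location.
CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}
LOCAL_PREFIX = "/static/vendor/"

# Constructed sample template; the package names are placeholders.
SAMPLE = """<head>
<script src="https://unpkg.com/examplelib@1.2.3/dist/examplelib.min.js"></script>
<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/examplecss@4.5.6/dist/example.min.css">
<script src="/static/app.js"></script>
<a href="https://unpkg.com/">docs</a>
</head>"""


class AssetFinder(HTMLParser):
    # Collects src/href values on tags that load a resource (not plain <a> links).
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link", "img"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def find_cdn_assets(html):
    """Return asset URLs in html whose host is in CDN_HOSTS, in document order."""
    finder = AssetFinder()
    finder.feed(html)
    # urlparse also resolves the host of protocol-relative URLs ("//host/path").
    return [u for u in finder.urls if (urlparse(u).hostname or "").lower() in CDN_HOSTS]


def local_path(url):
    """Map a CDN URL to a local path that keeps the host and pinned version visible."""
    parsed = urlparse(url)
    return LOCAL_PREFIX + parsed.hostname.lower() + parsed.path


def rewrite(html):
    """Replace each CDN asset URL with its local path; returns (new_html, mapping)."""
    mapping = {u: local_path(u) for u in find_cdn_assets(html)}
    for remote in sorted(mapping, key=len, reverse=True):  # longest first
        html = html.replace(remote, mapping[remote])
    return html, mapping
```

Running `find_cdn_assets` over every template in CI and failing the build on a non-empty result keeps third-party URLs from creeping back in after the assets are vendored.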