joeldenning
commented
5 years ago CDNs are not insecure. Especially when you provide an integrity attribute on your script tags. CDNs are a more performant way of loading resources, since CDN files are cacheable across multiple websites, unlike a file hosted by the website.
So I disagree with your premise 😄. However, it is very possible to load systemjs, import-map-overrides, and single-spa from local files if you prefer. You can just put /node_modules/systemjs/dist/system.min.js into your import map (and similar for other resources). If you don't like using your node modules, you can download the scripts and put them into a vendors directory and serve them up from there.
I'm closing this since I believe I've answered the question, but feel free to comment further or reopen if there is more to discuss.
The SingleSPA HTML file http://single-spa-playground.org/playground/html-file uses CDNs like unpkg and cdnjs.cloudflare.com. There must be an option to use downloaded npm modules instead. CDNs are not a secure option in real world scenarios.