The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

It looks like this is being exploited in the wild [0].<p>[0] <a href="https:&#x2F;&#x2F;twitter.com&#x2F;mszustak&#x2F;status&#x2F;963322531729018880" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;mszustak&#x2F;status&#x2F;963322531729018880</a>