The two problems with hosting* a local copy of dependencies.
- You don't benefit from the browser cached version that almost certainly exists due to the user previously visiting a site with that plugin.
- You have to pay for that bandwidth**
At the end of the day, you have a trade-off because you need to decide whether to trust a third party to manage risk on your site or whether you want to vet everything. SRI would have prevented this specific hack, true, assuming though you didn't have website authors who saw the error in the console, got the new hash, then blindly applied it to put out the "our customers can't login" fire. It also means that where there is a legitimate vulnerability in the framework, your site cannot be fixed automatically.
*Making a copy of any version that you deploy is important if only to deal with one of these vendors disappearing without notice.
**The irony isn't lost on my me.