1) If a site I depend on gets hacked, I'm not going to know until they tell me or I read about it here.
2) If a site I depend on gets hacked, I have no tools or ability to fix the problem.
3) If a common site gets hacked, then everyone who depends on it gets hacked, per this example. Since crypto-jacking is about making money, this is a particularly important point.
Of course, 1 can be partially mitigated if I'm running a round-trip test from the outside.
The idea of including off-site scripts that have not been digitally signed (recursively) is nuts. That doesn't fix everything, of course, but it is a start.
Biting the hand that feeds IT
