I have an interesting question from QTX on Discord:
I wonder how import maps can be safe? After all, if we have a js file in node_modules we still have a copy of our desired library that can't be changed or abused, unless we update it. But if we import a package directly over HTTP into production and someone changes it / hacks it to do something bad, how will websites protect themselves from such a risk?
While a MITM can alter the HTML you get, if only a CDN or a particular npm package is compromised, the integrity check can work.
The integrity check also makes sure you have the right version and didn't get a sneaky update; think of it as package.lock.
The issue is not changing the URLs in your tag but changing the code of the package you are importing, which can affect production.
In the case of importMap, if you import, let's say, the color.js package via HTTP (relatable :-D) and then the guy who owns the package just updates its CDN exports, he can break your frontend without rebuilding your code. Because it will always re-fetch from the CDN, it can be manipulated and abused.
Like @ElementalCode said, storing the exact hash so it will check whether the CDN file was updated can be a good way to protect yourself from unexpected manipulations of the package.