Using JS off a CDN is not a security issue if you use Subresource Integrity: https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

You can ensure you're always running the version of the script you validated, assuming you even validate the code (which presumably no one does).