In my experience, first-party JavaScript is more likely to be updated so rarely that bugs and exploits are more likely than supply chain attacks. If I heard about NPM getting attacked as often as I hear about CDNs getting attacked, I’d be more concerned.
Direct linking via a specific CDN was the problem. This is solved by bundlers, not caused by it.