Given code like this:
import { el, mount } from 'https://unpkg.com/redom@3.2.1/dist/redom.es.js';
is there some way to enable subresource integrity verification to ensure that the CDN asset returns the expected content?
See Question&Answers more detail:os
You have to also define the module via
<script type="module" integrity="..." src="https://unpkg.com/redom@3.2.1/dist/redom.es.js">
What you're asking specifically requires changes to ECMAScript itself and currently there's not even a proposal for it, so I don't expect it to appear anytime soon.
However in the case of UNPKG, if you trust UNPKG and Cloudflare not to mess with the content, you're fine. Neither npm nor the package author can modify the file as long as you specify the version.
