I think it's fairly common. I was reviewing an implementation of a phone number input component last month. It looked great, changing the country code automatically showed the correct country's flag or vice versa select your flag and the country code updated, plus a bunch of useful phone number validation logic was provided, you just add the NPM package and use the resulting component and magic happened. But open up dev tools and you see that all the flags are being brought in from a CDN. The only fix is to fork the library and change asset paths in their code to self host. Many libraries are like this, icon collections, design system web components, whatever. If you're not vigilant it's easy to lazily include CDN hosted assets without explicit intent.