It depends upon what you mean by “out of your control”. The CDN I’m advocating is one that you “control”. Meaning a CDN whose content and security is configurable by you or your organization. Obviously, there are degrees of control. One could argue that unless the hardware is sitting in a building you own sending and receiving through a network you built, you’re not really in control. But obviously that’s an extreme that wouldn’t be suitable for most organizations.

Regarding shrinkpack, that actually looks like a good solution for checking dependencies into source control in a more manageable way. I will do some research and update the main article with my findings. Thanks for bringing that to my attention!