The CDN is arguably fragile as well, as it is out of your control. While I would not disagree that NPM is fragile, there also have been a large number of changes to the policies on unpublishing from npm to the point where I think it is still a valid option.

Finally, as a footnote, shrinkpack helps make shrinkwrap even better, so you’re not checking in node_modules directly.