by Aaron1011 3518 days ago
I agree that it's still bad practice. My main objection was to the statement "Since GitHub is for open-source projects, it also meant that any user could submit a request to modify the code and impact Trump's website". If you don't trust the maintainers' judgement in merging PRs, hosting it yourself isn't a solution (short of reviewing the entire project yourself).
1 comments

I think the concern here is that the maintainer could subsequently merge a malicious PR knowing who was using the library from GitHub. That wouldn't be an issue if that group was hosting a version themselves (before the maintainer might find out who was using it).