Hacker News
by sytelus 3387 days ago
37% of surveyed sites used at least one library with a known vulnerability. Websites don't upgrade these libraries frequently either. The question in my mind is why browsers don't ship with popular JS libraries? That way downloads can be reduced and also such security issues can be addressed more centrally.
1 comments

It doesn't matter how the updates to libraries are done; people don't update because it means API changes and testing your code to see what broke and fixing it. Most clients do not understand, let alone want to pay for that kind of maintenance.